User identity applications
OpenEdge supports management features for one or more of the following user identity applications, depending on configured database options:
* Database connection identity — A database connection identity is the user identity assigned to a connected OpenEdge RDBMS. This can be an authenticated identity or an OpenEdge default identity. To ensure that a database is connected with an authenticated identity, you can establish the connection with the CONNECT statement or use the SET-DB-CLIENT function on an existing connection to set an authenticated identity. Initially, database access is fully open to all users. Using database options set by the security administrator, OpenEdge can then authorize access to specific database tables and fields or to specific database management functions (for security administrators, for example) based on the authenticated or default connection identity. The ABL USERID function returns the user ID of the current database connection identity, regardless of how it is set (by authentication or default).
* ABL session identity — An ABL session identity is a user identity assigned to a given ABL session, independent of any database connections. To establish a session identity, you must invoke the SET-CLIENT( ) method on the SECURITY-POLICY system handle; otherwise, the session identity is undefined. The ABL session identity can thus be used to authorize user access to application features in a database-independent fashion. These can be features that are entirely application defined or that are supported specifically by OpenEdge, such as the auditing identity (see the next bullet). Depending on database options you set and how your application handles the authentication of database connections, setting the ABL session identity can also set the identity for all database connections in the session.
* Application user identity — An application user identity is a common user identity established by a multi-tier application for use by all ABL sessions that run on behalf of the application. Typically, the application user identity is shared between a single OpenEdge AppServer client and the AppServer agent or agents that process client requests. Depending on the application session model, this single application user identity can also be shared between a single OpenEdge client session and multiple AppServer instances. Each AppServer session uses the application user identity to set the ABL session identity and any or all database connection identities required by the session. You typically set the application user identity from a user ID that is asserted to the client session and authenticated by an AppServer running as an authentication service. For more information on multi-tier applications, the OpenEdge AppServer, and application session models, see OpenEdge Getting Started: Application and Integration Services.
* Auditing identity — An auditing identity is the designated user identity that OpenEdge records in the audit event records of an audit trail. There is no functionally independent auditing identity. Instead, the auditing identity is set from one of the other established identities, depending on the application configuration. By default, the auditing identity for the audit trail recorded by a given database is the database connection identity for that database. However, you can also set a database option to use the identity of any ABL session that connects to the database as the auditing identity. In this way, you can configure auditing for every database that is connected to a given ABL session so that all database audit trails for that session are associated with the same user identity. For more information on auditing identity, see OpenEdge Getting Started: Core Business Services - Security and Auditing.
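The sequence implied by the first two bullets (represent an authenticated user as a client-principal, establish the ABL session identity with SET-CLIENT( ), apply the same identity to a database connection with SET-DB-CLIENT, then confirm it with USERID), as an added ABL example that is not from this page. The user ID, domain name, domain access code, database name and connection parameters are placeholder assumptions; the domain must be registered in the database with that access code for the seal to be accepted.

```abl
/* Added example, not OpenEdge documentation code. "jsmith", "MyDomain",
   "domain-access-code" and "sports2000" are placeholder assumptions. */
DEFINE VARIABLE hCP AS HANDLE  NO-UNDO.
DEFINE VARIABLE lOK AS LOGICAL NO-UNDO.

/* Build a client-principal that carries the authenticated user identity. */
CREATE CLIENT-PRINCIPAL hCP.
hCP:INITIALIZE("jsmith",                    /* user ID                 */
               "session-" + STRING(MTIME),  /* unique session ID       */
               ?,                           /* no expiration           */
               "MyDomain").                 /* authentication domain   */

/* Sealing with the domain access code is what marks the identity as
   authenticated; OpenEdge verifies this seal against the domain registry. */
hCP:SEAL("domain-access-code").

/* 1. ABL session identity. Until SET-CLIENT( ) succeeds the session identity
      is undefined, so database-independent authorization has nothing to check. */
lOK = SECURITY-POLICY:SET-CLIENT(hCP).
IF NOT lOK OR hCP:LOGIN-STATE <> "LOGIN" THEN DO:
    MESSAGE "Session identity not established, login state:" hCP:LOGIN-STATE
        VIEW-AS ALERT-BOX ERROR.
    RETURN ERROR.
END.

/* 2. Database connection identity. Connect if needed (assumed parameters),
      then replace the default connection identity with the authenticated one. */
IF NOT CONNECTED("sports2000") THEN DO:
    CONNECT VALUE("-db sports2000 -H localhost -S 20000") NO-ERROR.
    IF ERROR-STATUS:ERROR THEN RETURN ERROR.
END.
lOK = SET-DB-CLIENT(hCP, "sports2000").
IF NOT lOK THEN DO:
    MESSAGE "Database rejected the identity (seal or domain mismatch)"
        VIEW-AS ALERT-BOX ERROR.
    RETURN ERROR.
END.

/* 3. Verify. USERID( ) reports the current connection identity whether it
      came from authentication or from the OpenEdge default, so compare it
      with the session identity instead of assuming they agree. */
MESSAGE "Session user:"  hCP:USER-ID SKIP
        "Database user:" USERID("sports2000")
    VIEW-AS ALERT-BOX INFORMATION.
```

Depending on the database options described above, the SET-CLIENT( ) call alone may already have set the connection identity; the explicit SET-DB-CLIENT call makes the result independent of that configuration.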
In any given ABL application, you might use none, some, or all of these user identities to secure and identify features and data. Also, the management of user identities can be more or less complex depending on whether your application is client-server or multi-tier. ABL provides features to handle both.
ABL also provides features for creating and managing a unique identity for client context. You can use this client context ID, together with the current multi-tier application user identity, as a key for the database objects you maintain to store and retrieve client context across all the sessions that execute on behalf of the user.