Try OpenEdge Now
skip to main content
Core Business Services - Security and Auditing
Auditing : Audit Security : Controlling the user ID and login sessions in audit data records
 

Controlling the user ID and login sessions in audit data records

As described in Configuring additional user authentication systems and domains, and in OpenEdge Getting Started: Identity Management, there is more than one way to architect an ABL application's security system to authenticate and authorize application/database access, which supports non-repudiation of the user ID recorded in auditing events. You might want to use a single user ID for the application and all database connections, or you might want to use different user IDs for the application and each database connection. Another option is to use a combination of the previous two. For this reason, an ABL application must be able to configure auditing to use the user ID set in the database connection or obtain it from an ABL session or application-level authentication operation.
Both the model of user authentication through SETUSERID and the model using the client-principal object are supported. The general rule, however, is that you employ only one of the models in an application.
When using the SETUSERID model, your application is required to connect to an OpenEdge database using either the -U and -P parameters or a default connection identity, and then call the SETUSERID function. Either way, your application is required to populate and use the user accounts provided by the OpenEdge database's _User table. With regard to auditing, the database connection's user ID is recorded in auditing records and the users domain is always the default (blank) domain.
The client-principal model gives the application much more flexibility, but might require some additional configuration work at the production site by the security administrator. Using this model requires at least some of the following steps:
1. Coding the ABL application to generate a client-principal object or retrieve an OpenEdge-generated client-principal object
2. Configuring the local domain registry in the OpenEdge database
3. Configuring the database options to set the authentication trust relationships allowing the database connection to trust a client-principal validated against one of the following domain registries:
*Local database domain registry
*Application (ABL session) domain registry
4. Coding the ABL application's initialization and use of a session domain registry. For example:
*Loading the session domain registry from the local domain registry of an OpenEdge database
*Building the session domain registry from an external, ABL-brokered domain source
5. Coding the ABL application for where a user identity must be set. For example:
*Using the SECURITY-POLICY:SET-CLIENT( ) method to validate and set an application-wide user identity, including for all available database connections
*Using the SET-DB-CLIENT function to explicitly validate and set a user identity for one or more OpenEdge database connections only
Whether the application uses a single user identity (client-principal) for the entire application or multiple user identities is totally at the discretion of the application designer. Progress Software recommends that an application run with only one user identity at a time. The one rule is that the SET-DB-CLIENT (or SETUSERID) function supersedes any user identity set using the SECURITY-POLICY:SET-CLIENT( ) method. For additional details about how to set this up in an application, see OpenEdge Development: Programming Interfaces.
The Audit Policy allows the audit administrator to select whether an authentication audit event will record just the simple user authentication operation or add the additional user login session information about the authentication system that was used.
The recorded user ID in the auditing records can come from either the ABL session for those applications that provide their own user authentication or from the OpenEdge database connection for those applications that use OpenEdge user authentication. You control where the user ID comes from through configuration options in the OpenEdge database that control that database's policy. When the database option Use Application User Id for Auditing is not selected (which is the default), the user ID recorded in auditing records can be set through one of the following three methods:
*The OpenEdge database -U connection parameter
*The ABL SETUSERID function
*The ABL SET-DB-CLIENT function, which requires a client-principal object
When the Use Application User Id for Auditing option is selected, the user ID recorded in audit records is taken from the ABL session, which is controlled through the SECURITY-POLICY object. On that object is a method SET-CLIENT( ), which allows you to set the session user ID using a client-principal object.
For more information about:
*Managing user identities, see OpenEdge Getting Started: Identity Management
*Creating and using a client-principal object, see OpenEdge Development: Programming Interfaces
*Selecting the Use Application User Id for Auditing option,see the Data Administration Help