Controlling the user ID and login sessions in audit data records

As described in Configuring additional user authentication systems and domains, and in OpenEdge Getting Started: Identity Management, there is more than one way to architect an ABL application's security system to authenticate and authorize application/database access, which supports non-repudiation of the user ID recorded in auditing events. You might want to use a single user ID for the application and all database connections, or you might want to use different user IDs for the application and each database connection. Another option is to use a combination of the previous two. For this reason, an ABL application must be able to configure auditing to use the user ID set in the database connection or obtain it from an ABL session or application-level authentication operation.

Both the model of user authentication through SETUSERID and the model using the client-principal object are supported. The general rule, however, is that you employ only one of the models in an application.

When using the SETUSERID model, your application is required to connect to an OpenEdge database using either the -U and -P parameters or a default connection identity, and then call the SETUSERID function. Either way, your application is required to populate and use the user accounts provided by the OpenEdge database's _User table. With regard to auditing, the database connection's user ID is recorded in auditing records and the users domain is always the default (blank) domain.

The client-principal model gives the application much more flexibility, but might require some additional configuration work at the production site by the security administrator. Using this model requires at least some of the following steps:

Whether the application uses a single user identity (client-principal) for the entire application or multiple user identities is totally at the discretion of the application designer. Progress Software recommends that an application run with only one user identity at a time. The one rule is that the SET-DB-CLIENT (or SETUSERID) function supersedes any user identity set using the SECURITY-POLICY:SET-CLIENT( ) method. For additional details about how to set this up in an application, see OpenEdge Development: Programming Interfaces.

The Audit Policy allows the audit administrator to select whether an authentication audit event will record just the simple user authentication operation or add the additional user login session information about the authentication system that was used.

The recorded user ID in the auditing records can come from either the ABL session for those applications that provide their own user authentication or from the OpenEdge database connection for those applications that use OpenEdge user authentication. You control where the user ID comes from through configuration options in the OpenEdge database that control that database's policy. When the database option Use Application User Id for Auditing is not selected (which is the default), the user ID recorded in auditing records can be set through one of the following three methods:

When the Use Application User Id for Auditing option is selected, the user ID recorded in audit records is taken from the ABL session, which is controlled through the SECURITY-POLICY object. On that object is a method SET-CLIENT( ), which allows you to set the session user ID using a client-principal object.

For more information about: