Role-based authorization

Both SQL and ABL authorization models support roles to which users can be assigned. When a user is assigned to a role, they can perform certain types of operations on and in the database that are permitted for their assigned role.
The basic roles include:
* Database administrator — Allows access to all database operations as any role initially, including the authorization to assign users to all other roles. Once users are assigned to other roles, the database administrator might no longer have authorization to perform the operations of those assigned roles. In the SQL model, there are a number of roles that a database administrator (DBA) always has the power to grant or revoke. In the ABL model, everyone is a database administrator. For more information on the database administrator role in the:
  * SQL model — See OpenEdge Data Management: SQL Development
  * ABL model — See OpenEdge Data Management: Database Administration
* Security administrator — Allows access to all database security operations, such as setting various database security options, configuring domains, defining users in the database _User table accounts, and assigning data access privileges and permissions to users. In the SQL model, the DBA is also the security administrator. In the ABL model, after a database administrator assigns the first security administrators, only the assigned security administrators can act as security administrators and assign other security administrators. The default ABL security administrator is everybody and public.
  Caution: If the blank user is the only ABL security administrator, do not add any non-blank users to the database _User table accounts. Once a non-blank user is added to the database _User table accounts, OpenEdge no longer allows a blank user to act as a security administrator, and all access to database security functions, if not to the database itself, is effectively locked out.
  For more information on security administrators, see OpenEdge Getting Started: Core Business Services - Security and Auditing and OpenEdge Data Management: Database Administration.
* Audit roles — Allow access to various roles that have different audit privileges, including the audit administrator, application audit event inserter, audit data archiver, and audit data reporter. The assignment of audit roles follows a grant model. SQL DBAs and ABL security administrators are all audit administrators until they explicitly assign the first audit administrator. The audit administrator can assign users, including themselves, to all other audit roles. If only one user is assigned as an audit administrator, the database administrator can revoke that assignment and become the default audit administrator again. Although the mechanism for assigning audit roles and privileges is different in SQL and ABL, settings made in either authorization model are recognized by the other, because auditing is a core service common to both models. For more information on OpenEdge auditing and audit roles, see OpenEdge Getting Started: Core Business Services - Security and Auditing.