User ID patterns as ACLs and ABL permissions checking
ABL permissions for table and field access test a given user ID against a permission string, which is a comma-delimited list of permission entries. Permission testing is performed in the ABL client at different times, all using the same permission checking algorithm:
1. Compile-time permission checking is performed when an ABL source (.p/.i/.w/.cls) file is compiled into r-code.
Note: Compile-time permission checking is no longer a recommended best-practice data security model when a database can execute pre-compiled modules from any source.
2. R-code execution checks permissions to access:
a. Meta-schema and schema tables at run time
b. User data tables when run-time permission checking is enabled
c. User data tables accessed through dynamic buffers and queries
The matching rules for permission checking are simple, but powerful:
The first match of the user ID against one of the pattern entries ends the check and returns the results to the caller.
When no match between the user ID and any pattern entry exists, permission is always denied.
If the pattern entry begins with an exclamation mark ("!"), permission is denied when a match between the user ID and pattern entry exists.
If the matched pattern does not begin with an exclamation mark, permission is granted when a match between the user ID and the pattern entry exists.
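The matching rules above, modeled in Python as an added example (this is not ABL and not the vendor's implementation). The `*` wildcard and the case-insensitive comparison are assumptions of this sketch, the user IDs in the demo are constructed, and `check_permission` and `unreachable_entries` are hypothetical names.

```python
import re

def _matches(pattern: str, user_id: str) -> bool:
    # Assumption: "*" matches any run of characters and case is ignored.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, user_id, re.IGNORECASE) is not None

def check_permission(acl: str, user_id: str):
    """Return (granted, deciding_entry); deciding_entry is None if nothing matched."""
    for entry in (e.strip() for e in acl.split(",")):
        if not entry:
            continue
        deny = entry.startswith("!")
        pattern = entry[1:] if deny else entry
        if _matches(pattern, user_id):
            # The first matching entry ends the check: "!" denies, otherwise grant.
            return (not deny, entry)
    # No entry matched: permission is always denied.
    return (False, None)

def unreachable_entries(acl: str):
    """List entries placed after a catch-all ("*" or "!*").

    Because the first match wins, such entries can never decide a check,
    which usually means a deny rule was added in the wrong position.
    """
    entries = [e.strip() for e in acl.split(",") if e.strip()]
    for i, entry in enumerate(entries):
        if entry in ("*", "!*"):
            return entries[i + 1:]
    return []

if __name__ == "__main__":
    # Constructed permission strings and user IDs.
    for acl in ("!bob,*", "*,!bob", "alice,carol"):
        for uid in ("alice", "bob"):
            print(f"{acl!r:14} {uid:6} -> {check_permission(acl, uid)}")
        print(f"{acl!r:14} unreachable: {unreachable_entries(acl)}")
```

With `*,!bob` the deny entry is never consulted, so `bob` is granted access; placing `!bob` first gives the intended result.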