Identity Management

User ID patterns as ACLs and ABL permissions checking

ABL permissions for table and field access test a given user ID against a permission string, which is a comma-delimited list of permission entries. Permission testing is performed in the ABL client at different times, all using the same permission-checking algorithm:
1. Compile-time permission checking is performed when an ABL source (.p/.i/.w/.cls) file is compiled into r-code.
   Note: Compile-time permission checking is no longer a recommended best-practice data security model when a database can execute precompiled modules from any source.
2. R-code execution checks permissions to access:
   a. Meta-schema and schema tables at run time
   b. User data tables when run-time permission checking is enabled
   c. User data tables accessed through dynamic buffers and queries

The matching rules for permission checking are simple, but powerful:
* The first match of the user ID against one of the pattern entries ends the check and returns the results to the caller.
* When no match between the user ID and any pattern entry exists, permission is always denied.
* If the pattern entry begins with an exclamation mark ("!"), permission is denied when a match between the user ID and pattern entry exists.
* If the matched pattern does not begin with an exclamation mark, permission is granted when a match between the user ID and the pattern entry exists.
* Patterns affecting ABL permissions
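
The four matching rules above, modeled in Python as an added example (not OpenEdge code), with a helper that reports entries which never decide the outcome for a set of user IDs, which is how a misordered deny entry shows up in an ACL review. Assumptions: "*" in a pattern matches any run of characters, empty entries are skipped, and all user IDs and permission strings are constructed samples.

```python
import re

def _matches(user_id, pattern):
    # Assumption of this sketch: '*' matches any run of characters and every
    # other character is literal. The page itself does not define the syntax.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, user_id) is not None

def parse(permission_string):
    # Comma-delimited list of entries; empty entries are skipped (assumption).
    return [e for e in permission_string.split(",") if e]

def decide(user_id, entries):
    """Return (granted, index of the deciding entry or None)."""
    for i, entry in enumerate(entries):
        deny = entry.startswith("!")
        if _matches(user_id, entry[1:] if deny else entry):
            return (not deny, i)      # first match ends the check
    return (False, None)              # no match: permission is denied

def check_permission(user_id, permission_string):
    return decide(user_id, parse(permission_string))[0]

def never_deciding(permission_string, sample_ids):
    """Entries that did not decide the result for any sample user ID."""
    entries = parse(permission_string)
    hit = {decide(u, entries)[1] for u in sample_ids}
    return [e for i, e in enumerate(entries) if i not in hit]

if __name__ == "__main__":
    users = ["guest", "alice", "admin_ops"]        # constructed user IDs
    for acl in ("*,!guest", "!guest,*", "admin*"):  # constructed ACLs
        results = {u: check_permission(u, acl) for u in users}
        print(f"{acl!r}: {results} unused={never_deciding(acl, users)}")
```

In "*,!guest" the leading "*" matches every user ID first, so the "!guest" entry is never evaluated and guest is granted access; placing the deny entry first gives the intended result.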