When a user's domain is available for access control

The name of a user's domain is available for authorization purposes depending on the type of database client, the type of access, and whether the database is multi-tenant or non-multi-tenant (non-tenant). In general, authorization to access a multi-tenant database is always controlled using a fully qualified user ID, including the domain name. However, authorization to access a non-tenant database is always controlled using only the user name (the non-qualified user ID, without the domain name), even if the user has been authenticated in a specified domain using a fully qualified user ID.
The following table shows, for each database client type and type of access, whether a fully qualified user ID or only the user name is used to control access to database resources, where user@domain represents a fully qualified user ID and user-name represents a non-qualified user ID.
Table 4. Where a domain name is available for access control (authorization)
This database client type...
For database utility access uses...
For tenant data access uses...
For view access uses...
For table access uses...
For field/column access uses...
Database command-line utilities
user@domain
user@domain
user@domain
ABL non-tenant
user-name
user-name
ABL multi-tenant
user@domain
user@domain
user@domain
SQL non-tenant
user-name
user-name
user-name
SQL multi-tenant
user@domain
user@domain
user@domain
user@domain
Access to restricted database command-line utilities is granted to two user roles:
* ABL Security Administrator
* SQL DBA
In general, an ABL Security Administrator is granted access to:
* Restricted database command-line utilities
* Restricted ABL database configuration APIs and classes
* Management of auditing roles
* Management of table and field permissions checking at compile time or run time
* Restricted meta-schema tables, such as _User, _File, _Db, and so on
An ABL Database Administrator must take all these access permissions into account when determining what users they assign to the Security Administrator role.
An SQL DBA is granted access to:
* Restricted database command-line utilities
* Management of security for views, tables and fields
All of the database client types perform run-time authorization for tenant data, and always use a fully qualified user ID for this type of access control.
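Because a non-tenant database authorizes on the user name alone, accounts that share a user name in different domains map to the same authorization identity there. The following audit sketch is an added example, not Progress code: it groups a list of user IDs by the identity that access control would see and reports any that collide. The sample IDs, the function names, and the rule of splitting at the last "@" are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of authenticated identities (not real accounts).
SAMPLE_IDS = [
    "alice@hr",
    "alice@contractors",
    "bob@hr",
    "carol",      # no domain given
    "bob@hr",     # duplicate entry, must not count as a collision
]


def split_user_id(user_id):
    """Split 'user@domain' into (user_name, domain).

    Assumption: the domain follows the last '@'; an ID without '@'
    has an empty domain.
    """
    name, sep, domain = user_id.rpartition("@")
    if not sep:
        return user_id, ""
    return name, domain


def authz_identity(user_id, multi_tenant):
    """Identity used for access control under the rule described above:
    fully qualified ID for multi-tenant, user name only for non-tenant."""
    name, _domain = split_user_id(user_id)
    return user_id if multi_tenant else name


def find_collisions(user_ids, multi_tenant=False):
    """Map each authorization identity to the distinct user IDs sharing it,
    keeping only identities shared by more than one distinct ID."""
    groups = defaultdict(set)
    for uid in user_ids:
        groups[authz_identity(uid, multi_tenant)].add(uid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for ident, ids in find_collisions(SAMPLE_IDS).items():
        print(f"{ident!r} is shared by: {', '.join(ids)}")
```

Any identity this reports deserves review before granting table or field permissions on a non-tenant database, since a grant to that user name applies to every listed account.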