Security domains are OpenEdge domains configured in an OpenEdge database. They identify how a user's identity must be authenticated and what tenant data they can access.
Each domain is configured with a domain name and other domain information, the name of an authentication system, and (in a multi-tenant database) the name of a tenant. The authentication system identifies the mechanism supported to authenticate users who are members of the domain, and whether OpenEdge or an ABL application performs the authentication. The tenant name identifies the tenant data that a user authenticated to a domain can access in the multi-tenant database. To be used for authentication, a configured domain must also be enabled (the default).
The membership of a user in a domain depends on the authentication system that is configured for the domain. If the configured authentication system can authenticate the user's identity, the user is a member of that domain. So, any domain to which a user belongs must be defined in every OpenEdge database that the user accesses, and must directly, or indirectly, identify an authentication system capable of authenticating the user's identity.
When users provide their user credentials for authentication to an application, either OpenEdge (including SQL) or the ABL application performs the authentication, depending on the specified domain and whether that domain is enabled. If authentication is successful, either OpenEdge or the ABL application assigns the user's identity to the database connection. For a multi-tenant database, setting the connection identity also sets the tenant identity specified by the database domain configuration, and the user can access only the specified tenant and shared data according to the user's access permissions.
Users can be defined inside or outside of the database, or both, depending on the authentication systems for which the database domains are configured. Users can also authenticate to domains defined in both non-multi-tenant and multi-tenant databases as long as the domains are enabled. If a user does not specify a domain in their user credentials, OpenEdge assumes the blank ("") domain, which by default is configured to authenticate users defined in the _User table accounts, and to provide access to data for the default tenant of a multi-tenant database. Note that security best practices recommend that all users in a production environment be a member of a named domain.
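The following ABL procedure is an added example, not code from the OpenEdge documentation or product: it shows the application-performed path described above, in which the ABL application has already verified a user's credentials itself and then assigns that identity, in a named domain, to the database connection. It assumes a domain "acme" is defined and enabled in the connected database with an application authentication system, and that the variable cDomainKey (hypothetical name) holds that domain's access code loaded from secure configuration.

```abl
/* Added example (not OpenEdge's own code): assign an application-authenticated
   identity in a named domain to the database connection via a CLIENT-PRINCIPAL. */

DEFINE VARIABLE cUserId    AS CHARACTER NO-UNDO INITIAL "alice@acme". /* constructed credential */
DEFINE VARIABLE cDomainKey AS CHARACTER NO-UNDO.   /* "acme" domain access code, loaded elsewhere (assumed) */
DEFINE VARIABLE hCP        AS HANDLE    NO-UNDO.
DEFINE VARIABLE lOk        AS LOGICAL   NO-UNDO.

/* Refuse the blank ("") domain: with no "@domain" qualifier OpenEdge falls back to the
   _User table accounts and the default tenant, which production users should not use. */
IF INDEX(cUserId, "@") = 0 OR SUBSTRING(cUserId, INDEX(cUserId, "@") + 1) = "" THEN DO:
    MESSAGE "Refusing identity without a named domain:" cUserId VIEW-AS ALERT-BOX ERROR.
    RETURN.
END.

/* Build the identity token. No password is carried in it: the application has already
   verified the credentials against its own user store before reaching this point. */
CREATE CLIENT-PRINCIPAL hCP.
hCP:INITIALIZE(cUserId).   /* "alice@acme" splits into USER-ID "alice", DOMAIN-NAME "acme" */

/* Seal the token with the domain access code. The database accepts the token only if the
   seal matches the access code configured for that domain. */
hCP:SEAL(cDomainKey).

/* Assign the authenticated identity to the database connection. The call fails if the
   domain is not defined, is disabled, or the seal does not verify. For a multi-tenant
   database a successful call also selects the tenant configured for the "acme" domain. */
lOk = SET-DB-CLIENT(hCP) NO-ERROR.
IF NOT lOk THEN
    MESSAGE "Database rejected identity for domain" hCP:DOMAIN-NAME
            "(domain missing, disabled, or seal mismatch)" VIEW-AS ALERT-BOX ERROR.
ELSE
    MESSAGE "Connection identity is now" hCP:QUALIFIED-USER-ID VIEW-AS ALERT-BOX.

DELETE OBJECT hCP.
```

If the domain were instead configured for OpenEdge-performed authentication against the _User table, the application would not build the token itself; OpenEdge authenticates the credentials and assigns the connection identity.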