When using an STS-enabled database, the _oeusertable authentication system is not required, and accounts do not have to be in the _User table.
Description
Authenticates a user identity for a specified database connection, verifying that the user ID and password supplied to the SETUSERID function match a user account in the _User table of the database. If they match, the database connection is set to the specified user identity and the function returns a TRUE value. If the database is multi-tenant, is also sets the user's tenancy.
If the user ID is not in the _User table or the password is incorrect, SETUSERID returns a FALSE value and does not assign the user identity to the database connection. You can also check the ERROR-STATUS system handle for any messages returned.
Using this function overrides user identity previously set for the database connection by either the SECURITY-POLICY:SET-CLIENT( ) method or the SET-DB-CLIENT function.
This function authenticates user identities only against user accounts defined in the _User table of a connected OpenEdge RDBMS. To authenticate against additional OpenEdge-supported and application-defined authentication systems, use the SET-CLIENT( ) method or the SET-DB-CLIENT function instead.
A literal value, field name, variable name, or expression that results in a character value that represents the user's user ID. If you use a literal value, you must enclose it in quotation marks ("").
If the user is defined in a non-default domain, this value must be a fully qualified user ID, including both the non-qualified user ID and domain separated by a domain delimiter (@). If the user is defined in the default (blank) domain, only a non-qualified user ID (without a domain delimiter) must be specified. For more information on specifying a fully qualified user ID, see the reference entry for the QUALIFIED-USER-ID attribute.
Note: The default blank domain provides backward compatibility with OpenEdge releases that do not support domains as part of a user's identity.
password
A literal value, field name, variable name, or other character expression that results in a character value that represents the user's password. If you use a literal value, you must enclose it in quotation marks ("").
Alternatively, you can encrypt the password using the ENCRYPT-AUDIT-MAC-KEY( ) method. For more information, see the documentation on encrypted passwords in OpenEdge Development: Programming Interfaces.
logical-dbname
The logical name of the database on whose connection you want to check and set the user identity. The logical database name must be a character string enclosed in quotes, or a character expression. If you do not specify this argument, the compiler inserts the name of the database that is connected when the procedure is compiled. If you omit this argument and more than one database is connected, ABL raises an error.
Notes
Within a transaction on a:
Multi-tenant database — Any attempt to set an identity for the connection that changes the current database tenancy raises a run-time error.
Non-multi-tenant database — As a best practice, Progress Software recommends that you not set a new identity for the connection.
To assign a user identity while making a database connection, use the CONNECT statement.
After a user identity is set for a database connection, the AVM uses that identity to determine if the user has permission to access tables and fields in that particular database.
This function has the following restrictions:
It does not generate any audit events, such as for login and logout.
It can change the user identity for only one database connection at a time.
The domain of the user identity you want to set must be configured to use the authentication system, _oeusertable.
The domain of the user identity you want to set must be enabled in the _User table of the connected database.
Note: When using an STS-enabled database, the _oeusertable authentication system is not required, and accounts do not have to be in the _User table.
Under the following conditions, the SETUSERID function returns a value of FALSE and does not assign a user identity to the user:
There are no entries in the _User table.
There is no _User record with the same user ID as the one supplied with the SETUSERID function.
The password supplied with the SETUSERID function does not match the password in the _User table record of the specified user ID.
When using the SETUSERID function, ABL returns a compiler error under the following conditions:
There is no database connected.
The logical-dbname argument is omitted, and more than one database is currently connected.
When specifying the logical-dbname argument, you must provide the name of the logical database, not the physical database.
SETUSERID encodes the password argument and then compares the result with the value stored in the _User._password field of the _User table.
After SETUSERID returns a value of TRUE and assigns the authenticated user ID to a database connection:
ABL uses that user ID when the user compiles procedures.
Subsequent invocations of the USERID function for the same database connection return the assigned user ID.
If the root user ID does not exist in the _User table, SETUSERID returns a value of FALSE when supplied with a userid of root. If the _User table does have a root entry, the user who assumes that user ID has all the privileges associated with the root user ID on UNIX.
You must create and enable a blank user ID ("") if you want to set the user ID to a null value.
See OpenEdge Getting Started: Identity Management, OpenEdge Development: Programming Interfaces, and OpenEdge Data Management: Database Administration for more information on user privileges.
Once an initial database connection is established, you can also use the SET-CLIENT( ) method (on the SECURITY-POLICY system handle) or the SET-DB-CLIENT function to set the user identity for the connection.
Any database connection whose user identity is set using this function locks out the SET-CLIENT( ) method from setting an identity for that connection. To unlock and allow the SET-CLIENT( ) method to set the identity for a locked database connection, call the SET-DB-CLIENT function for the connection, passing the Unknown value (?) for its client-principal-handle parameter. This unlocking of a database connection leaves the current connection identity unchanged.
For each user identity authenticated by the SETUSERID function, the function creates a sealed security token containing the user credentials for the database connection, which you can return as a client-principal object using the GET-DB-CLIENT function. You can then use this sealed client-principal in a single sign-on (SSO) operation to set the identity of another database connection or ABL session.
This function returns FALSE and with messages returned in the ERROR-STATUS system handle if:
The format of the non-qualified user ID or domain name is invalid or the value has contains characters outside of the restricted user ID or domain name character sets (see the QUALIFIED-USER-ID attribute entry)
Multiple databases are connected and logical-dbname is not passed or resolves to the Unknown value (?)
Multiple databases are connected and logical-dbname does not refer to a connected database
This function does not attempt set the connection identity for the foreign data source of a DataServer connection. However, it does attempt to set the connection identity for the OpenEdge schema holder database.