Release 10.1A: OpenEdge Deployment:
Managing 4GL Applications

Compile-time security

Compile-time security checking is built into OpenEdge. You define compile-time security for an application database at the table and field levels to prevent the user from writing their own procedures to access data in the database. This level of security also applies to dynamic queries and FINDs as well as databases with run-time permission checking.

OpenEdge lets you define the type of access rights or permissions different users can have to the tables and fields in your database applications. OpenEdge checks these permissions when the user runs and compiles a procedure for the first time during an OpenEdge session. The default compile-time checking is useful for applications that are compiled each time a different user runs the application.

However, the default compile-time permissions are not enough for precompiled applications. If you use CRC-based r-code (the default), the user can compile a procedure against a database that has the same schema as the database (a counterfeit database) and then run the procedure against the database. Since the default for OpenEdge is to do compile-time permission checking only, your database is unprotected at run time unless you do one of the following:

Turn on run-time permission checking as described in "Specifying run-time permissions checking" section.
Use the PROUTIL utility’s DBAUTHKEY qualifier to set an authorization key for the database. The authorization key prevents unwanted r-code that has been compile-time checked only from running against the database.

For more information about CRC-based object code, see Appendix B, "R-code Features and Functions," For more information about the PROUTIL utility, see OpenEdge Data Management: Database Administration .