Release 10.1A: OpenEdge Getting Started:
Core Business Services
Audit security
OpenEdge Release 10.1A introduces the ability to use an external authentication system to validate user identity. You can use this new capability with auditing to establish an external system, such as a 4GL application, as an authentication source trusted by OpenEdge. Although you can continue to use the validation of user name and password in the _User table, you can now configure your application to use its own authentication system if you so choose.
An essential component to auditing success is the knowledge that the generated audit data is secure and protected from outside tampering. The OpenEdge auditing solution allows you to determine which authenticated users have access to audit policy configuration and audit data management, including the truncation, deletion, or archiving and loading of audit data, by assigning these specific predefined audit privileges: audit administrator, application audit event inserter, audit data archiver, and audit data reporter.
Granting of audit privileges occurs within the Data Administration tool or character Data Dictionary for Progress 4GL administrators or through the SQL GRANT statement for SQL administrators.
To detect when an audit data record has been tampered with at the binary storage level by an insecure or unregulated program, you can optionally seal the audit data records by using either a message digest or a message authentication code (MAC). Both allow detection of unauthorized changes if someone attempts to modify audit data outside of a Progress 4GL or SQL application. A MAC is a message digest computed with a secret key, so it is more secure than a plain message digest.
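The difference between the two seal types, as an added example that is not OpenEdge code and does not reflect its storage format: it seals a constructed audit record both ways and checks which seal still detects a change when the modifying program also rewrites the stored seal. The record layout, the key, and the use of SHA-256 and HMAC are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample record; the field layout is an assumption, not OpenEdge's format.
RECORD = b"2005-11-02T10:15:00|jsmith|UPDATE|customer|credit-limit=5000"
SEAL_KEY = b"constructed-demo-key"  # hypothetical key known only to the trusted writer


def seal_digest(record: bytes) -> bytes:
    """Unkeyed seal: anyone holding the record bytes can recompute it."""
    return hashlib.sha256(record).digest()


def seal_mac(record: bytes, key: bytes) -> bytes:
    """Keyed seal (HMAC): recomputing it requires the secret key."""
    return hmac.new(key, record, hashlib.sha256).digest()


def verify_digest(record: bytes, seal: bytes) -> bool:
    return hmac.compare_digest(seal_digest(record), seal)


def verify_mac(record: bytes, seal: bytes, key: bytes) -> bool:
    return hmac.compare_digest(seal_mac(record, key), seal)


def audit_check() -> dict:
    """Return (digest_verifies, mac_verifies) for two storage-level changes."""
    digest_seal = seal_digest(RECORD)
    mac_seal = seal_mac(RECORD, SEAL_KEY)
    tampered = RECORD.replace(b"5000", b"9000")

    # Case 1: record bytes changed, stored seal untouched. Both seals fail to verify.
    untouched = (verify_digest(tampered, digest_seal),
                 verify_mac(tampered, mac_seal, SEAL_KEY))

    # Case 2: the stored seal is rewritten too. Without SEAL_KEY only an unkeyed
    # digest (or a MAC under some other key) can be produced.
    rewritten = (verify_digest(tampered, seal_digest(tampered)),
                 verify_mac(tampered, seal_mac(tampered, b"other-key"), SEAL_KEY))
    return {"seal_untouched": untouched, "seal_rewritten": rewritten}


if __name__ == "__main__":
    for case, (digest_ok, mac_ok) in audit_check().items():
        print(f"{case}: digest verifies={digest_ok}, MAC verifies={mac_ok}")
```

A seal that still verifies after the change means the tampering went undetected; only the keyed seal fails verification in both cases.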
You can also assign each database instance its own unique identifier, which provides a way to uniquely associate a database with its audit data, no matter where the audit data is archived.
For information about audit data security, see Chapter 9, "Audit Security."
Copyright © 2005 Progress Software Corporation www.progress.com Voice: (781) 280-4000 Fax: (781) 280-4095