Release 10.1A: OpenEdge Getting Started:
New and Revised Features


Security

OpenEdge 10.1A security enhancements largely support the new auditing features, but also include general enhancements for authentication, database authorization, and identity management.

Authentication and identity management

By default, OpenEdge provides support for authenticating and authorizing user IDs that are defined for use as database connection IDs in the _User table, the OpenEdge internal authentication system. Starting with Release 10.1A, OpenEdge also provides support for authorizing user IDs that are defined and authenticated in external authentication systems that you access in your 4GL application.

OpenEdge provides a new 4GL object, the client-principal object, that you can use to maintain login sessions for an externally authenticated user ID. Using the attributes maintained for this object, OpenEdge can optionally record information about each such client login session in an OpenEdge RDBMS. The client-principal object provides methods to manage this client login session from login to logout. These recorded client sessions can also become part of any audit trail established for a database (see the "Auditing" section).

OpenEdge also introduces mechanisms for maintaining secure and trusted domain registries that store domain information about the trusted external authentication systems you use in your 4GL application. OpenEdge provides new methods for the SECURITY-POLICY system handle that allow you to build a trusted application domain registry at run time, and provides new data administration features to build trusted database domain registries at configuration time. Using a new SET-CLIENT( ) method on the SECURITY-POLICY system handle and a new 4GL SET-DB-CLIENT function, you can assert, validate, and manage the various identities associated with a client-principal object. OpenEdge can then authorize various services, including database access and auditing services, based on the identity assumed by the user ID associated with the client-principal object.
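The run-time flow described above, written out in 4GL as an added example (this is not code from the original page or from Progress). It assumes the 10.1A SECURITY-POLICY methods REGISTER-DOMAIN( ) and LOCK-REGISTRATION( ) and the client-principal methods INITIALIZE( ), SEAL( ), VALIDATE-SEAL( ) and LOGOUT( ); the domain name, access code, user ID and database name are constructed placeholders.

```abl
/* Added example: asserting an externally authenticated user to OpenEdge.
   Assumes the application has already verified "alice" against its own
   external authentication system before this code runs. Domain name,
   access code, user ID and database name are constructed placeholders. */
DEFINE VARIABLE hCP AS HANDLE  NO-UNDO.
DEFINE VARIABLE lOK AS LOGICAL NO-UNDO.

/* 1. Build the trusted application domain registry at run time, then lock
      it so no later code in this session can add or alter a domain.
      (REGISTER-DOMAIN / LOCK-REGISTRATION are assumed 10.1A methods.) */
SECURITY-POLICY:REGISTER-DOMAIN("Accounting",             /* domain name   */
                                "change-me-access-code",  /* shared secret */
                                "LDAP",                   /* domain type   */
                                "Corporate LDAP directory").
SECURITY-POLICY:LOCK-REGISTRATION().

/* 2. Create the client-principal for the already-authenticated user.
      The user ID is qualified with its domain so the registry entry is
      found when the seal is checked. */
CREATE CLIENT-PRINCIPAL hCP.
hCP:INITIALIZE("alice@Accounting").

/* 3. Seal the object with the domain access code; the seal is what
      SET-CLIENT( ) and SET-DB-CLIENT( ) verify against the registry. */
lOK = hCP:SEAL("change-me-access-code").
IF NOT lOK THEN DO:
    MESSAGE "Seal failed:" hCP:STATE-DETAIL VIEW-AS ALERT-BOX ERROR.
    DELETE OBJECT hCP.
    RETURN.
END.

/* 4. Assert the identity for the session and for the connected database.
      Either call fails if the seal does not match a trusted domain. */
IF NOT SECURITY-POLICY:SET-CLIENT(hCP) OR
   NOT SET-DB-CLIENT(hCP, "sports2000") THEN DO:
    MESSAGE "Identity rejected:" hCP:LOGIN-STATE hCP:STATE-DETAIL
        VIEW-AS ALERT-BOX ERROR.
    DELETE OBJECT hCP.
    RETURN.
END.

/* ... application work now runs as alice@Accounting; database
   authorization and any configured auditing use this identity ... */

/* 5. An explicit logout records the end of the login session. */
hCP:LOGOUT().
DELETE OBJECT hCP.
```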

Auditing

OpenEdge 10.1A provides new authorization privileges for controlling access to auditing features. It also provides mechanisms for securing audit data from unauthorized access both when it is live in an OpenEdge database and off-line in archival storage. These mechanisms support nonrepudiation of the audit trail. For more information on auditing features, see the "Auditing" section.

Blank user ID connection checking

By default, the blank user ID can be used to connect a 4GL client to a database. Starting with OpenEdge 10.1A, you can optionally choose to block use of the blank user ID as a valid database connection ID.

Note: Only OpenEdge 10.1A and later database clients can perform blank user ID connection checking. This feature is not backwards compatible.

Run-time permissions checking

By default, OpenEdge provides compile-time database table- and field-level security. Starting with OpenEdge 10.1A, you can optionally also choose to apply database authorization at run time through a new setting in the Database Options dialog box of the Data Administration tool.

Note: Only OpenEdge 10.1A and later database clients can perform run-time permission checking. This feature is not backwards compatible.

For more information, see:

HTML online help: Data Administration


Copyright © 2005 Progress Software Corporation
www.progress.com
Voice: (781) 280-4000
Fax: (781) 280-4095