Set up URL access controls
- Last Updated: January 16, 2024
- OpenEdge
- Version 12.8
The CLIENT-PRINCIPAL token that PAS for OpenEdge generates carries the Active Directory user account's granted roles in its roles attribute. The ABL web application's URL authorization processes use that roles attribute to grant or deny access to your deployment's APIs. When configured effectively, URL authorization can significantly reduce the volume of ABL application code and strengthen the application's overall security. Following best-practice designs, each ABL web application carries its own configuration of which CLIENT-PRINCIPAL roles are allowed to execute a specific HTTP method on a specific transport's URI.
Because of the implementation of its enterprise-strength security, Active Directory is a trusted source of a user’s role information. Enterprises define their own role names in their Active Directory services and individually control the granting and denying of the roles each user account has.
You can use two possible approaches for working with Active Directory role names:
- You can use the existing enterprise’s role names, and adapt your deployment’s security configuration to use those names.
- You can define your deployment’s built-in role names, and collaborate with the Active Directory administrator to use them; that is, to grant your deployment’s roles to the existing user accounts in Active Directory.
OpenEdge does not include tools for managing those roles, but the role information is stored in a .CSV file format that a variety of third-party tools support, and you can use any of them to tailor the information. Because most OpenEdge-based products have their own installation and tailoring tools, Progress recommends that you choose the one that best fits your deployment.
The default role names shipped in your deployment's ABL web application's .CSV file, WEB-INF/oeablSecurity.csv, are replaced by your enterprise's role names, as in this example:
| Active Directory role name | Default oeablSecurity.csv role name | Updated oeablSecurity.csv role name |
|---|---|---|
| enterprise-user | ROLE_PSCUser | ROLE_ENTERPRISE-USER |
| oe-admin | ROLE_PSCAdmin | ROLE_OE-ADMIN |
| role-oeuser | ROLE_PSCUser | ROLE_ROLE-OEUSER |
| PSCUser | ROLE_PSCUser | ROLE_PSCUSER |
| PSCAdmin | ROLE_PSCAdmin | ROLE_PSCADMIN |
Converting the role names in the updated oeablSecurity.csv file to all uppercase ensures that duplicate role names are avoided. That way, any authentication manager plug-in validates against the uppercase roles.
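As an added example that is not part of this page or of OpenEdge itself, the following Python script derives the updated role names from Active Directory role names the way the table above does (the ROLE_ prefix plus the AD name in upper case), flags AD names that would collide once upper-cased, and rewrites the role references in an oeablSecurity.csv-style file. The three-column row layout ("url-pattern","http-method","access-expression" with hasRole/hasAnyRole expressions), the treatment of `#` lines as comments, and the sample rows are assumptions, not taken from this page; compare them with a copy of your own WEB-INF/oeablSecurity.csv before using the script on a deployment.

```python
"""
Added example, not Progress or OpenEdge code.

Assumed (not stated on the page): each row of oeablSecurity.csv is
    "url-pattern","http-method","access-expression"
with role names quoted inside hasRole('...') / hasAnyRole('...'), and lines
starting with '#' are comments. Verify against your own file first.
"""
import csv
import io
import re

ROLE_PREFIX = "ROLE_"
# A single-quoted ROLE_ name inside an access expression, e.g. 'ROLE_PSCUser'.
_ROLE_REF = re.compile(r"'(ROLE_[^']*)'")


def updated_role_name(ad_role: str) -> str:
    """Map an Active Directory role name to the updated CSV role name:
    ROLE_ plus the AD name in upper case (the rule the page's table follows)."""
    return ROLE_PREFIX + ad_role.upper()


def collisions_after_uppercase(ad_roles) -> dict:
    """Return {updated-name: [AD names]} for every updated name that more than
    one AD role would map to. An empty dict means upper-casing is safe, which
    is the duplicate-role problem the page's uppercase convention guards against."""
    seen = {}
    for name in ad_roles:
        seen.setdefault(updated_role_name(name), []).append(name)
    return {upd: names for upd, names in seen.items() if len(names) > 1}


def rewrite_security_csv(csv_text: str, default_to_ad: dict) -> str:
    """Replace shipped default role names in the access-expression column.

    default_to_ad maps a default name (e.g. ROLE_PSCUser) to the AD role name
    that replaces it (e.g. enterprise-user). Names not in the mapping are left
    as they are; use referenced_roles() afterwards to confirm none remain.
    """
    replacement = {old: updated_role_name(ad) for old, ad in default_to_ad.items()}
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for line in csv_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            out.write(line + "\n")  # keep blank and comment lines verbatim
            continue
        row = next(csv.reader([line]))
        if len(row) != 3:
            raise ValueError(f"unexpected row layout: {line!r}")
        url, method, expr = row
        expr = _ROLE_REF.sub(
            lambda m: "'" + replacement.get(m.group(1), m.group(1)) + "'", expr)
        writer.writerow([url, method, expr])
    return out.getvalue()


def referenced_roles(csv_text: str) -> set:
    """All ROLE_ names referenced anywhere in the file text; after a rewrite
    this should contain only updated (upper-case) names."""
    return set(_ROLE_REF.findall(csv_text))


# Constructed sample in the assumed layout; not a real shipped file.
SAMPLE_CSV = """\
# constructed sample rows for the example
"/rest/**","*","hasAnyRole('ROLE_PSCUser','ROLE_PSCAdmin')"
"/web/admin/**","*","hasRole('ROLE_PSCAdmin')"
"/**","*","denyAll()"
"""

# Mapping chosen from the first two rows of the page's table.
DEFAULT_TO_AD = {"ROLE_PSCUser": "enterprise-user", "ROLE_PSCAdmin": "oe-admin"}

if __name__ == "__main__":
    # Two AD names differing only in case would collapse into one CSV role.
    print(collisions_after_uppercase(["PSCUser", "pscuser", "oe-admin"]))
    rewritten = rewrite_security_csv(SAMPLE_CSV, DEFAULT_TO_AD)
    print(rewritten)
    print("roles still referenced:", sorted(referenced_roles(rewritten)))
```

Run the collision check on the full list of AD role names you intend to grant before editing the file; a non-empty result means two AD roles would become indistinguishable to the authentication manager plug-in once upper-cased, so one of them needs a different name in Active Directory.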