DBPOLICYUTIL utility
- Last Updated: January 16, 2025
- OpenEdge
- Version 12.2
Defines the security policy for a database or a database tenant. You need system administrator privileges to execute this command.
Syntax
|
Parameters
- operation
  - set—Sets the policy options that you specify. The format is policy-name=policy-value. Every policy must have at least one policy name and a corresponding value. Separate each policy name and value pair with a space.
  - query—Provides the status of a policy option. Specify each policy and separate the policies with a space. Policy type can be included here as type=policy type. Optionally, you can provide policy-options. If you do not provide any policy options, then the status of all options is displayed.
  - help—Lists the various command-line options and the syntax to perform the set and query operations for the policies. Separate each policy name with a space. Policy can include type=policytype, which applies your selection to all the policies of the given policy type. You can also include policy-options for the optional help operation. If you do not provide any policy-options, help for all options is displayed.
- policy-options
- The policy-specific options.
- db-options
- The connection parameters for the database.
- username
- The username of the administrator.
- password
- The password of the administrator.
Database Security Policies
DBPOLICYUTIL enables you to maintain security policies for a database. Only a user with administrator privileges can run this utility to configure the database security policies.
A policy type or prefix is the OpenEdge component for which a specific policy is targeted. The types could be one of the following:
- The Advance Virtual Machine (AVM)—the runtime engine in which OpenEdge language instructions are executed.
- The SQL engine (SQL)—the runtime engine in which SQL language instructions are executed.
- The “Rocket” database engine (DB)—the runtime engine in which core OpenEdge database instructions are executed.
DBPOLICYUTIL is used to assign the following security policies to any database:
- noblankuser (Disallow Blank UserID)—Blocks database connections with blank user IDs. If set to true, a user must have a non-blank user ID in order to connect to the database.
  Policy Type: avm, sql
  Value: yes | no
- enforceauditinsert (Enforce Audit Insert Privilege)—Requires application users to use Application Auditing, set Auditing Context, and have the Application Audit Event Inserter privilege granted to them.
  Policy Type: avm
  Value: yes | no
- recordsessions (Record Authenticated Client Sessions)—Controls whether to place an authenticated client session record in the _client-session table of the database, to provide additional authentication information about the client login session. When used in conjunction with the identity auditing, the session identity described in the client session record is linked by user login session ID to the database connection identity of the auditing context.
  Policy Type: avm
  Value: yes | no
- safeuseridpolicy (Safe User ID)—Enables a PAS for OpenEdge session agent to restore a specified user ID connected to a multi-tenant database before or after running each server request.
  Policy Type: avm
  Value: DISABLED | preact | postact | predeact | postdeact
- Trust Application Domain Registry—Overrides the private domain registry settings used for authenticating database connections and allows them from an application-level domain registry instead.
  Policy Type: avm
  Value: yes | no
- enforceauditinsert (Use Application User ID for Auditing)—Overrides the database connection's user ID for recording the audit user ID and uses the application-level user ID (if set) for auditing.
  Policy Type: avm
  Value: yes | no
- usefquserid (Use Fully Qualified User IDs)—Causes all user IDs to be qualified by a domain name, where the user ID consists of a user name followed by its corresponding domain name delimited by the (@) character.
  Policy Type: avm
  Value: yes | no
- runtimepermissions (User Runtime Permissions Checking)—Grants CAN-READ/WRITE/CREATE/DELETE permissions to runtime access of files and grants CAN-READ/WRITE permissions to runtime access to fields in files, which are otherwise checked only at compile time.
  Policy Type: avm
  Value: yes | no
noblankuser supports two policy types, sql and avm, so it is important to specify the type as a prefix before performing any operation.
- set—dbpolicyutil set avm.noblankuser=true -db database -U username -P password
- query—dbpolicyutil query avm.noblankuser -db database -U username -P password
- help—dbpolicyutil help sql.noblankuser -db database -U username -P password
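
When a hardening baseline is scripted across many databases, a pre-flight check can catch a missing type prefix, a policy applied to the wrong engine, or an undocumented value before DBPOLICYUTIL is run. The following is an added example, not Progress code: the function names are hypothetical, and the tables are transcribed from the policy list above, leaving out the Trust Application Domain Registry entry because the page gives no policy name for it. It assumes boolean policies accept yes/no as in the Value lines and true as in the set example; false is assumed by symmetry.

```shell
# Added example (not vendor code): check type.policy=value pairs against this page's list.

# allowed_types POLICY: print the policy types listed for POLICY, fail if unknown.
allowed_types() {
    case "$1" in
        noblankuser) echo "avm sql" ;;
        enforceauditinsert|recordsessions|safeuseridpolicy|usefquserid|runtimepermissions) echo "avm" ;;
        *) return 1 ;;
    esac
}

# allowed_values POLICY: print the values accepted for POLICY.
allowed_values() {
    case "$1" in
        safeuseridpolicy) echo "DISABLED preact postact predeact postdeact" ;;
        *) echo "yes no true false" ;;  # "false" is an assumption (see lead-in)
    esac
}

reject() { echo "rejected '$1': $2" >&2; }  # report the reason on stderr

# policy_args ENTRY...: print the validated pairs on one line, or return 2.
policy_args() {
    out=""
    for entry in "$@"; do
        case "$entry" in
            *[[:space:]]*|*=*=*) reject "$entry" "malformed pair"; return 2 ;;
            *.*=*) ;;
            *) reject "$entry" "expected type.policy=value"; return 2 ;;
        esac
        ptype=${entry%%.*}; rest=${entry#*.}
        policy=${rest%%=*}; value=${rest#*=}
        types=$(allowed_types "$policy") || { reject "$entry" "unknown policy"; return 2; }
        case " $types " in
            *" $ptype "*) ;;
            *) reject "$entry" "type '$ptype' not valid for $policy"; return 2 ;;
        esac
        case " $(allowed_values "$policy") " in
            *" $value "*) ;;
            *) reject "$entry" "value '$value' not allowed"; return 2 ;;
        esac
        out="${out:+$out }$entry"
    done
    echo "$out"
}

# Constructed baseline; the resulting command is printed, not executed.
args=$(policy_args avm.noblankuser=yes sql.noblankuser=yes avm.usefquserid=yes) &&
    echo "dbpolicyutil set $args -db database -U username -P password"
```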