You can establish a database connection identity for one or more database connections in a number of ways (see Authenticating and setting user identity). Because a database connected from the command-line can be connected with a default user identity, which can provide open access to the database. Therefore, Progress Software corporation recommends that you authenticate and set the identity for all database connections entirely under ABL control using a client-principal object.

You can connect and authenticate the connection identity for all databases using the CONNECT statement, for which OpenEdge creates and seals a client-principal for each connection identity that you can return for other uses. However, to take full advantage of all client-principal settings, and certainly to allow your application to perform its own user authentication, you can also authenticate and set the identity for any database after it is connected using a client-principal that you create yourself.

For OpenEdge-performed user authentication and SSO for database connections, ABL supports the SET-DB-CLIENT function and, additionally, the SECURITY-POLICY:SET-CLIENT( ) method. To seal a client-principal after application-performed user authentication, ABL supports the SEAL( ) method, after which you can use SET-DB-CLIENT or SET-CLIENT( ) in SSO operations to set the authenticated identity for one or more database connections.

The following sections describe some of the mechanisms that OpenEdge supports for using these ABL elements to authenticate and set database connection identity.