OpenEdge can authorize user access to tables and fields of a given OpenEdge RDBMS according to permissions settings available through the OpenEdge Data Administration or character-mode Data Dictionary tools. These settings can authorize specific users to read, write, create, delete, dump, and load table records, or to read and write individual table fields. These settings can apply at both compile time and run time, or at compile-time only, at your option. For more information on configuring these settings and using them for compile-time authorization, see the sections on security in Manage ABL Applications.

Note: Permissions settings for the _Sequence metaschema table apply both during compile-time, and during run-time.

When you choose to make these settings apply at run time (using Data Administration), OpenEdge automatically enforces the configured permissions during procedure execution for the current connection ID of a given connected database. Any attempt by the application to affect tables and fields contrary to the authorized settings returns an error to the application.

To avoid returning these data access errors within a procedure, you can test a given dynamic record buffer or field to determine if a specific permission is granted to the current connection ID for the database table associated with the specified dynamic record buffer or field.

To test the run-time permissions of a database record buffer or field, return the logical value of the appropriate CAN-* attribute on the corresponding buffer object handle or buffer-field object handle. If the permission is allowed to the user running with the current database connection ID, the attribute returns TRUE.

Note: These attributes do not apply to buffers associated with individual temp-tables.

The following table lists the CAN-* attributes that you can use to test these data permissions.

Table 1. CAN-* attributes for testing run-time data access permissions
This attribute... Indicates if the user can...
CAN-CREATE Create records in the database table associated with the given buffer object
CAN-DELETE Delete records in the database table associated with the given buffer object
CAN-READ Read records or fields in the database table associated with the given buffer object or buffer-field object
CAN-WRITE Write records or fields in the database table associated with the given buffer object or buffer-field object

For example, to test a dynamic record buffer for permission to read records from the associated table before you attempt to query the table, you might use a code fragment like the following:

DEFINE VARIABLE bh AS HANDLE NO-UNDO.
DEFINE VARIABLE qh AS HANDLE NO-UNDO.

CREATE BUFFER bh FOR TABLE "customer".

IF bh:CAN-READ THEN DO:
  CREATE QUERY qh.
  qh:SET-BUFFERS(bh).
  qh:QUERY-PREPARE("FOR EACH Customer").
  qh:QUERY-OPEN.
  qh:GET-FIRST.
  DISPLAY bh:NAME.
END.