User ID patterns as ACLs and ABL permissions checking
- Last Updated: January 16, 2024
- OpenEdge
- Version 12.8
- Documentation
ABL permissions for table and field access test a given user ID against a permission string, which is a comma-delimited list of permission entries. Permission testing is performed in the ABL client at different times, all using the same permission checking algorithm:
- Compile-time permission checking is performed when an ABL source (.p/.i/.w/.cls) file is compiled into r-code.
  Note: Compile-time permission checking is no longer a recommended best-practice data security model when a database can execute pre-compiled modules from any source.
- R-code execution checks permissions to access:
  - Meta-schema and schema tables at run time
  - User data tables when run-time permission checking is enabled
  - User data tables accessed through dynamic buffers and queries
The matching rules for permission checking are simple, but powerful:
- The first match of the user ID against one of the pattern entries ends the check and returns the results to the caller.
- When no match between the user ID and any pattern entry exists, permission is always denied.
- If the pattern entry begins with an exclamation mark ("!"), permission is denied when a match between the user ID and pattern entry exists.
- If the matched pattern does not begin with an exclamation mark, permission is granted when a match between the user ID and the pattern entry exists.