Startup Command and Parameter Reference

User ID (-U)

Save PDF

User ID (-U)

Save PDF

Last Updated: October 30, 2020
4 minute read

OpenEdge
Version 12.2
Documentation

Use User ID (-U) together with the Password (-P) connection parameter to specify the user ID and user account password when connecting to an OpenEdge RDBMS, either at ABL application startup or when executing the ABL CONNECT statement.


Operating system and syntax	UNIX / Windows	`-U` `userid`
Use with	Maximum value	Minimum value	Single-user default	Multi-user default
Client Connection	—	—	Blank (`""`) or OS process user ID¹	Blank (`""`) or OS process user ID¹

userid

The user ID of the user. For an OpenEdge database defining only the default blank ("") domain, you can use a non-qualified user ID (user account name only). For a database defining multiple security domains, you can use a fully qualified user ID that includes both the user account name and the name of the user's security domain separated by the domain delimiter (@). Thus, the specified userid can be formatted as shown in the following table, where user-name is a non-qualified user ID and domain-name is the name of the user's domain.


This format...	Writes the...
	Blank (`""`) user in the blank domain
`@`	Blank user in the blank domain
`@` `domain-name`	Blank user in the specified domain
`user-name`	Specified user in the blank domain
`user-name` `@`	Specified user in the blank domain
`user-name` `@` `domain-name`	Specified user in the specified domain

OpenEdge authenticates the user ID and password specified by the -U and -P parameters against the user account system defined by the authentication system configured for the user's security domain. OpenEdge identifies the authentication system to authenticate the user ID using the local database domain registry, regardless of any database options that you have set. If the user's domain is authentication-enabled and registered in the database domain registry, and a user account is found that matches the user ID and password, OpenEdge completes the database connection and sets it to the specified connection identity. Otherwise, the user is not allowed to connect to the database. If the database is multi-tenant, a successful connection also sets the user's tenancy (database tenant organization) as it is configured for the user's domain.

Note: To authenticate the user identity for a valid setting of this connection parameter, the code page of the authenticating user account system must match the setting of the startup parameter.

For backward compatibility, if you do not specify -U and -P for a database connection, OpenEdge connects the database using a default connection identity. OpenEdge resolves one of two possible user IDs as the default connection identity: the blank user ID or the operating system process user ID, depending on the conditions listed in the following table.


Does the database define at least one authentication-enabled domain?⁵	Are the -U and -P connection parameters specified?	Resulting user identity
NO	YES	Error: `-U` and `-P` not allowed unless enabled domains exist that support user authentication performed by OpenEdge.
NO	NO	Default connection identity: The operating system process user ID.², ³
YES	NO	Default connection identity: The blank (`""`) user ID.², ⁴
YES	YES	If the `-Uuserid` and `-Ppassword` match a user account that exists for the user's authentication system, use that identity.Otherwise, OpenEdge raises an error and access is denied.

For more information on database connection identity, see the sections on connecting to a database in Learn about Identity Management.

The -U and -P parameters support a common user authentication model for connecting to a database from:

The command line used to start an ABL application
Within a running ABL application using the CONNECT statement
The command line used to start a database utility, such as PROUTIL (using the -userid and -password parameters)
The command line or other configuration used to start an OpenEdge SQL (JDBC or ODBC) application

The authentication model for these connections is supported by a common security domain configuration within the OpenEdge database that you define using OpenEdge Database Administration. The requirement for all users connecting to a database, whether from an ABL application, an SQL application, or a database utility, is that their domain must be authentication-enabled (supports OpenEdge-performed user authentication). A domain enabled only for single sign-on (SSO) or for application-defined user authentication cannot authenticate a user who is connecting to a database from an ABL application, SQL application, or database utility.

In addition, if a domain is configured with an ABL authentication plugin, users cannot authenticate in this domain from an SQL application or from the startup command line of an ABL application. To connect a database with a user identity that authenticates using an ABL plugin, you must use the ABL CONNECT statement within the ABL session, or connect the database from the command line using a different identity, then use the ABL SET-DB-CLIENT function or SET-CLIENT( ) method on the SECURITY-POLICY system handle to authenticate and set the connection identity using the ABL plugin.

For more information about the CONNECT statement, see the statement entry in ABL Reference. Note that, except for use of an ABL plugin or when otherwise noted, the features described for connecting a database using the CONNECT statement also apply to connecting a database on the startup command line for an ABL application.

For more information about using security domains and authentication systems in OpenEdge, see Learn about Identity Management. For more information on using ABL authentication plugins, see the topics on application security and authentication in OpenEdge Programming Interfaces.

For more information about the features for authenticating the user of an OpenEdge SQL application connection to an OpenEdge database, see the topics on using JDBC and ODBC clients in Develop SQL for OpenEdge.

For more information about how to specify a user ID and password when connecting from a database utility, see the reference entry for the utility in Manage the OpenEdge Database.

Note: With certain DataServers, the -U and -P parameters also pass DataServer login information to the foreign (non-OpenEdge) database. For more information, see your DataServer documentation.

¹ For more information on the setting of the default user ID, see the default connection identity settings.

² Any client-principal object that you return for a database connection using the ABL GET-DB-CLIENT function, and that represents a default connection identity, cannot be used to set the identity for any other database connection or ABL session. A client-principal can only be used to set the identity for additional OpenEdge resources if it represents an authenticated user identity. For more information, see the CONNECT statement entry in ABL Reference.

³ OpenEdge sets the domain name for any default operating system user ID to "windowsid" or "unixid", depending on the operating system where the database is connected.

⁴ The default blank user identity creates ambiguity in database authorization (table and field permissions) with any authenticated blank user account defined and enabled in the _User table accounts.

⁵ A domain is authentication-enabled if: 1) it is configured with an authentication system that is enabled for OpenEdge-performed user authentication, 2) this authentication system has access to a source of valid user accounts, and 3) the domain is enabled for use in the database.