PAS for OpenEdge can support one or more Tomcat realm definitions. A realm is a collection of usernames and passwords, and it includes the roles associated with each of those users. A role controls the amount of access a given group of users has. All authorizations in PAS for OpenEdge are role-based. Access privileges cannot be granted on a user-by-user basis.

PAS for OpenEdge retains the roles defined in the default Tomcat MemoryRealm, but also adds a set of PAS for OpenEdge roles that map to the Tomcat roles and allows for consistency across the product. For example, ROLE_PSCadmin allows unrestricted administrator access, and it maps to admin-gui, admin-script, manager-gui, manager-script, and manager-status roles in Tomcat. These roles are described in Role-based user authentication.

Remote access can be handled by using remote access filters, which is described in Secure online deployment of a new ABL application and Remote access filters.