In OpenEdge, DDM support is role-based. Any user with access to the PROUTIL utility and the database can enable the database for DDM, so the ability to enable DDM is governed by who can run PROUTIL against the database rather than by a database role. Enabling a database for DDM adds a new built-in role, _sys.ddm.admin, for the DDM administrator.
Note:
  • A DDM administrator is a user that has been assigned the _sys.ddm.admin role.
  • An ABL security administrator is a user who has been granted security administrator privileges using the Data Administration tool and is typically referred to as a Database Administrator (DBA).
  • The user who creates the database is the default SQL DBA and therefore inherits DDM administration privileges when no DDM administrator exists. You can grant or revoke the SQL DBA privilege using OpenEdge SQL commands.

Enabling DDM has no effect on the existing features of the OpenEdge database, regardless of whether those features are accessed through ABL or SQL. DDM establishes the authority of a DDM administrator to securely manage the user-defined roles that DDM uses in the database.
A DDM administrator can:
  • Grant and revoke membership in user-defined DDM roles.
  • Manage (add, delete, or update) authorization tags for DDM that determine which user-defined role is authorized to see the unmasked version of column data.
  • Assign or remove authorization tags and masking rules for designated columns in the database.
  • Activate and deactivate DDM.

However, if there is no DDM administrator, either the ABL security administrator or the SQL DBA acts as a DDM administrator. The ABL security administrator and the SQL DBA are granted this permission for two reasons: convenience during initial configuration, and protection against losing all DDM administrators.

The ABL security administrator or the SQL DBA has the authority to establish the first DDM administrator, after which they may delegate to that member the authority (grant rights) to add new members or update existing DDM administrators. A DDM administrator can grant the role to another user only if their own membership carries grant rights. Furthermore, a DDM administrator cannot change the grant rights of their own membership; only another DDM administrator may do that.

Any DDM administrator may remove other members from the _sys.ddm.admin role until only one DDM administrator remains; that last member cannot remove themselves.

If only one DDM administrator remains, that member of the _sys.ddm.admin role may be removed by the ABL security administrator.

The ABL security administrator therefore ensures that the organization is not locked out of DDM administration if the sole DDM administrator leaves.

The ABL security administrator, not the DDM administrator, has the authority to add user-defined roles for use with DDM.
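To make the membership and lockout rules above concrete, the following is an added example that models them as a small authorization policy and walks a scenario through it. It is not OpenEdge code and does not use the product's DDM API; the class name DdmRoleModel, its methods, and the user names secadmin, dba, alice, bob and carol are hypothetical. One detail is an assumption the page does not state: that a DDM administrator needs grant rights to change another member's grant rights.

```python
"""Hypothetical model of _sys.ddm.admin membership rules (added example, not OpenEdge code)."""
from dataclasses import dataclass, field

SYS_DDM_ADMIN_ROLE = "_sys.ddm.admin"


class DdmAuthorizationError(Exception):
    """Raised when an operation is not permitted under the membership rules."""


@dataclass
class DdmRoleModel:
    # Users holding ABL security administrator privileges (Data Administration tool).
    abl_security_admins: set
    # Users holding the SQL DBA privilege.
    sql_dbas: set
    # Current DDM administrators: user -> whether that membership carries grant rights.
    members: dict = field(default_factory=dict)

    def acts_as_ddm_admin(self, user):
        """DDM administrators act; if none exist, ABL security admins and SQL DBAs stand in."""
        if self.members:
            return user in self.members
        return user in self.abl_security_admins or user in self.sql_dbas

    def grant(self, actor, target, with_grant=False):
        """Add target to the role. Bootstrap by a security admin/DBA is allowed only while the role is empty."""
        if not self.members:
            if actor not in self.abl_security_admins and actor not in self.sql_dbas:
                raise DdmAuthorizationError(f"{actor} may not establish the first DDM administrator")
        elif not self.members.get(actor, False):
            # A DDM administrator can grant the role only if their own membership has grant rights.
            raise DdmAuthorizationError(f"{actor} lacks grant rights on {SYS_DDM_ADMIN_ROLE}")
        self.members[target] = with_grant

    def set_grant_right(self, actor, target, with_grant):
        """Change another member's grant rights. Assumption (not from the page): the actor needs grant rights."""
        if actor == target:
            raise DdmAuthorizationError("a DDM administrator cannot change their own grant rights")
        if not self.members.get(actor, False):
            raise DdmAuthorizationError(f"{actor} is not a DDM administrator with grant rights")
        if target not in self.members:
            raise DdmAuthorizationError(f"{target} is not a DDM administrator")
        self.members[target] = with_grant

    def revoke(self, actor, target):
        """Remove target from the role, protecting the last member from self-removal."""
        if target not in self.members:
            raise DdmAuthorizationError(f"{target} is not a DDM administrator")
        sole = len(self.members) == 1
        if actor in self.members:
            if sole:  # the only member is necessarily the actor
                raise DdmAuthorizationError("the sole DDM administrator cannot remove themselves")
            del self.members[target]
        elif sole and actor in self.abl_security_admins:
            # Only the ABL security administrator may remove the last DDM administrator.
            del self.members[target]
        else:
            raise DdmAuthorizationError(f"{actor} may not remove {target} from {SYS_DDM_ADMIN_ROLE}")


def _permitted(operation):
    """Run an operation and report whether the model allowed it."""
    try:
        operation()
        return True
    except DdmAuthorizationError:
        return False


def lockout_scenario():
    """Walk the role through bootstrap, delegation, attrition and recovery; return what was observed."""
    model = DdmRoleModel(abl_security_admins={"secadmin"}, sql_dbas={"dba"})  # constructed users
    seen = {}
    seen["secadmin_acts_when_empty"] = model.acts_as_ddm_admin("secadmin")  # True
    model.grant("secadmin", "alice", with_grant=True)  # first DDM administrator, with grant rights
    seen["secadmin_acts_after_bootstrap"] = model.acts_as_ddm_admin("secadmin")  # False
    model.grant("alice", "bob")  # bob joins without grant rights
    seen["bob_can_grant"] = _permitted(lambda: model.grant("bob", "carol"))  # False
    seen["bob_can_self_elevate"] = _permitted(lambda: model.set_grant_right("bob", "bob", True))  # False
    model.set_grant_right("alice", "bob", True)  # another administrator may change bob's grant rights
    model.revoke("bob", "alice")  # bob is now the sole administrator
    seen["sole_can_remove_self"] = _permitted(lambda: model.revoke("bob", "bob"))  # False
    seen["dba_can_remove_last"] = _permitted(lambda: model.revoke("dba", "bob"))  # False
    seen["secadmin_can_remove_last"] = _permitted(lambda: model.revoke("secadmin", "bob"))  # True
    seen["members_after"] = sorted(model.members)  # []
    return seen


if __name__ == "__main__":
    for key, value in lockout_scenario().items():
        print(f"{key}: {value}")
```

The scenario reproduces the page's sequence: the security administrator bootstraps the first member and immediately loses the stand-in authority, a member without grant rights can neither add others nor elevate themselves, the last remaining member cannot remove themselves, and only the ABL security administrator (not the SQL DBA) can clear that last seat, after which the stand-in authority returns.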