Defines the security policy for a database or a database tenant. You need system administrator privileges to execute this command.

Syntax

dbpolicyutil operation policy-options db-options -U username -P password

Parameters

operation
  • set—Sets the policy options that you specify. The format is policy-name=policy-value. Every policy must have at least one policy name and a corresponding value. Separate each policy name and value pair with a space.
  • query—Provides the status of a policy option. Specify each policy and separate the policies with a space. Policy type can be included here as type=policy type. Optionally, you can provide policy-options. If you do not provide any policy options, then the status of all options is displayed.
  • help—Lists the various command-line options and the syntax to perform the set and query operations for the policies. Separate each policy name with a space. Policy can include type=policytype, which applies your selection to all the policies of the given policy type. You can optionally include policy-options with the help operation. If you do not provide any policy-options, help for all options is displayed.
policy-options
The policy-specific options.
db-options
The connection parameters for the database.
username
The username of the administrator.
password
The password of the administrator.

Database Security Policies

DBPOLICYUTIL enables you to maintain security policies for a database. Only a user with administrator privileges can run this utility to configure the database security policies.

A policy type or prefix is the OpenEdge component for which a specific policy is targeted. The types could be one of the following:

  • The Advance Virtual Machine (AVM)—the runtime engine in which OpenEdge language instructions are executed.
  • The SQL engine (SQL)—the runtime engine in which SQL language instructions are executed.
  • The “Rocket” database engine (DB)—the runtime engine in which core OpenEdge database instructions are executed.
One or many OpenEdge components may be influenced by a policy.

DBPOLICYUTIL is used to assign the following security policies to any database:

  • noblankuser (Disallow Blank UserID)—Blocks database connections with blank user IDs. If set to true, a user must have a non-blank user ID in order to connect to the database.

    Policy Type: avm, sql

    Value: yes | no

  • enforceauditinsert (Enforce Audit Insert Privilege)—Requires application users to use Application Auditing, set Auditing Context, and have the Application Audit Event Inserter privilege granted to them.

    Policy Type: avm

    Value: yes | no

  • recordsessions (Record Authenticated Client Sessions)—Controls whether to place an authenticated client session record in the _client-session table of the database, to provide additional authentication information about the client login session. When used in conjunction with the identity auditing, the session identity described in the client session record is linked by user login session ID to the database connection identity of the auditing context.

    Policy Type: avm

    Value: yes | no

  • safeuseridpolicy (Safe User ID)—Enables a PAS for OpenEdge session agent to restore a specified user ID connected to a multi-tenant database before or after running each server request.

    Policy Type: avm

    Value: DISABLED | preact | postact | predeact | postdeact

  • Trust Application Domain Registry—Overrides the private domain registry settings used for authenticating database connections and allows them from an application-level domain registry instead.

    Policy Type: avm

    Value: yes | no

  • enforceauditinsert (Use Application User ID for Auditing)—Overrides the database connection's user ID for recording, audit user ID, and uses the application-level user ID (if set) for auditing.

    Policy Type: avm

    Value: yes | no

  • usefquserid (Use Fully Qualified User IDs)—Causes all user IDs to be qualified by a domain name, where the user ID consists of a user name followed by its corresponding domain name delimited by the (@) character.

    Policy Type: avm

    Value: yes | no

  • runtimepermissions (User Runtime Permissions Checking)—Grants CAN-READ/WRITE/CREATE/DELETE permissions to runtime access of files and grants CAN-READ/WRITE permissions to runtime access to fields in files, which otherwise gets checked only at compile time.

    Policy Type: avm

    Value: yes | no

Note: Since noblankuser supports two policy types—sql and avm—it is important to specify the type as prefix before performing any operation.
For example:
  • set: dbpolicyutil set avm.noblankuser=true -db database -U username -P password
  • query: dbpolicyutil query avm.noblankuser -db database -U username -P password
  • help: dbpolicyutil help sql.noblankuser -db database -U username -P password
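The following script is an added example and not part of the OpenEdge documentation: it validates each policy name and value against the table above (rejecting noblankuser without its avm. or sql. prefix, as the note requires) before issuing one dbpolicyutil set command as a hardening baseline. The environment variables DBPOLICYUTIL, DB, ADMIN_USER, ADMIN_PASS and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the OpenEdge documentation: validate dbpolicyutil
# policy settings against the names and values listed above, then apply them
# as one hardening baseline. Assumed environment variables: DBPOLICYUTIL
# (path to the utility), DB, ADMIN_USER, ADMIN_PASS. DRY_RUN=1 prints the
# command with the password masked instead of running it.

# Check one name=value pair against the documented policies. noblankuser
# without its avm. or sql. prefix is rejected, since the utility cannot tell
# which engine's policy is meant.
validate_policy() {
    name=${1%%=*}
    value=${1#*=}
    case "$name" in
        avm.noblankuser|sql.noblankuser|avm.enforceauditinsert|avm.recordsessions|avm.usefquserid|avm.runtimepermissions)
            # The value table says yes|no; the page's own example passes true.
            case "$value" in yes|no|true|false) return 0 ;; esac ;;
        avm.safeuseridpolicy)
            case "$value" in
                DISABLED|preact|postact|predeact|postdeact) return 0 ;;
            esac ;;
        noblankuser)
            echo "noblankuser needs a type prefix: avm. or sql." >&2
            return 1 ;;
    esac
    echo "rejected policy setting: $1" >&2
    return 1
}

# Validate every pair, then run (or print) a single dbpolicyutil set command.
apply_policies() {
    for p in "$@"; do
        validate_policy "$p" || return 1
    done
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$DBPOLICYUTIL set $* -db $DB -U $ADMIN_USER -P ********"
    else
        "$DBPOLICYUTIL" set "$@" -db "$DB" -U "$ADMIN_USER" -P "$ADMIN_PASS"
    fi
}

# Baseline: no blank user IDs on either engine, fully qualified user IDs,
# and a _client-session record for every authenticated login.
apply_baseline() {
    apply_policies avm.noblankuser=yes sql.noblankuser=yes \
        avm.usefquserid=yes avm.recordsessions=yes
}

if [ "${1:-}" = apply ]; then apply_baseline; fi
```

Run with DRY_RUN=1 first to review the exact command, then without it (passing apply) to change the live policy; the query operation above confirms the result afterwards.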