From ABL clients, SQL clients, or database utilities, you can authenticate a user ID found either in the OpenEdge RDBMS _User table, or in other user accounts supported by OpenEdge built-in or user-defined authentication systems, using the following features:

  • User ID (-U) and Password (-P) startup parameters — Authenticates the user ID specified on the ABL command line or in the ABL CONNECT statement to authentication systems that allow OpenEdge to perform the user authentication, including the OpenEdge _User table and local operating system accounts. SQL clients and database command-line utilities have similar mechanisms for authenticating a user ID and password. User-defined authentication systems that support ABL application-performed user authentication cannot authenticate users from the command line or CONNECT statement. However, user-defined authentication systems that support OpenEdge-performed authentication can authenticate users through the CONNECT statement, but not from the command line.
  • SETUSERID ABL function — Authenticates a specified user ID and password only to the OpenEdge database _User table. If authenticated, this function also sets the user identity for a database connection, with the user ID returned by the USERID function.
  • SET-DB-CLIENT ABL function — Authenticates a user identity stored in a client-principal object to authentication systems that allow OpenEdge to perform the user authentication, including the OpenEdge _User table, local operating system accounts, and any other user accounts managed by a user-defined authentication system that is enabled for user authentication. If authenticated, this function also sets the user identity for one or more database connections in a session, with the user ID returned by the USERID function. This function also supports the validation and setting of a previously authenticated database connection identity using single sign-on (see Assert a user ID validated using SSO).
  • SET-CLIENT( ) ABL method on the SECURITY-POLICY handle — Authenticates a user identity stored in a client-principal object to authentication systems that allow OpenEdge to perform the user authentication, including the OpenEdge _User table, local operating system accounts, and any other user accounts managed by a user-defined authentication system that is enabled for user authentication. If authenticated, this method also sets the user identity for the ABL session, and optionally as the identity for every available database connection in the session. This method also supports the validation and setting of a previously authenticated database connection or ABL session identity using single sign-on (see Assert a user ID validated using SSO.

In ABL, you can authorize an authenticated user ID for permissions specified by application resources and OpenEdge RDBMS tables and fields using the following ABL features:

  • Can-* permissions — Specify these permissions based on user ID pattern lists through OpenEdge Data Administration to authorize the connected user ID for table and field operations at ABL compile time and (optionally) at run time.
  • CAN-DO function — Use this function to authorize one or more user IDs against a list of permissions based on user ID pattern lists that specify whether a user can access certain procedures or features.

These two authorization mechanisms use exactly the same mechanism to evaluate user access permissions.

For more information on authentication and authorization in ABL, see Learn about Identity Management, and in the sections on application security in OpenEdge Programming Interfaces and Manage ABL Applications.

In OpenEdge SQL, users are automatically authenticated and authorized against user IDs and SQL privileges specified in the OpenEdge RDBMS. SQL privileges are automatically available to users once they have been granted by the SQL DBA or another SQL user who has the privilege to grant them using the SQL GRANT statement. Users can be blocked from privileges by another SQL user who has the privilege to revoke them using the SQL REVOKE statement.

Note: OpenEdge SQL also allows DBAs to create user definitions—in the database _User table—that are only visible to and used by the OpenEdge SQL, and are transparent to OpenEdge Advanced Business Language (ABL).

For more information on authentication and authorization in OpenEdge SQL, see Learn about Identity Management and Develop SQL for OpenEdge.