Starting the data administration GUI to change the _Can-* fields whenever you have to modify data security is not feasible in an enterprise. Full Stop. Therefore you need to roll your own since Progress does not provide an API in the ABL -like GRANT and REVOKE in the SQL world. Especially when you have the entitlements delivered to you via file transfer from the entitlements system containing thousands of records. That does not mean that this is recommended by Progress in any way to do so - it's just a pure necessity because Progress fails to deliver an API in the ABL that one could use.
Having said that, I am in the process of migrating all our Progress applications to single sign on via a smartcard and utilizing the client principal. Still that does not lift the need to have the permission set on table level. One of the issues you might face with the Progress OpenEdge RDBMS is that its philosophy is contrary to the rest of the SQL competition. Therefore corporate security policies and auditors, most of the times even unaware of the fact that there are such databases in their scope, insist on having security designed at table level in the database. That's the way it has to work. Full stop.
If you fancy horror stories when it comes to auditors and regulators I am more than happy to dive into gory details with anyone - even at Progress.
Heavy Regards, RealHeavyDude.