Using Groups with Procedure and Database Security

KMoody

Member
Progress: 10.2b SP7
OpenEdge Architect: 3.4.2.R342_v20090122-9I96EiWElHi8lheoJKJIvhM3JfVsYbRrgVIWL
OpenEdge OS: Windows 7 Professional 2009 SP1

I want to assign permissions based on which group(s) a user belongs to rather than using individual user names.
  • In my permissions table, could I use groups instead of names and run something like this before running a program?:
Code:
permission:
Activity  | Can-Run
-------------------------
custedit  | management,hr,it
ordedit  | management,hr,it
itemedit  | management,sales,it
reports  | management,inv,sales,it
 
USER-GROUPS
USER-GROUPS-ID| MEMBER-ID
-------------------------
management    | staceyc
management    | jsmith
hr            | hnobody
 
FUNCTION hasPermission RETURNS LOGICAL (INPUT procedureName AS CHARACTER):
  /* Look up the activity; no matching row means default deny. */
  FIND permission WHERE permission.Activity = procedureName NO-LOCK NO-ERROR.
  IF NOT AVAILABLE permission THEN DO:
    MESSAGE "You do NOT have permission!" VIEW-AS ALERT-BOX WARNING.
    RETURN FALSE.
  END.
  /* USERID("dictdb") is the id of the user connected to the database;
     walk every group that user belongs to. */
  FOR EACH USER-GROUPS WHERE USER-GROUPS.MEMBER-ID = USERID("dictdb") NO-LOCK:
    /* CAN-DO matches the group name against the comma-separated Can-Run list. */
    IF CAN-DO(permission.Can-Run, USER-GROUPS.USER-GROUPS-ID) THEN DO:
      MESSAGE "You have permission!" VIEW-AS ALERT-BOX INFORMATION.
      RETURN TRUE.
    END.
  END.
  MESSAGE "You do NOT have permission!" VIEW-AS ALERT-BOX WARNING.
  RETURN FALSE.
END FUNCTION.
  • In the Data Administration tool, how can I edit Data Security using groups instead of user names? If this isn't possible, then can I do this programmatically?
 
The database does not support the concept of groups in the built-in security (speaking of the _User table) in the ABL. Therefore you need to roll your own.

Since you are on 10.2B you are able to use the CLIENT-PRINCIPAL object to authenticate against the database, which is what I would recommend you to use instead of the _User table. We only have two accounts in the _User table (one for emergency DBA access and one for a technical user under which our server backend runs). All other users are authenticated against the security domain stored in the database, based on the trust relationship existing between the application and the database. The actual (strong or two-factor) authentication is performed by a third-party system. Based on the output of the third-party system the CLIENT-PRINCIPAL object is built.

Nevertheless you would need to maintain groups and - if necessary - users in your own dedicated application database tables.

In the end - from my point of view - the question is how you authenticate the users, and authorization (or access control) is what happens next.

This is just to give you an idea.

Heavy Regards, RealHeavyDude.
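The pattern RealHeavyDude describes above, as an added ABL example that is not code from this thread or from either poster: an external system has already authenticated the user, the application builds a CLIENT-PRINCIPAL for that user, seals it with the domain access code and hands it to the database, and authorization is then decided from application-owned group tables rather than the _User table. Assumptions made here: a connected database that already has a security domain named "app" whose access code is held in cDomainAccessCode, temp-tables standing in for the permission and USER-GROUPS tables from the first post, and constructed sample rows.

```abl
/* Added example, not code from the thread. Assumes a connected database
   with a security domain "app" whose access code equals cDomainAccessCode,
   and that a third-party system has already authenticated the user before
   loginUser is called. Temp-tables stand in for the application's own
   permission and group tables. */

DEFINE VARIABLE cDomainAccessCode AS CHARACTER NO-UNDO
  INITIAL "replace-with-the-domain-access-code".   /* assumed secret, keep out of source */
DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

DEFINE TEMP-TABLE ttUserGroup NO-UNDO
  FIELD GroupName AS CHARACTER
  FIELD UserName  AS CHARACTER
  INDEX ixUser UserName GroupName.

DEFINE TEMP-TABLE ttPermission NO-UNDO
  FIELD Activity AS CHARACTER
  FIELD CanRun   AS CHARACTER      /* comma-separated list of group names */
  INDEX ixActivity IS PRIMARY UNIQUE Activity.

/* Constructed sample data mirroring the tables in the first post. */
CREATE ttUserGroup. ASSIGN ttUserGroup.GroupName = "management" ttUserGroup.UserName = "staceyc".
CREATE ttUserGroup. ASSIGN ttUserGroup.GroupName = "management" ttUserGroup.UserName = "jsmith".
CREATE ttUserGroup. ASSIGN ttUserGroup.GroupName = "hr"         ttUserGroup.UserName = "hnobody".
CREATE ttPermission. ASSIGN ttPermission.Activity = "custedit" ttPermission.CanRun = "management,hr,it".
CREATE ttPermission. ASSIGN ttPermission.Activity = "itemedit" ttPermission.CanRun = "management,sales,it".

/* Authentication: the third-party system has vouched for pcUserId, so build
   a CLIENT-PRINCIPAL for it, seal it with the domain access code and hand it
   to the database. Sealing makes the identity read-only and tamper-evident. */
FUNCTION loginUser RETURNS LOGICAL (INPUT pcUserId AS CHARACTER):
  CREATE CLIENT-PRINCIPAL hCP.
  ASSIGN
    hCP:USER-ID                    = pcUserId
    hCP:DOMAIN-NAME                = "app"
    hCP:SESSION-ID                 = GUID(GENERATE-UUID)
    hCP:LOGIN-EXPIRATION-TIMESTAMP = ADD-INTERVAL(NOW, 8, "hours").
  IF NOT hCP:SEAL(cDomainAccessCode) THEN RETURN FALSE.
  /* Fails if the database has no domain "app" with this access code. */
  RETURN SET-DB-CLIENT(hCP).
END FUNCTION.

/* Authorization: default deny. Only a sealed identity that the database
   accepted is trusted, and access is granted through group membership,
   never by user name. */
FUNCTION hasPermission RETURNS LOGICAL (INPUT pcActivity AS CHARACTER):
  DEFINE VARIABLE hClient AS HANDLE NO-UNDO.
  hClient = GET-DB-CLIENT().
  IF NOT VALID-HANDLE(hClient) THEN RETURN FALSE.
  IF NOT hClient:VALIDATE-SEAL(cDomainAccessCode) THEN RETURN FALSE.
  FIND ttPermission WHERE ttPermission.Activity = pcActivity NO-ERROR.
  IF NOT AVAILABLE ttPermission THEN RETURN FALSE.
  FOR EACH ttUserGroup WHERE ttUserGroup.UserName = hClient:USER-ID:
    IF CAN-DO(ttPermission.CanRun, ttUserGroup.GroupName) THEN RETURN TRUE.
  END.
  RETURN FALSE.
END FUNCTION.

IF loginUser("staceyc") THEN
  MESSAGE "custedit:" hasPermission("custedit") SKIP
          "reports:"  hasPermission("reports")
    VIEW-AS ALERT-BOX INFORMATION.
ELSE
  MESSAGE "Login failed" VIEW-AS ALERT-BOX ERROR.
```

Two things to watch when adapting this. The domain access code is the whole trust relationship: anyone who holds it can seal a CLIENT-PRINCIPAL for any user id, so it belongs in protected configuration on the server, not in source. And CAN-DO treats "*" and "!" entries in the list as wildcard and exclusion patterns, so group names must be validated against those characters, and if more than one security domain is in play the group table should be keyed on user id plus DOMAIN-NAME, since the same user id can exist in several domains.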
 
Thanks, RHD.

I'm trying to create a new authentication domain for my database, but I can't choose a type (see screenshot). My database uses auditing, so what else am I missing?
 

Attachments: Capture.PNG (11.6 KB)
You need to create at least one Security Authentication System first. It is the menu item just above the one to create the Authentication Domain. For example you could give your Authentication Domain type the name of your authentication system - for example LDAP ...


Heavy Regards, RealHeavyDude.
 