
Database Security Enforced at Compile Time - Not at Runtime


Information

Title: Database Security Enforced at Compile Time - Not at Runtime
URL Name: 15817
Article Number: 000118110
Environment
Product: Progress
Version: 8.x, 9.x
Product: OpenEdge
Version: 10.x, 11.x, 12.x
OS: All supported platforms
Question/Problem Description
Errors running r-code after security change.
Security change opened access to tables for user.
Error Message
** Insufficient access privilege for table <table>. (234)
QUERY-OPEN for query <name> requires a previous QUERY-PREPARE. (7312)
Cannot run GET methods on query <name> until it is opened. (7313)
Insufficient permission to read buffer field <name>. (7364)
Error: Invalid access to change security for <file name> File. (499)
Error: Insufficient access privilege for table <name>. (978)
Cause

OpenEdge supports compile time security by default. With few exceptions, the security created using the Data Administration tool (Data Administration > Admin > Security) is ignored when running a compiled procedure (r-code).  The r-code does not contain any security information. If the code is run in uncompiled (p-code) form, it will check the data security that was created on the database and report an error message if security constraints are violated.

Database security constraints are checked at run time in the following cases:

  • For metaschema tables, security enforcement is done at runtime in some cases. Error 499 (Invalid access to change security for <file name> File) and/or error 978 (Insufficient access privilege for table <name>) may be raised when trying to access metaschema tables to which the user does not have permissions.
  • Dynamic buffers must be checked at run time, since they do not exist at compile time. If the user does not have sufficient privileges, some or all of the errors 234, 7312, 7313 and 7364 will be generated.
  • When the "Use Runtime Permissions Checking" database security option is selected in Data Administration > Database Options, the user permissions are checked both at compile time and at run time. "Use Runtime Permissions Checking" is available in OpenEdge 10.1A and later.
Resolution

To enforce permissions restrictions that have been applied to tables and fields in the Edit Data Security dialog, choose one of the following approaches:

  • Control security in the application at run-time.  This can be done by finding the _file or _field record associated with the table or field that is being modified, and checking whether the currently connected user is in the list or the permission string equals *. Alternatively, use the CAN-READ, CAN-WRITE, CAN-DELETE and CAN-CREATE functions with the buffer handle and the connected user ID.
  • Use dynamic queries and buffers to modify all tables and fields in the database.
  • Run uncompiled code (p-code), often called "compiling on the fly".  This requires a development license to be installed in the deployment environment. Any permissions errors will be visible to end users.
  • In OpenEdge 10.1A or later, use the "Use Runtime Permissions Checking" option.
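
One way to implement the first approach, as an added example rather than code from this article or from Progress: it finds the table's _File record and tests the connected user ID against the stored permission list with CAN-DO, which also matches a list of *. The logical database name appdb, the table name Customer and the function name userCanAccess are assumptions.

```abl
/* Added example (not Progress code).
   Assumptions: a connected database with logical name "appdb" and an
   application table named "Customer"; both names are hypothetical. */

FUNCTION userCanAccess RETURNS LOGICAL
    (INPUT pcTable  AS CHARACTER,
     INPUT pcAction AS CHARACTER):

    DEFINE VARIABLE cUser AS CHARACTER NO-UNDO.
    DEFINE VARIABLE cList AS CHARACTER NO-UNDO.
    DEFINE BUFFER bFile FOR appdb._File.

    /* User ID of the current connection to this database. */
    cUser = USERID("appdb").

    /* Schema record that holds the table's permission lists. */
    FIND FIRST bFile NO-LOCK
         WHERE bFile._File-Name = pcTable NO-ERROR.
    IF NOT AVAILABLE bFile THEN
        RETURN FALSE.   /* unknown table: deny by default */

    /* Pick the list that matches the requested operation. */
    CASE pcAction:
        WHEN "read"   THEN cList = bFile._Can-Read.
        WHEN "write"  THEN cList = bFile._Can-Write.
        WHEN "create" THEN cList = bFile._Can-Create.
        WHEN "delete" THEN cList = bFile._Can-Delete.
        OTHERWISE RETURN FALSE.   /* unknown action: deny */
    END CASE.

    /* TRUE when the user is in the list or the list is "*". */
    RETURN CAN-DO(cList, cUser).
END FUNCTION.

/* Gate the update in application code, because compiled r-code
   does not re-check the permissions set in Data Administration. */
IF NOT userCanAccess("Customer", "write") THEN DO:
    MESSAGE "Update denied for user" USERID("appdb")
        VIEW-AS ALERT-BOX WARNING.
    RETURN.
END.

/* ... the statements that modify Customer go here ... */
```

Because the check is a call in application code, every procedure that touches a restricted table has to make it; a code path that skips the call is not protected.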
Notes

References to Other Documentation:

OpenEdge Development: Programming Interfaces, Chapter 2: "Application Security"

Progress Articles:

 What does selecting the "Use Runtime Permissions Checking" database option mean?

Last Modified Date: 11/20/2020 7:36 AM