
How to use the CAN-DO function to implement runtime application security

Title: How to use the CAN-DO function to implement runtime application security
URL Name: P27190
Article Number: 000128631
Environment: Progress 9.x
OpenEdge 10.x, 11.x
All Supported Operating Systems
Question/Problem Description
How to use the CAN-DO function to implement runtime application security
What is runtime application security?
Resolution
Runtime application security is the process of checking whether the user requesting to run a piece of code has permission to do so. If the user is not authorized, the request is denied.

To establish runtime application security, the developer must set up a permissions table within the database.

The permissions table contains records that specify which users are authorized to run specific procedures. Each record in the permissions table must contain at least two fields: an Activity field and a Can-Run field. The Activity field contains the name of the procedure, and the Can-Run field contains a list of the user IDs of those who have permission to run the procedure.

Within the application, the developer uses the CAN-DO function to test whether the current user can run a specific procedure. For example, if the authorized users are stored in a table named "permission", the following code might be used:

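/* Scope the permission buffer to this block. */
DO FOR permission:
    /* Look up the permission record for this procedure (read-only). */
    FIND permission WHERE permission.Activity = "custedit" NO-LOCK.
    /* Deny unless the current user ID matches the Can-Run list. */
    IF NOT CAN-DO(permission.Can-Run, USERID) THEN DO:
        MESSAGE "You are not authorized to run this procedure".
        RETURN.
    END.
END.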
 
See the documentation reference below for a more detailed version of this example.
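
A fail-closed variant of the check above, as an added example that is not taken from the Progress article or documentation. The names canRunActivity and bPermission are hypothetical, and the permission table with its Activity and Can-Run fields is assumed to be as described above. It denies access explicitly when no single permission record exists for the activity, instead of relying on the error that FIND raises.

```abl
/* Added example, not Progress code. canRunActivity and bPermission are
   hypothetical names; the permission table (Activity, Can-Run) is assumed
   to exist as described in the article. */
FUNCTION canRunActivity RETURNS LOGICAL (INPUT pcActivity AS CHARACTER):
    /* Local buffer so the lookup does not disturb any permission
       record the caller may already have in scope. */
    DEFINE BUFFER bPermission FOR permission.

    /* A unique FIND with NO-ERROR leaves the buffer unavailable when
       no record matches, and also when more than one record matches. */
    FIND bPermission
         WHERE bPermission.Activity = pcActivity
         NO-LOCK NO-ERROR.

    /* Fail closed: a missing or duplicated permission record means
       the activity is not runnable by anyone. */
    IF NOT AVAILABLE bPermission THEN
        RETURN FALSE.

    /* CAN-DO reads Can-Run as a comma-separated ID list. The list may
       also hold wildcard (*) and exclusion (!) entries, so the stored
       values deserve the same review as the code itself. */
    RETURN CAN-DO(bPermission.Can-Run, USERID).
END FUNCTION.

/* At the top of the protected procedure ("custedit" in the article): */
IF NOT canRunActivity("custedit") THEN DO:
    MESSAGE "You are not authorized to run this procedure.".
    RETURN.
END.
```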

The security administrator must maintain the permissions table. It is the developer's responsibility to provide the tools to maintain the runtime permissions table.
Notes

The concept referred to as "runtime application security" in this article should not be confused with the "Use Runtime Permissions Settings" option in the Data Dictionary (character) or Data Administration tool (GUI). "Use Runtime Permissions Settings" applies database security at run time; that is, it causes the CAN-* permissions of the database tables and fields to be checked at run time as well as at compile time. See the article reference below for more details.

Reference to Other Documentation:

OpenEdge Development: ABL Reference, "ABL Syntax Reference > CAN-DO Function"

Progress Articles:

"What does selecting the "Use Runtime Permissions Checking" database option mean?"
 

Last Modified Date: 11/20/2020 7:30 AM