Progress-Level Database Access
Unless properly controlled, it is possible under certain conditions to start a Progress session and then connect to an application database without starting the application itself. After connecting, there would be no effective controls over viewing private or confidential data or over modifying or deleting records. Since an application session is never initiated, any application-level controls such as menu security could be circumvented. To mitigate this exposure, user and password access controls can be implemented at the Progress level as well as the system level.
To set Progress security, access the Edit User List option on the Admin|Security menu of the Progress Data Dictionary. Use this function to load valid user ID, name, and password combinations into the user security (_user) table.
Note: Controls on user IDs and passwords that have been implemented for the application do not apply to user records in the Progress _user table.
You can use this table in combination with command-line security options when the database is started. There are several possibilities:
1 No Progress users are defined and the -U and -P options are not specified. This is the default. The Progress user ID is set to the operating system login or the network logon ID.
2 Progress users are defined but the -U and -P options are not specified. On all systems, this results in a blank Progress user ID. This can be used to establish basic system security for the majority of users. Any users with additional capabilities must specify a -U and -P at startup.
3 Progress users are defined and the -U and -P options are specified. The system verifies that the user ID and password combination is in the user security (_user) table. If not, an error displays and the session is not started.
Note: If no Progress users are defined, the -U and -P options cannot be specified.
By setting Progress user/password controls on the application database, restricting access to the database files, and monitoring the database log file for unusual access events, security exposures from inappropriate access to the application database can be substantially reduced.
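One way to do the log monitoring mentioned above, as an added example that is not part of the original guide: a Python script that pairs each login in the database log with the Progress user ID recorded for that session and reports sessions whose ID is blank or not on an expected list. The log line layout, the message wording, and the sample lines and user names are assumptions constructed for illustration; adapt the patterns to the log your Progress version writes.

```python
import re

# Assumed log layout: "[timestamp] ... <user number>: (<msg number>) <text>"
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\].*?\s(?P<usr>\d+): \(\d+\)\s+(?P<msg>.*)$")
LOGIN = re.compile(r"Login by (\S+) on (\S+?)\.?$")
USERID = re.compile(r"Userid is now (\S*?)\.?$")

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = """\
[2024/05/06@08:01:12.101-0400] P-4101 T-1 I ABL 7: (452) Login by jsmith on /dev/pts/3.
[2024/05/06@08:01:12.105-0400] P-4101 T-1 I ABL 7: (708) Userid is now appuser.
[2024/05/06@23:47:30.400-0400] P-5120 T-1 I ABL 9: (452) Login by dbadmin on /dev/pts/1.
[2024/05/06@23:47:30.402-0400] P-5120 T-1 I ABL 9: (708) Userid is now admin1.
[2024/05/07@02:13:55.010-0400] P-6033 T-1 I ABL 11: (452) Login by guest on /dev/pts/5.
[2024/05/07@02:14:40.900-0400] P-6033 T-1 I ABL 11: (453) Logout by guest on /dev/pts/5.
"""

def audit(log_text, expected_ids):
    """Return sorted (login time, OS login, reason) tuples for suspect sessions."""
    open_sessions, findings = {}, []

    def close(usr):
        s = open_sessions.pop(usr, None)
        if s is None:
            return
        if not s["userid"]:
            # Assumption: a session with no user ID line ran with a blank ID.
            findings.append((s["ts"], s["os_user"], "blank Progress user ID"))
        elif s["userid"] not in expected_ids:
            findings.append((s["ts"], s["os_user"], "unexpected user ID " + s["userid"]))

    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        usr, msg = m["usr"], m["msg"].strip()
        login, userid = LOGIN.match(msg), USERID.match(msg)
        if login:
            close(usr)  # user number reused without a logout line
            open_sessions[usr] = {"ts": m["ts"], "os_user": login[1], "userid": ""}
        elif userid and usr in open_sessions:
            open_sessions[usr]["userid"] = userid[1]
        elif msg.startswith("Logout by "):
            close(usr)
    for usr in list(open_sessions):  # sessions still connected at end of log
        close(usr)
    return sorted(findings)

if __name__ == "__main__":
    for ts, os_user, reason in audit(SAMPLE_LOG, {"appuser"}):
        print(ts, os_user, reason)
```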