Hello all,
Is it possible to use the syntax user@domain in _can-* fields?
I've set up a sports2000 db and am not able to make it work, but I'm wondering if I'm doing anything wrong.
Gilles
Reply by Mike Fechner
I thought that was the whole point in the behavior change in the CAN-DO function.
My simple test (11.5 Linux):
* Create sports2000 DB
* Add a domain based on _oeusertable, and a record in _user table with this domain
* Set _can-read = "!,!MyUser@MyDomain,*" for table Benefits
* Turned on runtime security
* Connect the DB (either with -U -P or with set-db-client) with this account, and execute for each benefits: I'm able to read Benefits account.
* If I change _can-read to "!,!MyUser,*", then I'm not able to read the table...
Trying can-do(_File._Can-Read) also says 'yes' (with _file buffer pointing to the Benefits record). If I execute can-do(_File._can-read, hCP:qualified-user-id), then I get a 'no'. Documentation says that userid with a non multi-tenancy db returns a non-qualified userid. Could it be the problem? Or am I missing something?
Gilles
Are you compiling your code and running r-code when reconnecting to the database?
No, running directly from source, and also why I've turned runtime security on. Note that when I switch from "!,!MyUser@MyDomain,*" to "!,!MyUser,*", then the result is immediately available (access or no access to the records).
Actually, what you are seeing is the documented behavior. There is more information in the "Identity Management" book, under the “Non-multi-tenant vs. multi-tenant authorization” and “When a user's domain is available for access control” sections.
The behavior you see is for backwards compatibility.
You should define only the user name in the _Can-* fields, for a non-multi-tenant database. And there is no option for enabling full domain authorization in that case.
Thanks Fernando.
So the outcome is that there's no way to define authorizations using domains on a non-MT database? Or is there an option to turn off backward compatibility?
Reply by Tim Kuehn
I thought user@domain was the "new default", since Progress's added a -nocandodomain client parameter which turns off user@domain processing for can-do(). (See the 11.5 Startup Command and Reference docs)
On Tue, May 12, 2015 at 1:35 PM, Riverside Software <bounce-rssw@community.progress.com> wrote:
> Thanks Fernando.
> So the outcome is that there's no way to define authorizations using domains on a non-MT database? Or is there an option to turn off backward compatibility?
--
Tim Kuehn: Senior Consultant - TDK Consulting Services
President - Ontario PUG
Program Committee Chair - PUG Challenge Americas,
Course Instructor: Intro to OO Concepts for Procedural Programmers
Skype: timothy.kuehn
Ph: 519-576-8100
Cell: 519-781-0081
No, there is no option for turning off backwards compatibility on this.