_progress._sec-role

This table defines the roles that are available to control authorized access to resources. The use of roles for authorization provides high scalability by minimizing the need to setup specific permissions against individual user accounts, with restrictions on specific user accounts being the exception case. The definition of a role in this table is mandatory and a role cannot be granted to a user or other role until it is created in this table. This table therefore provides a registry of the available roles and can be used to validate rules such as the inability for a user to have the same name as a role and the limitation that a user can never authenticate as a role name. The SQL standard states that a role cannot be defined with the same name as a user account and vice-versa. This constraint is generally useful and is enforced in all cases, thereby avoiding the need to record whether a granted role is for a user or for a role. The role name will be defined with a namespace to avoid conflicts. The role name will be case insensitive and will be limited to 32 characters. The role itself can be used as a permission and the fact the user is granted the role can drive authorized behavior. This concept will be used for internal system roles, e.g. a DBA or Audit Administrator. As far as possible however permissions for system roles will be explicit (defined in ACLs). System roles will follow a standard naming convention in that they will all start with an underscore and a code to determine which clients the system role is applicable to as follows; _SYS - Internal system role applicable to all clients _PVM - Internal PVM specific role. This role is only valid for 4GL clients _SQL - Internal SQL specific role. This role is only valid for SQL clients In addition, for application defined roles they cannot begin with an underscore but can follow a similar convention, namely: SYS - Application defined role applicable to all clients 4GL - Application defined role applicable to 4GL clients only SQL - Application defined role applicable to SQL clients only If there is no such prefix to the role name then it will be assumed to be an application role applicable to all clients. Note that the above rules are purely a convention and not currently enforced by the database, or the SQL/4GL clients. It is strongly recommended that the convention is followed however to support future migration in the event that behavior is added later that uses this convention. As mentioned above, the fact a user or role is granted membership of a role can be useful in itself for authorizing actions on resources, but to support a finer level of detailed permissions to be defined, roles can have explicit permissions granted or denied via the _sec-access-control-entry table used to define ACLs. Sample rolenames could include; _sys.audit.admin _sys.audit.archive _sys.audit.insert


Table details

Area Schema Area
Dumpname _sec-role
Label ?
Val.exp ?
Val.msg

Fields

Order Field Name x Label Datatype Format Initial Mand Description
8 _AuthVer X ? integer >>>>9 0 D: Version capability for authorization
5 _Custom-role-detail X Custom role detail character X(500) V: e sz 70 BY 8 sv MAX-CHARS 500
D: This is a free field to hold custom specific role details.
7 _Role-attr X ? character X(8) ? D: The Role attribute.
4 _Role-creator X Role creator character X(32) D: The name of the user or role that created / owns this role definition.
3 _Role-description X Role description character X(500) V: e sz 70 BY 8 sv MAX-CHARS 500
D: A free text description to describe the purpose and the use of the role
2 _Role-name X Role name character X(32) D: The actual name of the role. The role name will be defined with a namespace to avoid conflicts. It will be limited to 32 characters and will be case insensitive. The SQL standard states that a role cannot be defined with the same name as a user account and vice-versa. This constraint is generally useful and is enforced in all cases, thereby avoiding the need to record whether a granted role is for a user or for a role. System roles (e.g. DBA) will follow a standard naming convention in that they will all start with an underscore and a code to help determine which clients the system role is applicable to as follows; _SYS - System role applicable to all clients _PVM - PVM specific role. This role is only valid for 4GL clients _SQL - SQL specific role. This role is only valid for SQL clients This is purely a convention and no behavior is currently enforced that depends on it. For non-system roles, the same distinction between clients is also valid, so similar rules will be applied for role names that conform to the following convention; rolename begins with; SYS - applicable to all clients PVM - PVM specific role. This role is only valid for 4GL clients SQL - SQL specific role. This role is only valid for SQL clients If the rolename does not begin with any of the above, then the role will be applicable to all clients by default.
6 _Role-type X ? int64 >>>>>>>>>9 0 D: The type of role

Indexes

Index name Flags Fields Datatype
_Role-name P U _Role-name (+) character
    _AuthVer (+) integer
_Role-creator _Role-creator (+) character
    _AuthVer (+) integer
_Role-description _Role-description (+) character
    _AuthVer (+) integer
_Role-type U _Role-type (+) int64
    _Role-name (+) character
    _AuthVer (+) integer
+ = Ascending - = Descending P = Primary U = Unique I = Inactive W = Wordindex

generated 3-3-2025 10:55