Is there a way of connecting to shared OpenEdge RDBMS with read only access?

Question

Our new security policies require data access restriction for developers to the production database. Setting up -RO parameter does not work for several reasons (extracts from 'Startup command and Parameter reference' http://documentation.progress.com/output/OpenEdge102b/pdfs/dpspr/dpspr.pdf)

1) "If you use the -RO parameter when other users are updating the database, you might see invalid data, such as stale data or index entries pointing to records that have been deleted."

2) "A read-only session is essentially a single-user session. Read-only users do not share database resources (database buffers, lock table, index cursors)."

3) "When a read-only session starts, it does not check for the existence of a lock file for the database. Furthermore, a read-only user opens the database file, but not the log or before-image files. Therefore, read-only user activity does not appear in the log file."

We would like to be able to access data on the production database from OpenEdge Architect, but not being able to edit data. Is it possible?

Answer 1

In most security conscious companies developers are not allowed to access production. Period. Full stop.

One thing that you could do as a compromise... if the need is to occasionally query data you could give them access to a replicated database via OpenEdge Replication Plus. This is a read-only db connection without the drawbacks of -RO. It is real-time, up to date and access is separately controlled -- you could, for instance, put the replicated db on a different server that is on a different subnet.

Answer 2

The short answer is no, they can't access it directly and read-only.

If you have an appserver, you could write some code which would provide a level of dynamic RO data access via appserver or webservice calls.

The other question I'd have is - what are your developers doing accessing the production database? That should be a big no-no.