Implementing authorization based on database roles

Hi,
I am trying to implement authorization in my sample JDeveloper application.
I have the list of users stored in LDAP, and my database table contains the roles for those users.
Now how can I get the roles from the database table and implement authorization based on the roles?
I am using JDev 11 and WebLogic 10.3.
Thanks

Hi,
Check out this post: http://forums.oracle.com/forums/thread.jspa?threadID=928304
Sireesha

Similar Messages

  • Implementing Authorization based on roles

    Hi,
    I have the list of users created in LDAP/OID and their roles in a database table.
    I wrote the following method in AppModuleImpl.java, which returns data from PL/SQL to ADF BC.
    // needs: java.sql.CallableStatement, java.sql.SQLException, oracle.jdbc.OracleTypes, oracle.jbo.JboException
    public String callgetUserRole(String usrRole) {
        String result = null;
        CallableStatement plsqlBlock = null;
        // get_roles is a PL/SQL function in the database; :1 receives its return value
        String statement = "BEGIN :1 := get_roles(:2); END;";
        plsqlBlock = getDBTransaction().createCallableStatement(statement, 0);
        try {
            plsqlBlock.registerOutParameter(1, OracleTypes.VARCHAR);
            plsqlBlock.setString(2, usrRole);
            plsqlBlock.execute();
            result = plsqlBlock.getString(1);
        } catch (SQLException e) {
            throw new JboException("get_roles call failed: " + e.getMessage());
        } finally {
            try { plsqlBlock.close(); } catch (SQLException ignore) { }
        }
        return result;
    }
    get_roles is the PL/SQL function created in the database.
    The above method returns the role of the user who is logged in.
    For example: if User1 logs in, it returns 'USER', which is the role of User1;
    if User2 logs in, it returns 'NON_USER'.
    I have a SAVE button in my sample application. This button should be disabled if the role is 'NON_USER' and enabled if the role is 'USER'.
    How can I achieve this?
    Thanks

    If you are going to use this information in the user interface a lot, it's probably better to use real security roles rather than trying to roll (forgive the pun) your own separate role lookup from the database. You can then directly check against that role with a simple expression on the button. Or, if you're on 11g, you can use ADF Security fully and check whether you have permission to carry out that function, again in expression language (loads about this stuff on the code corner: http://www.oracle.com/technology/products/jdev/tips/fnimphius/index.html).
    However, assuming you have what you have, you need to be careful about the separation of your layers. If the role information is held in a DB table, can you create an ADF BC view object directly on that and then write a service method to return all the info for that user into a Map in the session?
    If that's the case then you can use expression language on the button to enable or disable as required.
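An added example, not code from this thread or from any Oracle sample, of the approach the reply suggests (and of what the opening question on this page asks for): a service method on the ADF BC application module that loads the authenticated user's roles from a table into session scope once, so the button can be driven with EL, plus a server-side guard that the Save service method calls as well. The table APP_USER_ROLES(USERNAME, ROLE_NAME), the session key userRoles and the class name AppModuleImpl are assumptions for illustration.

```java
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import oracle.adf.share.ADFContext;
import oracle.jbo.JboException;
import oracle.jbo.server.ApplicationModuleImpl;

/*
 * Added example, not code from the thread. Loads the authenticated user's
 * roles from a database table into session scope, so the view layer can
 * enable/disable controls with EL, and offers a server-side guard that the
 * Save service method must call too.
 *
 * Assumed (hypothetical) table: APP_USER_ROLES (USERNAME VARCHAR2, ROLE_NAME VARCHAR2)
 * Assumed session-scope key:    "userRoles"
 */
public class AppModuleImpl extends ApplicationModuleImpl {

    public static final String SESSION_KEY = "userRoles";

    /** Call once after login (for example from a task flow initializer). */
    public void loadUserRoles() {
        // Identity comes from the container-authenticated principal, never from a
        // client-supplied parameter, so a caller cannot load someone else's roles.
        String user = ADFContext.getCurrent().getSecurityContext().getUserName();
        if (user == null || user.length() == 0) {
            throw new JboException("No authenticated user in context");
        }

        Map<String, Boolean> roles = new HashMap<String, Boolean>();
        // Bind variable rather than string concatenation: usernames are external input.
        String sql = "SELECT role_name FROM app_user_roles WHERE username = ?";
        PreparedStatement ps = getDBTransaction().createPreparedStatement(sql, 0);
        try {
            ps.setString(1, user);
            ResultSet rs = ps.executeQuery();
            try {
                while (rs.next()) {
                    // Upper-case keys so EL lookups such as userRoles['USER'] are reliable
                    roles.put(rs.getString(1).trim().toUpperCase(), Boolean.TRUE);
                }
            } finally {
                rs.close();
            }
        } catch (SQLException e) {
            throw new JboException("Role lookup failed: " + e.getMessage());
        } finally {
            try { ps.close(); } catch (SQLException ignore) { /* nothing to do */ }
        }

        // Publish a read-only view; page code must not be able to grant itself roles.
        ADFContext.getCurrent().getSessionScope()
                  .put(SESSION_KEY, Collections.unmodifiableMap(roles));
    }

    /** Server-side check for any service method the Save button invokes. */
    public void requireRole(String role) {
        Object cached = ADFContext.getCurrent().getSessionScope().get(SESSION_KEY);
        Map<?, ?> roles = (cached instanceof Map) ? (Map<?, ?>) cached : null;
        if (roles == null || !roles.containsKey(role)) {
            throw new JboException("Not authorized: role " + role + " required");
        }
    }

    /** Business method guarded on the server, not only in the UI. */
    public void saveChanges() {
        requireRole("USER");
        getDBTransaction().commit();
    }
}
```

On the page, the button then reads `disabled="#{empty sessionScope.userRoles['USER']}"`. Disabling the button is a UI courtesy only: a crafted request can still fire the action binding, which is why saveChanges() re-checks the role on the server before committing.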

  • When will APEX be capable of observing Database Roles?

    Hi All,
    When will APEX be capable of observing Database Roles and RLS?
    Joel Kallman, in his APEX blogspot article "Application Express and parsing SQL" (http://joelkallman.blogspot.com/), states that
    "the execution of SQL in an Application Express application still does not observe roles when parsing user SQL. This remains true for the recently released Application Express 4.0"
    Is there anyone with inside knowledge of APEX who can shed light on this?
    Amgine

    Hi All,
    Thank you for responding to this discussion.
    The initial point of my post was to indicate that applying fine-grained data security with APEX is problematic. In my organisation we have hundreds of databases, thousands of tables and a requirement to protect confidential data. The DBAs and developers over the years have developed a system of controlled data access based on database roles, Row Level Security with policies, and even cell-level security.
    We are looking at APEX as a means of replacing Oracle Forms and Reports. The method by which CRUD applications are made with the APEX methodology involves assigning schemas to a workspace. Doing this circumvents all of the above-mentioned security, because APEX developers then take on the effective role of schema owner.
    If an application is created using the schema assigned to a workspace, it requires the APEX application developer to develop a parallel authentication/authorization scheme to match the levels of control normally achieved by the database data security methods.
    e.g. I can easily create a form with select, insert and update capability based on a table that normally has restricted record access, or even select-only access, controlled by roles or RLS methods. If I do not explicitly create a complex authentication/authorization system to protect the data, I could easily, and accidentally, expose restricted or confidential data, and the unintended ability to modify it, to the end user.
    I have found by experiment that there is a partial solution to this problem:
    If schemas are not directly assigned to the workspace but instead a single parsing schema with minimal system privileges is created, and no other schema is assigned to the workspace, the privileges on individual schema objects can then be granted to the parsing schema. Applications can then be built which limit the CRUD operations that may be implemented.
    With my current APEX/Oracle DB there is still the problem that privileges (e.g. insert, update, select on table X) cannot be granted to the parsing schema via a role but need to be explicitly granted. This becomes a maintenance nightmare for the schema owner or DBA, normally avoided by use of roles and/or RLS.
    In answer to Andre: I am currently using APEX ver. 3.1.2.00.0 and Oracle 10.2.0.
    According to the APEX Builder notes:
    In Oracle Database Server versions before 10.2.0.3, these privileges must be granted directly to the schema. In Oracle Database Server versions 10.2.0.3 and later, these privileges may be granted to the schema directly or through a role in order for the SQL Workshop to be able to perform the operation using the selected schema.
    The reason you can't use roles is that you are always identified in the session as APEX_PUBLIC_USER, with privileges granted by proxy via the parsing schema, never as the logged-on user.
    Using the following query, logged on as SYS:
    select username, osuser, program
      from v$session
     where type = 'USER'
    gives these results:
    USERNAME          OSUSER   PROGRAM
    APEX_PUBLIC_USER  SYSTEM   Apache.exe
    Amgine

  • Custom plugin based on user role membership

    Hi all,
    I would like to develop a custom plugin that generates the account userid (on the process form) with a different syntax depending on role membership.
    By "syntax" I mean, for example, name.surname.random_number for employee users and surname.company.random_number for external users.
    I'll try to explain the scenario more in details:
    1. I create a user identity through a request
    2. After user identity has created successfully, I assign a role to the user. Since roles are associated with access policies, role assignment triggers provisioning on target system.
    3. The custom plugin that I would like to develop should be able to generate the proper userid according to role membership. For example, if I assigned the role "Project Manager" the custom plugin should generate the account userid in name.surname.random_number format; vice versa, if I assigned the role "External Reseller" the custom plugin should generate the account userid in surname.company.random_number format.
    Looking for custom plugin based on role membership in forum, I found a couple of threads about this subject:
    - Email notifications after role grant
    - Re: OIM 11g Role Membership Event Handlers.
    I tried to implement what is explained in those threads, but I would like to be sure about what I've done.
    Here is what I've done:
    1. created the plugin.xml file
    2. created the EventHandler.xml metadata file
    3. developed a Java class for testing purposes
    4. copied the custom plugin class to the OIM server, for example in $MIDDLEWARE_HOME/OIMPlugins/lib
    NOTE: during this operation I kept exactly the same directory structure as the custom Java package.
    For example, the custom plugin class is under the my.custom.plugin Java package and I copied the custom Java class under the $MIDDLEWARE_HOME/OIMPlugins/lib/my/custom/plugin folder
    5. created a zip file containing custom plugin class (always with its directory structure) and plugin.xml file
    6. copied the zip file to $OIM_HOME/server/plugins
    7. edited ant.properties file (under $OIM_HOME/server/plugin_utility) setting wls.home and oim.home variables
    8. built the wlfullclient.jar (only the first time)
    9. registered the custom plugin
    10. created the custom plugin dataset file
    11. imported it in OIM database using "weblogicImportMetadata" utility
    12. purged cache using "PurgeCache" utility
    NOTE: all the steps above were executed as the system user running the OIM process
    test java class
    package com.zeropiu.sky.custom.eventhandlers;

    import java.util.HashMap;
    import java.util.Set;
    import com.thortech.util.logging.Logger;
    import oracle.iam.platform.context.ContextManager;
    import oracle.iam.platform.kernel.spi.ConditionalEventHandler;
    import oracle.iam.platform.kernel.spi.PostProcessHandler;
    import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
    import oracle.iam.platform.kernel.vo.BulkEventResult;
    import oracle.iam.platform.kernel.vo.BulkOrchestration;
    import oracle.iam.platform.kernel.vo.EventResult;
    import oracle.iam.platform.kernel.vo.Orchestration;

    // Test handler: only logs which callbacks OIM invokes and what the context contains
    public class TestUserAnonimi implements PostProcessHandler, ConditionalEventHandler {
        private static final Logger logger = Logger.getLogger("com.zeropiu.sky.custom.eventhandlers");
        private static final String className = "TestUserAnonimi";

        @Override
        public void initialize(HashMap<String, String> arg0) {
            String methodName = "initialize";
            System.out.println("###### " + className + " - " + methodName);
        }

        @Override
        public boolean isApplicable(AbstractGenericOrchestration abstractGenericOrchestration) {
            String methodName = "isApplicable";
            System.out.println("###### " + className + " - " + methodName + " - STARTED");
            System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextType(): " + ContextManager.getContextType());
            System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextSubType(): " + ContextManager.getContextSubType());
            System.out.println("###### " + className + " - " + methodName + " - abstractGenericOrchestration.getOperation(): " + abstractGenericOrchestration.getOperation());
            System.out.println("###### " + className + " - " + methodName + " - Printing ContextManager parameters");
            HashMap allContextManagerPairs = ContextManager.getAllValuesFromCurrentContext();
            Set<String> allContextManagerParams = allContextManagerPairs.keySet();
            String[] parameters = allContextManagerParams.toArray(new String[allContextManagerParams.size()]);
            for (int i = 0; i < parameters.length; i++) {
                // look up each key individually and print the runtime type of its value
                Object value = ContextManager.getValue(parameters[i]);
                String type = (value == null) ? "null" : value.getClass().getName();
                System.out.println("###### " + className + " - " + methodName + " - Context parameter " + i + ": " + parameters[i] + " - Object type is: " + type);
            }
            System.out.println("###### " + className + " - " + methodName + " - ENDED");
            return true; // applies to every orchestration; narrow this once real logic is added
        }

        @Override
        public boolean cancel(long arg0, long arg1, AbstractGenericOrchestration arg2) {
            String methodName = "cancel";
            System.out.println("###### " + className + " - " + methodName);
            return false;
        }

        @Override
        public void compensate(long arg0, long arg1, AbstractGenericOrchestration arg2) {
            String methodName = "compensate";
            System.out.println("###### " + className + " - " + methodName);
        }

        @Override
        public EventResult execute(long arg0, long arg1, Orchestration orchestration) {
            String methodName = "EventResult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
        }

        @Override
        public BulkEventResult execute(long arg0, long arg1, BulkOrchestration arg2) {
            String methodName = "BulkEventResult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
        }
    }
    plugin.xml file
    <?xml version="1.0" encoding="UTF-8"?>
    <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
    <plugin pluginclass="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" version="1.0" name="TestUserAnonimi">
    </plugin>
    </plugins>
    </oimplugins>
    EventHandler.xml metadata file
    <?xml version='1.0' encoding='UTF-8'?>
    <eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
    <action-handler class="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" entity-type="RoleUser" operation="CREATE" name="TestUserAnonimi" stage="preprocess" order="1007" sync="FALSE" />
    </eventhandlers>
    When I assign a role to a user through the OIM web interface, I can see in the OIM log file all the System.out.println output from the initialize(), isApplicable() and BulkEventResult execute() methods. Is this correct? Can I implement my custom plugin logic now, or is my starting point wrong?
    ###### TestUserAnonimi - initialize
    ###### TestUserAnonimi - isApplicable - STARTED
    ###### TestUserAnonimi - isApplicable - ContextManager.getContextType(): ADMIN
    ###### TestUserAnonimi - isApplicable - ContextManager.getContextSubType():
    ###### TestUserAnonimi - isApplicable - abstractGenericOrchestration.getOperation(): CREATE
    ###### TestUserAnonimi - isApplicable - Printing ContextManager parameters
    ###### TestUserAnonimi - isApplicable - Context parameter 0: origuser - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 1: oimuser - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 2: RESOLVED_LOCALE - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 3: counter - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 4: TIME_ZONE - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 5: ipaddress - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - ENDED
    ##### TestUserAnonimi - BulkEventResult execute
    Thanks,
    Daniele
    Edited by: 886636 on Jan 24, 2012 2:53 AM

    Probably I didn't explain myself clearly... sorry for that!
    Anyway, you are right: the role of the user can change after the user is initially provisioned.
    I'll try to summarize, to be sure I have understood your answer and to explain my scenario in more detail:
    1. After user identity creation, I'll assign the role "Project Manager". Before role assignment the user has no role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
    2. After step 1, I need to assign another role to the user; the new role could be "External Reseller", for example. In this case the user already has a role. What I would like is: based on the role that I'm assigning (External Reseller), the pre-populate should compose the right userid. Obviously this second userid will be different from the first one, and this means a new account will be created for the user. At the moment I don't care about deprovisioning the first userid.
    Is this possible with a pre-populate adapter?
    Sorry again for my not very clear explanations.
    Daniele
    Edited by: 886636 on Jan 24, 2012 4:10 AM
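An added example, not code from this thread or from OIM itself, of the user-ID generation logic the question describes, written as a plain Java class that a pre-populate adapter (or the event handler) can call with the role name and the user's attributes as arguments. The role names, attribute names, dot separator and six-digit suffix are assumptions; how the role being granted reaches the adapter is outside this example.

```java
import java.security.SecureRandom;
import java.text.Normalizer;
import java.util.Locale;

/*
 * Added example, not code from the thread. Builds an account user ID whose
 * shape depends on the role being assigned:
 *   employee-type role  -> name.surname.random_number
 *   reseller-type role  -> surname.company.random_number
 * Role names, attribute names and suffix width are assumptions.
 */
public class RoleBasedUserIdGenerator {

    private static final SecureRandom RNG = new SecureRandom();

    /** Role names as assumed for this example (as they would appear in OIM). */
    public static final String ROLE_PROJECT_MANAGER = "Project Manager";
    public static final String ROLE_EXTERNAL_RESELLER = "External Reseller";

    /**
     * Entry point a pre-populate adapter's Java task can map to.
     * Unknown roles raise an error instead of silently receiving an
     * employee-style account.
     */
    public String generateUserId(String roleName, String firstName,
                                 String lastName, String company) {
        String suffix = randomSuffix(6);
        if (ROLE_PROJECT_MANAGER.equalsIgnoreCase(roleName)) {
            return join(slug(firstName), slug(lastName), suffix);
        }
        if (ROLE_EXTERNAL_RESELLER.equalsIgnoreCase(roleName)) {
            return join(slug(lastName), slug(company), suffix);
        }
        throw new IllegalArgumentException("No user ID format mapped for role: " + roleName);
    }

    /**
     * Reduce a free-text attribute to lowercase ASCII letters and digits.
     * Accents, spaces, quotes and separators are stripped so the ID is safe to
     * hand to target systems (LDAP DNs, SQL, shells) and cannot be made
     * ambiguous by crafted input such as "x.admin".
     */
    static String slug(String value) {
        if (value == null) {
            throw new IllegalArgumentException("attribute is null");
        }
        String ascii = Normalizer.normalize(value, Normalizer.Form.NFD)
                                 .replaceAll("[^\\p{ASCII}]", "");
        String clean = ascii.toLowerCase(Locale.ROOT).replaceAll("[^a-z0-9]", "");
        if (clean.length() == 0) {
            throw new IllegalArgumentException("attribute has no usable characters: " + value);
        }
        return clean;
    }

    /** Cryptographically random, zero-padded numeric suffix; IDs should not be guessable. */
    static String randomSuffix(int digits) {
        int bound = (int) Math.pow(10, digits);
        return String.format("%0" + digits + "d", RNG.nextInt(bound));
    }

    private static String join(String... parts) {
        StringBuilder sb = new StringBuilder();
        for (String p : parts) {
            if (sb.length() > 0) {
                sb.append('.');
            }
            sb.append(p);
        }
        return sb.toString();
    }

    // Stand-alone demonstration with constructed sample attributes
    public static void main(String[] args) {
        RoleBasedUserIdGenerator g = new RoleBasedUserIdGenerator();
        System.out.println(g.generateUserId("Project Manager", "José", "O'Brien", "Example Co"));   // jose.obrien.NNNNNN
        System.out.println(g.generateUserId("External Reseller", "Anna", "Rossi", "Example Co")); // rossi.exampleco.NNNNNN
    }
}
```

Because the suffix is random, the adapter should be prepared for a collision on the target system and retry with a fresh suffix rather than fail the provisioning task; that retry belongs in the caller, since only it can query the target.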

  • Transaction based security vs. Authorization based security

    Hi all, just a general question: does anyone know any pros and cons of implementing transaction-based security vs. authorization-object-based security?
    Thanks Mike

    Well, the transaction code goes into an authorization object as well, namely S_TCODE, so it always boils down to authorization objects. When properly configured, PFCG will propose all necessary authorization objects once you put a transaction in the role menu. On a new system, have a look at SU25 and its documentation to set up PFCG.
    In my opinion, putting the relevant transactions in the roles first and fine-tuning the authorization values afterwards is the right way to go. Tracing may help but is no substitute for testing.

  • Credit management Authorization Based on Value.

    Hi All,
    Can you help me find out whether we can implement credit management based on different levels of value or not? As I know, we can do authorization based on % like 100%, 110% etc.
    But I want to activate release authorization based on the amount, like:
    level 1: Rs 1 lakh (can release up to 1 lakh); when it goes above 1 lakh,
    level 2: Rs 2 lakh (can release up to 2 lakh)
    and so on. As I understand it, the standard roles provided are on a % basis only.

    hello, friend.
    yes, you can do this in a few ways...
    1.  try 'Document Class' - a document class is assigned a certain value, which is assigned to a user (the link to credit management is indirect)
    2.  the traditional way is to use 'Risk Category', and you can set specific values (e.g. maximum document values) when doing OVA8. 
    i seem to recall there may also be a way to assign values to risk category, but i will check on this.
    regards.

  • Federation, remote role assignment based on ABAP roles on producer

    Hi all,
    We have implemented the federated portal solution for our ESS users. We use the ABAP stack of the producer portal as user store for consumer and have no problems in assigning portal roles on our consumer based on ABAP roles in the backend (displayed as groups in the portal).
    Now we want to add some extra functionality (eg SRM and eRec) and we encounter some problems. These systems all have their own ABAP stack as user store. We have maintained the functional authorization model in the ABAP roles for instance in SRM. So an example:
    System I: ABAP + JAVA --> ECC 6.0
    Here we have the standard R/3 functionality and the producer portal (A) installed. Roles created on producer portal and assigned based on ABAP roles.
    System II: JAVA --> NW 7.0 Portal
    Our consumer portal (B) where we use roles created on the producer portal (A) on System I.
    System III: ABAP + JAVA --> SRM
    Our SRM system with SRM producer portal (C). In the ABAP stack of this system the functional SRM roles have been assigned to the users. We have created functional SRM portal roles in order to use remote role assignment on consumer portal (B).
    +PROBLEM+
    We want to remotely assign portal roles created on the SRM Producer (C) to users on the consumer portal (B), based on the ABAP role assignment in the backend of system III. How can we achieve this in a fast and efficient way?
    Looking forward to your ideas. Anything helpful will be gladly awarded with SDN points.
    Best regards,
    Jan Laros

    Jan,
    Interesting question. Let me share my experience and hope that's of some use to you.
    We started off federating corporate NetWeaver Portal (lets say B, parallel to your convention) as consumers to BI Portals (Lets say A).
    - B's UME points to Active Directory
    - A's UME points to BI ABAP user store
    - User ids are identical in both systems
    We ran into the problem of dual administration ((de)assigning a portal role on both portals instead of just one) for a long time. The issue had different causes at different times as we patched B and A. At one point we were on SP15 on both portals and we were told by SAP that RRA can be done on B for remote roles and the assignment propagates to A automatically if the following configuration is set up on both A and B:
    - A's permissions are relaxed, allowing the "Everyone" group to be checked for "End User" access as per http://help.sap.com/saphelp_nw04s/helpdata/en/43/2236fc0b413fe1e10000000a11466f/content.htm
    However, we chose not to do the permission relaxation, as enabling the "Everyone" group with "End User" access can allow anyone to launch an iView (if the URL is somehow known), and the user would be able to see the layout of the iView, which can include text, etc. The user won't be able to access any data, but there is a certain compromise on security which we decided was not okay. So we departed from SAP's suggested practice for security reasons.
    Today we manage security on B using Active Directory groups and on A using Java groups (ABAP roles).
    In your case, I suggest investigating the option of relaxing the security on the producer portal as in the above link. If you think it's okay, all you have to do is provision users on B by assigning remote roles from C and A.
    Either my story is applicable or I must have got you totally wrong,
    Kiran

  • How to check the authorization based on webdynpro application

    Hi Experts,
    I was asked to develop a webdynpro component with two webdynpro applications, one each for internal party and external party to be used.
    So how to restrict or check the authorization based on webdynpro application used?
    Do we have any authorization object like S_TCODE for webdynpro application in roles and authorizations?
    Please enlighten me.
    Regards,
    Ajay Matam

    You can assign an authorization object to the Web Dynpro Application within SICF -
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/61/d93822a88e15489a9391f309767366/frameset.htm
    Of course you could also programmatically check which Web Dynpro application is being used from within the component and then call a custom authority check. However, maintaining it in SICF is probably better for visibility and long-term maintenance costs.

  • Customize portal "Help" link based on user roles

    Is there a chance to customize the Help link URL in Masthead iView based on user roles? The use case we have is that the "Help" should be different for users of the purchasing company from those of the supplying company.
    Thanks.

    Hello Jay.
    This is a multi step process.
    Step 1 : Create 2 desktops with everything as same but different mastheads.
    - Copy your existing desktop and paste it in your working folder in PCD (Not select Delta link)
    - Now download masthead par file.
    - Modify your masthead par file so that the help link is disabled. Rename your masthead file (newMasthead.par) and export it from NWDS. Now import it into the portal.
    - Open your framework page in desktop 2. Just add your new masthead to it. Enable the new one and disable the existing one.
    Step 2: Create 2 groups of users (the first for users who should see the help link, i.e. the existing desktop; the second for those users who should not see the help link, i.e. the new desktop).
    - Assign users to appropriate groups.
    - Assign same roles to both groups.
    Step 3 : Modify main rule section in PCD.
    - If group = HelpLinkUsers Then Desktop1
    If group = NoHelpLinkUsers Then Desktop2.
    You may find the above process a bit tedious and lengthy.
    But if you wish to further customize your portal then this will be needed one day.
    If you find problems in implementing any step then please search in google or SDN.
    Please revert back on any specific question on above approach you may face while implementing.
    Thanks

  • Purchasing Group authorization based on the user

    Hi All,
    Can anyone suggest ideas on how to restrict access to the details of a PO for a purchasing group, based on the user who tries to access it?
    The object is M-BEST_EKG.
    I need guidance in using AUTHORITY_CHECK to restrict the PO group based on the user ID.
    Thanks in advance.
    Regards,
    Ry

    Hi,
    ACTIVITY controls what the user can do to the PO:
    01 - Create
    02 - Change
    03 - Display
    EKGRP controls the purchasing group.
    To restrict to a specific purchasing group, modify the authorization object in the user's role to allow the specific purchasing group only.
    Cheers !

  • Implement log based change data capture

    Hi,
    I am trying to get log-based change data capture to work. My ODI version is 11.1.1.5. I guess for log-based CDC there are 2 ways:
    1) use Streams
    2) use the LogMiner tool
    My database is Oracle 11g Express Edition. Streams, I know, is only possible in Enterprise Edition of Oracle. So can anyone tell me how to implement log-based CDC then, since the LogMiner tool is not the preferred option in 11g?

    Hi,
    Thanks for your reply...
    I received an error while creating the change table:
    ORA-29540: class oracle/CDC/PublishApi does not exist
    ORA-06512: at "SYS.DBMS_CDC_PUBLISH", line 298
    Can you please help me fix this?
    by,
    Nagaa

  • AAA Authorization Using Local Database

    Hi Guys,
    I'm planning to use AAA authorization with the local database. I have already read about it; I have configured the aaa new-model command and have already set up users. But I'm stuck at the part where I give certain users access to certain commands using the local database. Hope you can help with this.
    FYI: I know using ACS/TACACS+/RADIUS is much easier and more powerful, but my company will most likely only use the local database.

    For allowing limited read-only access, use this example.
    We need these commands on the switch:
    Switch(config)#do sh run | in priv
    username admin privilege 15 password 0 cisco123!
    username test privilege 0 password 0 cisco
    privilege exec level 0 show ip interface brief
    privilege exec level 0 show ip interface
    privilege exec level 0 show interface
    privilege exec level 0 show switch
    There is no need for the user to log in to enable mode. All privilege 0 commands are now available in user mode. See below:
    User Access Verification
    Username: test
    Password:
    Switch>show ?
    diagnostic Show command for diagnostic
    flash1: display information about flash1: file system
    flash: display information about flash: file system
    interfaces Interface status and configuration
    ip IP information
    switch show information about the stack ring
    Switch>show switch
    Switch/Stack Mac Address : 0015.f9c1.ca80
                                                  H/W      Current
    Switch#  Role    Mac Address     Priority  Version  State
    *1       Master  0015.f9c1.ca80  1         0        Ready
    Switch>show run
    ^
    % Invalid input detected at '^' marker.
    Switch>show aaa server
    ^
    % Invalid input detected at '^' marker.
    Switch>show inter
    Switch>show interfaces
    Vlan1 is up, line protocol is up
    Hardware is EtherSVI, address is 0015.f9c1.cac0 (bia 0015.f9c1.cac0)
    Internet address is 192.168.26.3/24
    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Switch>
    Please check this link:
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    Regards,
    ~JG

  • Implementing Authorization in Provider hosted Apps

    Hi
    I am developing an app for SharePoint Online using the Chrome control, and the app is hosted in the Amazon cloud (using Windows Server 2012 and SQL Server 2014).
    I want to implement authorization in this app based on the logged-in user in SharePoint Online.
    Can any body Help me on same? Thanks in advance
    Kaps

    Hi Kaps,
    Please check if the links below could help:
    OAuth authentication and authorization flow for cloud-hosted apps in SharePoint 2013
    http://msdn.microsoft.com/en-us/library/office/fp142382(v=office.15).aspx
    How to: Create apps for SharePoint that can be used by anonymous users
    http://msdn.microsoft.com/en-us/library/office/dn579415(v=office.15).aspx
    SharePoint Online Enterprises App Model Management Policies and Process
    http://technet.microsoft.com/en-us/library/dn198209.aspx
    Since this forum is specific to SharePoint on-premises, I'd recommend you also ask the question in our SharePoint Online forum for more resources and professional assistance. Thanks for your understanding.
    http://social.technet.microsoft.com/Forums/msonline/en-US/home?forum=onlineservicessharepoint
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Database roles and APEX

    Can database roles be used with APEX to control table and other object access between schemas?
    If so, please provide an example.
    If not, please explain why the product is limited in this way. One of the major shortcomings we see is the need to directly grant privileges to each schema, rather than having the power of roles to do this.

    Kannan,
    With DATABASE ACCOUNT credentials set, we were able to authenticate users for each page in accordance with their table privileges, as follows. Please join us in encouraging Oracle to build this logic into Application Express as one of the authentication options. We consider this a major shortcoming of an otherwise great product.
    For each page, create a PL/SQL anonymous block process "before header" to determine if the user has the necessary privileges. In this example, the user must have UPDATE privilege on one table and SELECT privilege on the other table used by the page.
    DECLARE
      CURSOR c_get_role IS
        SELECT DISTINCT drp.granted_role, dtp.privilege, dtp.table_name
          FROM dba_tab_privs dtp, dba_role_privs drp
         WHERE dtp.grantor = '<database name>'
           AND dtp.grantee = drp.granted_role
           AND drp.grantee = v('APP_USER')
           AND dtp.table_name IN ('<updateable table name>', '<readable table name>')
           AND dtp.privilege IN ('UPDATE', 'SELECT');
    BEGIN
      :Pnn_USER_ROLE_MESSAGE := 'NO ROLE';
      :Pnn_USER_ROLE_PROTOCOL := 'NO ROLE';
      :Pnn_USER_HAS_PRIVS_FLAG := 0;
      FOR rec IN c_get_role LOOP
        IF rec.table_name = '<updateable table name>' AND rec.privilege = 'UPDATE' THEN
          :Pnn_USER_ROLE_MESSAGE := rec.granted_role;
        ELSIF rec.table_name = '<readable table name>'
              AND (rec.privilege = 'SELECT' OR rec.privilege = 'UPDATE') THEN
          :Pnn_USER_ROLE_PROTOCOL := rec.granted_role;
        END IF;
      END LOOP;
      IF :Pnn_USER_ROLE_MESSAGE != 'NO ROLE' AND :Pnn_USER_ROLE_PROTOCOL != 'NO ROLE' THEN
        :Pnn_USER_HAS_PRIVS_FLAG := 1;
      END IF;
    END;
    Note that APEX_PUBLIC_USER must have read privilege for the dictionary tables.
    Now you can use the flag variable and create an HTML region that displays the error message if the user has insufficient privileges, with a condition of type "PL/SQL Function Body Returning a Boolean":
    IF :Pnn_USER_HAS_PRIVS_FLAG = 0 THEN
      RETURN TRUE;
    ELSE
      RETURN FALSE;
    END IF;
    Add a condition to the normal page regions so that they display only if the user has the privileges and appropriate role, based on the flag (same as the IF block above, except FLAG = 1).

  • Implementing Authorization Programatically - Best practise

    Hi,
    Where is the best place (AppModule, Entity Object, View Object) for implementing authorization programatically?
    Of course, we use JAAS (more specially JAZN) for Authentication.
    Thanks,
    Trung

    Trung,
    if you are on JDeveloper 10g then Entity Objects support permission-based authentication.
    For all other releases see
    http://www.oracle.com/technology/products/jdev/howtos/bc4j/bc4jvpdjaas.html
    Frank
