Authorization approaches

Hi,
Are there any different approaches available in BW Authorization?
Lorenzo

Hi Lorenzo,
There are 3 approaches:
a) Infocube based approach - use this in conjunction with info area to limit access
b) Query based approach - A lot of customers use this to limit access; for Z queries are read only, Y queries are read/write; FI* query names for FI use.
c) Dataset approach - Limitation of characteristics and key figures; you can use reporting authorization for this.
TQ
Kumar

Similar Messages

  • ITunes crashes when "De-authorize all computers" is pressed iTunes 12

    Current PC (Windows 7) never had iTunes installed. My other 5 authorized computers are dead.
    Installed new iTunes 12, logged in to "De-authorize all computers" but as soon as I press the button the program freezes.
    At the time of freezing the confirmation dialog appears behind the "This program has stopped responding..." error and I can't click on the confirming "yes de-authorize all computers" button.
    [enter] closes the program.
    I don't get why the iTunes interface is the only way to access my account. I should be able to log into a secure online account and make changes to the iTunes account but that isn't possible as far as I can tell.

    Since this is a users' forum - not an Apple Helpdesk - lack of response probably means that no-one has encountered the same problem or, if they have, cannot offer advice on how to resolve it.
    You should be able to contact Apple Support and request that they de-authorize the computers on your account. Also, there have been two updates to iTunes (12.1 and 12.1.1) since you first posted the issue, so it's possible that the problem has been resolved in one of those.
    Quite why there isn't an automated/secure web-based way to do this I have no idea - the whole authorization/de-authorization approach seems based on fears that iTunes/iPods would become a widespread method for illegal sharing of copyright material, something that might have been true in the early days of iTunes and the iTunes Store, but today must be a tiny risk compared to P2P networks and file sharing.

  • Authorization Issue with P_HAP_DOC

    Hi experts,
    we have a problem with our authorizations approach concerning the appraisal documents.
    The situation is the following: We have two different approaches for appraisals. 1st as a manager you give appraisals to your assigned employees and as the employee you can see the appraisals assigned to you and can maintain in certain statuses. That works fine. So generally the access should be restricted to the line. This is achieved by using structural authorizations for the line manager.
    But secondly we have a feedback appraisal where also "further participants" shall give their feedback to any employee. Those further participants do not need to be in the same line!
    Currently we ran into the problem that the 2nd scenario is not working because we need also to restrict the access to employees. But if we grant the access with a certain structured profile (that contains all "P") all performance appraisals can be seen by everybody.
    Can it be that the problem is because the further participants are not treated as appraisers in respect of authorizations?
    Does anybody have any idea how to approach a suitable solution? Any help is welcome.
    Please share your thoughts.
    Thanks and regards
      Michael

    Hi Subbu,
    thanks for your reply and the helpful comment.
    The process is not exactly as you described. The scenario where we have the problem is a feedback appraisal that is initiated by the HRBP (business person from HR). He creates the appraisal document with the employee as appraisee and direct manager as appraiser. But additionally the manager can request a second feedback provider who can be placed anywhere in the org structure, not necessarily in the same line.
    And this is exactly the problem. This person as further participant needs to have access to this special appraisal document but not any other of this person (not even to one of the same kind).
    Can this requirement be achieved by your suggestion?
    What we need for our requirement is that we allow the access to the object P through structural authorizations. He also needs to have access to objects VA, VB and VC to be able to work on any appraisal at all. This combination unfortunately now leads to our problem that the employees now can see all appraisals with all results.
    Thanks and regards
      Michael

  • Apple TV is not authorized message

    I tried renting my first movie via the Apple TV (not my Mac). Upon trying to play the movie I get the error that my Apple TV is not authorized to play this content. Nowhere in the manuals does it mention authorizing your Apple TV; if I'm wrong about this please point me in the right direction.
    I tried looking on the forums for answers but get a mix of rabbit holes to go down for a solution. I tried the authorize/de-authorize approach but no luck. I'm not even sure why I would need to authorize the Apple TV? Some other posts mention seeing the Apple TV in iTunes under devices... but I think this is for first gen Apple TVs?
    I've gotten home sharing working with no problems and can stream from my Mac to the Apple TV with no issue. Netflix also works for that matter...
    I don't see the rented movie in my purchases list via iTunes either, should I? Should the rented movie show up in iTunes at all if rented via the Apple TV? The rental shows that I only have 23 hours now left to view it... even though it never started!
    Does all content have to be purchased via iTunes and not directly from the Apple TV UI? That would be really lame if so... My wife was a bit peeved that she had to go downstairs to the computer to rent Mad Men, rather than just select it from the Apple TV.
    Jeremy

    I am having *the exact same issue* with the first movie I rented late last night. My Apple TV 2 is set up and working fine with my iTunes library and wifi network in every respect except this one. The money has been taken from my account and I have no way of watching the movie as every time I push to watch it it says "Your Apple TV is not authorized to play this content"! How can this be given that my itunes account details have been entered on the system and allowed me to 'successfully' rent and be charged for the movie in the first place? 20 hours and counting before the money has been wasted, although I have requested a refund through the problem reporting tool on my account!!
    I too have gone through the forums and tried everything with no luck. I even contacted Apple Care support who kept me online for 30min, resetting and restoring etc... only to tell me that it might be an issue with my TV!! Nonsense, otherwise surely it wouldn't work at all.
    I hope someone from Apple is monitoring this thread and that a proper solution will be given in due course. At the moment, I don't want to risk renting any more movies until I know that my machine will be authorized for the purchases I have made.
    James

  • Nakisa TF & SP : Read-only Roles

    Hi Experts,
    I am currently using Nakisa SuccessionPlanning 3.0 SP1 0701027700 and Nakisa Talent Framework  3.0 SP1 0701021700.
    My question is, the user currently can log in to TalentFramework and SuccessionPlannning to display & maintain data.
    Is it possible to set up a role that can be assigned to a group of users, so that they are only allowed to display the data (read-only) and not allowed to maintain it?
    Please help to give some insight on this.
    Thanks,

    Hi Aimey00,
    For the STVN solutions the authorizations are all controlled in the backend. I would recommend speaking to a consultant with experience of authorizations who can help you restrict this data access.
    In theory you could introduce application security roles to do this, but the effort required would be significant and would require a great deal of customizing. I recommend going through the backend authorization approach.
    Best regards,
    Luke

  • How to approach authorization taking data into account (?)

    hi
    I have been similar to "Introduction to ADF Security in JDeveloper 10.1.3.2" for an approach to authorization taking data into account.
    For example to solve something like this:
    Some users should be able to update SCOTT.EMP.SAL, but only for those records where they "are manager" (e.g. based on SCOTT.EMP.MGR).
    Because the current (10.1.3) "OracleAS JAAS Provider" Re: ADF Security : custom SecurityContext seem to provide the API hooks or customization features I think I need for this, I tried the following approach:
    (1) A solution implementation should preferably be "JAAS like", using classes from the "java.security" package like java.security.Permission or java.security.AccessControlContext etc. This way it is more likely to be future proof and could possibly more easily be integrated with future JAAS solutions from Oracle.
    (2) To minimize dependencies in my application, I introduced only one custom interface that does what I really want to do, that is "to check permissions":
    package accesscontrolstuff.common.security;

    import java.security.AccessControlException;
    import java.security.Permission;

    // Single entry point the application uses to check permissions.
    public interface PermissionChecker {
        // Throws AccessControlException when pPermission is not granted.
        public void checkPermission(Permission pPermission)
            throws AccessControlException;
    }

    (3) It should be possible to easily check permissions in the business service implementation (ADF BC) and the view/controller layer (JSF managed beans).
    I have created an example application that implements this approach (check README.txt) :
    http://verveja.footsteps.be/~verveja/files/oracle/AccessControlStuffApp-v0.01.zip
    It has an updateAllEmp.jspx page that has a button for each EMP row to give a raise (that is update SCOTT.EMP.SAL). It will show an error message when the user is not allowed to give a raise.
    It has an updateSomeEmp.jspx page that has a button only for the EMP rows where the user is allowed to give a raise.
    question :
    All suggestions for improvement, on the approach or the example application, are welcome.
    (using JDeveloper 10.1.3.3.0 : ADF Business Components and ADF Faces)
    regards
    Jan Vervecken

    Thanks for your reply Frank and for going through the example.
    (a1) about "... the example could be coded without JAAS in the application as well ..."
    I'm not sure I understand when an application is "with JAAS" or "without JAAS" (in an Oracle context)?
    (The AccessControlStuffApp-v0.01.zip example includes an orion-application file that has a jaas-mode configured, which I could probably use for an implementation variation that works with a javax.security.auth.Subject instance, but the current implementation works with the "no jaas-mode" variant using the getUserPrincipalName() method.)
    (a2) about "This makes it hard to manage security roles ..."
    I don't think I understand. For the example, all authorization configuration is in the EMP table, why would that be hard to manage?
    What alternative would you suggest to "manage" security on the EMP table as is intended in the example?
    (a3) about "I think the required enhancement would be to add the dynamic permissions to an existing ADFSecurityContext ..."
    That sounds like what I have been looking for (see forum thread "ADF Security : custom SecurityContext").
    (a4) about "... and make this available to the business service as well ..."
    That would probably be useful.
    see also http://www.oracle.com/technology/products/jdev/howtos/1013/adfsecurity/adfsecurity_10132.html
    that says : "The defense-in-depth security design pattern demands that application developers implement application security with multiple lines of defense. ..."
    Thank you for pointing developers to this thread.
    regards
    Jan

  • Best Approach to create Security / Authorization Schema for an APEX Apps

    Hi,
    I am planning to create a Security / Authorization Schema for an APEX Application.
    Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEX Applications too..
    I am looking for following features...
    1. users LOGIN and then user's name is stored in APEX_USER...
    2. Based on the user, I want to restrict the Application on following levels.
    - TABS
    - TABS - Page1 (Report)
    - Page2 (Form)
    - Page2 (Region1)
    - Page2 (Region1, Button1)
    - Page2 (Region1, Items,....)
    AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
    I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
    My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
    Also what should be the FRONT end, we should have to enter these detail...
    SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
    Thanks,
    Deepak

    Hi Raghu,
    thanks for the detail info.
    so that means..I should have 2 table...
    master table (2 columns - username, password)
       username    password
       user1       xxxx
       user2       xxxx
    2nd table (2 columns - username, chq_disp_option)
    - In this table, we don't have Y/N Flag you mentioned..
    - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally displayed.
    - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
    - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
       username    chq_disp_option
       user1       re_region1
       user1       re_region2
       user1       tb_main
       user1       Page1
       user1       Page5
       ----        ----
    - how you are defining unique name for Regions..i mean in static ID or the Title
    - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
    Thanks,
    Deepak

  • Rational approach for Analysis Authorization:

    This post is regarding the implementation of Analysis Authorization.  Considering the role based approach; please let me know the optimized way to implement the analysis authorization such that there will be very low maintenance.
    For e.g. I have queries which need to be restricted at data level PLANT wise. So I mark the characteristic 0PLANT as authorization relevant. There are 150 plants so I create the 150 Analysis Authorizations and put each one of them in roles (1:1) resulting in 150 roles. In addition; 151st Role and Analysis Authorization for ALL plant access.
    Now to restrict the queries themselves, I create a Role with object S_RS_COMP , S_RS_COMP1 (For queries) ; S_USER_AGR  and S_USER_TCD( for  workbooks).
    Then I create a composite role  with above 2 single roles (one containing AA and other role for Query restriction)and assign it to user.
    Now suppose when I need to restrict data at some other level say DIVISION wise. Then I would be again creating analysis authorization for all the divisions and putting them in roles.
    Using this approach ; there would be many roles and analysis authorizations. Also during production support it may be cumbersome to debug the errors.
    Please comment if any other approach for implementing the above scenarios.
    Regards,
    Ajit
    Edited by: Ajit Nadkarni on Apr 4, 2010 5:47 PM

    Hi,
    I had a similar requirement where in we had 178 plants and each plant manager has to see their own site by default in the selection screen when they run the query.
    By default it should display their own site but it's not restricted to only that site. Managers can also look into other sites but by default they wanted their own site to be displayed.
    So I have created DSO and did mapping with username and store. And in query I created a variable in plant of type customer exit and written exit in CMOD using I_STEP 1. This solved our requirement. But to restrict to particular site I guess we can extend the routine in CMOD.
    Thanks
    Srikanth

  • Logical OR in BW authorizations

    Hi,
    I am using BW 3.5. and have following authorizations issue:
    My cube contains 2 country-related infoobjects, 'sender-country' and 'receiver-country'.
    For simplification lets say the cube contains only 3 records:
    Sender   Receiver   Amount
    DE         FR           100,--
    FR         GB            80.--
    US         DE            70,--
    The user access to this cube must be restricted like this:
    User 1 should have access to all DE data, but regardless in which country field the value DE occurs, in other words, its a logical OR. if the value 'DE' appears in either field the record should be displayed. In the example above he would therefore see record 1 and record 3.
    Likewise, another user with access to FR should only see record 1 and 2.
    To my knowledge the authorizations usually work as a logical AND, that is, if I make both characteristics authorization relevant and create 2 roles with:
    Role 1:                   
    Sender: *                
    Receiver: DE
    and
    Role 2:
    Sender: DE
    Receiver: *
    then it will internally grant * to both sender and receiver which I don't want.
    Any ideas how to design this?
    Thanks for any insight.
    Regards
    Udo

    Hi Olivier,
    Thank you very much for your answer.
    Unfortunately it does not work with this approach, or only partly.
    I have set up the authorizations the way you mentioned, still I am getting a 'no authorization message' for records that should be accessible now.
    On the other hand, the existing roles do work correctly if I put fixed filter values for the countries into the query.
    For example a query with SENDER = DE, Receiver = ZZ is accessible, which is correct with the new roles.
    However, the scenario does not work if the allowed filter values are retrieved via the authorization variables.
    I think this behaviour is due to the inability of the query to process logical OR filters.
    The authorization variables retrieve the allowed values from the roles.
    These roles contain now the allowed value set
    Sender = DE, Receiver = *
    and
    Sender = *, Receiver = DE
    These values cannot be applied meaningfully as it would lead to a logical OR in the query select statement which cannot be done.
    So I don't see any further solution to this....do you?
    Regards
    Udo
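
A small model of the two evaluation strategies discussed in this thread, added here as an illustration (it is not SAP BW code and not from any poster). `merge_per_characteristic` reproduces the behaviour Udo describes, where allowed values are combined per characteristic, while `allowed_by_tuple` keeps each role as one sender/receiver combination; all function names and the integer amounts are constructed for the example.

```python
"""Added illustration: two ways to combine the roles from the post."""

WILDCARD = "*"

# Constructed from the three sample records in the post.
RECORDS = [
    {"sender": "DE", "receiver": "FR", "amount": 100},
    {"sender": "FR", "receiver": "GB", "amount": 80},
    {"sender": "US", "receiver": "DE", "amount": 70},
]


def country_roles(country):
    """The two roles from the post, written for any country."""
    return [
        {"sender": WILDCARD, "receiver": country},
        {"sender": country, "receiver": WILDCARD},
    ]


def merge_per_characteristic(roles):
    """Union the allowed values of each characteristic across all roles.

    The link between sender and receiver inside one role is lost here,
    which is the effect the post complains about.
    """
    merged = {}
    for role in roles:
        for characteristic, value in role.items():
            merged.setdefault(characteristic, set()).add(value)
    return merged


def allowed_merged(record, merged):
    """AND across characteristics, each checked against its merged set."""
    return all(
        WILDCARD in values or record[characteristic] in values
        for characteristic, values in merged.items()
    )


def allowed_by_tuple(record, roles):
    """OR across roles, AND within a role: a role stays one combination."""
    return any(
        all(value == WILDCARD or record[characteristic] == value
            for characteristic, value in role.items())
        for role in roles
    )


def visible_merged(country):
    """Amounts a user sees when role values are merged per characteristic."""
    merged = merge_per_characteristic(country_roles(country))
    return [r["amount"] for r in RECORDS if allowed_merged(r, merged)]


def visible_by_tuple(country):
    """Amounts a user sees when each role is evaluated as a whole."""
    roles = country_roles(country)
    return [r["amount"] for r in RECORDS if allowed_by_tuple(r, roles)]


if __name__ == "__main__":
    for country in ("DE", "FR"):
        print(country, "merged:", visible_merged(country),
              "by tuple:", visible_by_tuple(country))
```

In this model the merged form shows every record to every user, while the tuple form returns records 1 and 3 for DE and records 1 and 2 for FR, which is the result the question asks for.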

  • Not able to decide on : Mission Configurable Authorization

    Hello,
    I post here after begging people to please understand my problem first. This is what I need to achieve:
    It is about dynamic authorization.
    My application will have an admin page where the admin will be able to give access rights to users for certain actions on certain pages. these could be any permutation and combination.
    I need to be able to authorize them based on this condition.
    For example :
    If it were a mechanic application.
    The admin will be able to authorize MechA to be able to perform "Add, Delete" actions on garage A, but only VIEW rights on garage B.
    similarly MechB to be able to only "ADD" in garage A, but ADD,DELETE in garageB.
    Again, the number of garages can be many. The admin will be able to add a garage and delete a garage.
    (of course, based on the current access rights they have, the JSP will display those current access rights)
    I have pored over google search and forums and security frameworks to decide on an approach for this.
    I initially had thought that I will have a table which will have two cols USER and PERMISSIONS.
    where users would be the users and permissions would be URLs. Ex. :
    mechA | garageA/add.jsp
    mechA | garageA/delete.jsp
    mechA | garageb/view.jsp
    However, this premature understanding will not work because of obvious reasons (if I need to update or delete the URL for the user.. I am screwing up everything).
    Then, now I am thinking of an XML based authorization now. where the parent node will be the user name and his child nodes will be the URLs he has access to. Though i have not worked on this, I know this will be of no use, because my application will have the capability to switch between a db and LDAP. I have very little knowledge of LDAP though.
    No security framework is going to be of help (I have looked extensively through JAAS and Acegi).
    because they function majorly on ROLES. In my case I have no ROLES at all :-(
    I have been pulling my hair out trying for a solution for this kind of a configurable scenario, where the user base could be on a DB and on LDAP.
    Any ideas/help/pointers towards an approach would be highly appreciated.
    thanks in advance for your time.

    If you don't have roles now, rethink your design.
    What if another mechanic comes in as a replacement
    for an existing mechanic who left or goes on holiday?
    Do you really want to have to assign all permissions
    to the new mechanic again? No, you want to be able to
    say: this new mechanic has the same role(s) as the
    original mechanic and be done with it. Or what if a
    mechanic gets promoted? Instead of having to add and
    remove all the accompanying permissions, just set or
    add the new roles.
    Well, there will also be Groups, to which the mechanics can be assigned, but it is not a necessity for them to be under a group.
    A mechanic can be an individual with individual rights, or can be a part of a group which has certain permissions. In my case, everything needs to be highly configurable. Creating a single user(with specific permissions) or creating the group(with specific permissions) and then assigning mechanics to the group, will really be the admins choice, who will set the users up.
    If you really, really, really can't think of any roles
    that make sense, you can pretend each mechanic
    defines his own special role (the role is the same as
    the mechanic) and still use those frameworks.
    hmmm... I have typically assigned URLS with wildcard chars. like /admin/*.* with ROLE_ADMIN thing.
    In this case,I will probably have to have many relative URLS mapped with a singular ROLE. However, how I can change/update these URLs based on the admins input, still remains a mystery to me.
    Any other suggestions ?
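
An added sketch of one way to model the requirement in this thread; it is not code from any poster and is not tied to JAAS or Acegi. Grants are stored as (resource, action) pairs held by a user or a group, and URLs sit in a separate route table, so an administrator can change grants, garages or page URLs independently. The class, method, group and URL names are all hypothetical.

```python
"""Added illustration of the garage scenario; every name is hypothetical."""


class AccessStore:
    """Grants are (resource, action) pairs held by a user or a group.

    URLs live in a separate route table, so renaming a page never touches
    the grants an administrator has configured.
    """

    def __init__(self):
        self.grants = {}   # subject -> {(resource, action)}
        self.members = {}  # group name -> {user name}
        self.routes = {}   # URL -> (resource, action)

    @staticmethod
    def user(name):
        # Tagged subjects keep a user and a group with the same name apart.
        return ("user", name)

    @staticmethod
    def group(name):
        return ("group", name)

    def grant(self, subject, resource, *actions):
        self.grants.setdefault(subject, set()).update(
            (resource, action) for action in actions)

    def revoke(self, subject, resource, *actions):
        self.grants.get(subject, set()).difference_update(
            (resource, action) for action in actions)

    def add_member(self, group_name, user_name):
        self.members.setdefault(group_name, set()).add(user_name)

    def map_route(self, url, resource, action):
        self.routes[url] = (resource, action)

    def remove_resource(self, resource):
        """Deleting a garage removes its grants and its routes together."""
        for held in self.grants.values():
            held.difference_update({g for g in held if g[0] == resource})
        self.routes = {url: target for url, target in self.routes.items()
                       if target[0] != resource}

    def subjects_for(self, user_name):
        groups = {self.group(g) for g, users in self.members.items()
                  if user_name in users}
        return {self.user(user_name)} | groups

    def is_allowed(self, user_name, resource, action):
        return any((resource, action) in self.grants.get(subject, ())
                   for subject in self.subjects_for(user_name))

    def is_url_allowed(self, user_name, url):
        target = self.routes.get(url)
        if target is None:
            return False  # default deny for URLs nobody has mapped
        return self.is_allowed(user_name, *target)


def build_demo():
    """Constructed data matching the MechA/MechB example in the post."""
    store = AccessStore()
    store.grant(store.user("mechA"), "garageA", "add", "delete")
    store.grant(store.user("mechA"), "garageB", "view")
    store.grant(store.user("mechB"), "garageA", "add")
    store.grant(store.user("mechB"), "garageB", "add", "delete")
    # A group grant: mechC has no individual rights, only membership.
    store.grant(store.group("garageB-viewers"), "garageB", "view")
    store.add_member("garageB-viewers", "mechC")
    for garage in ("garageA", "garageB"):
        for action in ("add", "delete", "view"):
            store.map_route(f"/{garage}/{action}.jsp", garage, action)
    return store


if __name__ == "__main__":
    demo = build_demo()
    print(demo.is_url_allowed("mechA", "/garageA/delete.jsp"))
    print(demo.is_url_allowed("mechB", "/garageA/delete.jsp"))
```

The same store can be backed by database tables or directory entries; only the three dictionaries need a persistent equivalent.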

  • Authorization Error on Peoplesoft Login Page

    Hi, this is related to the previous project we are still working on.
    Invoking a Java Method from Peoplecode
    While we have found that our approach has been successful in Dev and Test Environments, once we migrated the changes to Production, it seems to have stopped working. Our client wants to test the link from Test Environment and would Single Sign On to the Production environment. But we are getting this error, Authorization Error -- Contact your Security Administrator on the Peoplesoft login page when the link is clicked from the Third Party website.
    The node setup for Dev, Test and Prod environments under Node Definitions are using PSFT_CR as the default local node and are all working when pinged. The default user that is used for allowing public access in the Web Profile is set up just the same in all three environments, and application/web servers have been restarted as well.
    One thing we noticed is that the url of the third party website is http and the url for the PS prod is https. Could this be the one causing the error, or have we missed something on the setup?
    Again, we appreciate your insights regarding this.
    Edited by: Jeremy Leung on Jul 9, 2012 11:50 PM

    Hello,
    Have you tried the steps suggested by
    Imtiaz Hussain in the
    previous thread you queried ?
    Is the error the same that you were previously encountering ?
    Regards,
    Neelesh.

  • Unit Testing  approach

    Hi,
    We had done technical migration of value based roles to derived roles, and facing problem to design the unit testing approach for the same. Can you please suggest what must unit testing approach and how to create test cases for authorizations specifically to derived roles created from value based roles?
    goal is after testing, end users should not feel any changes done in roles approach.
    Thanks.
    Regards,
    Swapnil
    <removed_by_moderator>
    Edited by: Julius Bussche on Oct 7, 2008 3:40 PM

    Hi Swapnil,
    The Testing of Security roles need to be taken in a two step approach
    Step 1 Unit Testing in DEV
    A. Prepare the test cases for each of the derived roles and ensure that your main focus is to see if you are able to execute all the tcodes that have been derived from the parent role without authorization errors. You also need to verify if each of the derived roles are applicable to those respective Org level Values.
    B. Because there will not be enough data in DEV (except in some cases where you have a refresh of fresh PROD data) it is always advisable to do the actual testing of the roles in QA. The goal here is to see if you are able to perform a dry run of all tcodes/Reports/Programs that belong to the roles.
    C. You may create fewer Unit test ids as you only assign one ID with one role and once the role is tested you can assign the same ID to another role.
    Step 2 Integration Testing in QA
    A. Prepare the Integration Test cases for each of the Derived roles. Here most likely the testing will be performed by the  end users/Business Analysts in that respective Business Process. Each test case must reflect the possible Org level Authorization Objects and Values that need to be tested.
    B. As Integration testing is simulation of actual Production authorizations scenario, care must be taken when creating multiple Integration test user ids and assigning them right roles and send the ids to the end users to perform the testing in QA.
    C. The objective here is that end user must feel comfortable with the test cases and perform both Positive and Negative testing. Testing results must be captured and documented for any further analysis.
    D. In an event of any authorization errors from Integration testing, the authorization errors will be sent to the Security team along with SU53 screenshots. The roles will be corrected in DEV and transported back to QA and the testing continues.
    E. Also the main objective of Integration testing would be to check if the transactions are reflecting the right amount of data when executed and any mismatch in the data will be direct implication that the Derived roles do not contain the right Org level values.
    Hope this helps you to understand how testing of Security roles (Derived) is done at a high level.
    Regards,
    Kiran Kandepalli.
    Edited by: Kiran Kandepalli on Oct 7, 2008 5:47 AM

  • Analysis Authorization & its compaitbility with BW 3.5 Query

    Hi,
    We have technically upgraded our system from BW 3.5 to BI 7.0. Now we are planning to upgrade to Analysis Authorization.
    1. Is it necessary to Migrate BW 3.5 query to BI 7.0 so that it will work with Analysis Authorization? If not, then how Analysis auth will treat authorization variable defined in the query?
    2. What are pro & cons of two approach: Fresh Implementation of Analysis Authorization v/s Migration using tool ?
    Please advise.
    Best Regards,
    UR

    Dear UR,
    I'm going to try helping you,
    In advance I give you some ideas about migration process regarding authorization system.
    Currently you can use the old concept of authorization (reporting authorization object) in the 7.0 2004s environment. You can set up in Tcode: RSCUSTV23 what authorization mode you would like to use.
    When have you migrated whole queries but you keep the old concept, this doesn't impact the authorization system functionality.
    When you change the authorization mode to current procedure with analysis authorizations, you need to be careful with the attribute navigational. Because, in the old mode, the attribute navigational get setting of its characteristic. Example if you use 0COMP_CODE__0COSTCENTER, and the 0COSTCENTER is relevant authorization, all of attribute navigational come from 0COSTCENTER are relevant authorization. Otherwise, in current procedure with analysis authorizations, where each navigational attribute has the same level of a characteristic.
    When you migrate to analysis authorization, SAP best practice recommend keep in each reporting role all of reporting authorization object for a short period of the time.
    In my experience the main thing was list above.
    Try to get more information in:
    SAP BI - User Management & Authorizations
    OSS Note 923176
    I hope this suggestion can help you,
    Luis

  • What's the best way to do authorization for my app?

    The authorization situation is somewhat complicated for my app.
    Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM.
    From what I've seen so far, there are two different options of setting the authorization for the component:
    1. Set its Condition
    2. Set its Security Authorization Scheme
    Here is my understanding for each (from my limited experience with APEX):
    1. Set its Condition
    + Can pass in parameters such as :APP_USER, page number, P0_ITEM. So I can just create one function that does all the authorization
    - Have to combine the SQL query with the component's non-authorization display conditions, if any.
    2. Set its Security Authorization Scheme
    + By name, it seems like it should be used for authorization
    - Cannot take in parameters relating to the page, such as the page number --> therefore I will need to create many different schemes, for all the different pages.
    #2 will end up with a long list of schemes (each with its own SQL queries) for different pages, which doesn't seem as efficient as #1 with far fewer SQL queries and just take in parameters.
    Which one should I pick?
    Thanks!

    953006 wrote:
    Thanks fac586 for the detailed response, and also everyone else who replied. You guys are very helpful and respond promptly.
    And we'd appreciate it if you changed "953006" into a real handle promptly.
    Andre mentioned using conditions:
    The way I work around this is to have two functions, one which is used at the page level as a normal authorization scheme and one which can be passed variables which is called as a Condition and the name of the item is one of the variables, in effect giving it "self awareness".
    But fac586 said:
    You can't pass "parameters" to authorization schemes. Use application items, APEX collections or application contexts to set current context before the authorization scheme is evaluated, and access these values in the functions.
    Does this mean, fac586, that we can avoid conditions altogether?
    No, it means that I prefer to use Authorization Schemes to control access to resources based on user privileges and security, and Conditions to control rendering and processing for functional reasons. Using the approach described above I have found it possible to maintain this separation.
    Say if a page has two buttons, Button_A and Button_B. Button_A has a set of requirements for displaying and Button_B has its own set of requirements (some of which are shared with Button_A). So far, the only way that I can see of using pure authorization is to write 2 different authorization schemes, and set the authorization schemes for the two buttons respectively.
    What's the problem with that? Consider a more concrete example using a standard APEX report/form pattern for customer maintenance. Page 6 contains the report, and page 7 is the maintenance form with P7_CREATE and P7_SAVE buttons. Only users entitled to create new customers should have access to P7_CREATE, and only users able to edit customers access to P7_SAVE. This would be controlled by the CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes respectively. Functionally, conditions are used to show P7_CREATE if the P7_CUSTOMER_ID is null, and P7_SAVE if it's not null. We don't mix non-functional security considerations with functional requirements.
    The CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes are of type PL/SQL Function Returning Boolean. These are implemented using package functions. Exactly how a user has create/edit customer privilege is determined in the package. Determinants that are shared by multiple schemes can be combined at this level. These implementations can be changed as necessary without requiring changes to the application.
    The authorization schemes are reusable across pages and components. On page 6, CREATE_CUSTOMER can be used on the "Create New Customer..." button; EDIT_CUSTOMER on the report column containing the "Edit" links.
    Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM. So I guess this goes back to my original concern with Authorizations:
    [Using purely authorizations] will end up with a long list of schemes (each with its own SQL queries) for different pages [and page items] ....
    Re: VPD policies. Note that in the example above there's no need for the authorization schemes to "know" which pages/items are being evaluated. The P7_SAVE button and the page 6 link column are involved with the EDIT_CUSTOMER operation, so that authorization scheme is applied to them.
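The package-backed scheme pattern described in the reply above, sketched as an added example (not code from the thread). The `app_user_privs` table, the `customer_auth` package, its function names and the `CUSTOMER_ADMIN` privilege are hypothetical; only the scheme names CREATE_CUSTOMER and EDIT_CUSTOMER come from the post.

```sql
-- Hypothetical privilege table, constructed for this example.
create table app_user_privs (
  username  varchar2(255) not null,
  privilege varchar2(30)  not null,
  constraint app_user_privs_pk primary key (username, privilege)
);

create or replace package customer_auth as
  function can_create_customer return boolean;
  function can_edit_customer   return boolean;
end customer_auth;
/

create or replace package body customer_auth as

  -- Shared determinant used by both schemes: the current APEX user holds the
  -- named privilege, or the (hypothetical) CUSTOMER_ADMIN privilege.
  -- An unknown or null user matches no rows, so the check fails closed.
  function has_priv (p_privilege in varchar2) return boolean is
    l_user  app_user_privs.username%type := upper(v('APP_USER'));
    l_count pls_integer;
  begin
    select count(*)
      into l_count
      from app_user_privs
     where username  = l_user
       and privilege in (p_privilege, 'CUSTOMER_ADMIN');
    return l_count > 0;
  end has_priv;

  function can_create_customer return boolean is
  begin
    return has_priv('CREATE_CUSTOMER');
  end can_create_customer;

  function can_edit_customer return boolean is
  begin
    return has_priv('EDIT_CUSTOMER');
  end can_edit_customer;

end customer_auth;
/

-- Authorization scheme bodies (type: PL/SQL Function Returning Boolean):
--   CREATE_CUSTOMER:  return customer_auth.can_create_customer;
--   EDIT_CUSTOMER:    return customer_auth.can_edit_customer;
```

Neither function needs to know which page or item is being evaluated, so the same two schemes can be attached to P7_CREATE, P7_SAVE and the page 6 components, and the privilege logic can change inside the package without touching the application.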

  • What is the best way to ask organisations to authorize your application?

    We want to support Office 365 customers with organizational account (type 2 as shown in REST API docs - http://msdn.microsoft.com/office/office365/APi/discovery-service-rest-operations). We basically followed these steps:
    Subscribe to O365 with organizational account (developer preview trial in our case).
    Create our own application in Azure AD managing our O365 organization.
    Configure end-points and other application settings in Azure AD.
    Integrate and test the actual non-Azure service on our side which is consuming Azure AD and O365 APIs.
    What we have found during tests is that users from different organizations cannot authorize our application to access their data. It simply fails, they don't even have the option. On the other hand, users from our organization are not presented with anything.
    I understand that the principle behind this is that admins are responsible for allowing applications that users in their organization can use. But how can users or admins from different organizations use our application?
    We know there is an application directory for Azure AD. But it seems like a rather brutal approach to what is fairly straightforward elsewhere - including Microsoft's own Live and O365 services consumed by Microsoft account (type 1 as shown in REST API docs).
    Therefore, we wonder whether there is something we are missing? Some settings in application manifests? Some process which we must undertake to be verified as a trusted developer/application?

    In order for other organizational users to access your application using their organizational account, they need to set up ADFS (or others like SiteMinder, etc.) to act as identity provider (or authorization server) and to achieve single sign-on capability.
    For example, when a user accesses your application, your application directs the user back to his/her own ADFS server. The ADFS server validates the identity and provides a claims token. The user then accesses the application and now he/she has the token and is granted access. Maybe this link can help:
    http://blogs.technet.com/b/rmilne/archive/2014/04/28/how-to-install-adfs-2012-r2-for-office-365.aspx
    Frank
