Authorization scheme for users stored in a database table?

Hello!
I'm trying to find out how to make an authorization scheme for database users.
I first made an authentication scheme for my current application, I named it "Authentication for database accounts", and the scheme type is "Database Accounts".
A word of explanation:
I have a table in my database, named "USERS". Inside this table, I have the following columns:
- USERID (NUMBER)
- USERNAME (VARCHAR2(50))
- PASSWORD (VARCHAR2(50))
- EMAIL (VARCHAR2(200))
For this question, I'll take an example user. The username is USER and the password is USER. Email and UserID don't matter here, but let's just say the UserID is 1.
What I want:
When you go to the application, and you are requested to log in (page 101), then I want a user to be able to log in with the data that has been stored in the USERS table.
So, on the login page, the user will enter USER as username, and USER as password. The authorization scheme then needs to check whether or not this username and password match the data in the USERS table. If it does, then it must sign the user in with the credentials the user entered (those being USER and USER).
I also want the UserID to be stored somewhere in the application (if possible, in an application item).
How do I do this? I've never made an authorization scheme before... I'm not too good with PL/SQL either, but I'm working on that part.
Any help is greatly appreciated.

"I'm trying to find out how to make an authorization scheme for database users."
I think there may be some confusion here. An authorization scheme gives the user access to different parts of an Apex Application. Database users are the users that you use to log in to the database, for example with sqlplus.
From the rest of your post it sounds like you need a custom authentication scheme to validate users against a custom table. For this you need to create a custom authentication scheme and select "use my custom function to authenticate". Exactly how you set up the authentication scheme depends on the version of Apex you are using. But an example of a validate user function you could use is given below:
function validate_login (
   p_username   in   varchar2
 , p_password   in   varchar2) return boolean
is
   v_result varchar2(1);
begin
   -- look for a row whose username and password both match
   select null into v_result
   from USERS
   where username = p_username
   and password = p_password;
   return true;
exception
   -- no matching row: reject the login
   when no_data_found then return false;
end validate_login;

Once the user has successfully logged on the userid will be in the APP_USER apex substitution string.
"And for Application Express Account Credentials, does this mean an admin must make each new user by hand?"
If you are using Apex account credentials the user details are stored within the Apex tables. You can create users using the Apex admin application or by using the APEX_UTIL.create_user api.
Rod West
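The function in the answer compares the submitted password with a clear-text PASSWORD column. The same kind of custom authentication function with only a salted, iterated hash kept in the table, as an added example that is not code from the original thread: the PASSWORD_SALT and PASSWORD_HASH columns, the package name user_auth and the iteration count are assumptions.

```plsql
-- Added example. Assumes USERS has been altered to hold
--   PASSWORD_SALT RAW(16) and PASSWORD_HASH RAW(32)   (hypothetical columns)
-- in place of the clear-text PASSWORD column, and that the owning schema has
-- EXECUTE on DBMS_CRYPTO (Oracle Database 12c or later for HMAC_SH256).
create or replace package user_auth as
  -- same signature as the custom authentication function in the answer
  function validate_login (p_username in varchar2,
                           p_password in varchar2) return boolean;
  procedure set_password  (p_username in varchar2,
                           p_password in varchar2);
end user_auth;
/
create or replace package body user_auth as
  c_iterations constant pls_integer := 10000;  -- assumed work factor, tune it

  -- PBKDF2-HMAC-SHA256, limited to a single 32-byte output block
  function derive (p_password in varchar2, p_salt in raw) return raw is
    l_key raw(32767) := utl_raw.cast_to_raw(p_password);
    l_u   raw(32);
    l_t   raw(32);
  begin
    -- U1 = HMAC(password, salt || INT(1))
    l_u := dbms_crypto.mac(utl_raw.concat(p_salt, hextoraw('00000001')),
                           dbms_crypto.hmac_sh256, l_key);
    l_t := l_u;
    -- Ui = HMAC(password, Ui-1); the result is the XOR of all Ui
    for i in 2 .. c_iterations loop
      l_u := dbms_crypto.mac(l_u, dbms_crypto.hmac_sh256, l_key);
      l_t := utl_raw.bit_xor(l_t, l_u);
    end loop;
    return l_t;
  end derive;

  function validate_login (p_username in varchar2,
                           p_password in varchar2) return boolean is
    l_salt raw(16);
    l_hash raw(32);
    l_calc raw(32);
  begin
    if p_username is null or p_password is null then
      return false;
    end if;
    begin
      select password_salt, password_hash
        into l_salt, l_hash
        from users
       where upper(username) = upper(p_username);
    exception
      when no_data_found or too_many_rows then
        -- unknown user: derive anyway so the response time does not
        -- reveal whether the username exists
        l_salt := hextoraw('00000000000000000000000000000000');
        l_hash := null;
    end;
    l_calc := derive(p_password, l_salt);
    return l_hash is not null and l_calc = l_hash;
  end validate_login;

  procedure set_password (p_username in varchar2,
                          p_password in varchar2) is
    l_salt raw(16);
    l_hash raw(32);
  begin
    if p_password is null then
      raise_application_error(-20001, 'Password must not be empty');
    end if;
    l_salt := dbms_crypto.randombytes(16);   -- fresh salt per password
    l_hash := derive(p_password, l_salt);    -- computed outside the SQL
    update users
       set password_salt = l_salt,
           password_hash = l_hash
     where upper(username) = upper(p_username);
  end set_password;
end user_auth;
/
```

Point the custom authentication scheme at user_auth.validate_login in place of the function above, and populate the two columns through user_auth.set_password.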

Similar Messages

  • Best Approach to create Security / Authorization Schema for an APEX Apps

    Hi,
    I am planning to create a Security / Authorization Schema for an APEX Application.
    Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEX Applications too..
    I am looking for following features...
    1. users LOGIN and then user's name is stored in APEX_USER...
    2. Based on the user, I want to restrict the Application on following levels.
    - TABS
    - TABS - Page1 (Report
    - Page2 (Form)
    - Page2 (Region1)
    - Page2 (Region1, Button1)
    - Page2 (Region1, Items,....)
    AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
    I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
    My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
    Also what should be the FRONT end, we should have to enter these detail...
    SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
    Thanks,
    Deepak

    Hi Raghu,
    thanks for the detail info.
    so that means..I should have 2 table...
    master table (2 columns - username, password)
    username    password
    user1       xxxx
    user2       xxxx
    2nd table (2 columns - username, chq_disp_option)
    - In this table, we don't have Y/N Flag you mentioned..
    - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally displayed.
    - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
    - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
    username    chq_disp_option
    user1       re_region1
    user1       re_region2
    user1       tb_main
    user1       Page1
    user1       Page5
    ----        ----
    - how you are defining unique name for Regions..i mean in static ID or the Title
    - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
    Thanks,
    Deepak

  • Daily report for user sessions in oracle10g database

    I would like to generate the daily report for user sessions in oracle10g database
    daily report of how many of sessions present in oracle database for each user

    Thanks for link ( I know you always post the oracle document link here)
    But I am expecting scripts (something like logon trigger and log off trigger) to generate the user session report.

  • Generic Authorization Scheme for items?

    I have created a generic authorization scheme for our application pages, and I would like to extend that to items if possible.
    The page one was easy enough as I could identify the calling page through :APP_PAGE_ID in the authorization scheme. Unfortunately, I do not know of any built in variables that would identify a calling item on a page.
    Is there such a variable or some other way of identifying the item?
    thanks!
    John

    John,
    No, currently you cannot pass any parameters to an Authorization Scheme. I have requested that this be a new feature in a future release of APEX, as it makes all the sense in the world. It would be a lot easier to have 1 scheme that can take a parameter for 100 items vs. 100 schemes, one for each of 100 items.
    In the mean time, you'll have to default to using a condition to determine if an item should be rendered or not. The trick here is that conditions are often used for business rules (such as not showing the SAVE button when you're inserting). Thus, you'll have to account for that when creating your conditions, and thus check both.
    Hope this helps.
    Thanks,
    - Scott -
    http://spendolini.blogspot.com/
    http://sumnertechnologies.com/

  • Defining an Authentication Scheme for user ID and password and client certi

    Hi,
    I do need to define an Authentication Scheme for user ID/Password and client certificate, both at the same time, so whenever the end user accesses the SAP Portal he/she will be asked to provide user and password as well as a digital certificate.
    Despite the whole idea behind the concept of a digital certificate, my client still wants to keep the user ID and password to comply with business requirements.
    I found a documentation that discusses Authentication Scheme with example using both ID and Digital certificate, but the priority was set differently for each authentication method.
    http://help.sap.com/saphelp_nw04s/helpdata/en/d3/1dd4516c518645a59e5cff2628a5c1/content.htm
    So I am wondering whether I can accomplish User ID/Pwd plus digital certificate just by making the priority the same value. Anyone had a similar requirement?
    Best Regards
    Claudio Rocha

    Hi
    Did you get an answer for this Query ?
    Regards
    Priyanka

  • How add Authorization check for user with assigened role for t.code-MIR4

    Hi All,
    Regarding authorization how to check authorizations check for user with assigned roles for the t.code MIR4  using ABAP.
    In Detail:2)     All users are allowed to go to MIR4(invoice number), But ONLY for users with role: MM_RELEASE_INVOICE can proceed to do the posting.
    suggest me...
    Thanks,
    srii..

    Hi Sri ,
    first u need to find out  in which user rules u are using this object , after that if u want to restrict users then remove create/change values from that object values .
    make use of Tcode SUIM to find out all roles which are using this Object.
    or
    ask ur basis guy to remove authorizations to create/change....
    regards
    Prabhu

  • Failed to activate authorization check for user SAPSYS

    Hi Experts
    I am trying to run the sdcc, it was throwing time_out error. i have increased the work process runtime. now
    i am getting a error Failed to activate authorization check for user SAPSYS.
    Please help me to solve this issue.
    Regards
    Venkat

    Hi, Mr. Joe Bo.
    Thanx for your reply. We are using ECC6 (HP Unix with Oracle)
    Basis Patch - 15, Kernel 159
    I have seen the note but it's showing ccms method definition settings, but for my case we are yet to go live we have not made any settings from sap they are planning to run a session for the go live. When i am running sdcc i am getting a error in the system log "Failed to activate authorization check for user SAPSYS"
    Thanks & Regards
    Venkatesan J

  • Displaying html stored in a database table in a region

    Hi All,
    I would like to pass html to regions on the page which is stored in a database table.
    I have got this working for simple html (call a packaged function to get the html and then in a PL/SQL Anonymous Block htp.p(f_get_html(:P1_param1,'REGION1')); to display it within the region ) but what I would also like to take the html generated for charts/graphs etc out of the application and also put them into the database table so that the position on the page can be determined by database tables.(i.e. have a page with lots of regions and assign html to them at runtime). I am struggling with substituting all the necessary parameters into the HTML returned from the database and how it should be formatted.
    Any help appreciated and if I get any further I will update the post

    I have actually managed to achieve this now. When I get chance I will post the code.
    The idea is that a page could have say 6 regions and depending on choices made (i.e. selected project or the individual user permissions) there are regions which you would want to display and regions you don't. Also, you may want to move regions around the page so that the important ones for that user or project etc. are at the top.
    You can then, on entering a page, query database tables to decide what is to be displayed in region1, region 2 etc. and then getting the html from the database for that region and displaying it.
    I have successfully done this now with embedded Oracle Reports showing graphs which look better than the SVG graphs and are more flexible.

  • Authorization scheme for display/read only conditions on item level

    Hi All,
    I have a question. I want to use an authorization scheme to manage if users with a certain role have the permission to either update an item or have the permission to only see the item or that they don't have permission to see it at all.
    So, the input for the scheme would be: 1. user role 2. the current page 3. the current item.
    The output would be: 0 (update) 1 (read only) 2 (not displayed).
    I think I can manage that.
    And I can attach this schema to the items.
    So far so good.
    But how can I make it so that the 0,1 and the 2 will actually do what they need to do?
    I have been thinking about making a function like GET_AUTHORISATON(ROLE,PAGE,ITEM) output: 0,1,2 but I still can't figure out how to connect this with the functionality I want to achieve.
    Can somebody give me a hint?
    Andre

    Thanks Hari,
    Thanks, it works, almost, but what if items are mandatory on a page, but not always mandatory?
    If a user has a certain role, some fields are mandatory, otherwise not.
    Again, a function would do the trick as far as the input and output information
    something like IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) but how can I make it work?
    I guess a PL/SQL validation like:
    IF IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) THEN ITEM IS NOT NULL
    END IF;
    Andre
    PS: personally I think item level security is not something you wish to implement in your system. I prefer different screens for different roles.
    Far more straightforward. Easy for maintenance. When something malfunctions, it's far more easy to pinpoint the location of the cause.

  • Create Authorization Scheme for LDAP Groups

    I have installed APEX 4.0 in my staging environment and got the LDAPS to finally work. I can now login to the application with my LAN user name and password. The only problem is so can everyone else on the LAN. So I wanted to create an authorization scheme that would only allow a certain group or groups of LDAP users into the application rather than everyone.
    I am at the Create Authorization Scheme page and am kind of stuck. Has anyone done this before and can share some SQL or knowledge?

    hi larosejh
    If you want to do that you must write your own procedures using the dbms_ldap package. I found some code a while back that searches the LDAP. Maybe you can use this to create a function for your authentication.
    DECLARE
    retval PLS_INTEGER;
    my_session DBMS_LDAP.session;
    my_attrs DBMS_LDAP.string_collection;
    my_message DBMS_LDAP.message;
    my_entry DBMS_LDAP.message;
    entry_index PLS_INTEGER;
    my_dn VARCHAR2(256);
    my_attr_name VARCHAR2(256);
    my_ber_elmt DBMS_LDAP.ber_element;
    attr_index PLS_INTEGER;
    i PLS_INTEGER;
    my_vals      DBMS_LDAP.STRING_COLLECTION ;
    ldap_host VARCHAR2(256);
    ldap_port VARCHAR2(256);
    ldap_user VARCHAR2(256);
    ldap_passwd VARCHAR2(256);
    ldap_base VARCHAR2(256);
    BEGIN
    retval := -1;
    -- Please customize the following variables as needed
    ldap_host := 'host';
    ldap_port := '389';
    -- In case of update/insert/delete need change ldap_user to other.
         -- ldap_user := 'cn=orcladmin';
         -- ldap_passwd:= 'welcome';
    -- set User and password to NULL for anonymous user.
    ldap_user := 'user';
    ldap_passwd:= 'password';
    ldap_base := 'CN=Users,DC=ee,DC=intern';
    -- end of customizable settings
    -- Start output Header--
    DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
    DBMS_OUTPUT.PUT('> DBMS_LDAP Search Example ');
    DBMS_OUTPUT.PUT_LINE('');
    DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Host ',25,' ') || ': ' || ldap_host);
    DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Port ',25,' ') || ': ' || ldap_port);
    -- Choosing exceptions to be raised by DBMS_LDAP library.
    DBMS_LDAP.USE_EXCEPTION := TRUE;
    my_session := DBMS_LDAP.init(ldap_host,ldap_port);
    DBMS_OUTPUT.PUT_LINE (RPAD('> Ldap session ',25,' ') || ': ' ||
    RAWTOHEX(SUBSTR(my_session,1,8)) ||
    '(returned from init)');
    -- bind to the directory
    retval := DBMS_LDAP.simple_bind_s(my_session,
    ldap_user, ldap_passwd);
    DBMS_OUTPUT.PUT_LINE(RPAD('> simple_bind_s Returns ',25,' ') || ': '
    || TO_CHAR(retval));
    -- issue the search
    my_attrs(1) := 'dn'; -- retrieve all attributes
    retval := DBMS_LDAP.search_s(my_session, ldap_base,
    DBMS_LDAP.SCOPE_SUBTREE,
    'objectclass=*',
    my_attrs,
    0,
    my_message);
    DBMS_OUTPUT.PUT_LINE(RPAD('> search_s Returns ',25,' ') || ': '
    || TO_CHAR(retval));
    DBMS_OUTPUT.PUT_LINE (RPAD('> LDAP message ',25,' ') || ': ' ||
    RAWTOHEX(SUBSTR(my_message,1,8)) ||
    '(returned from search_s)');
    -- count the number of entries returned
    retval := DBMS_LDAP.count_entries(my_session, my_message);
    DBMS_OUTPUT.PUT_LINE(RPAD('> Number of Entries ',25,' ') || ': '
    || TO_CHAR(retval));
    DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
    -- End output Heading --
    -- get the first entry
    my_entry := DBMS_LDAP.first_entry(my_session, my_message);
    entry_index := 1;
    -- Loop through each of the entries one by one
    while my_entry IS NOT NULL loop
    -- print the current entry
    my_dn := DBMS_LDAP.get_dn(my_session, my_entry);
    -- DBMS_OUTPUT.PUT_LINE (' entry #' || TO_CHAR(entry_index) ||
    -- ' entry ptr: ' || RAWTOHEX(SUBSTR(my_entry,1,8)));
    DBMS_OUTPUT.PUT_LINE (' dn: ' || my_dn);
    my_attr_name := DBMS_LDAP.first_attribute(my_session,my_entry,
    my_ber_elmt);
    attr_index := 1;
    while my_attr_name IS NOT NULL loop
    my_vals := DBMS_LDAP.get_values (my_session, my_entry,
    my_attr_name);
    if my_vals.COUNT > 0 then
    FOR i in my_vals.FIRST..my_vals.LAST loop
    DBMS_OUTPUT.PUT_LINE(' ' || my_attr_name || ' : ' ||
    SUBSTR(my_vals(i),1,200));
    end loop;
    end if;
    my_attr_name := DBMS_LDAP.next_attribute(my_session,my_entry,
    my_ber_elmt);
    attr_index := attr_index+1;
    end loop;
    my_entry := DBMS_LDAP.next_entry(my_session, my_entry);
    DBMS_OUTPUT.PUT_LINE(' --------------------------------------------------- ');
    entry_index := entry_index+1;
    end loop;
    -- unbind from the directory
    retval := DBMS_LDAP.unbind_s(my_session);
    DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ',25,' ') || ': ' ||
    TO_CHAR(retval));
    -- Start Output Footer --
    DBMS_OUTPUT.PUT_LINE('Directory operation Successful .. exiting');
    -- Start Output Footer --
    -- Handle Exceptions
    EXCEPTION
    WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE(' Error code : ' || TO_CHAR(SQLCODE));
    DBMS_OUTPUT.PUT_LINE(' Error Message : ' || SQLERRM);
    DBMS_OUTPUT.PUT_LINE(' Exception encountered .. exiting');
    END;
    /

  • Authorization Scheme for Application - Login Page?

    Hi,
    When I set an Authorization Scheme at Application level, HTML DB prevents access to my login page. Is there a way around this?
    Thanks,
    Stephen Baishya

    If you follow the above route you have to run the check on each page view.
    If you leave as per session the first time you run the authorisation check on the login page it returns true and the user will be allowed onto the application!
    I'm looking for an alternative way to run the authZ check after the authN check passes the credentials to validate the user access right to the app. I'll post my findings later ...
    cheers
    Craig

  • Looking for a value in a list stored in a database table field

    Hello,
    I have a field in a database table that contains a comma
    separated list on numbers. In my CFQUERY I am attempting to extract
    records from the database table where a parsed number is present in
    the comma separated list. I have tried the code below, but it is
    throwing an error.
    variables.publicationID is the number that I am looking for
    in the database table field.
    publicationList is the name of the database table field
    containing the comma separated list of numbers.
    where <cfqueryparam value="#variables.publicationID#"
    cfsqltype="cf_sql_integer"> in publicationList
    Can anybody help?
    Many thanks,
    smnbin

    The only way to do it with the data model you currently have
    is as follows:
    WHERE publicationList LIKE '#variables.publicationID#' OR
    publicationList LIKE '#variables.publicationID#,%' OR
    publicationList LIKE '%,#variables.publicationID#,%' OR
    publicationList LIKE '%,#variables.publicationID#'
    You need to check for 4 cases:
    it's the only ID in the list
    it's the first ID in the list
    it's in the middle of the list
    it's the last ID in the list.
    The better solution would be to replace this comma-delimited
    list with a mapping table, where each row in this mapping table
    contains a reference to the main table as well as a single
    publicationID.

  • Restriction for users NOT to viewa particular table/Infotype..

    Hi All,
    We have a requirement where employee's salary details need to be uploaded into the SAP HR database.
    But in our scenario, some of our consultants have Production login and can access SE16 Tcode to view the database table entries.
    Now since we need to upload the salary details into an Infotype, this infotype should not be made accessible to the consultant logins. In the meanwhile, the logins should not be restricted to user SE16 Tcode.
    Hence can we put a restriction, so that these consultants can not view the particular infotype which as salary details?
    They should be given access to browse SE16. But at the same time, they should not be allowed to browse PAXXXXX Infotype which contains SALARY details..
    How to handle this kind of problems????
    Regards
    Pavan

    Hi All,
    I have got a response from another user as follows. But can anyone explain me how exactly move ahead....???
    We have recently dealt with a similar scenario.
    What we have done is we have used the authorization object S_DEVELOP with OBJTYPE TABL(means table access).
    Unfortunately we could not find a way to exclude one or several tables from selection.
    Thus we have given two intervals to OBJNAME field.
    First interval starts from the very first table in the system /1CN/AMFSAPH1FDT (please check your system for this) to the table just before the one we are trying to restrict (P593R).
    Second interval starts from the first table after the restricted one (PABASN) to the last table in the system(ZZXXX) (please check your system for this).
    In the solution above we had restricted access to all PAXXXX tables.
    Regards
    Pavan

  • Performance slows down when moving from stage to test schema within same instance with same database table and objects

    We have created a stage schema and tested application which is working fine when we are moving it to another schema for further testing ( This schema is created using same scripts which were used to create objects in staging schema) the performance of application (Developed in .NET) slows down drastically
    Some of the store procedures we have checked at Database/SQLdeveloper level are giving almost same performance but at Application level there is lot of difference
    Can you please help
    We are using Oracle 11g Database

    Are you using the Database Cloud Service?  You cannot create schemas in the Database Cloud Service, which makes me think you are not.  This forum is only for the Database Cloud Service.
    - Rick Greenwald

  • Text file storing in a database table

    I have a text file, that contains so many lines in it,..
    Now the problem is that.. I want to store my text file with the pl/sql code in a database table....
    plz suggest, how to create a table and how to store that text file in a database table.....

    The following code is tested and get the correct result (forms 10.1.2.0):
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> create table tclob  (col_lob clob);
    Table created.
    Declare
      file  TEXT_IO.FILE_TYPE;
      text  varchar2(10000);
      L$Clob CLOB;
    Begin
      -- prepare CLOB object --
      dbms_lob.createtemporary( L$Clob, TRUE ) ;
      -- open text file --
      file := TEXT_IO.FOPEN( 'c:\forms.css', 'R' ) ;
      If TEXT_IO.IS_OPEN( file) Then
        -- start reading file --
         Begin
           Loop
             TEXT_IO.GET_LINE( file, text );
             -- add the line to the CLOB variable --
                dbms_lob.writeappend (L$Clob, length(text), text);
           End loop;
        Exception
          when no_data_found then
            -- end of text file --
            TEXT_IO.FCLOSE(file);
          when others then
           null;
        End ;
        -- store the CLOB in the database --
        --Update tclob Set col_lob = L$Clob ;
        insert into tclob (col_lob) values (L$Clob);
        forms_ddl('commit');
           dbms_lob.freetemporary( L$Clob ) ;
      End if ;
    exception
         when others then
         message(error_code || '-' || error_text);
    End;
    Francois
