Authorization scheme methods/techniques

Similar Messages

• Page Authorization Scheme OK button not working

  Hi All,
  I have a Page Level Authorization scheme, which makes a PL/SQL Function call to determine whether the logged in user should have access to the Page. This works well and displays an 'Access denied by Page security check' error message, but the OK Hyperlink that is displayed does not work as I would expect as I am not returned to the calling page.
  The pages in question are Popups and when I hover over the OK Hyperlink, the Javascript in the Taskbar shows javascript:window.history.go(-1). Is this the route of my problem, and is there any way around this when using Popup windows?
  Thanks,
  Mike

  Scott,
  Thanks for your response. Yes you have the sequence right: "User clicks on link to popup page from base page and the link is to a forbidden page"
  "The basic question is why would you ever show a link to a forbidden page to the user?"
  The main reason is time, ideally yes we would like to hide links to forbidden pages but it will take time to implement due to complexity of role combinations and number of pages. So for now, we are confident in our method for denying access to forbidden pages.
  The error message that is displayed on the forbidden page is set in the Authorization Scheme, but how do I alter the OK link? Isn't this generated 'behind the scenes'?
  Thanks,
  Mike

• Authorization Scheme -- Best Practices?

  Hi All --
  We have a reporting application containing approximately 300 pages and 60 or so menu items all using authorization schemes (exists SQL method) as a means to determine whether or not a use can see the menu items and/or access the pages. We've been seeing an issue where a user logging into the application experiences poor performance upon login and have traced it to our access checks and the number of "exists" queries run when a user logs in and before our menu is displayed.
  What would be considered best practice in a case such as this? Does anyone have any ideas on how to increase the performance on these authorizaton checks?
  Thanks,
  Leigh Johnson
  Fastenal Company

  Leigh - No, the asktom post Joel referred to is posted above: http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:62048567543425
  We just want to know if this post if from you folks or not.
  About the authorization schemes for each page, I would think that whatever scheme you code to authorize a link to a page, e.g., on a menu, would be the same scheme you'd want to attach to the page itself.
  So the authorization has to take place first at the point you render (or suppress) a link to a page and again at the point the page is requested (the latter being necessary because a user can bypass the menu links and try to access pages directly by entering the page ID in the URL.
  So again, if you have X links on the menu page, each requiring a distinct query for authorization, you'll have to pay the price to do all that authorization once per session because of the design of the menu page. More precisely, the authorization scheme code, e.g., their EXISTS queries, have to be executed once per session per resource access attempted. For performance purposes, the results of these checks are cached for the duration of the session (because you set them up to be evaluated once per session and not on every page view).
  One thing that might help you is region caching (or page caching) for the menu. You'd use the Cache By User option, of course. Then if the same named user logged in and out numerous times during the "cache valid" period, which is adjustable, the user would see the cached menu "instantly". Authorization checks will not have been performed during these page requests however, so you'd want to be sure that it makes sense to present cached versions of these links. However, the corresponding authorization schemes that you'd attach to the pages themselves would be evaluated when the user clicked on a "cached" link, so you'll get the protection you need, ultimately.
  Scott

• Parameters to authorization schemes

  I apologize for the fact that this question is so so so like a number of others..
  I want to build an application that allows for a half a dozen or so different roles and that easily allows roles to be added. An individual page or component may allow access to a subset of these roles. To allow any combination of roles to be specified would seem to require the creation of 64 authorization schemes. A number which doubles for every additional role created.
  I appreciate that in practice I will only need to create authorization schemes for those combinations I actually use but this does nevertheless seem rather cumbersome. An authorization scheme can easily determine the user and the current page but can it determine the component that is being authorized? If it could I might be able to build a drive table and have a single authorization scheme that did a lookup. If only I could just pass an argument to the authorization scheme...
  Any advice welcome

  I took a somewhat different approach. I also needed to provide a menu of applications that a given person could access, and I needed to accomodate a number of existing authorization techniques already in use in my pre-APEX world. Most of these use Oracle Roles, but in some cases more complex, task specific PL/SQL functions.
  I stepped outside of the APEX world and built a table of applications (that tie back into the apex application world), and each of my apex applications call the same authentication function:
  begin
  return apex_registry_maint.validate;
  end;
  Which really looks like:
  function Validate
  return boolean
  is
  app_id number;
  uname varchar2(32);
  app_page_id number;
  begin
  app_page_id := v('APP_PAGE_ID');
  app_id := v('APP_ID');
  if app_page_id = 101 then return true; end if;
  uname := v('APP_USER');
  return check_access(app_id, uname);
  end Validate;
  This essentially lets me call my authorization function with parameters such as the application id and page number, but still live "outside" of the APEX space.
  The full package can be seen at:
  http://www.rpi.edu/campus/rpi/simon/misc/Tables/SIMON_APEX.APEX_REGISTRY_MAINT.html
  (I have 15 years of legacy applications I am moving into APEX, lots of history and inexperience with APEX are driving this approach. I am not claiming it to be a good approach, just one that works for me)

• Multiple Authorization Schemes

  Greetings,
  How would one handle putting more than one authorization scheme on say a button on a page. Can a button/item/region have more than one authorization scheme? If so, how does one do it or does it have to be done through pl/sql?
  Thx
  -- cliff

  Would there be any concern against using this technique?
  Condition Type = PL/SQL Function Returning a Boolean
  Expression 1
  declare
    b_good boolean;
  begin
    if upper(:APP_USER) = 'ADMIN' then
      return false;
    end if;
    b_good := HTMLDB_UTIL.PUBLIC_CHECK_AUTHORIZATION( 'IS_MANAGER' );
    if b_good <> true then
      return false;
    end if;
    return true;
  end;
  I'm wondering if this would be an acceptable coding practice.
  Thanks,
  Michael Cunningham

• Report Link + Authorization Scheme

  I have an authorization scheme that checks whether a certain person has privileges to edit a record on Page 2 by referring to the :P2_ID in the authorization scheme. Page 1 has a report with a report link, but the user can see both items they are able to edit and items they are not. I know I can make the link dynamically in the sql but wanted to see if there was an easy way to use an authorization scheme, but pass the #REPORT_COL# value in the report over to an authorization scheme to show or hide the icon for me so I can get the link out of the sql.

  Great example Scott! However, I'd would caution the other Sc0tt that calling functions in a SQL statement is fine for a small number of rows, but can CRUSH performance for medium to large result sets. Even if the function is fast, you're still context-switching between SQL and PL/SQL for every row. Make sure you test this with the volume of data you expect your users to encounter. If it's a problem, you might force the user to apply some filters before running the query.
  If you're running 11g you can at least minimize the hit of the function with "Function Result Cache". Even if you're not on 11g yet, you can use the following code in 10g and it will switch-on result cache when you compile it in 11g:
  create or replace function auth_user(p_key in number)
       return varchar2
       $IF not dbms_db_version.ver_le_10_2 $THEN
            result_cache
       $END
  as
  begin
      pkg.g_value := p_key;
      if apex_application.public_security_check (p_security_scheme => 'AUTH_USER_COLUMN') then
          return '1';
      else
          return '0';
      end if;
  end;
  / If it is a reasonable result set, Scott's solution is perfect.
  Thanks,
  Tyler

• Display page items based on Authorization Scheme...

  I have a report form that shows all my columns, but I have two columns that I only want "Admin" and "Edit" from my authorization scheme to be able to edit; but I would like for "User" to view.
  Currently I have "authorization" enabled for the two items, and set for "Edit". This works, except the "User" logins cannot view the items.
  I thought of two possibilities, both I think I'd need help on though!:
  1. Create a duplicate page item for these two items. One would show as "Text" only (cannot edit). The other would be "Text Field". The "Text Field" column would only be
  accessible by "Edit" or "Admin".
  The problem, though, is now "Edit" or "Admin" users will see both columns
  2. Set up something in "Conditions" that would show as "text" for "User", and as "Text Field" for "Admin" or "Edit"?
  I would have no clue how to do this...
  Any thoughts?
  Kevin L.

  Kevin
  You can create two items and in the Authorization Scheme you can set one as Users and second as Edit. Also You can do something using small JS. Create a variable P_USR_TYPE to hold the value of User group lets say 1 for Users and 2 for Edit. Then on the HTML header or footer of the region you can add a javascript call
  function UsrCustomization()
       if ( P_USR_TYPE == 1 )
            // mark the item as readonly
            // document.getElementById('P1_FIELD_QUESTION').disabled = true;
            document.getElementById('P1_FIELD_QUESTION').readOnly="readonly"
  UsrCustomization();Thanks,
  Manish

• Error in executing authorization scheme code

  I run my application on APEX.ORACLE.COm and I immediatly get the following error:
  ORA-06550: line 13, column 28: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line 12, column 14: PL/SQL: SQL Statement ignored ORA-06550: line 16, column 19: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 16, column 5: PL/SQL: Statement ignored ORA-06550: line 17, column 15: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 17, column 5: PL/SQL: Statement ignored ORA-06550: line 25, column 28: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line
  Error ERR-1082 Error in executing authorization scheme code.
  Here are the login credentials:
  Workspace: RGWORK
  Application: Online Certification Application Prototype - 21405
  User: TESTER
  Password: test123
  The application s/b public . I am not able to identify the invalid authorization scheme. I checked all the authorization schemes in the Shared Components > Security > Authorization Schemes and can't find the culprit.
  Can someone assist please?
  Thank you,
  Robert
  My Blog: http://apexjscss.blogspot.com

  Your Authorization Scheme "Access control - administrator" has this line of code that uses a table that isn't there (or RGTEST has no access to):
  select id, application_mode
  from apex_adm.apex_access_setup
  This Authorization Scheme is used in the Admin tab.
  If you run the page in debug mode you'll see (amongst a lot of other stuff):
  0.19: Authorization Check: "11204012643155257465" User: "nobody" Component: "tab"
  0.20: Show ERROR page...
  That pointed me to the Tab section...and there it was!

• Using Page Text Item in an Authorization Scheme

  Hello,
  I will be having a text item is every page say, Px_RESP_ID (hidden and its value set in an earlier page), and want to use its value in an authorization scheme to verify if the user has an access to the page.
  I'm using the following SQL in the authorization scheme -
  Apex Version: Apex 3.2
  Scheme Type: Exists SQL Query
  SQL:
  SELECT 1
  FROM zs_users zu
  , zs_responsibilities zr
  , zs_user_resp_groups zur
  WHERE
  zu.user_name = :APP_USER
  AND zr.resp_id = '&P'||:APP_PAGE_ID||'_RESP_ID.'
  AND zu.user_id = zur.user_id
  AND zr.resp_id = zur.resp_id
  For some reason this approach is not working. Any ideas to help me move forward will be greatly appreciated.
  Regards,
  Seshu

  AFAIK an application item, or maybe a page 0 item, is the only way to do this (as those items effectively exist across all pages of an application). Unfortunately since authorization schemes are application-level, you can't really effectively reference page items at runtime since you aren't necessarily on that page.
  The other option is an ugly one. Instead of creating one auth scheme (e.g.: "user_has_whatever_authority"), create one for every page (e.g.: "user_has_whatever_authority_1", "user_has_whatever_authority_2", etc.) and attach each auth scheme to each page by matching up the number in the name with the page. But this is a maintenance nightmare and terrible style IMHO, but it'll work. Your colleagues will hate you for it when you're gone though.

• Authorization scheme for users stored in a database table?

  Hello!
  I'm trying to find out how to make an authorization scheme for database users.
  I first made an authentication scheme for my current application, I named it "Authentication for database accounts", and the scheme type is "Database Accounts".
  A word of explanation:_
  I have a table in my database, named "USERS". Inside this table, I have the following columns:
  - USERID (NUMBER)
  - USERNAME (VARCHAR2(50))
  - PASSWORD (VARCHAR2(50))
  - EMAIL (VARCHAR2(200))
  For this question, I'll take an example user. The username is USER and the password is USER. Email and UserID don't matter here, but let's just say the UserID is 1.
  What I want:_
  When you go to the application, and you are requested to log in (page 101), then I want a user to be able to log in with the data that has been stored in the USERS table.
  So, on the login page, the user will enter USER as username, and USER as password. The authorization scheme then needs to check whether or not this username and password match the data in the USERS table. If it does, then it must sign the user in with the credentials the user entered (those being USER and USER).
  I also want the UserID to be stored somewhere in the application (if possible, in an application item).
  How do I do this? I've never made an authorization scheme before... I'm not too good with PL/SQL either, but I'm working on that part.
  Any help is greatly appreciated.

  I'm trying to find out how to make an authorization scheme for database users. I think there may be some confusion here. An authorization scheme gives the user access to different parts of an Apex Application. Database users are the users that you use to login to the database, for example with sqlplus.
  From the rest of your post it sounds like you need a custom authentication scheme to validate users against a custom table. For this you need to create a custom authentication scheme and select use my custom function to authenticate. Exactly how you set up the authentication scheme depends on the version of Apex you are using. But an example of validate user function you could use is given below:
  function validate_login (
     p_username   in   varchar2
  , p_password   in   varchar2) return boolean
  is
  v_result varchar2(1);
  begin
  select null into v_result
  from USERS
  where userid = p_username
  and password = p_password;
  return true;
  when no_data_found then return false;
  end validate_login;Once the user has successfully logged on the userid will be in the APP_USER apex substitution string.
  And for Application Express Account Credentials, does this mean an admin must make each new user by hand?If you using Apex account credentials the user details are stored within the Apex tables. You can create users using the Apex admin application or by using the APEX_UTIL.create_user api.
  Rod West

• Public and Authenticated App with Authorization Scheme once per session

  I have a question . . .
  Let's say I have an application and at the application level I have an authorization scheme (auth1). If auth1 is set up to evaluate once per session, does it authenticate for the public user, then pass me back to the page and then check then evaluate the auth1 scheme. Or does it evaluate the auth1 scheme, then log in, then return to the page. Is it the same regardless of authentication scheme (e.g. Oracle SSO).
  It may make a big difference. If the authorization sheme is based upon the user (most will be) then setting it to evaluate once per session can be a real problem. If it evaluates before the user logs in, then it won't really work.
  This is an even bigger question when the application does not have a authorization scheme at the application level and allows public pages. If a page that is not public has an authorization scheme set, and the user goes directly to that page, it seems to authenticate the authorization scheme and then logs you in, but does not re-evaluate authorization scheme after you are logged in. Is this accurate? I realize that I could set it up to evaluate for every page view, but I really only need it once after login.
  Is this clear?

  Anton,
  It seems that all authorization schemes that are set to evaluate once per session are evaluated with the beginning establishment of a session.Sort of correct. Authorization schemes don't get evaluated until the component that uses them is considered for rendering or processing. So if the authorization scheme is attached to a page, it won't fire until the page is requested. If another component uses that scheme first, the evaluation will happen then and will not happen again during the session.
  What if I have another page that is not public. If it is the first page I go to, what happens. Obviously, I get redirected to login, then login. Do the authorization schemes get evaluated at this point?Yes, assuming the authorization scheme is used by the page, the scheme is evaluated during the first rendering or processing of the page in the session, after the authentication step.
  Now, what if I have a page that is public, but also has an auth scheme (odd, but could happen). Now what happens, does the auth scheme get evaluated before or after login?During the rendering or processing of the page after the authentication step. For a public page, the authentication step is performed up to the point where it determines that no authentication is required.
  OK, now let's add in Application level auth scheme. I can have public or private pages. If I go to a private page, when does the app level auth scheme kick in? How about for a public page?When an application uses an authorization scheme, it gets evaluated before the authorization scheme (if any) for the page that is being requested, so the public/private property of the page doesn't matter.
  General advice: when an authorization scheme uses :APP_USER, it doesn't work well to have it fire once per session because it'll get run before authentication to the application occurs, which sets APP_USER. You can have such schemes fire once per page view and for PL/SQL function-type schemes, have them give a "pass" when the current page is the login page, that kind of thing.
  In addition, if the overhead of running a scheme is high, one can set an application-level item to indicate that a once-per-page scheme has already run satisfactorily. The PL/SQL-type schemes can access the value of such an item to skip the expensive part of the evaluation and return true immediately.
  Finally, the htmldb_application.reset_security_check API can be called in order to reset the "fired" status of all authorization schemes in the session, allowing them to be re-evaluated if/when they are encountered again in the session.
  Hope this helps,
  Scott

• Authorization Scheme problem using query

  Greetings:
  I have an application with 4 different roles in my application. Depending on the user role, the access to different pages within the application are filtered. We have 4 group types: admin, general, transactional and read_only; each, with descending levels of authorization.
  The application utilizes a two-level tab navigation system in which I hide the tabs that the users are not supposed to see, depending on the level of authorization that they have. I have implemented three authorization schemes for three different types of access depending on the pages within my application. The only page without any auhorization is the login page.
  The three created authorization schemes are as follows.
  My first scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  APP_GROUP_TYPE != 'READ_ONLY'
  This one is supposed to negate access to the READ_ONLY group, but allow access to all other groups.
  My Second scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  and
  APP_GROUP_TYPE != 'transactional')
  The second one, I have added the transactional group as to be explicitly negated access.
  My Third scheme
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  AND
  APP_GROUP_TYPE != 'transactional'
  AND
  APP_GROUP_TYPE != 'general')
  the last one, I have added the general group as to be explicitly negated access.
  I am thinking that, logically, this would work, but the pages do not display properly. I am always getting the failed authorization page, even with my admin user. Is there something wrong with my methodology? Should I be white-listing instead of black-listing in my queries? Thanks for your support.

  I appreciate your help Jeff, you helped me a great deal, but not in the way you may think. In your link, there was a post that offered a solution with a simple query. There was one person that posted a query using (upper) to bring the username to uppercase so it can be properly compared to :APP_USER. Yes, the users were entered as lowercase, the logic was ok. I changed the query logic to a white list as to avoid possible users that may be able to authenticate into the application without a proper group configured.
  Thanks for your support. Maybe this can help someone on the forums out.

• Unexpected problem with authorization scheme of type plsql function

  Hi,
  I have created one authorization scheme of type plsql function returning boolean. Authorization scheme is for pages only. p2_user_priviledge is a textbox on home page which extract privilege (list of pagenos) for login user from database. Home page has no authorization required. AUTHORIZATION SCHEME always returns false. I am not able to trace problem in my code. same code works fine for a textbox's default returning 'c'.
  ----- CODE FOR AUTHORIZATION SCHEME------------------------------------------------------------
  declare
  pageid varchar2(10);
  privilege varchar2(300);
  c number(3);
  begin
  pageid := ':P'||to_char(:app_page_id)||':' ; ---Pageno get stored in format  *:P2:*
  privilege := trim(:p2_user_priviledge); ++------Contain list of privilege like    :P2:P13:P67:P23:  etc+++ select instr(privilege,pageid) into c from dual;
  if c>0 then
  return true;
  else
  return false;
  end if;
  end;
  One more problem is again related to authorization scheme.
  I created one application and one authorization scheme (auth_aug) which worked finely. Then after some days i added 10 more pages to same application, But now autho_aug was always returning false for new pages. So i copied code from 'autho_aug' to new scheme 'autho_sept', & it worked for new pages. I don't understand if code is same for both scheme, why required to use two different schemes.
  Now i have added few more pages to application, and facing problem mentioned earlier.
  any solution for both the problems.....

  Hi,
  Let me clear my problem once again.
  -->Home page i.e. P2 does not use authorization, So it is displayed along with text item :p2_user_privilege.
  -->Then user click on one of the links , Now page :P70: should get displayed.
  P70 is using authorization scheme.
  -->But :p2_user_priviledge value is not accessible at authorization scheme, I dont know why.
  I could not find out where to create Application item , as suggested by you.
  & not able to find Developer menu , session at home page as suggested earlier.
  And one more question, my application at runtime display
  X en us
  at bottom
  How to make it
  USER: X Language: en us
  Like in development environment.
  Hope I have cleared my problem, waiting for reply.
  Edited by: TEJU on Nov 17, 2008 9:25 AM

• Generic Authorization Scheme for items?

  I have created a generic authorization scheme for our application pages, and I would like to extend that to items if possible.
  The page one was easy enough as I could identify the calling page through :APP_PAGE_ID in the authorization scheme. Unfortunately, I do not know of any built in variables that would identify a calling item on a page.
  Is there such a variable or some other way of identifying the item?
  thanks!
  John

  John,
  No, currently you cannot pass any parameters to an Authorization Scheme. I have requested that this be a new feature in a future release of APEX, as it makes all the sense in the world. It would be a lot easier to have 1 scheme that can take a parameter for 100 items vs. 100 schemes, one for each of 100 items.
  In the mean time, you'll have to default to using a condition to determine if an item should be rendered or not. The trick here is that conditions are often used for business rules (such as not showing the SAVE button when you're inserting). Thus, you'll have to account for that when creating your conditions, and thus check both.
  Hope this helps.
  Thanks,
  - Scott -
  http://spendolini.blogspot.com/
  http://sumnertechnologies.com/

• Authorization Scheme - Getting handle on which object is calling the scheme

  Hi
  I'm currently trying to write a custom authorization scheme using a plsql returning boolean. What I'm wondering is whether there is a way to reference the application object (e.g. page, region, page item, button etc) that has triggered the authorization plsql to run.
  What I'm ultimately wanting to do is to create a generic authorization scheme that can be applied to any object, and that auth scheme will look up a database table containing what users can access what object. I can only do this if I know at run-time which object the plsql is currently checking authorization for. (I can get the user from :APP_USER.
  For example I have an authorization scheme "test_scheme". I have applied test_scheme to the button "CREATE" on page 1. This button has a button_id which I can find from APEX_APPLICATION_PAGE_BUTTONS view.
  During page rendering the buttons authorization scheme will be checked (and so the plsql returning boolean will be triggered). When the plsql is triggered I want to reference the fact that the CREATE button on page 1 (or better the button_id) has triggered the plsql, from within the plsql itself.
  I hope this makes sense.
  Many thanks in advance.

  Hi Scott,
  Looks like there are a few others out there encountering the limiatations of authorization schemes.
  Hopefully there will be an enhancement at some point to enable referencing the component id which has triggered the authorization scheme to run.
  Until then I will go down the route of creating an authorization scheme for each component that needs one.
  Many thanks for pointing me to that discussion.
  Jimbo