Authorization Scheme Newbie Question

Hi,
For my Apex app I have custom authorization schemes which will help to show/hide elements throughout the app. There are three schemes in all; admin, pm and user. I'm setting up admin now and I chose expression 1 = to expression 2, which in my case is:
select lec_dash.f_auth_groups(:APP_USER) from dual;
admin
However, I'm not getting any love from this. Do I need to be doing a different type of check in this case or do I need to do a boolean select statement of some kind?
Thanks,
Jon

For your admin schema try this as an Exists SQL:
select lec_dash.f_auth_groups(:APP_USER) from dual
where lec_dash.f_auth_groups(:APP_USER) = 'admin';
For your pm:
select lec_dash.f_auth_groups(:APP_USER) from dual
where lec_dash.f_auth_groups(:APP_USER) ='pm';
For your user:
select lec_dash.f_auth_groups(:APP_USER) from dual
where lec_dash.f_auth_groups(:APP_USER) = 'user';

Similar Messages

  • Authorization scheme for users stored in a database table?

    Hello!
    I'm trying to find out how to make an authorization scheme for database users.
    I first made an authentication scheme for my current application, I named it "Authentication for database accounts", and the scheme type is "Database Accounts".
    A word of explanation:
    I have a table in my database, named "USERS". Inside this table, I have the following columns:
    - USERID (NUMBER)
    - USERNAME (VARCHAR2(50))
    - PASSWORD (VARCHAR2(50))
    - EMAIL (VARCHAR2(200))
    For this question, I'll take an example user. The username is USER and the password is USER. Email and UserID don't matter here, but let's just say the UserID is 1.
    What I want:
    When you go to the application, and you are requested to log in (page 101), then I want a user to be able to log in with the data that has been stored in the USERS table.
    So, on the login page, the user will enter USER as username, and USER as password. The authorization scheme then needs to check whether or not this username and password match the data in the USERS table. If it does, then it must sign the user in with the credentials the user entered (those being USER and USER).
    I also want the UserID to be stored somewhere in the application (if possible, in an application item).
    How do I do this? I've never made an authorization scheme before... I'm not too good with PL/SQL either, but I'm working on that part.
    Any help is greatly appreciated.

    "I'm trying to find out how to make an authorization scheme for database users."
    I think there may be some confusion here. An authorization scheme gives the user access to different parts of an Apex Application. Database users are the users that you use to login to the database, for example with sqlplus.
    From the rest of your post it sounds like you need a custom authentication scheme to validate users against a custom table. For this you need to create a custom authentication scheme and select use my custom function to authenticate. Exactly how you set up the authentication scheme depends on the version of Apex you are using. But an example of validate user function you could use is given below:
    function validate_login (
       p_username   in   varchar2
     , p_password   in   varchar2) return boolean
    is
      v_result varchar2(1);
    begin
      -- Look for a row matching the supplied credentials.
      -- USERNAME is the login-name column of the USERS table in the question
      -- (USERID is the numeric key).
      select null into v_result
      from USERS
      where username = p_username
      and password = p_password;
      return true;
    exception
      -- No matching row: reject the login.
      when no_data_found then return false;
    end validate_login;
    Once the user has successfully logged on the userid will be in the APP_USER apex substitution string.
    "And for Application Express Account Credentials, does this mean an admin must make each new user by hand?"
    If you are using Apex account credentials the user details are stored within the Apex tables. You can create users using the Apex admin application or by using the APEX_UTIL.create_user api.
    Rod West

  • Public and Authenticated App with Authorization Scheme once per session

    I have a question . . .
    Let's say I have an application and at the application level I have an authorization scheme (auth1). If auth1 is set up to evaluate once per session, does it authenticate for the public user, then pass me back to the page and then check then evaluate the auth1 scheme. Or does it evaluate the auth1 scheme, then log in, then return to the page. Is it the same regardless of authentication scheme (e.g. Oracle SSO).
    It may make a big difference. If the authorization scheme is based upon the user (most will be) then setting it to evaluate once per session can be a real problem. If it evaluates before the user logs in, then it won't really work.
    This is an even bigger question when the application does not have an authorization scheme at the application level and allows public pages. If a page that is not public has an authorization scheme set, and the user goes directly to that page, it seems to authenticate the authorization scheme and then logs you in, but does not re-evaluate authorization scheme after you are logged in. Is this accurate? I realize that I could set it up to evaluate for every page view, but I really only need it once after login.
    Is this clear?

    Anton,
    "It seems that all authorization schemes that are set to evaluate once per session are evaluated with the beginning establishment of a session."
    Sort of correct. Authorization schemes don't get evaluated until the component that uses them is considered for rendering or processing. So if the authorization scheme is attached to a page, it won't fire until the page is requested. If another component uses that scheme first, the evaluation will happen then and will not happen again during the session.
    "What if I have another page that is not public. If it is the first page I go to, what happens. Obviously, I get redirected to login, then login. Do the authorization schemes get evaluated at this point?"
    Yes, assuming the authorization scheme is used by the page, the scheme is evaluated during the first rendering or processing of the page in the session, after the authentication step.
    "Now, what if I have a page that is public, but also has an auth scheme (odd, but could happen). Now what happens, does the auth scheme get evaluated before or after login?"
    During the rendering or processing of the page after the authentication step. For a public page, the authentication step is performed up to the point where it determines that no authentication is required.
    "OK, now let's add in Application level auth scheme. I can have public or private pages. If I go to a private page, when does the app level auth scheme kick in? How about for a public page?"
    When an application uses an authorization scheme, it gets evaluated before the authorization scheme (if any) for the page that is being requested, so the public/private property of the page doesn't matter.
    General advice: when an authorization scheme uses :APP_USER, it doesn't work well to have it fire once per session because it'll get run before authentication to the application occurs, which sets APP_USER. You can have such schemes fire once per page view and for PL/SQL function-type schemes, have them give a "pass" when the current page is the login page, that kind of thing.
    In addition, if the overhead of running a scheme is high, one can set an application-level item to indicate that a once-per-page scheme has already run satisfactorily. The PL/SQL-type schemes can access the value of such an item to skip the expensive part of the evaluation and return true immediately.
    Finally, the htmldb_application.reset_security_check API can be called in order to reset the "fired" status of all authorization schemes in the session, allowing them to be re-evaluated if/when they are encountered again in the session.
    Hope this helps,
    Scott
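
The advice in the reply above (evaluate once per page view, pass on the login page, remember a successful check in an application item), written out as an added example that is not part of the original thread. Assumptions: the login page is page 101, an application item with the hypothetical name G_ADMIN_USER exists, and `lec_dash.f_auth_groups` from the first thread on this page stands in for the expensive role lookup.

```sql
-- Added example: body of an authorization scheme of type
-- "PL/SQL Function Returning Boolean", evaluation point "once per page view".
-- Assumptions (not from the thread):
--   * page 101 is the login page
--   * G_ADMIN_USER is an application item (hypothetical name) whose
--     Session State Protection is "Restricted - May not be set from browser",
--     so a URL such as ...:G_ADMIN_USER:SOMEONE cannot plant a cached result
--   * unauthenticated sessions report APP_USER as null or 'nobody'
declare
  c_login_page constant number := 101;
begin
  -- Give the login page a pass: APP_USER is not set until authentication
  -- has completed, so a user-based check cannot succeed there.
  if to_number(:APP_PAGE_ID) = c_login_page then
    return true;
  end if;

  -- Fail closed for anything that is not an authenticated user.
  if :APP_USER is null or lower(:APP_USER) = 'nobody' then
    return false;
  end if;

  -- Cheap path: the expensive check already succeeded in this session
  -- for this same user. Storing the user name rather than a bare flag
  -- ties the cached decision to the identity it was made for.
  if v('G_ADMIN_USER') = :APP_USER then
    return true;
  end if;

  -- Expensive path: ask the role lookup, and cache only a positive answer.
  -- A negative answer is re-evaluated on the next page view.
  if lec_dash.f_auth_groups(:APP_USER) = 'admin' then
    apex_util.set_session_state('G_ADMIN_USER', :APP_USER);
    return true;
  end if;

  return false;
end;
```

A cached positive result lasts until the session ends, so a role revoked mid-session keeps working until the item is cleared; clear G_ADMIN_USER wherever roles are changed if that matters for the application.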

  • Unexpected problem with authorization scheme of type plsql function

    Hi,
    I have created one authorization scheme of type plsql function returning boolean. Authorization scheme is for pages only. p2_user_priviledge is a textbox on home page which extract privilege (list of pagenos) for login user from database. Home page has no authorization required. AUTHORIZATION SCHEME always returns false. I am not able to trace problem in my code. same code works fine for a textbox's default returning 'c'.
    ----- CODE FOR AUTHORIZATION SCHEME------------------------------------------------------------
    declare
    pageid varchar2(10);
    privilege varchar2(300);
    c number(3);
    begin
    pageid := ':P'||to_char(:app_page_id)||':' ; -- Pageno get stored in format :P2:
    privilege := trim(:p2_user_priviledge); -- Contain list of privilege like :P2:P13:P67:P23: etc
    select instr(privilege,pageid) into c from dual;
    if c>0 then
    return true;
    else
    return false;
    end if;
    end;
    One more problem is again related to authorization scheme.
    I created one application and one authorization scheme (auth_aug) which worked fine. Then after some days I added 10 more pages to the same application, but now autho_aug was always returning false for new pages. So I copied code from 'autho_aug' to new scheme 'autho_sept', & it worked for new pages. I don't understand, if the code is the same for both schemes, why it is required to use two different schemes.
    Now I have added a few more pages to the application, and am facing the problem mentioned earlier.
    any solution for both the problems.....

    Hi,
    Let me clear my problem once again.
    -->Home page i.e. P2 does not use authorization, So it is displayed along with text item :p2_user_privilege.
    -->Then user click on one of the links , Now page :P70: should get displayed.
    P70 is using authorization scheme.
    -->But :p2_user_priviledge value is not accessible at authorization scheme, I don't know why.
    I could not find out where to create Application item , as suggested by you.
    & not able to find Developer menu , session at home page as suggested earlier.
    And one more question, my application at runtime display
    X en us
    at bottom
    How to make it
    USER: X Language: en us
    Like in development environment.
    Hope I have cleared my problem, waiting for reply.
    Edited by: TEJU on Nov 17, 2008 9:25 AM

  • Page Authorization Scheme OK button not working

    Hi All,
    I have a Page Level Authorization scheme, which makes a PL/SQL Function call to determine whether the logged in user should have access to the Page. This works well and displays an 'Access denied by Page security check' error message, but the OK Hyperlink that is displayed does not work as I would expect as I am not returned to the calling page.
    The pages in question are Popups and when I hover over the OK Hyperlink, the Javascript in the Taskbar shows javascript:window.history.go(-1). Is this the root of my problem, and is there any way around this when using Popup windows?
    Thanks,
    Mike

    Scott,
    Thanks for your response. Yes you have the sequence right: "User clicks on link to popup page from base page and the link is to a forbidden page"
    "The basic question is why would you ever show a link to a forbidden page to the user?"
    The main reason is time, ideally yes we would like to hide links to forbidden pages but it will take time to implement due to complexity of role combinations and number of pages. So for now, we are confident in our method for denying access to forbidden pages.
    The error message that is displayed on the forbidden page is set in the Authorization Scheme, but how do I alter the OK link? Isn't this generated 'behind the scenes'?
    Thanks,
    Mike

  • Authorization Scheme based on a group in LDAP?

    Hi,
    I would like to write an Authorization Scheme that checks whether a user (authenticated via a Authentication scheme based on LDAP) is a member of a specific group in LDAP, for access control.
    I can't seem to find documentation or an example of this. Would appreciate any tips or links to docs and examples....
    Thanks!

    I came across this nice example from the docs for the authorization scheme using the "IS_MEMBER Function".
    http://download.oracle.com/docs/cd/E17556_01/doc/apirefs.40/e15519/apex_ldap.htm#CDEJAAEI
    Very straightforward....
    However, my question now is, how would I tie this in to my authentication scheme?
    One Page Secured by > Authorization scheme (APEX_LDAP.IS_MEMBER) > From a user authenticated by my Authentication Scheme From LDAP directory?
    How would I tie these two schemes together?
    Thanks in advance for any help offered....

  • Best Approach to create Security / Authorization Schema for an APEX Apps

    Hi,
    I am planning to create a Security / Authorization Schema for an APEX Application.
    Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEX Applications too..
    I am looking for following features...
    1. users LOGIN and then user's name is stored in APEX_USER...
    2. Based on the user, I want to restrict the Application on following levels.
    - TABS
    - TABS - Page1 (Report)
    - Page2 (Form)
    - Page2 (Region1)
    - Page2 (Region1, Button1)
    - Page2 (Region1, Items,....)
    AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
    I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
    My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
    Also what should be the FRONT end, we should have to enter these detail...
    SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
    Thanks,
    Deepak

    Hi Raghu,
    thanks for the detail info.
    so that means..I should have 2 table...
    master table (2 columns - username, password)
       username    password
       user1       xxxx
       user2       xxxx
    2nd table (2 columns - username, chq_disp_option)
    - In this table, we don't have Y/N Flag you mentioned..
    - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally displayed.
    - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
    - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
       username    chq_disp_option
       user1       re_region1
       user1       re_region2
       user1       tb_main
       user1       Page1
       user1       Page5
       ----        ----
    - how you are defining unique name for Regions..i mean in static ID or the Title
    - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
    Thanks,
    Deepak

  • Authorization scheme for display/read only conditions on item level

    Hi All,
    I have a question. I want to use an authorization scheme to manage if users with a certain role have the permission to either update an item or have the permission to only see the item or that they don't have permission to see it at all.
    So, the input for the scheme would be: 1. user role 2. the current page 3. the current item.
    The output would be: 0 (update) 1 (read only) 2 (not displayed).
    I think I can manage that.
    And I can attach this schema to the items.
    So far so good.
    But how can I make it so that the 0,1 and the 2 will actually do what they need to do?
    I have been thinking about making a function like GET_AUTHORISATON(ROLE,PAGE,ITEM) output: 0,1,2 but I still can't figure out how to connect this with the functionality I want to achieve.
    Can somebody give me a hint?
    Andre

    Thanks Hari,
    Thanks, it works, almost, but what if items are mandatory on a page, but not always mandatory?
    If a user has a certain role, some fields are mandatory, otherwise not.
    Again, a function would do the trick as far as the input and output information
    something like IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) but how can I make it work?
    I guess a PL/SQL validation like:
    IF IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) THEN ITEM IS NOT NULL
    END IF;
    Andre
    PS: personally I think item level security is not something you wish to implement in your system. I prefer different screens for different roles.
    Far more straightforward. Easy for maintenance. When something dysfunctions, it's far more easy to pinpoint the location of the cause.

  • Logout fails Authorization Scheme

    I'm using the following logout url on the authentication scheme:
    wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=140:12
    On page 12 the authorization scheme is - No Page Authorization Required - and the Authentication is 'Page is Public'.
    Page 12 fails on authentication. I get Access denied by Application security check and the error message for the authentication scheme.
    I know it's happening because the authentication scheme is using a query to verify the user exists in a table:
    Exists SQL Query
    select 1
    from Personnel
    where upper(USERid) = :APP_USER
    :APP_USER is now empty because they logged out.
    My question is how can I get the application to skip the authentication scheme? I thought when I picked, 'no page authorization required' and 'page is public' the application no longer checks the authentication and authorization.
    Thanks, Elizabeth

    Sorry about that. I tried to write it from memory.
    I'm using the following logout url on the Authentication Scheme:
    wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=140:12
    On page 12 the Authorization Scheme is - No Page Authorization Required - and the Authentication is 'Page is Public'.
    Page 12 fails on authorization. I get Access denied by Application security check and the error message for the Authorization Scheme.
    I know it's happening because the Authorization Scheme is using a query to verify the user exists in a table:
    Exists SQL Query
    select 1
    from Personnel
    where upper(USERid) = :APP_USER
    :APP_USER is now empty because they logged out.
    My question is how can I get the application to skip the Authorization Scheme? I thought when I picked, 'no page authorization required' and 'page is public' the application no longer checks the authentication and authorization.
    Thanks, Elizabeth

  • Customise Authorization Scheme web page

    Hi
    APEX - 4.1
    Oracle - 11gr2
    I have added an Authorization Scheme to my application whereby a check is performed to determine whether or not a user is allowed to access a webpage. If a user tries to access a restricted webpage a new webpage is displayed with
    'Access denied by Application security check' and a red exclamation
    My question is how can I customise this webpage as it differs from my application template (The log out disappears at the top and the topbar moves about between the restriction error webpage and the page it returns back to)?
    Is this possible?
    Thanks
    Rob

    Hi
    Thanks for the help. I located the 'Error Page Template Control' section.
    I am not looking to customise that section, but what I have noticed in firebug is that when I switch to this error page the BODY of the HTML document changes.
    So on an ordinary page you would normally have
      <div id="navbar">
        <div class="app-user">#WELCOME_USER#</div>
        <div class="app-user">Client: Internal</div> -- This is customised by me
        #NAVIGATION_BAR#
        #REGION_POSITION_08#
      </div>
    whereas on this error page you will have
      <div id="navbar">
        <div class="app-user">#WELCOME_USER#</div>
        <div class="app-user">Client: Internal</div> -- This is customised by me
      </div>
    Also the topbar seems to change from
       <div id="topbar">#REGION_POSITION_01##REGION_POSITION_04#</div>
    to
       <div id="topbar"></div>
    Is this normal? It is these adjustments I want to fix as navbar has the logout link which disappears and the topbar has my menu which messes with the page format on the error page
    Cheers
    Rob

  • Authorization Scheme vs. "Authorization Scheme"

    Hi,
    I've just completed building four Authorization Schemes for my app; is_admin, is_pm, is_user, is_read mapping to my concept of roles for admin, pm, user and read-only. Pretty self-explanatory and I set them up across my app so they could perform their various duties. For example, I have a page that all four roles can view, but each role sees a subset of the entire page. Most of what gets hidden as you go down the line of authorization are buttons to add/edit/delete content and some small regions of specialized content.
    Each scheme calls a function which in turn makes a query to get the appropriate result. So for my main page there are 24 checks to see if the current user has the rights to view certain things. 24? Wow!
    So I started thinking (and searching this blog) to find a better way to do that. I didn't really come up with a "better way" but I did have an idea that I'm sure isn't new. I create four session variables and set their values ahead of time using the Authorization Scheme code and I'm good to go! Right?
    So, some questions:
    1. Do I create these variables as Items on a page 0?
    2. Are these region level items or page level items?
    3. Is my original way of using the Authorization Schemes the right way to do what I'm doing?
    Thanks in advance for any advice here!
    Cheers,
    Jon

    Jon,
    I assume you have a 'employee' table which has columns
    username varchar2(50);
    emp_role varchar2(1);
    Take emp_role as say,'A' for admin,'M' for pm,'U' for user etc...So each user will have a role associated to him.
    So you can define the authorization schemes in the application's shared components as
    AUTH_PM -> scheme type: Exists SQL query -> Evaluation point -> once per page view
    select 1 from employee where username = lower(:app_user) and emp_role ='M'
    AUTH_ADMIN -> scheme type: Exists SQL query -> Evaluation point -> once per page view
    select 1 from employee where username = lower(:app_user) and emp_role ='A'
    AUTH_AD_PM -> scheme type: Exists SQL query -> Evaluation point -> once per page view
    select 1 from employee where username = lower(:app_user) and emp_role in ('A','M')
    ......etc for all the combinations you are looking for.
    Now,AUTH_PM on "delete" button will allow only the users with pm roles only to view the delete button.
    Similarly,AUTH_AD_PM on a region will make the region visible to the users with pm and admin roles only.
    Thanks,
    Anandi

  • APEX - Authorization Scheme

    Hi
    I have an app developed in APEX.... I'm getting a problem because of the Authorization Scheme. I created a view in Oracle that shows if a certain user may run the app, however I can't get this working in APEX.
    I'm using an Authorization Scheme based on PL/SQL Function returning boolean... but I'm lost doing that. I made a function in Oracle and it works fine.... and I can also set the result of that function to a variable, but I can't return any value... and I tried to make the whole function on the APEX side... but it's not permitted... so...
    what can I do for the function to return a value!
    PS - sorry for the bad English.... I'm a newbie in PL/SQL, and I'm using the code:
    declare
    n number;
    begin
    n:=usr_system.f_teste('jose.lopes');
    end;
    I also tried to return n...but gives error
    thanks

    José,
    The function must return true or false (boolean). So if your f_teste function returns 1 for true and 0 for false, just do something like:
    declare
      n number;
    begin
      n:=usr_system.f_teste('jose.lopes');
      if n = 1 then
        return true;
      else
        return false;
      end if;
    end;
    Scott

  • Authorization scheme problem

    Hi all,
    I have implemented ACL authorization (Restricted only), and have just created a new ACL scheme in my app is the name of "Registration" same copy of EDIT scheme, I have set following users with these roles:
    USERS with roles
    =============
    1. Admin with Administrator.
    2. Guest with Registration.
    3. Frank with Edit.
    I have create a Navigation List entries (for redirection) on my home page with following entries with restricted roles:
    Navigation List :
    ============
    Administration (for Administrator only ) assigned 'ADMIN' role
    New Registration (for 1 time user registration) assigned 'REGISTRATION' role
    Student Schedule (for existing users) assigned 'EDIT' role
    Student Semester Result (for existing users) assigned 'EDIT' role
    Student Attendance (for existing users) assigned 'EDIT' role
    Problem:
    ========
    When I set REGIS role to guest user , all entries of navigation list ( i mentioned above) except Administration Entry are shown on this page.
    I want to restrict guest user, who can only see Registration Link only. How can I do this ??
    help me out
    waiting for your prompt reply
    regards n thanks
    qamar

    Thanks for your reply scott, at least someone is there to understand it :).
    Well ok just forget everything and focus on it, I am using apex version Apex 3.0.1 with Oracle 9.2.0.1.0, my question is simple as i had stated above long time ago, I have added a new scheme/role 'REGIS' as same as EDIT role and changed EDIT to REGIS on that scheme/role, through this I just want to access only guest user to log in temporarily and create its account in our application and log out, and when he registered in our application, a role EDIT will assigned him automatically and he will be able connect our portal with EDIT role now.
    I had created a simple HTML page and created a Navigation List on it.
    there are 5 list entries on this page .
    1. Administration
    2. New User Registration.
    3. Student schedule.
    4. Student results
    5. Student attendance.
    -Administration
    (assigned ADMIN , so only administrator can see this link and all the entries)
    -New User Registration
    (only guest user with REGIS role can see this link)
    -3,4,5
    (only registered users with EDIT role can see these links)
    I have set these authorization in every list entry with authorization schemes mentioned above.
    Q. But the problem in this situation is that when I assign REGIS scheme to my 2 list entry, all other entries (3,4,5) including 2nd entry are also visible to guest user who has REGIS scheme assigned.
    I hope now you can understand clearly what I am trying to say and understand it.
    Hoping for your prompt reply.
    regards
    qamarsyed

  • Authorization Scheme using the APEX Authentication Scheme

    How would you build an authentication scheme that is using the APEX Authorization scheme. All users are belonging to a group which could be Oracle, External or Developer and I'd like to hide certain pages from the External users.
    I am not sure if I can grab the group name from some V('..') function and make something work?
    Cheers,
    Andy

    I'll give it a try again, sorry for not being able to describe the problem better!
    I am using the APEX built in authorization and authentication to make my life simple with regards to user mgmt. So all the users are managed using the Home>Administration>Manage Application Express Users. Every user belongs to an APEX group (Home>Administration>Manage Application Express Users>User Groups). For example:
    User A belongs to Group External
    User B belongs to Group Oracle
    User C belongs to Group Admin
    Now, there are certain pages in my application that I want to restrict from the Group External (but the Group Admin and Group Oracle can see them).
    So my question is really how would I build such an Authorization Scheme to accomplish this? Not sure about which APEX API functions I should use to get this data and how to build the function.
    I hope this makes more sense?
    Andy

  • What are the tables & Views related to  Authorization Schemes

    Hi,
    I want to export all the Authorization Schemes into csv or excel.
    Thanks,
    Raj

    Hi Scott,
    thanks for the quick response.
    So my question is then...
    I want to create a APEX Report which will give me the following information.
    1. Application and all the Pages associated with it, which I am getting from apex_applications and
    apex_application_pages. This is OK
    2. List of all the Database Objects (Table/View) which the individual page is using, I mean relation between Page ID and database object. HOW to get that???.....(I want for each individual page, the list all the database objects (tables/views), which that page is using)
    Thanks,
    Deepak
