Authorization scheme problem

Similar Messages

• Authorization Scheme problem using query

  Greetings:
  I have an application with 4 different roles in my application. Depending on the user role, the access to different pages within the application are filtered. We have 4 group types: admin, general, transactional and read_only; each, with descending levels of authorization.
  The application utilizes a two-level tab navigation system in which I hide the tabs that the users are not supposed to see, depending on the level of authorization that they have. I have implemented three authorization schemes for three different types of access depending on the pages within my application. The only page without any auhorization is the login page.
  The three created authorization schemes are as follows.
  My first scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  APP_GROUP_TYPE != 'READ_ONLY'
  This one is supposed to negate access to the READ_ONLY group, but allow access to all other groups.
  My Second scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  and
  APP_GROUP_TYPE != 'transactional')
  The second one, I have added the transactional group as to be explicitly negated access.
  My Third scheme
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  AND
  APP_GROUP_TYPE != 'transactional'
  AND
  APP_GROUP_TYPE != 'general')
  the last one, I have added the general group as to be explicitly negated access.
  I am thinking that, logically, this would work, but the pages do not display properly. I am always getting the failed authorization page, even with my admin user. Is there something wrong with my methodology? Should I be white-listing instead of black-listing in my queries? Thanks for your support.

  I appreciate your help Jeff, you helped me a great deal, but not in the way you may think. In your link, there was a post that offered a solution with a simple query. There was one person that posted a query using (upper) to bring the username to uppercase so it can be properly compared to :APP_USER. Yes, the users were entered as lowercase, the logic was ok. I changed the query logic to a white list as to avoid possible users that may be able to authenticate into the application without a proper group configured.
  Thanks for your support. Maybe this can help someone on the forums out.

• Unexpected problem with authorization scheme of type plsql function

  Hi,
  I have created one authorization scheme of type plsql function returning boolean. Authorization scheme is for pages only. p2_user_priviledge is a textbox on home page which extract privilege (list of pagenos) for login user from database. Home page has no authorization required. AUTHORIZATION SCHEME always returns false. I am not able to trace problem in my code. same code works fine for a textbox's default returning 'c'.
  ----- CODE FOR AUTHORIZATION SCHEME------------------------------------------------------------
  declare
  pageid varchar2(10);
  privilege varchar2(300);
  c number(3);
  begin
  pageid := ':P'||to_char(:app_page_id)||':' ; ---Pageno get stored in format  *:P2:*
  privilege := trim(:p2_user_priviledge); ++------Contain list of privilege like    :P2:P13:P67:P23:  etc+++ select instr(privilege,pageid) into c from dual;
  if c>0 then
  return true;
  else
  return false;
  end if;
  end;
  One more problem is again related to authorization scheme.
  I created one application and one authorization scheme (auth_aug) which worked finely. Then after some days i added 10 more pages to same application, But now autho_aug was always returning false for new pages. So i copied code from 'autho_aug' to new scheme 'autho_sept', & it worked for new pages. I don't understand if code is same for both scheme, why required to use two different schemes.
  Now i have added few more pages to application, and facing problem mentioned earlier.
  any solution for both the problems.....

  Hi,
  Let me clear my problem once again.
  -->Home page i.e. P2 does not use authorization, So it is displayed along with text item :p2_user_privilege.
  -->Then user click on one of the links , Now page :P70: should get displayed.
  P70 is using authorization scheme.
  -->But :p2_user_priviledge value is not accessible at authorization scheme, I dont know why.
  I could not find out where to create Application item , as suggested by you.
  & not able to find Developer menu , session at home page as suggested earlier.
  And one more question, my application at runtime display
  X en us
  at bottom
  How to make it
  USER: X Language: en us
  Like in development environment.
  Hope I have cleared my problem, waiting for reply.
  Edited by: TEJU on Nov 17, 2008 9:25 AM

• Problem calling a packaged function from an authorization scheme

  I wrote a package and body called pkg_auth with a function returning a boolean called is_authorized with 2 parameters (username and functional area).
  i.e.
  CREATE OR REPLACE PACKAGE pkg_auth
  AS
  FUNCTION is_authorized(p_username VARCHAR2, p_functional_area VARCHAR2) RETURN BOOLEAN;
  END;
  additionally i created a public synonym for it and granted execute access on it to apex_public_user and htmldb_public_user;
  i then created an authorization scheme called 'access_control_db' defined as Scheme Type 'PLSQL Function Returning Boolean' and placed the following:
  pkg_auth.is_authorized(v('APP_USER'),'DATABASE')
  in the Expression 1 field.
  and the following:
  Not permitted to edit database information.
  in the error field.
  However when I apply this authorization scheme to a buton I receive the following error when I go to the page containing that button:
  ORA-06550: line 1, column 44: PLS-00221: 'IS_AUTHORIZED' is not a procedure or is undefined ORA-06550: line 1, column 44: PL/SQL: Statement ignored
       Error      ERR-1082 Error in executing authorization scheme code.
  Any help would be most appreciated.

  Hello,
  Does putting 'return' infront -
  return pkg_auth.is_authorized(v('APP_USER'),'DATABASE')fix your problem?
  John.
  Blog: http://jes.blogs.shellprompt.net
  Work: http://www.apex-evangelists.com
  Author of Pro Application Express: http://tinyurl.com/3gu7cd
  REWARDS: Please remember to mark helpful or correct posts on the forum, not just for my answers but for everyone!

• Problem with branch authorization scheme

  Hello,
  I am trying to use 2 non-conditional branches (onsubmit after processing) with different authorization schemes (the first one should be executed for USER, the second - for ADMIN). But it doesn't work - the branch with smaller sequence number is executed in spite of the fact that user has no right because of authorization scheme of this branch (the second one should be executed for this user).
  Why do this happens?
  Regards,
  Nikolay

  We use our own installation of HTML DB, so it is not on the Oracle site.
  The first branch (which is executed in spite of authorization) sets page-item using value of item which is not accessible for this user (using the same authorization scheme as branch). Therefore this value equels null (we don't setup this item for this user) instead of using another branch with another value.
  Thanks.
  Nikolay

• Report Link + Authorization Scheme

  I have an authorization scheme that checks whether a certain person has privileges to edit a record on Page 2 by referring to the :P2_ID in the authorization scheme. Page 1 has a report with a report link, but the user can see both items they are able to edit and items they are not. I know I can make the link dynamically in the sql but wanted to see if there was an easy way to use an authorization scheme, but pass the #REPORT_COL# value in the report over to an authorization scheme to show or hide the icon for me so I can get the link out of the sql.

  Great example Scott! However, I'd would caution the other Sc0tt that calling functions in a SQL statement is fine for a small number of rows, but can CRUSH performance for medium to large result sets. Even if the function is fast, you're still context-switching between SQL and PL/SQL for every row. Make sure you test this with the volume of data you expect your users to encounter. If it's a problem, you might force the user to apply some filters before running the query.
  If you're running 11g you can at least minimize the hit of the function with "Function Result Cache". Even if you're not on 11g yet, you can use the following code in 10g and it will switch-on result cache when you compile it in 11g:
  create or replace function auth_user(p_key in number)
       return varchar2
       $IF not dbms_db_version.ver_le_10_2 $THEN
            result_cache
       $END
  as
  begin
      pkg.g_value := p_key;
      if apex_application.public_security_check (p_security_scheme => 'AUTH_USER_COLUMN') then
          return '1';
      else
          return '0';
      end if;
  end;
  / If it is a reasonable result set, Scott's solution is perfect.
  Thanks,
  Tyler

• Display page items based on Authorization Scheme...

  I have a report form that shows all my columns, but I have two columns that I only want "Admin" and "Edit" from my authorization scheme to be able to edit; but I would like for "User" to view.
  Currently I have "authorization" enabled for the two items, and set for "Edit". This works, except the "User" logins cannot view the items.
  I thought of two possibilities, both I think I'd need help on though!:
  1. Create a duplicate page item for these two items. One would show as "Text" only (cannot edit). The other would be "Text Field". The "Text Field" column would only be
  accessible by "Edit" or "Admin".
  The problem, though, is now "Edit" or "Admin" users will see both columns
  2. Set up something in "Conditions" that would show as "text" for "User", and as "Text Field" for "Admin" or "Edit"?
  I would have no clue how to do this...
  Any thoughts?
  Kevin L.

  Kevin
  You can create two items and in the Authorization Scheme you can set one as Users and second as Edit. Also You can do something using small JS. Create a variable P_USR_TYPE to hold the value of User group lets say 1 for Users and 2 for Edit. Then on the HTML header or footer of the region you can add a javascript call
  function UsrCustomization()
       if ( P_USR_TYPE == 1 )
            // mark the item as readonly
            // document.getElementById('P1_FIELD_QUESTION').disabled = true;
            document.getElementById('P1_FIELD_QUESTION').readOnly="readonly"
  UsrCustomization();Thanks,
  Manish

• Public and Authenticated App with Authorization Scheme once per session

  I have a question . . .
  Let's say I have an application and at the application level I have an authorization scheme (auth1). If auth1 is set up to evaluate once per session, does it authenticate for the public user, then pass me back to the page and then check then evaluate the auth1 scheme. Or does it evaluate the auth1 scheme, then log in, then return to the page. Is it the same regardless of authentication scheme (e.g. Oracle SSO).
  It may make a big difference. If the authorization sheme is based upon the user (most will be) then setting it to evaluate once per session can be a real problem. If it evaluates before the user logs in, then it won't really work.
  This is an even bigger question when the application does not have a authorization scheme at the application level and allows public pages. If a page that is not public has an authorization scheme set, and the user goes directly to that page, it seems to authenticate the authorization scheme and then logs you in, but does not re-evaluate authorization scheme after you are logged in. Is this accurate? I realize that I could set it up to evaluate for every page view, but I really only need it once after login.
  Is this clear?

  Anton,
  It seems that all authorization schemes that are set to evaluate once per session are evaluated with the beginning establishment of a session.Sort of correct. Authorization schemes don't get evaluated until the component that uses them is considered for rendering or processing. So if the authorization scheme is attached to a page, it won't fire until the page is requested. If another component uses that scheme first, the evaluation will happen then and will not happen again during the session.
  What if I have another page that is not public. If it is the first page I go to, what happens. Obviously, I get redirected to login, then login. Do the authorization schemes get evaluated at this point?Yes, assuming the authorization scheme is used by the page, the scheme is evaluated during the first rendering or processing of the page in the session, after the authentication step.
  Now, what if I have a page that is public, but also has an auth scheme (odd, but could happen). Now what happens, does the auth scheme get evaluated before or after login?During the rendering or processing of the page after the authentication step. For a public page, the authentication step is performed up to the point where it determines that no authentication is required.
  OK, now let's add in Application level auth scheme. I can have public or private pages. If I go to a private page, when does the app level auth scheme kick in? How about for a public page?When an application uses an authorization scheme, it gets evaluated before the authorization scheme (if any) for the page that is being requested, so the public/private property of the page doesn't matter.
  General advice: when an authorization scheme uses :APP_USER, it doesn't work well to have it fire once per session because it'll get run before authentication to the application occurs, which sets APP_USER. You can have such schemes fire once per page view and for PL/SQL function-type schemes, have them give a "pass" when the current page is the login page, that kind of thing.
  In addition, if the overhead of running a scheme is high, one can set an application-level item to indicate that a once-per-page scheme has already run satisfactorily. The PL/SQL-type schemes can access the value of such an item to skip the expensive part of the evaluation and return true immediately.
  Finally, the htmldb_application.reset_security_check API can be called in order to reset the "fired" status of all authorization schemes in the session, allowing them to be re-evaluated if/when they are encountered again in the session.
  Hope this helps,
  Scott

• Page Authorization Scheme OK button not working

  Hi All,
  I have a Page Level Authorization scheme, which makes a PL/SQL Function call to determine whether the logged in user should have access to the Page. This works well and displays an 'Access denied by Page security check' error message, but the OK Hyperlink that is displayed does not work as I would expect as I am not returned to the calling page.
  The pages in question are Popups and when I hover over the OK Hyperlink, the Javascript in the Taskbar shows javascript:window.history.go(-1). Is this the route of my problem, and is there any way around this when using Popup windows?
  Thanks,
  Mike

  Scott,
  Thanks for your response. Yes you have the sequence right: "User clicks on link to popup page from base page and the link is to a forbidden page"
  "The basic question is why would you ever show a link to a forbidden page to the user?"
  The main reason is time, ideally yes we would like to hide links to forbidden pages but it will take time to implement due to complexity of role combinations and number of pages. So for now, we are confident in our method for denying access to forbidden pages.
  The error message that is displayed on the forbidden page is set in the Authorization Scheme, but how do I alter the OK link? Isn't this generated 'behind the scenes'?
  Thanks,
  Mike

• ERR-1082 Error in executing authorization scheme code.

  Hi All,
  i have a different problem in apex....
  I am using below function to authenticate the apex users after SSO login. I have created authentication schemes for admin and users separately depending on that users will have access to the specific tabs.
  Now users are facing below error
  ORA-01403: no data found Error ERR-1082 Error in executing authorization scheme code.
  while they log in or submit the page. And the weired thing is randomly they are getting this error. 2 or 3 times in a week. and when i compile the authentication function that error will be resolved.
  this is function structure. Inside the function validation code is written.
  function F_auth_user( muser_name in varchar2, mauth_level in number, mgroup_name in varchar2) return boolean
  Some of the details: application users : 200 application size : 30MB
  May i know that how can i prevent this occurrence of error.

  Yes that is authorization schemes .
  Evidence is user can be able to login properly after compiling the function. otherwise the same error happening while navigating through out the applications.
  Function code:
  create or replace function F_auth_user(
  muser_name in varchar2,
  mauth_level in number,
  mgroup_name in varchar2) return boolean is
  ct number;
  muser_id number;
  begin
  select id into muser_id from t_employees where upper(email)=upper(muser_name);
  if muser_id is null or mauth_level is null or mgroup_name is null then
  return false;
  end if;
  if upper(mgroup_name) = 'ANY' then
  select count(*) into ct from t_employees emp, t_positions pos,
  t_employee_groups eg
  where emp.position = pos.id and
  pos.MgtLevel >= mauth_level and
  emp.position = pos.id and
  emp.id = muser_id;
  elsif upper(mgroup_name) = 'USER' then
  select count(*) into ct from t_employees emp, t_positions pos,
  t_employee_groups eg
  where emp.position = pos.id and
  pos.MgtLevel >= mauth_level and pos.MgtLevel!=6 and pos.MgtLevel!=4 and
  emp.position = pos.id and
  emp.id = muser_id ;
  elsif upper(mgroup_name) = 'ADMIN' then
  select count(*) into ct from t_employees emp, t_positions pos,
  t_employee_groups eg
  where emp.position = pos.id and
  pos.MgtLevel >= mauth_level and pos.MgtLevel!=6 and
  emp.position = pos.id and
  emp.id = muser_id ;
  else
  select count(*) into ct from T_employees emp, T_positions pos,
  t_emp_group_mapping egm, t_employee_groups eg
  where emp.position = pos.id and
  emp.id = egm.employee_id and
  pos.MgtLevel >= mauth_level and
  emp.position = pos.id and
  emp.id = muser_id and
  egm.group_id = eg.id and
  trim(eg.group_name) = mgroup_name;
  end if;
  if ct > 0 then
  return true;
  end if;
  return false;

• Create Authorization Scheme for LDAP Groups

  I have installed APEX 4.0 in my staging environment and got the LDAPS to finally work. I can now login to the application with my LAN user name and password. The only problem is so can everyone else on the LAN. So I wanted to create an authorization scheme that would only allow a certain group or groups of LDAP users into the application rather than everyone.
  I am at the Create Authorization Scheme page and am kind of stuck. Has anyone done this before and can share some SQL or knowledge?

  hi larosejh
  If you want to do that you must write your own procedures using the dbms_ldap package. I found some code a while back that searches the LDAP. Maybe you can use this to create a function for your authentication.
  DECLARE
  retval PLS_INTEGER;
  my_session DBMS_LDAP.session;
  my_attrs DBMS_LDAP.string_collection;
  my_message DBMS_LDAP.message;
  my_entry DBMS_LDAP.message;
  entry_index PLS_INTEGER;
  my_dn VARCHAR2(256);
  my_attr_name VARCHAR2(256);
  my_ber_elmt DBMS_LDAP.ber_element;
  attr_index PLS_INTEGER;
  i PLS_INTEGER;
  my_vals      DBMS_LDAP.STRING_COLLECTION ;
  ldap_host VARCHAR2(256);
  ldap_port VARCHAR2(256);
  ldap_user VARCHAR2(256);
  ldap_passwd VARCHAR2(256);
  ldap_base VARCHAR2(256);
  BEGIN
  retval := -1;
  -- Please customize the following variables as needed
  ldap_host := 'host';
  ldap_port := '389';
  -- In case of update/insert/delete need change ldap_user to other.
       -- ldap_user := 'cn=orcladmin';
       -- ldap_passwd:= 'welcome';
  -- set User and password to NULL for anonymous user.
  ldap_user := 'user';
  ldap_passwd:= 'password';
  ldap_base := 'CN=Users,DC=ee,DC=intern';
  -- end of customizable settings
  -- Start output Header--
  DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
  DBMS_OUTPUT.PUT('> DBMS_LDAP Search Example ');
  DBMS_OUTPUT.PUT_LINE('');
  DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Host ',25,' ') || ': ' || ldap_host);
  DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Port ',25,' ') || ': ' || ldap_port);
  -- Choosing exceptions to be raised by DBMS_LDAP library.
  DBMS_LDAP.USE_EXCEPTION := TRUE;
  my_session := DBMS_LDAP.init(ldap_host,ldap_port);
  DBMS_OUTPUT.PUT_LINE (RPAD('> Ldap session ',25,' ') || ': ' ||
  RAWTOHEX(SUBSTR(my_session,1,8)) ||
  '(returned from init)');
  -- bind to the directory
  retval := DBMS_LDAP.simple_bind_s(my_session,
  ldap_user, ldap_passwd);
  DBMS_OUTPUT.PUT_LINE(RPAD('> simple_bind_s Returns ',25,' ') || ': '
  || TO_CHAR(retval));
  -- issue the search
  my_attrs(1) := 'dn'; -- retrieve all attributes
  retval := DBMS_LDAP.search_s(my_session, ldap_base,
  DBMS_LDAP.SCOPE_SUBTREE,
  'objectclass=*',
  my_attrs,
  0,
  my_message);
  DBMS_OUTPUT.PUT_LINE(RPAD('> search_s Returns ',25,' ') || ': '
  || TO_CHAR(retval));
  DBMS_OUTPUT.PUT_LINE (RPAD('> LDAP message ',25,' ') || ': ' ||
  RAWTOHEX(SUBSTR(my_message,1,8)) ||
  '(returned from search_s)');
  -- count the number of entries returned
  retval := DBMS_LDAP.count_entries(my_session, my_message);
  DBMS_OUTPUT.PUT_LINE(RPAD('> Number of Entries ',25,' ') || ': '
  || TO_CHAR(retval));
  DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
  -- End output Heading --
  -- get the first entry
  my_entry := DBMS_LDAP.first_entry(my_session, my_message);
  entry_index := 1;
  -- Loop through each of the entries one by one
  while my_entry IS NOT NULL loop
  -- print the current entry
  my_dn := DBMS_LDAP.get_dn(my_session, my_entry);
  -- DBMS_OUTPUT.PUT_LINE (' entry #' || TO_CHAR(entry_index) ||
  -- ' entry ptr: ' || RAWTOHEX(SUBSTR(my_entry,1,8)));
  DBMS_OUTPUT.PUT_LINE (' dn: ' || my_dn);
  my_attr_name := DBMS_LDAP.first_attribute(my_session,my_entry,
  my_ber_elmt);
  attr_index := 1;
  while my_attr_name IS NOT NULL loop
  my_vals := DBMS_LDAP.get_values (my_session, my_entry,
  my_attr_name);
  if my_vals.COUNT > 0 then
  FOR i in my_vals.FIRST..my_vals.LAST loop
  DBMS_OUTPUT.PUT_LINE(' ' || my_attr_name || ' : ' ||
  SUBSTR(my_vals(i),1,200));
  end loop;
  end if;
  my_attr_name := DBMS_LDAP.next_attribute(my_session,my_entry,
  my_ber_elmt);
  attr_index := attr_index+1;
  end loop;
  my_entry := DBMS_LDAP.next_entry(my_session, my_entry);
  DBMS_OUTPUT.PUT_LINE(' --------------------------------------------------- ');
  entry_index := entry_index+1;
  end loop;
  -- unbind from the directory
  retval := DBMS_LDAP.unbind_s(my_session);
  DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ',25,' ') || ': ' ||
  TO_CHAR(retval));
  -- Start Output Footer --
  DBMS_OUTPUT.PUT_LINE('Directory operation Successful .. exiting');
  -- Start Output Footer --
  -- Handle Exceptions
  EXCEPTION
  WHEN OTHERS THEN
  DBMS_OUTPUT.PUT_LINE(' Error code : ' || TO_CHAR(SQLCODE));
  DBMS_OUTPUT.PUT_LINE(' Error Message : ' || SQLERRM);
  DBMS_OUTPUT.PUT_LINE(' Exception encountered .. exiting');
  END;
  /

• APEX - Authorization Scheme

  Hi
  i have a app developed in apex.... i'm getting a problem because on the Authorization Scheme. i create a view in oracle that shows if certain user may run the app, however i can't put this working, on apex.
  I'm wearing a Authorization Scheme based on PL/SQL Function returning boolean...bust i'm lost to doing that. i make a function in oracle and it works fine.... e also can set the result of that function to a variable, but i can't return no value... e tried to make all function on apex side...but it's not permited... so...
  what can i do for the function returns a value!
  PS - sorry for the bad english....i'm a newbie in PLSQL, and i'm usig the code:
  declare
  n number;
  begin
  n:=usr_system.f_teste('jose.lopes');
  end;
  I also tried to return n...but gives error
  thanks

  José,
  The function must return true or false (boolean). So if your f_teste function returns 1 for true and 0 for false, just do something like:declare
    n number;
  begin
    n:=usr_system.f_teste('jose.lopes');
    if n = 1 then
      return true;
    else
      return false;
    end if;
  end;Scott

• Ultimate Authorization Scheme

  Hello
  I want to create Ultimate Authorization Scheme :)
  One scheme for all regions
  I've got table with regions Id - "regions" and table with relationship of region and user "user_region_auth"
  if user has a authority to region than he could see the region :)
  The scheme could be something like that:
  Type: Exists SQL Query
  select id from user_region_auth r
  where reg_id = #REGION_ID#
  and usr_id = :APP_ID
  and flag = 1
  the problem is that i can't reference to region id dynamically
  my Q: How to reference to region Id dynamically ??
  thx for every reply
  regards
  piotry

  Duh, yes, it is indeed being set to the page being rendered but now that I think about it that's not what I need.
  Say I have 2 pages, each with it's own tab. Tab T1 points to Page 1 and should be visible only to User U1 and Tab T2 points to Page 2 and should be visible only to user U2. I create my auth scheme and attach it to both pages and tabs. Now when User U1 launches the direct link to Page 1, APP_PAGE_ID is set to 1 so the auth scheme returns true which ends up making Tab T2 visible (not what I want)
  I guess what I was hoping is that when the engine evaluates the auth scheme for a Tab, it sets APP_PAGE_ID to the primary "tab page" for that tab for use by the auth scheme logic.
  Oh well, I guess I will have to come up with a different type of auth. scheme for tabs that doesn't rely upon the page being rendered. Thanks for your help.

• Authorization scheme (using {not} Scheme)

  I have build a change password page and every user, except user with a Guest role (= GUEST SCHEME) have access to that page.
  I defined a scheme GUEST for users with the GUEST role. When I define the page with Authorization scheme {not}GUEST this isn't working everyone has access to the page, also the guest users.
  am I misunderstanding the {not}scheme choice or is something else wrong.
  Fred.

  Fred,
  I have solved it with the work around I mentioned before:I read what you said very carefully but thought it reckless to conclude that the workaround was successful because you just said "To work around the problem, I did xyz" without indicating the outcome.
  The authorization schemes on navigation tabs fire also on the default login pageYes they do, they fire on every page whether or not the page template accommodates a navigation bar. This looks like a bug to me.
  Is there a "authorization scheme report" which shows all the objects where the authorization scheme is defined.Shared Components > Authorization Schemes > Utilization (slightly different in each version).
  Scott

• Authorization Scheme using the APEX Authentication Scheme

  How would you build an authentication scheme that is using the APEX Authorization scheme. All users are belonging to a group which could be Oracle, External or Developer and I'd like to hide certain pages from the External users.
  I am not sure if I can grab the group name from some V('..') function and make something work?
  Cheers,
  Andy

  I'll give it a try again, sorry for not being able to describe the problem better!
  I am using the APEX built in authorization and authentication to make my life simple with regards to user mgmt. So all the users are managed using the Home>Administration>Manage Application Express Users. Every user belongs to an APEX group (Home>Administration>Manage Application Express Users>User Groups). For example:
  User A belongs to Group External
  User B belongs to Group Oracle
  User C belongs to Group Admin
  Now, there are certaing pages in my application that I want to restrict from the Group External (but the Group Admin and Group Oracle can see them).
  So my question is really how would I build such an Authorization Scheme to accomplish this? Not suer about which APEX API functions I should use to get this data and how to build the function.
  I hope this makes more sense?
  Andy