Authorization Scheme using the APEX Authentication Scheme

How would you build an authentication scheme that is using the APEX Authorization scheme? All users belong to a group, which could be Oracle, External or Developer, and I'd like to hide certain pages from the External users.
I am not sure if I can grab the group name from some V('..') function and make something work?
Cheers,
Andy

I'll give it a try again, sorry for not being able to describe the problem better!
I am using the APEX built-in authorization and authentication to make my life simple with regard to user mgmt. So all the users are managed using Home>Administration>Manage Application Express Users. Every user belongs to an APEX group (Home>Administration>Manage Application Express Users>User Groups). For example:
User A belongs to Group External
User B belongs to Group Oracle
User C belongs to Group Admin
Now, there are certain pages in my application that I want to restrict from the Group External (but the Group Admin and Group Oracle can see them).
So my question is really how would I build such an Authorization Scheme to accomplish this? Not sure about which APEX API functions I should use to get this data and how to build the function.
I hope this makes more sense?
Andy
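
One way to express the rule asked about above, as an added example that is not part of the original thread: the body of an authorization scheme of type "PL/SQL Function Returning Boolean", built on APEX_UTIL.CURRENT_USER_IN_GROUP. The group names Oracle and Admin are taken from the post and are assumptions about the workspace; the scheme is written as an allow-list so that a user with no group is denied as well as a member of External.

```plsql
-- Added example: function body for an APEX authorization scheme
-- (scheme type "PL/SQL Function Returning Boolean").
-- Group names come from the post above; adjust them to the groups
-- actually defined in the workspace.
declare
   type t_groups is table of varchar2(255);
   -- Allow-list: only members of these groups may see the protected pages.
   l_allowed t_groups := t_groups('Oracle', 'Admin');
begin
   for i in 1 .. l_allowed.count loop
      -- True when the current session user is a member of the named group.
      if apex_util.current_user_in_group(p_group_name => l_allowed(i)) then
         return true;
      end if;
   end loop;
   -- Deny by default: External users and users that belong to no group
   -- fall through to here.
   return false;
end;
```

Attach the scheme to each restricted page itself (the page's Authorization Scheme attribute), not only to the tabs or list entries that link to it, because hiding a navigation entry does not stop a direct request for the page.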

Similar Messages

  • Why we use the LDAP Authentication over the DB authentication?

    Hi All,
    Why we use the LDAP Authentication over the DB authentication?
    Any specific region is for that?
    When we use LDAP do we need DB authentication again or it will be optional?
    In same case in ADSI do the DB authentication is optional or compulsory .
    Thanks in advance
    Tusar

    LDAP / AD authentication is useful if you already use it in your organisation and you'll find that most orgs have some form of user authentication already in place.
    Do users in your company have to log into to their machines every morning? If so, why not use those credentials to control access to Siebel? It's a way of providing a single directory of employee authentication information available across applications, keeping maintenance and change costs down.
    When you use LDAP authentication, you specify an AD object that contains a set of DB authentication details so that the component can access the Siebel database. In Siebel 8, you can directly specify those details in the security profile. As such, you only then have to maintain a single set of DB specific authentication details: much easier to manage. You can always switch back to DB authentication if you want to, but you'd have to go through all users accounts and create them with the same login and password specified in AD.

  • Unable to start several servers using the custom authentication and authorization Provider

    I downloaded the Sample Security Providers (http://developer.bea.com/managed_content/direct/SampleSecurityProvidersUnmanaged.zip)
    and followed the user guide for installation.
    We have following configuration:
    - One domain with 3 servers :
    - ADM: admin, console
    - WTL_1 : WebTool server 1
    - WTL_2 : WebTool server 2
    WTL_1 and WTL_2 are members of cluster WTL_Cluster
    I try to restart all servers. It worked fine for the first one (ADM), but for
    the other two I got the following exception:
    ####<Nov 13, 2002 10:29:02 AM CET> <Emergency> <WebLogicServer> <isoit652.bbn.hp.com> <WTL_1> <main> <kernel identity> <> <000342> <Unable to initialize the server: Fatal initialization exception
    Throwable: java.lang.SecurityException: Authentication denied: Boot identity not valid
    java.lang.SecurityException: Authentication denied: Boot identity not valid
    at weblogic.security.service.SecurityServiceManager.doBootAuthorization(SecurityServiceManager.java:1024)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1166)
    at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:697)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:589)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:277)
    at weblogic.Server.main(Server.java:32)
    Do you have any idea why it worked only for one server?
    Thanks for any help
    My Chi

    Hi John,
    Actually, thanks to your examples, I have my Authentication Scheme setup using a custom authentication function that first checks that the Username/Password are valid, and if so, then validates that the user has also been setup in AD with one of the groups used by my application. What I'm wondering is, when I replace the built-in Authentication Function it appears that the function that I code must have the correct signature (accepts UserName and Password, and returns a boolean)... but I really want to be able to also return the actual AD Group that the user is assigned to for use within my Authorization Schemes. I'm not sure if/how I can do this from my authentication function, or if I just need to re-query AD again in my Authorization Schemes to get the AD group that the user is assigned to.
    Appreciate the help,
    Lori

  • Transport-Cockpit: No authorization for using the vehicle-resource

    Hi everyone
    In my planning profile I determined a sprinter as vehicle resource. As soon as I start the Transport Cockpit the freight orders appear, indeed, but TM claims that there's no authorization for my sprinter. The sprinter does not appear in the frame "resource". When I select this vehicle manually, TM posts the message: vehicle not found. As far as I can estimate, my master data are correctly assigned.
    Has any of you been confronted with this problem?
    Thanks for your help.
    Michael

    Hello Mike
    I created the vehicle under Master Data / Resources / Define Resource.
    Resource Category: T
    Time Zone: CET
    Means of Transport: 4 (the same number as I chose in the freight order)
    Planning Parameters: Finite Scheduling
    Owner: the carrier of my freight order
    Auth. Resource: the same carrier above mentioned
    Template: Resource Template, Means of Transport: 4
    Resource Validity: 1.1.1970 to 31.12.9999
    Physical Properties: Mass = 1.000 kg, Volume = 4,5 m3
    Time-cont. Capacity = 3 Pal (it does not make sense but I have not opportunity to change this value)
    The other fields don't have any values.
    In the forwarding order or rather freight order I determined the vehicle which is suitable to the selected carrier. I assume that there is a connection between the error message and the planning profile. I define in my planning profile the sprinter as vehicle:
    Planning Profile / Capacity
    VEHICLERES_ID inclusive = [and my vehicle]
    I tried, too:
    OWNER inclusive = [and my carrier]
    What Transportation Cockpit is doing now is EXCLUDING exactly that vehicle (or rather carrier) I want to dispatch. It seems to work vice versa.
    A sprinter is just another name for a small bus. I linked you to a photo of mercedes. Sprinter or long truck - regardless of which of them I use: the error remains.
    Regards,
    Michael

  • How to migrate users, which have been using the Windows Authentication method

    Hi everybody,
    I have to migrate a productive SQL Server 2008 Database from one to another different server. The problem is that a lot of users have been using this DB through the Windows Authentication method. Because the migration should be as fast as possible, I would like to use a SQL script in order to streamline the process. Does anyone know if it is possible to do it?
    Thank you in advance,
    Regards

    Apart from the transfer logins scripts Ashwin and Stan mentioned, I usually run the following script in order to re-establish orphan users to establish if any SQL logins.
    set nocount on
    declare @username    sysname,
            @errcode     int
    select @errcode = 0
    select @username = min(name)
    from sysusers (nolock)
    where uid <> gid and
          name not in ('guest', 'sys', 'INFORMATION_SCHEMA') and
          suser_sname(sid) is null and
          issqlrole = 0
    while @username is not null
    begin
       if exists (select 1
                  from master.dbo.syslogins (nolock)
                  where name = @username)
       begin
          exec sp_change_users_login @Action = 'Update_One',
                                     @UserNamePattern = @username,
                                     @LoginName = @username
          select @errcode = @@error
          if @errcode = 0
             print 'The user ''' + @username + ''' was re-established in database!'
          else
             print 'Failed to re-establish user ''' + @username + ''' in database!'
       end
       else
       begin
          print 'The user ''' + @username + ''' does not have login ID. So, drop it from database!'
          exec sp_dropuser @username
       end
       select @username = min(name)
       from sysusers (nolock)
       where uid <> gid and
             name not in ('guest', 'sys', 'INFORMATION_SCHEMA') and
             suser_sname(sid) is null and
             issqlrole = 0 and
             name > @username
    end
    go

  • Using the windows authentication

    In my application, I would like to use Windows authentication. Currently I am using basic authentication in which the application will get the user details from a file. The file will contain the users' passwords and access rights (read/write permissions). I would like to enhance it with Windows authentication in which my application takes the Windows user and allows him to use the application. Is it possible? If possible, can I set some attributes (like for xxxx value is 1, yyyy value is 2) for Windows users? Kindly help me if it is possible in Java.


  • WLS Console doesnt display all AD users using the AD Authenticator Provider

    I've set up an AD Authenticator Provider from WLS.
    The trouble is we have two sets of users in different branches on the AD directory. This major problem as you can just set the User Base DN higher up the tree and it picks up both sets of users, and it works.
    The problem comes when trying to view both sets of users in the WebLogic admin console under the "Users" tab. Only one branch comes up, so you can only see one set of users.
    Is there a way to make the WLS admin console see both branches and both sets of users from a viewing problem point of view??
    This doesn't stop both sets of users being used as it all works, it's just viewing them under the users tab which is the problem.

    Please check this thread
    http://forums.asp.net/t/1274419.aspx?Get+Last+Logon+date+from+the+active+directory+using+C+
    There are two attributes for this in Active Directory:
    lastLogon refers to the last logon for the specific server you're querying. This date may be different for different servers (domain controllers), and for some it may be null/empty. This attribute is not replicated.
    lastLogonTimestamp refers to the last logon for all servers. This attribute is replicated, which means that all servers have the same value. Only problem is that the default synchronization is 14 days on this attribute which may be too long.

  • Authorization scheme for users stored in a database table?

    Hello!
    I'm trying to find out how to make an authorization scheme for database users.
    I first made an authentication scheme for my current application, I named it "Authentication for database accounts", and the scheme type is "Database Accounts".
    A word of explanation:
    I have a table in my database, named "USERS". Inside this table, I have the following columns:
    - USERID (NUMBER)
    - USERNAME (VARCHAR2(50))
    - PASSWORD (VARCHAR2(50))
    - EMAIL (VARCHAR2(200))
    For this question, I'll take an example user. The username is USER and the password is USER. Email and UserID don't matter here, but let's just say the UserID is 1.
    What I want:
    When you go to the application, and you are requested to log in (page 101), then I want a user to be able to log in with the data that has been stored in the USERS table.
    So, on the login page, the user will enter USER as username, and USER as password. The authorization scheme then needs to check whether or not this username and password match the data in the USERS table. If it does, then it must sign the user in with the credentials the user entered (those being USER and USER).
    I also want the UserID to be stored somewhere in the application (if possible, in an application item).
    How do I do this? I've never made an authorization scheme before... I'm not too good with PL/SQL either, but I'm working on that part.
    Any help is greatly appreciated.

    > I'm trying to find out how to make an authorization scheme for database users.
    I think there may be some confusion here. An authorization scheme gives the user access to different parts of an Apex Application. Database users are the users that you use to log in to the database, for example with sqlplus.
    From the rest of your post it sounds like you need a custom authentication scheme to validate users against a custom table. For this you need to create a custom authentication scheme and select use my custom function to authenticate. Exactly how you set up the authentication scheme depends on the version of Apex you are using. But an example of validate user function you could use is given below:
    function validate_login (
       p_username   in   varchar2
     , p_password   in   varchar2) return boolean
    is
       v_result varchar2(1);
    begin
       -- A matching row means the supplied credentials are valid.
       -- USERNAME is the VARCHAR2 login column; USERID is the numeric key.
       select null into v_result
       from USERS
       where username = p_username
       and password = p_password;
       return true;
    exception
       -- No matching row: reject the login.
       when no_data_found then return false;
    end validate_login;
    Once the user has successfully logged on the userid will be in the APP_USER apex substitution string.
    > And for Application Express Account Credentials, does this mean an admin must make each new user by hand?
    If you are using Apex account credentials the user details are stored within the Apex tables. You can create users using the Apex admin application or by using the APEX_UTIL.create_user api.
    Rod West

  • Forms based authentication + Basic authentication = no way to use the basic auth!!!!

    Hi,
    I set up a test sharepoint site, claims mode, with both the forms and basic authentication enabled.
    I expect to see the page asking me which authentication method I want to use, but I never see this page!!!
    I have to select the windows authentication (NTLM or Kerberos) to see this page!
    Why did using only the Basic authentication not prompt the user?
    And how to be authenticated using the basic authentication rather than the forms auth when both are enabled for the same site?
    >I do NOT want to extend my site to have 2 zones... my question is ONLY with 1 zone configured.

    What is the business purpose for using Basic Auth over NTLM/Kerberos?
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • APEX 3.2:  Switching between APEX authentication and LDAP?

    I'm building an APEX 3.2 application that has to be deployed automatically to the target environments (by executing the APEX export SQL in the relevant parsing schema).
    One problem is that different environments will have to use different authentication mechanisms:
    Development and System Test will use simple APEX authentication (i.e. APEX users).
    Acceptance Test and Production will use LDAP via OID for single sign-on.
    So how do I set the application up so that it can switch from APEX authentication to LDAP authentication if it is in the Acceptance Test or Production environments?
    My customers seem very reluctant to have a manual step in the process e.g. to switch the authentication scheme for the application after installation, so I need to find a way to do this automatically if possible.
    Any suggestions?
    Thanks.
    Chris

    Chris,
    We do something similar, in that we dynamically switch authentication based on the application you're trying to log in to. Basically, you need to set up a custom authentication procedure which checks which system you're in, and then validates the user appropriately.
    Does that help?
    -David

  • Need help in creating Aria using Oracle APEX

    Hi,
    I am trying to develop an employee lookup using DBCON's PDF (http://www.dbcon.com/oracle_apex_ebook_aria.html).
    I downloaded the Oracle XE, version 11.0.0.28844 and used the APEX from this. But, the files provided by DBCON seem to be old. I tried using the AriaTheme.sql file in the APEX, but, it errors out complaining that the file is not compatible.
    As this did not work, I downloaded the APEX(apex_4.0.1) and am trying to proceed with this. This comes with a large package and it is not clear on how to install and where to start off to build ARIA.
    Please help me out with the latest compatible theme or suggest the XE version that I need to download.
    Thanks,
    Divya.

    I downloaded it from: http://www.oracle.com/technetwork/database/express-edition/downloads/102xewinsoft-090667.html (Oracle Database 10g Express Edition (Universal))
    Could you please comment on the 'Aria' setup, if you are aware?

  • Get CGI env variables in a database procedure using new APEX Listener

    I already posted this question in the Apex Listener forum and still no replies after one week. The original post is here:
    Get CGI environment from APEX Listener within database procedure
    So please forgive me for posting in this forum as well, but there is a lot more activity here.
    I'd like to know how I can get the CGI environment from the APEX Listener. For example, if I want to write a procedure that inserts into a table the originating IP Address of the client making the web request, how do I get it?
    I am familiar with the Oracle Http Server and mod_plsql, and I know how to call OWA_UTIL.GET_CGI_ENV to get this sort of information. How do I do it using the APEX Listener?
    In particular, how do I do this when calling a custom procedure (not in an Apex workspace)? When I try it now, I get an error from owa_util. The cgi env seems to be empty or not initiated (owa.num_cgi_vars is null or zero).
    Specific set-up:
    I have a web server running the latest JDK, Glassfish, and 1.1.4 Apex Listener. It connects to another server running the latest 11.2 database. Apex is installed and running, but I am not really developing a traditional Apex application in a workspace. I mainly use it like you would use mod_plsql. In other words, I have custom pl/sql packages that are called directly via URL. The requests are forwarded by the listener to the database, and the DB executes the procedure and returns output using htp.p to send text back to the browser. And it works just fine for this purpose. But if I want to call GET_CGI_ENV to get information like the IP Address, web browser making the request, etc. I can't seem to get it with the OWA packages.
    Can anyone shed some light on this? If Apex Listener is not designed to do this, is there some kind of workaround I can use to forward this sort of information to the database for each request?

    I have not tried owa_util.print_cgi_env from SQL Workshop yet, as I have not created an APEX workspace. I have had no need for a workspace because of the way I am using APEX as a method for calling custom packages and stored procedures. In other words, I am using APEX strictly for the mod_plsql functionality. I just use it to forward requests to the database to execute pl/sql code, but I don't develop anything in APEX. My application is a web service with no screens and no direct user interface, which is why I did not need to create APEX forms. The front end is a mobile app that makes calls to the web service.
    But I have tried calling owa_util.print_cgi_env in one of my stored procedures and it returns no data, even when calling it from the web front-end.
    So I am beginning to believe that if the OWA toolkit works with APEX, then it must only be enabled when invoked within a workspace. Stand-alone procedures can be called via APEX, but apparently doing so does not initiate the CGI env variables. This set-up used to work under the OHS with mod_plsql. The embedded pl/sql gateway also works this way.
    Is there a procedure call that APEX is making to set the environment before each SQL Workshop request?
    My security model currently blocks access to all packages and procedures except for my custom packages. I am using the APEX Listener configuration to allow only the packages listed by name in a white list. But I thought I allowed all access when I first tried calling the OWA packages. I'll have to try that again.

  • How to export the Apex web page to PDF with click of a button?

    How to export the Apex web page to PDF with click of a button?
    Am looking at exporting the Form view on APEX to be exported to PDF.

    In order to get a PDF, you need to generate a Report....in PDF format.
    If you are using the APEX Listener, you can initiate the download of the PDF by calling APEX_UTILS.download_print_document()  (I normally place this in a Process)
    BUT -- You have to create the Report (under Shared Components) and a Template (also under Shared Components).
    The white paper in my first post gives you the HOWTO "[Create] Custom PDF Reports with Oracle Application Express and the APEX Listener".
    Start by creating a Report (in Shared Components, bottom right) that uses a simple SQL statement like:
    Select * from emp where empno = :P15_EMPNO
    You may need to hard code the parameter before you hit "Download XML" button.
    The XML that you get from clicking "Download XML" satisfies the "Step 1 - Create an XML Data Source" found on Page 11 of the document.
    The rest of the instructions is in that whitepaper.
    MK

  • Disabling regions in the APEX interface

    Using APEX 2.2.1 we would like to create a reporting system where we (IT) create the views and users can create the report pages (selecting the columns and where clause).
    1. Is there a way to hide/disable the regions in the APEX interface (for users only) so that for instance, only the Region Report is available to the user when creating a page. So that all they have to do is enter a SQL statement and optionally change column names or order. The idea is to use the APEX interface as much as possible without us having to create a new interface.
    2. If the above is not possible how feasible/recommendable would it be to create our own interface so that using the APEX API it creates new pages/regions dynamically.
    Regards,
    /Cafetero

    Hi Dennis,
    Will Deleting the controls solve the purpose ? I tried moving the controls from the visible part of the front panel. but when the code was run the controls came back to their original position. Then I discovered that the full featured user interface has some code to set the position,size etc of the controls. This part of the code also checks the number of controls present. So I was wondering if just editing the configuration alone could disable the controls.
    Thanks 

  • Error while using the 'Form and Report' wizard

    Hello,
    I’m trying to create a form and report on EMP, using the APEX wizards, but I’m getting the following error message:
    ORA-20001: Unable to create query and update page. ORA-20001: Unable to create query and update page. ORA-20001: Unable to create form on table. ORA-20001: Error creating shortcut id="" ORA-00001: unique constraint (FLOWS_030100.WWV_FLOW_SHORTCUT_IDX1) violated
    This is something local, on my APEX instance only, but any ideas what is wrong here?
    Thanks,
    Arie.

    Hi Scott,
    >> Do you happen to know where that PL/SQL shortcut came from? Created by you or an apex wizard?
    The original shortcut was probably created by an APEX wizard, but then I changed its type to ‘PL/SQL Function Body’. The shortcuts are not included in the translatable components, so I need a function to determine the application language, and issue the message accordingly.
    >> The type of the shortcut is not part of that constraint
    So changing the shortcut type back to the type I need, after the wizard finished its job, should not have any side effects. Correct?
    >> and the sequence always seems to be 1
    And we don’t have access to it, so we can’t change it manually.
    >> Our bug
    Can you please fill a bug report on that?
    I will post an enhancement request about including shortcuts in the translatable components, but I’ll appreciate you mention this issue also.
    Appreciate your time and efforts,
    Arie.
