Authorization schemes & verifing roles

Similar Messages

• WSUS Role on Server 2012 R2 fails - SQL Server Error "Schema Verification Failed SUSDB"

  Server is Windows Server 2012R2
  After installing the WSUS role with WID, when running the post installation task it installs the SUSDB in single user mode, runs all its scripts but then when it tries to set it it MULTI mode it fails with the error:
  Schema Verification Failed SUSDB
  If I log onto SQL Management Studio and try to set the database SUSDB to MULTI user mode manually it fails with the same error.
  Detaching, deleting the susdb.mdf and .ldf files and re-running the post-installation task fails on the same error.
  Uninstalling the WSUS and WID roles, deleting the C:\Windows\WID folder and reinstalling everything once again gives the same error during post installation.
  Seems like a nasty bug.
  Does anyone have any ideas? Perhaps there is a way to debug "Schema Verification Failed" errors in SQL Server?

  Hi,
  If the WID can't access "C:\Windows\WID\Binn\DBVerify\SUSDBVerify.dll", this issue may occur.
  Please change the account of WID to local system account in services.msc, then restart the WID service.
  Then try to start the post-install again.
  If issue persists, please check the detailed information of WID log.
  Best Regards. 
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Authorization Scheme problem using query

  Greetings:
  I have an application with 4 different roles in my application. Depending on the user role, the access to different pages within the application are filtered. We have 4 group types: admin, general, transactional and read_only; each, with descending levels of authorization.
  The application utilizes a two-level tab navigation system in which I hide the tabs that the users are not supposed to see, depending on the level of authorization that they have. I have implemented three authorization schemes for three different types of access depending on the pages within my application. The only page without any auhorization is the login page.
  The three created authorization schemes are as follows.
  My first scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  APP_GROUP_TYPE != 'READ_ONLY'
  This one is supposed to negate access to the READ_ONLY group, but allow access to all other groups.
  My Second scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  and
  APP_GROUP_TYPE != 'transactional')
  The second one, I have added the transactional group as to be explicitly negated access.
  My Third scheme
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  AND
  APP_GROUP_TYPE != 'transactional'
  AND
  APP_GROUP_TYPE != 'general')
  the last one, I have added the general group as to be explicitly negated access.
  I am thinking that, logically, this would work, but the pages do not display properly. I am always getting the failed authorization page, even with my admin user. Is there something wrong with my methodology? Should I be white-listing instead of black-listing in my queries? Thanks for your support.

  I appreciate your help Jeff, you helped me a great deal, but not in the way you may think. In your link, there was a post that offered a solution with a simple query. There was one person that posted a query using (upper) to bring the username to uppercase so it can be properly compared to :APP_USER. Yes, the users were entered as lowercase, the logic was ok. I changed the query logic to a white list as to avoid possible users that may be able to authenticate into the application without a proper group configured.
  Thanks for your support. Maybe this can help someone on the forums out.

• Page Authorization Scheme OK button not working

  Hi All,
  I have a Page Level Authorization scheme, which makes a PL/SQL Function call to determine whether the logged in user should have access to the Page. This works well and displays an 'Access denied by Page security check' error message, but the OK Hyperlink that is displayed does not work as I would expect as I am not returned to the calling page.
  The pages in question are Popups and when I hover over the OK Hyperlink, the Javascript in the Taskbar shows javascript:window.history.go(-1). Is this the route of my problem, and is there any way around this when using Popup windows?
  Thanks,
  Mike

  Scott,
  Thanks for your response. Yes you have the sequence right: "User clicks on link to popup page from base page and the link is to a forbidden page"
  "The basic question is why would you ever show a link to a forbidden page to the user?"
  The main reason is time, ideally yes we would like to hide links to forbidden pages but it will take time to implement due to complexity of role combinations and number of pages. So for now, we are confident in our method for denying access to forbidden pages.
  The error message that is displayed on the forbidden page is set in the Authorization Scheme, but how do I alter the OK link? Isn't this generated 'behind the scenes'?
  Thanks,
  Mike

• Authorization scheme issues

  Hi I'm using custom authenitication scheme sso with ntlm_page_sentry function.
  I've an authorization scheme 'Admin control" like this :
  declare
  v_role varchar2(55);
  begin
  select role into v_role from user_roles where lower(userid) = lower(:APP_USER);
  if v_role = 'ADMIN' then
  return true;
  else
  return false;
  end if;
  exception
  when NO_DATA_FOUND then return false;
  end;
  In a login page(page:101) :I've a process like this with process point as onload before header:
  declare
  v_role varchar2(55);
  v_nextpage number;
  begin
  select upper(role) into v_role from sales_inq.user_roles where lower(userid) = lower(:APP_USER);
  case v_role
  when 'ADMIN' then v_nextpage := 9;
  when 'EDIT' then v_nextpage := 1;
  when 'VIEW' then v_nextpage := 2;
  end case;
  owa_util.redirect_url('f?p=' || :APP_ID || ':' || v_nextpage);
  exception
  when NO_DATA_FOUND then
  owa_util.redirect_url('f?p=' || :APP_ID || ':101');
  end;
  I've assigned "admin control" authorization scheme to page9 and changed authentication to "page requires authentication"
  After loginto my system through networkid which is assigned to ADMIN role when I run login page(101) I'm unable to access page 9.Can't I test this in standalone mode in dev instance?For ex:my userid is in user_role table with a role of admin why I can't see that page?
  Thanks,
  Mahender.
  Edited by: user518071 on Oct 8, 2009 12:44 PM

  Hi Scott,
  How does the login page get invoked?
  I'm trying to implement this authorization scheme for the first time for this UI.
  Previous scenario:User needs to login so login page will be displayed automatically
  Current scenario:User comes to login screen which is a dummy page without any items or regions and I've created process (on load before header process code mentioned above)which will check the network user's role and branch to corresponding page
  Why is there a login page if you have an sso facility?
  There is no login page as such but it's common intermediary page for all users which is not displayed but automatically directed to their corresponding page based on the process (on load before header process code mentioned above)
  Is there a login page designated as the Session Not Valid Page in the authentication scheme?
  No
  or let me know how we can do this ?
  I've three roles for users :admin,edit,view and it's stored in user_roles table,user with role view can access only his page and user with edit can access all view pages as well as his pages,admin can access all pages.Then next issue is how to test this without using active directory in dev instance by adding security to corresponding pages(ex:admin control,page requires authentication)
  Thanks,
  Mahender.

• Authorization scheme for display/read only conditions on item level

  Hi All,
  I have question. I want to use an authorization scheme to manage if users with a certain role have the permission to either update an item or have the persmission to only see the item or that they don't have permission to see it at all.
  So, the input for the scheme would be: 1. user role 2. the current page 3. the current item.
  The output would be: 0 (update) 1 (read only) 2 (not displayed).
  I think I can manage that.
  And I can attach this schema to the items.
  So far so good.
  But how can I make it so that the 0,1 and the 2 will actually do what they need to do?
  I have been thinking about making a function like GET_AUTHORISATON(ROLE,PAGE,ITEM) output: 0,1,2 but I still can't figure out how to connect this with the functionality I want to achieve.
  Can somebody give me a hint?
  Andre

  Thanks Hari,
  Thanks, it works, almost, but what if items are mandatory on a page, but not always mandatory?
  If a user has a certain role, some fields are manadatory, otherwise not.
  Again, a function would do the trick as far as the input and output information
  something like IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) but how can I make it work?
  I guess a PL/SQL validation like:
  IF IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) THEN ITEM IS NOT NULL
  END IF;
  Andre
  PS: personally I think item level security is not something you wish to implement in your system. I prefer different screens for different roles.
  Far more straightforeward. Easy for maintenance. When something disfunctions, it's far more easy to pinpoint the location of the cause.

• Trying to use authorization schema but getting ORA-00907: missing right par

  Hi,
  I am fairly new to HMTLDB. I am busy going through the Issue Tracker Tutorial. I am on the last part of Tutorial. This part involves authorizing a user based on their roles in the company.
  I now keep getting the following when I load my pages
  ORA-00907: missing right parenthesis
  Error ERR-1082 Error in executing authorization scheme code.
  How do I go about debugging this error not sure where to start?

  if this helps I am using this PDF
  http://www.oracle.com/technology/products/database/application_express/pdf/issue_tracking_tutorial_1.6_0.pdf
  if you open the PDF file I am stuck on page 72-74. The page I am trying to open while i am logged on as FUNKYMONKEY is Page 4 which is in the documentation

• Authorization Scheme vs. "Authorization Scheme"

  Hi,
  I've just completed building four Authorization Schemes for my app; is_admin, is_pm, is_user, is_read mapping to my concept of roles for admin, pm, user and read-only. Pretty self-explanatory and I set them up across my app so they could perform their various duties. For example, I have a page that all four roles can view, but each role sees a subset of the entire page. Most of what gets hidden as you go down the line of authorization are buttons to add/edit/delete content and some small regions of specialized content.
  Each scheme calls a function which in turns make a query to get the appropriate result. So for my main page there are 24 checks to see if the current user has the rights to view certain things. 24? Wow!
  So I started thinking (and searching this blog) to find a better way to do that. I didn't really come up with a "better way" but I did have an idea that I'm sure isn't new. I create four sessions variables and set their values ahead of time using the Authorization Scheme code and I'm good to go! Right?
  So, some questions:
  1. Do I create these variables as Items on a page 0?
  2. Are these region level items or page level items?
  3. Is my original way of using the Authorization Schemes the right way to do what I'm doing?
  Thanks in advance for any advice here!
  Cheers,
  Jon

  Jon,
  I assume you have a 'employee' table which has columns
  username varchar2(50);
  emp_role varchar2(1);
  Take emp_role as say,'A' for admin,'M' for pm,'U' for user etc...So each user will have a role associated to him.
  So you can define the authorization schemes in the application's shared components as
  AUTH_PM ->scheme type :Exists sql query ->Evaluation point ->once per page view
  select 1 from employee where username = lower(:app_user) and emp_role ='M'
  AUTH_ADMIN->scheme type :Exists sql query ->Evaluation point ->once per page view
  select 1 from employee where username = lower(:app_user) and emp_role ='A'
  AUTH_AD_PM->scheme type :Exists sql query ->Evaluation point ->once per page view
  select 1 from employee where username = lower(:app_user) and emp_role in ('A','M) ......etc for all the combinations you are looking for.
  Now,AUTH_PM on "delete" button will allow only the users with pm roles only to view the delete button.
  Similarly,AUTH_AD_PM on a region will make the region visible to the users with pm and admin roles only.
  Thanks,
  Anandi

• Authorization scheme problem

  Hi all,
  I have implemented ACL authorization (Restricted only), and have just created a new ACL scheme in my app is the name of "Registration" same copy of EDIT scheme, I have set following users with these roles:
  USERS with roles
  =============
  1. Admin with Administrator.
  2. Guest with Registration.
  3. Frank with Edit.
  I have create a Navigation List entries (for redirection) on my home page with following entries with restricted roles:
  Navigation List :
  ============
  Administration (for Administrator only ) assigned 'ADMIN' role
  New Registration (for 1 time user registration) assigned 'REGISTRATION' role
  Student Schedule (for existing users) assigned 'EDIT' role
  Student Semester Result (for existing users) assigned 'EDIT' role
  Student Attendance (for existing users) assigned 'EDIT' role
  Problem:
  ========
  When I set REGIS role to guest user , all entries of navigation list ( i mentioned above) except Administration Entry are shown on this page.
  I want to restrict guest user, who can only see Registration Link only. How can I do this ??
  help me out
  waiting for your prompt reply
  regards n thanks
  qamar

  Thanks for your reply scott, at least someone is there to understand it :).
  Well ok just forget everything and focus on it, I am using apex version Apex 3.0.1 with Oracle 9.2.0.1.0, my question is simple as i had stated above long time ago, I have added a new scheme/role 'REGIS' as same as EDIT role and changed EDIT to REGIS on that scheme/role, through this I just want to access only guest user to log in temporarily and create its account in our application and log out, and when he registered in our application, a role EDIT will assigned him automatically and he will be able connect our portal with EDIT role now.
  I had created a simple HTML page and created a Navigation List on it.
  there are 5 list entries on this page .
  1. Administration
  2. New User Registration.
  3. Student schedule.
  4. Student results
  5. Student attendance.
  -Administration
  (assigned ADMIN , so only administrator can see this link and all the entries)
  -New User Registration
  (only guest user with REGIS role can see this link)
  -3,4,5
  (only registered users with EDIT role can see these links)
  I have set these authorization in every list entry with authorization schemes mentioned above.
  Q. But the problem in this situation is that when I assign REGIS scheme to my 2 list entry, all other entries (3,4,5) including 2nd entry are also visible to guest user who has REGIS scheme assigned.
  I hope now you can understand clearly what I am trying to say and understand it.
  Hoping for your prompt reply.
  regards
  qamarsyed

• Authorization scheme (using {not} Scheme)

  I have build a change password page and every user, except user with a Guest role (= GUEST SCHEME) have access to that page.
  I defined a scheme GUEST for users with the GUEST role. When I define the page with Authorization scheme {not}GUEST this isn't working everyone has access to the page, also the guest users.
  am I misunderstanding the {not}scheme choice or is something else wrong.
  Fred.

  Fred,
  I have solved it with the work around I mentioned before:I read what you said very carefully but thought it reckless to conclude that the workaround was successful because you just said "To work around the problem, I did xyz" without indicating the outcome.
  The authorization schemes on navigation tabs fire also on the default login pageYes they do, they fire on every page whether or not the page template accommodates a navigation bar. This looks like a bug to me.
  Is there a "authorization scheme report" which shows all the objects where the authorization scheme is defined.Shared Components > Authorization Schemes > Utilization (slightly different in each version).
  Scott

• Authorization scheme methods/techniques

  Hi all,
  I'm currently using the Authorization Scheme that came with the Build a Menu Framework Application. Unfortunately, it doesn't work the way I want it to.
  Can someone share any other techniques on how to set up a authorization scheme. My application has users divided in different roles where some pages are accessible by 1 role then other pages by another role.
  Any suggestions will be appreciated.
  Thanks and Regards,
  Allen

  Hi,
  Let me give you my thoughts on this thread.
  You need to be very careful about the use of the term Authentication and Authorization.
  Authentication deals with making sure the user is who they say they are (normally by requesting a password).
  Authorization deals with making sure a user can only do what they are allowed to do.
  For Authentication you have a number of options. If none of the standard ApEx Authentication schemes work for you then you can create your own:
  Create a database function that accepts a username and a password and returns TRUE or FALSE. For testing our applications we use a very simple function:
  create or replace function "TESTING_SIGNON_FNC"
  (p_username in VARCHAR2,
  p_password in VARCHAR2)
  return BOOLEAN
  is
  CURSOR c_valid_password
  IS
  SELECT 1 FROM DUAL
  WHERE UPPER(p_username) = UPPER(p_password);
  l_valid_password NUMBER;
  BEGIN
  OPEN c_valid_password;
  FETCH c_valid_password INTO l_valid_password;
  IF c_valid_password%FOUND THEN
  CLOSE c_valid_password;
  RETURN TRUE;
  END IF;
  CLOSE c_valid_password;
  RETURN FALSE;
  END;
  Change the select to use whatever method you like.
  Then Create an Authentization Scheme with an 'Authentication Function' of 'return TESTING_SIGNON_FNC;'
  For Authorization you need to decide how you will control who can do what and how you maintain this. In our applications we need users (Administrators) of the application to be able to grant / revoke access to certain areas via the application UI.
  The solution we have developed has five database tables:
  SEC_PERSON
  SEC_ROLES
  SEC_FUNCTIONS
  SEC_ROLE_FUNCTIONS
  SEC_PERSON_ROLES
  SEC_PERSON holds the Person Details
  SEC_FUNCTIONS has the functions that we want to be able to grant ('create project' for instance)
  SEC_ROLES has the roles that we want to be able to Grant to people ('Project Manager' for instance)
  SEC_ROLE_FUNCTIONS has the functions assigned to a Role ('Project Manager' can 'Create Project')
  SEC_PERSON_ROLES has the roles a person has ('Fred' is a 'Project Manager')
  We have pages on each table to allow users to maintain the data.
  In ApEx we then define Authorization Schemes for each function we want to control:
  TPA-PRJ-PRJ-FED (TPA Application - Projects - Project Control - Full Edit) with the following SQL:
  select
  1
  from
  sec_person p,
  sec_person_roles pr,
  sec_roles r,
  sec_role_functions rf,
  sec_functions f
  where
  f.function_code = 'TPA-PRJ-PRJ-FED'
  and
  p.person_id = pr.person_id and
  pr.role_id = r.role_id and
  r.role_id = rf.role_id and
  rf.function_id = f.function_id and
  p.delete_flag = 'N' and
  pr.delete_flag = 'N' and
  r.delete_flag = 'N' and
  rf.delete_flag = 'N' and
  r.delete_flag = 'N' and
  sysdate between p.start_date and nvl(p.end_date,sysdate) and
  sysdate between pr.start_date and nvl(pr.end_date,sysdate) and
  sysdate between r.start_date and nvl(r.end_date,sysdate) and
  sysdate between rf.start_date and nvl(rf.end_date,sysdate) and
  sysdate between f.start_date and nvl(f.end_date,sysdate) and
  p.username = :APP_USER
  This Authorization scheme can then be applied to Tabs, Pages, Buttons, Columns etc. as required.
  Difficult to explain all this without pictures but I hope this helps.
  Martin

• Parameters to authorization schemes

  I apologize for the fact that this question is so so so like a number of others..
  I want to build an application that allows for a half a dozen or so different roles and that easily allows roles to be added. An individual page or component may allow access to a subset of these roles. To allow any combination of roles to be specified would seem to require the creation of 64 authorization schemes. A number which doubles for every additional role created.
  I appreciate that in practice I will only need to create authorization schemes for those combinations I actually use but this does nevertheless seem rather cumbersome. An authorization scheme can easily determine the user and the current page but can it determine the component that is being authorized? If it could I might be able to build a drive table and have a single authorization scheme that did a lookup. If only I could just pass an argument to the authorization scheme...
  Any advice welcome

  I took a somewhat different approach. I also needed to provide a menu of applications that a given person could access, and I needed to accomodate a number of existing authorization techniques already in use in my pre-APEX world. Most of these use Oracle Roles, but in some cases more complex, task specific PL/SQL functions.
  I stepped outside of the APEX world and built a table of applications (that tie back into the apex application world), and each of my apex applications call the same authentication function:
  begin
  return apex_registry_maint.validate;
  end;
  Which really looks like:
  function Validate
  return boolean
  is
  app_id number;
  uname varchar2(32);
  app_page_id number;
  begin
  app_page_id := v('APP_PAGE_ID');
  app_id := v('APP_ID');
  if app_page_id = 101 then return true; end if;
  uname := v('APP_USER');
  return check_access(app_id, uname);
  end Validate;
  This essentially lets me call my authorization function with parameters such as the application id and page number, but still live "outside" of the APEX space.
  The full package can be seen at:
  http://www.rpi.edu/campus/rpi/simon/misc/Tables/SIMON_APEX.APEX_REGISTRY_MAINT.html
  (I have 15 years of legacy applications I am moving into APEX, lots of history and inexperience with APEX are driving this approach. I am not claiming it to be a good approach, just one that works for me)

• Order of evaluation - Authorization scheme or application computation

  APEX 4.2.2
  A page has a Evaluate for every page view authorizaton scheme of the type Value of item in Expression 1 = Expression 2 with Expression 1=G_ITEM and Expression 2=1. G_ITEM is set using  a Before-Header application computation conditioned to fire when G_ITEM is null.
  What I see is that the authorization scheme always returns false and the page is not rendered. Inspecting wwv_flow_data shows that G_ITEM is not there. So it would appear that the authorization scheme is evaluated before the application computation and since it returns false, the engine stops.
  Does that sound right? Is this order of evaluation of components documented anywhere? There is a Utilities > Page Events screen but that doesn't include Authorization schemes.
  Thanks

  Hi Christian - I am referring to a page-level authorization scheme set to be evaluated For each page view
  Here are some more details...the application has only one UI (Desktop) and Application XX > User Interfaces > User Interface Details > Home URL is set to f?p=&APP_ID.:30:&SESSION.
  When I launch the app using f?p=181::::LEVEL9 this is what I get in apex_debug_messages
  init cgi_var_name.count=>29
  CGI: PATH_INFO = /f
  HTTP://xxx/pls/xxx
  QUERY_STRING=p=181::::LEVEL9
  REQUEST_METHOD=GET
  REMOTE_ADDR=xx.xx.xx.xx
  REMOTE_USER=foobar
  APEX_LISTENER_VERSION=
  REFERER=
  Cookies:
  S H O W: application="181" page="" workspace="" request="" session=""
  Reset NLS settings
  alter session set NLS_LANGUAGE="AMERICAN"
  alter session set NLS_TERRITORY="AMERICA"
  alter session set NLS_CALENDAR="GREGORIAN"
  alter session set NLS_SORT="BINARY"
  alter session set NLS_COMP="BINARY"
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  no characterset conversion needed
  ...Setting session time_zone to -04:00
  reset_nls_environment
  reset
  reset
  Processing page view with session ID = 0
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
  alter session set nls_language="AMERICAN"
  alter session set nls_territory="AMERICA"
  NLS: CSV charset=WE8MSWIN1252
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
  ...NLS: Set g_nls_date_format="mm/dd/yyyy"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  NLS: Language=en-us
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
  authenticate_and_init_session p_app_id=>181
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
  does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
  detect_user_interface p_application_id=>181
  ... "Desktop" is the only UI - no autodetection necessary
  ... setting ui to "DESKTOP"
  ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
  ... page is public:null
  Authentication check: Login (NATIVE_CUSTOM)
  ... no page specified: failure
  ...fetch session state from database
  get_current
  ... DOES NOT EXIST - ignore
  fetch items (exact)
  Redirecting to f?p=181:30:
  Stop APEX Engine detected
  Final commit
  I am not sure why the engine stops rendering but I get the Access denied by Page security check error on the screen
  Next experiment...launch f?p=181:30:::LEVEL9:
  That gets me the following debug stack
  init cgi_var_name.count=>28
  CGI: PATH_INFO = /f
  HTTP://xxx/pls/xxx.xx
  QUERY_STRING=p=181:30:::LEVEL9:
  REQUEST_METHOD=GET
  REMOTE_ADDR=xx.xx.xx.xx
  REMOTE_USER=foobar
  APEX_LISTENER_VERSION=
  REFERER=
  Cookies:
  S H O W: application="181" page="30" workspace="" request="" session=""
  Reset NLS settings
  alter session set NLS_LANGUAGE="AMERICAN"
  alter session set NLS_TERRITORY="AMERICA"
  alter session set NLS_CALENDAR="GREGORIAN"
  alter session set NLS_SORT="BINARY"
  alter session set NLS_COMP="BINARY"
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  no characterset conversion needed
  ...Setting session time_zone to -04:00
  reset_nls_environment
  reset
  reset
  Processing page view with session ID = 0
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
  alter session set nls_language="AMERICAN"
  alter session set nls_territory="AMERICA"
  NLS: CSV charset=WE8MSWIN1252
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
  ...NLS: Set g_nls_date_format="mm/dd/yyyy"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  NLS: Language=en-us
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
  authenticate_and_init_session p_app_id=>181
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
  does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
  get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
  ... page is public:false
  Authentication check: Login (NATIVE_CUSTOM)
  get_current
  ... DOES NOT EXIST - ignore
  builtin_cookie_sentry p_cookie_name=>ORA_WWV_APP_181
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=
  ... cookie is not set
  ... failure, session not found
  set_db_session_info
  ...fetch session state from database
  get_current
  ... DOES NOT EXIST - ignore
  fetch items (exact)
  execute_native_session_sentry p_type=>NATIVE_CUSTOM
  ...Execute Statement: begin declare
  begin
  wwv_flow.g_boolean := htmldb_public_user.Modntlm_Page_Sentry;
  end;
  ~
  get_cookie_properties 181 -> ORA_WWV_APP_181, ,
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=
  ... cookie is not set
  get_cookie_properties 181 -> ORA_WWV_APP_181, ,
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=
  ... cookie is not set
  generate_unique_session_id
  remember_deep_link p_url=>f?p=181:30:::LEVEL9:
  get_current
  ... DOES NOT EXIST - ignore
  ... insert into wwv_flow_sessions$: 7781513768577
  create_new
  Session created: 7781513768577 user: foobar
  save_by_name p_item_name=>FSP_AFTER_LOGIN_URL,p_item_value=>***
  set_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_value=>f?p=181:30:7781513768577::LEVEL9:
  ...Session State: Saved Item "FSP_AFTER_LOGIN_URL" New Value="f?p=181:30:7781513768577::LEVEL9:"
  login p_uname=>foobar,p_password=>...,p_session_id=>7781513768577,p_flow_page=>181:30,p_entry_point=>POST-LOGIN,p_preserve_case=>false,p_use_secure_cookie=>false
  execute_login p_username=>foobar,p_password=>...,p_current_app_id=>181,p_next_app_id=>181,p_next_page_id=>30,p_post_login=>true,p_builder_login_for_workspace=>
  ...delaying unrecoverable error to the end of execute_login
  create_or_reuse_session
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from db)
  ...Session ID 7781513768577 can be used
  ...New Instance Detected -
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
  ... page is public:false
  ... POST LOGIN shortcut, no pre-auth and auth process
  ... Authentication success
  ... running post_auth_240111674424380819
  ...Execute Statement: begin declare
  procedure post_auth_240111674424380819 is
  begin
  post_auth_240111674424380819;
  end;
  end;
  Collection - Begin create_collection_from_query_b, Collection Name: AD_GROUPS
  Collection - Begin Create Collection, Collection Name: EM_ROLES
  save_by_name p_item_name=>G_APP_USER,p_item_value=>***
  find_item_by_name p_name=>G_APP_USER
  set_substitution_cache p_id=>8993704979413505,p_value=>***,p_name=>G_APP_USER,p_filter=>Y,p_encrypted=>N
  ...Session State: Saved Item "G_APP_USER" New Value="foobar"
  get_item_value  p_item=>FSP_AFTER_LOGIN_URL,p_flow=>181,p_instance=>7781513768577
  ... l_instance=7781513768577,l_flow_id=181,l_sgid=634111608319703,p_item=FSP_AFTER_LOGIN_URL
  get_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_session_id=>7781513768577
  ...value="f?p=181:30:7781513768577::LEVEL9:"
  save_by_name p_item_name=>FSP_AFTER_LOGIN_URL,p_item_value=>***
  set_builtin_global_item_value p_item_name=>FSP_AFTER_LOGIN_URL,p_value=>
  ...Session State: Saved Item "FSP_AFTER_LOGIN_URL" New Value=""
  log_login p_username=>foobar,p_security_group_id=>634111608319703,p_owner=>foobar,p_application_id=>181,p_authentication_method=>Login,p_authentication_result=>0,p_custom_status_text=>
  ... update session user (foobar) and auth result ()
  reset_cache
  update_hashed_id -> ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1, sqlrowcount=1
  send name=>ORA_WWV_APP_181,value=>ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1,expires=>,path=>,domain=>,secure=>,httponly=>HTTPONLY
  Redirecting to f?p=181:30:7781513768577::LEVEL9:
  ...setting g_unrecoverable_error:=true again
  Stop APEX Engine detected
  Stop APEX Engine detected
  Final commit
  init cgi_var_name.count=>29
  CGI: PATH_INFO = /f
  HTTP://xxx/pls/xxx.xx
  QUERY_STRING=p=181:30:7781513768577::LEVEL9:
  REQUEST_METHOD=GET
  REMOTE_ADDR=xx.xx.xx.xx
  REMOTE_USER=foobar
  APEX_LISTENER_VERSION=
  REFERER=
  Cookies:
  S H O W: application="181" page="30" workspace="" request="" session="7781513768577"
  Reset NLS settings
  alter session set NLS_LANGUAGE="AMERICAN"
  alter session set NLS_TERRITORY="AMERICA"
  alter session set NLS_CALENDAR="GREGORIAN"
  alter session set NLS_SORT="BINARY"
  alter session set NLS_COMP="BINARY"
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  no characterset conversion needed
  ...Setting session time_zone to -04:00
  reset_nls_environment
  reset
  reset
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Language derived from: FLOW_PRIMARY_LANGUAGE, current browser language: en-us
  alter session set nls_language="AMERICAN"
  alter session set nls_territory="AMERICA"
  NLS: CSV charset=WE8MSWIN1252
  ...NLS: Set Decimal separator="."
  ...NLS: Set NLS Group separator=","
  ...NLS: Set g_nls_date_format="DD-MON-RR"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  Setting NLS_DATE_FORMAT to application date format: mm/dd/yyyy
  ...NLS: Set g_nls_date_format="mm/dd/yyyy"
  ...NLS: Set g_nls_timestamp_format="DD-MON-RR HH.MI.SSXFF AM"
  ...NLS: Set g_nls_timestamp_tz_format="DD-MON-RR HH.MI.SSXFF AM TZR"
  NLS: Language=en-us
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  Application 181, Authentication: PLUGIN, Page Template: 12902619543947292
  authenticate_and_init_session p_app_id=>181
  fetch_flow_info
  set_html_escaping_mode p_mode=>E
  set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
  does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
  get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  ... authentication id=252985691712777759, sgid=634111608319703, curr flow sgid=634111608319703
  ... page is public:false
  Authentication check: Login (NATIVE_CUSTOM)
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from db)
  builtin_cookie_sentry p_cookie_name=>ORA_WWV_APP_181
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  ... success, session id and security group id matches
  ... set user and session id in package globals
  set_g_security_group_id p_security_group_id=>634111608319703,p_check_host_prefix=>true
  does_host_prefix_match p_security_group_id=>634111608319703,p_host_prefix=>,c_path_info=>/f
  set_db_session_info
  ...fetch session state from database
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  fetch items (exact)
  ... fetched 8993704979413505: name=G_APP_USER, value=foobar
  execute_native_session_sentry p_type=>NATIVE_CUSTOM
  ...Execute Statement: begin declare
  begin
  wwv_flow.g_boolean := htmldb_public_user.Modntlm_Page_Sentry;
  end;
  ~
  get_cookie_properties 181 -> ORA_WWV_APP_181, ,
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  get_cookie_properties 181 -> ORA_WWV_APP_181, ,
  get_by_cookie_name p_cookie_name=>ORA_WWV_APP_181
  session cookie value for ORA_WWV_APP_181=ORA_WWV-PqmZTwhNdxkMTTqPlY88APZ1
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  ... sentry success, no verification specified
  ... sentry+verification success
  create_or_reuse_session
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  ...Session ID 7781513768577 can be used
  ...New Instance Detected -
  get_by_cookie_name p_cookie_name=>ORA_WWV_USER_61814286625969
  session cookie value for ORA_WWV_USER_61814286625969=
  ... cookie is not set
  get_builder_session_id: builder session=null
  ...Setting session time_zone to -04:00
  ...Check for session expiration:
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  get_builtin_global_item_value p_item_name=>FSP_SESSION_TIME,p_session_id=>7781513768577
  NO_DATA_FOUND!
  set_builtin_global_item_value p_item_name=>FSP_SESSION_TIME,p_value=>20130925091227::
  ...Session State: Saved Item "FSP_SESSION_TIME" New Value="20130925091227::"
  Session: Fetch session header information
  get_current
  ... session=7781513768577, user=foobar, sgid=634111608319703 (from cache)
  fetch_step_info p_mode=>SHOW
  get_home_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  get_login_url p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  get_theme_id p_user_interface_id=>12942041779151719,p_application_id=>181,p_security_group_id=>634111608319703
  Branch point: Before Header
  Authorization Check: "Administrator" Caching: "BY_USER_BY_PAGE_VIEW" Component: "PAGE"
  ...  failed
  setting g_primary_language := en-us
  Add error onto error stack
  ...Error data:
  ......message: Must be Administrator
  ......additional_info: Access denied by Page security check
  ......display_location: ON_ERROR_PAGE
  ......is_internal_error: true
  ......apex_error_code: APEX.AUTHORIZATION.ACCESS_DENIED
  ......error_backtrace: ----- PL/SQL Call Stack -----
    object      line  object
    handle    number  name
  0x2d7325bc0       556  package body APEX_040200.WWV_FLOW_ERROR
  0x2d7325bc0       607  package body APEX_040200.WWV_FLOW_ERROR
  0x2d7325bc0       911  package body APEX_040200.WWV_FLOW_ERROR
  0x211e95470       488  package body APEX_040200.WWV_FLOW_AUTHORIZATION
  0x2dbf01138      6000  package body APEX_040200.WWV_FLOW
  0x2db632be8       249  procedure APEX_040200.F
  0x267d27130        31  anonymous block
  ......component.type: APEX_APPLICATION_AUTHORIZATION
  ......component.id: 19813621888498766
  ......component.name: Administrator
  ...Show Error on Error Page
  ......Performing rollback
  render_error_page
  wwv_flow_init_htp_buffer
  reset
  reset
  get_grid_template p_page_template_id=>12901127353947285
  emit_page_header
  Show page template header
  handle_common_placeholders p_placeholder=>#TITLE#
  get_title
  handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
  handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
  handle_common_placeholders p_placeholder=>#APEX_CSS#
  is_desktop_ui p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
  get_ui_type p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
  ...initialize cache
  ... ui type name=DESKTOP
  ... true
  handle_common_placeholders p_placeholder=>#TEMPLATE_CSS#
  handle_common_placeholders p_placeholder=>#THEME_CSS#
  handle_common_placeholders p_placeholder=>#PAGE_CSS#
  handle_common_placeholders p_placeholder=>#APEX_JAVASCRIPT#
  is_desktop_ui p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
  get_ui_type p_application_id=>181,p_page_id=>30,p_security_group_id=>634111608319703
  ...use cache
  ... ui type name=DESKTOP
  ... true
  handle_common_placeholders p_placeholder=>#TEMPLATE_JAVASCRIPT#
  handle_common_placeholders p_placeholder=>#APPLICATION_JAVASCRIPT#
  handle_common_placeholders p_placeholder=>#PAGE_JAVASCRIPT#
  handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
  handle_common_placeholders p_placeholder=>#IMAGE_PREFIX#
  handle_common_placeholders p_placeholder=>#ONLOAD#
  handle_common_placeholders p_placeholder=>#OUTDATED_BROWSER#
  handle_common_placeholders p_placeholder=>#FORM_OPEN#
  Rendering form open tag and internal values
  clear_page_checksum
  generate_unique_session_id
  perform p_process_point=>AFTER_ERROR_HEADER
  Processes - point: AFTER_ERROR_HEADER
  handle_common_placeholders p_placeholder=>#REGION_POSITION_07#
  handle_common_placeholders p_placeholder=>#HOME_LINK#
  handle_common_placeholders p_placeholder=>#LOGO#
  handle_common_placeholders p_placeholder=>#NAVIGATION_BAR#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_08#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_04#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_01#
  handle_common_placeholders p_placeholder=>#SUCCESS_MESSAGE#
  handle_common_placeholders p_placeholder=>#NOTIFICATION_MESSAGE#
  handle_common_placeholders p_placeholder=>#GLOBAL_NOTIFICATION#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_02#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_03#
  perform p_process_point=>BEFORE_ERROR_FOOTER
  Processes - point: BEFORE_ERROR_FOOTER
  emit_footer
  Show page footer
  Show page tempate footer
  handle_common_placeholders p_placeholder=>#CUSTOMIZE#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_05#
  handle_common_placeholders p_placeholder=>#APP_VERSION#
  handle_common_placeholders p_placeholder=>#REGION_POSITION_08#
  handle_common_placeholders p_placeholder=>#FORM_CLOSE#
  Rendering form close tag and page checksum
  handle_common_placeholders p_placeholder=>#DEVELOPER_TOOLBAR#
  handle_common_placeholders p_placeholder=>#GENERATED_CSS#
  handle_common_placeholders p_placeholder=>#GENERATED_JAVASCRIPT#
  emit_generated_javascript
  Logging exception in final_exception_handler:
  Sqlerrm: ORA-20987: APEX - Must be Administrator - Access denied by Page security check
  Backtrace: ORA-06512: at "APEX_040200.WWV_FLOW_ERROR", line 861
  ORA-06512: at "APEX_040200.WWV_FLOW_ERROR", line 896
  ORA-06512: at "APEX_040200.WWV_FLOW_AUTHORIZATION", line 501
  ORA-06512: at "APEX_040200.WWV_FLOW", line 6000
  Seems to me that the authorization scheme (which uses the value of the application item) is evaluated before the before-header/unconditional application computation sets the value of the application item and since the authorization scheme fails, show processing stops with an error.
  What say you?

• Report Link + Authorization Scheme

  I have an authorization scheme that checks whether a certain person has privileges to edit a record on Page 2 by referring to the :P2_ID in the authorization scheme. Page 1 has a report with a report link, but the user can see both items they are able to edit and items they are not. I know I can make the link dynamically in the sql but wanted to see if there was an easy way to use an authorization scheme, but pass the #REPORT_COL# value in the report over to an authorization scheme to show or hide the icon for me so I can get the link out of the sql.

  Great example Scott! However, I'd would caution the other Sc0tt that calling functions in a SQL statement is fine for a small number of rows, but can CRUSH performance for medium to large result sets. Even if the function is fast, you're still context-switching between SQL and PL/SQL for every row. Make sure you test this with the volume of data you expect your users to encounter. If it's a problem, you might force the user to apply some filters before running the query.
  If you're running 11g you can at least minimize the hit of the function with "Function Result Cache". Even if you're not on 11g yet, you can use the following code in 10g and it will switch-on result cache when you compile it in 11g:
  create or replace function auth_user(p_key in number)
       return varchar2
       $IF not dbms_db_version.ver_le_10_2 $THEN
            result_cache
       $END
  as
  begin
      pkg.g_value := p_key;
      if apex_application.public_security_check (p_security_scheme => 'AUTH_USER_COLUMN') then
          return '1';
      else
          return '0';
      end if;
  end;
  / If it is a reasonable result set, Scott's solution is perfect.
  Thanks,
  Tyler

• Display page items based on Authorization Scheme...

  I have a report form that shows all my columns, but I have two columns that I only want "Admin" and "Edit" from my authorization scheme to be able to edit; but I would like for "User" to view.
  Currently I have "authorization" enabled for the two items, and set for "Edit". This works, except the "User" logins cannot view the items.
  I thought of two possibilities, both I think I'd need help on though!:
  1. Create a duplicate page item for these two items. One would show as "Text" only (cannot edit). The other would be "Text Field". The "Text Field" column would only be
  accessible by "Edit" or "Admin".
  The problem, though, is now "Edit" or "Admin" users will see both columns
  2. Set up something in "Conditions" that would show as "text" for "User", and as "Text Field" for "Admin" or "Edit"?
  I would have no clue how to do this...
  Any thoughts?
  Kevin L.

  Kevin
  You can create two items and in the Authorization Scheme you can set one as Users and second as Edit. Also You can do something using small JS. Create a variable P_USR_TYPE to hold the value of User group lets say 1 for Users and 2 for Edit. Then on the HTML header or footer of the region you can add a javascript call
  function UsrCustomization()
       if ( P_USR_TYPE == 1 )
            // mark the item as readonly
            // document.getElementById('P1_FIELD_QUESTION').disabled = true;
            document.getElementById('P1_FIELD_QUESTION').readOnly="readonly"
  UsrCustomization();Thanks,
  Manish