Change Authorization Schemes

Similar Messages

• Authorization Scheme problem using query

  Greetings:
  I have an application with 4 different roles in my application. Depending on the user role, the access to different pages within the application are filtered. We have 4 group types: admin, general, transactional and read_only; each, with descending levels of authorization.
  The application utilizes a two-level tab navigation system in which I hide the tabs that the users are not supposed to see, depending on the level of authorization that they have. I have implemented three authorization schemes for three different types of access depending on the pages within my application. The only page without any auhorization is the login page.
  The three created authorization schemes are as follows.
  My first scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  APP_GROUP_TYPE != 'READ_ONLY'
  This one is supposed to negate access to the READ_ONLY group, but allow access to all other groups.
  My Second scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  and
  APP_GROUP_TYPE != 'transactional')
  The second one, I have added the transactional group as to be explicitly negated access.
  My Third scheme
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  AND
  APP_GROUP_TYPE != 'transactional'
  AND
  APP_GROUP_TYPE != 'general')
  the last one, I have added the general group as to be explicitly negated access.
  I am thinking that, logically, this would work, but the pages do not display properly. I am always getting the failed authorization page, even with my admin user. Is there something wrong with my methodology? Should I be white-listing instead of black-listing in my queries? Thanks for your support.

  I appreciate your help Jeff, you helped me a great deal, but not in the way you may think. In your link, there was a post that offered a solution with a simple query. There was one person that posted a query using (upper) to bring the username to uppercase so it can be properly compared to :APP_USER. Yes, the users were entered as lowercase, the logic was ok. I changed the query logic to a white list as to avoid possible users that may be able to authenticate into the application without a proper group configured.
  Thanks for your support. Maybe this can help someone on the forums out.

• Page Restriction - Authorization Scheme

  I have an application 8736 this application as 3 tabs
  TAB1: information  TAB2: department   TAB3: Admin
  TAB3 as a form in which SHOULD be only be view by users which authorisation rights. I have been trying to do this for sometimes now and it is not work. I have a table called users
  TABLE:users
  username    access_level      
  john919             2
  sarah765           0
  For the page in TAB3 if you have an access level of 2. You should be able to view this page and if not they you should get an error message saying "sorry you cant view this page".
  In this case "john919" should be able to view the page in tab "Tab3" and "sarah765 " SHOULD NOT.
  I have this query in the Authorization Scheme and the scheme type: pl/sql function returning boolean
  DECLARE
     v_access_level   NUMBER (2);
  BEGIN
     IF (:APP_PAGE_ID = 61)
     THEN
        SELECT MAX (ADMIN_LEVEL)
          INTO v_access_level
          FROM USERS
         WHERE USER_NAME = :APP_USER;
        IF v_access_level = 2
        THEN
           RETURN TRUE;
        ELSE
           RETURN FALSE;
        END IF;
     ELSE
        RETURN TRUE;
     END IF;
  END
  I have never try this before and I have being asking around and alot of people tell me this should check the admin_level in the USERS table using the current username of the person looking in to see if they have access to this page. SO far this is as fail me. Please help

  If you only have one access level per user then try changing your authorization scheme code to
  DECLARE
     v_access_level   NUMBER (2);
  BEGIN
        SELECT ADMIN_LEVEL
          INTO v_access_level
          FROM USERS
         WHERE USER_NAME = :APP_USER;
        IF v_access_level = 2
        THEN
           RETURN TRUE;
        ELSE
           RETURN FALSE;
        END IF;
  END;
  now apply this scheme to tab3

• Authorization scheme issues

  Hi I'm using custom authenitication scheme sso with ntlm_page_sentry function.
  I've an authorization scheme 'Admin control" like this :
  declare
  v_role varchar2(55);
  begin
  select role into v_role from user_roles where lower(userid) = lower(:APP_USER);
  if v_role = 'ADMIN' then
  return true;
  else
  return false;
  end if;
  exception
  when NO_DATA_FOUND then return false;
  end;
  In a login page(page:101) :I've a process like this with process point as onload before header:
  declare
  v_role varchar2(55);
  v_nextpage number;
  begin
  select upper(role) into v_role from sales_inq.user_roles where lower(userid) = lower(:APP_USER);
  case v_role
  when 'ADMIN' then v_nextpage := 9;
  when 'EDIT' then v_nextpage := 1;
  when 'VIEW' then v_nextpage := 2;
  end case;
  owa_util.redirect_url('f?p=' || :APP_ID || ':' || v_nextpage);
  exception
  when NO_DATA_FOUND then
  owa_util.redirect_url('f?p=' || :APP_ID || ':101');
  end;
  I've assigned "admin control" authorization scheme to page9 and changed authentication to "page requires authentication"
  After loginto my system through networkid which is assigned to ADMIN role when I run login page(101) I'm unable to access page 9.Can't I test this in standalone mode in dev instance?For ex:my userid is in user_role table with a role of admin why I can't see that page?
  Thanks,
  Mahender.
  Edited by: user518071 on Oct 8, 2009 12:44 PM

  Hi Scott,
  How does the login page get invoked?
  I'm trying to implement this authorization scheme for the first time for this UI.
  Previous scenario:User needs to login so login page will be displayed automatically
  Current scenario:User comes to login screen which is a dummy page without any items or regions and I've created process (on load before header process code mentioned above)which will check the network user's role and branch to corresponding page
  Why is there a login page if you have an sso facility?
  There is no login page as such but it's common intermediary page for all users which is not displayed but automatically directed to their corresponding page based on the process (on load before header process code mentioned above)
  Is there a login page designated as the Session Not Valid Page in the authentication scheme?
  No
  or let me know how we can do this ?
  I've three roles for users :admin,edit,view and it's stored in user_roles table,user with role view can access only his page and user with edit can access all view pages as well as his pages,admin can access all pages.Then next issue is how to test this without using active directory in dev instance by adding security to corresponding pages(ex:admin control,page requires authentication)
  Thanks,
  Mahender.

• Is there a quick way of listing all Authorization Schemes?

  Is there a quick way of listing all Authorization Schemes of all pages/items/tabs/etc of a particular application? V4.1.

  Perhaps with a combination of queries from the dictionary views
  SELECT * FROM APEX_DICTIONARY
  WHERE APEX_VIEW_NAME LIKE '%AUTH%'
  OR COLUMN_NAME LIKE 'AUTHORIZATION_SCHEME';
  SELECT * FROM APEX_APPLICATION_AUTHORIZATION;
  SELECT ITEM_NAME, AUTHORIZATION_SCHEME FROM APEX_APPLICATION_PAGE_ITEMS;Would you please change your username to something more friendly to the forum?
  Scott

• Customise Authorization Scheme web page

  Hi
  APEX - 4.1
  Oracle - 11gr2
  I have added an Authorization Scheme to my application whereby a check is performed to determine whether or not a user is allowed to access a webpage. If a user tries to access a restricted webpage a new webpage is displayed with
  'Access denied by Application security check' and a red exclamation
  My question is how can I customise this webpage as it differs from my application template (The log out disappears at the top and the topbar moves about between the restriction error webpage and the page it returns back to)?
  Is this possible?
  Thanks
  Rob

  Hi
  Thanks for the help. I located the 'Error Page Template Control' section.
  I am not looking to customise that section, but what I have noticed in firebug is that when I switch to this error page the BODY of the HTML document changes.
  So on a ordinary page you would normally have
    <div id="navbar">
      <div class="app-user">#WELCOME_USER#</div>
      <div class="app-user">Client: Internal</div> -- This is customised be me
      #NAVIGATION_BAR#
      #REGION_POSITION_08#
    </div>whereas on this error page you will have
    <div id="navbar">
      <div class="app-user">#WELCOME_USER#</div>
      <div class="app-user">Client: Internal</div> -- This is customised be me
    </div>Also the topbar seems to change from
     <div id="topbar">#REGION_POSITION_01##REGION_POSITION_04#</div>to
     <div id="topbar"></div>Is this normally? It is these adjustments I want to fix as navbar has the logout link which disappears and the topbar has my menu which messes with the page format on the error page
  Cheers
  Rob

• Create Authorization Scheme for LDAP Groups

  I have installed APEX 4.0 in my staging environment and got the LDAPS to finally work. I can now login to the application with my LAN user name and password. The only problem is so can everyone else on the LAN. So I wanted to create an authorization scheme that would only allow a certain group or groups of LDAP users into the application rather than everyone.
  I am at the Create Authorization Scheme page and am kind of stuck. Has anyone done this before and can share some SQL or knowledge?

  hi larosejh
  If you want to do that you must write your own procedures using the dbms_ldap package. I found some code a while back that searches the LDAP. Maybe you can use this to create a function for your authentication.
  DECLARE
  retval PLS_INTEGER;
  my_session DBMS_LDAP.session;
  my_attrs DBMS_LDAP.string_collection;
  my_message DBMS_LDAP.message;
  my_entry DBMS_LDAP.message;
  entry_index PLS_INTEGER;
  my_dn VARCHAR2(256);
  my_attr_name VARCHAR2(256);
  my_ber_elmt DBMS_LDAP.ber_element;
  attr_index PLS_INTEGER;
  i PLS_INTEGER;
  my_vals      DBMS_LDAP.STRING_COLLECTION ;
  ldap_host VARCHAR2(256);
  ldap_port VARCHAR2(256);
  ldap_user VARCHAR2(256);
  ldap_passwd VARCHAR2(256);
  ldap_base VARCHAR2(256);
  BEGIN
  retval := -1;
  -- Please customize the following variables as needed
  ldap_host := 'host';
  ldap_port := '389';
  -- In case of update/insert/delete need change ldap_user to other.
       -- ldap_user := 'cn=orcladmin';
       -- ldap_passwd:= 'welcome';
  -- set User and password to NULL for anonymous user.
  ldap_user := 'user';
  ldap_passwd:= 'password';
  ldap_base := 'CN=Users,DC=ee,DC=intern';
  -- end of customizable settings
  -- Start output Header--
  DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
  DBMS_OUTPUT.PUT('> DBMS_LDAP Search Example ');
  DBMS_OUTPUT.PUT_LINE('');
  DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Host ',25,' ') || ': ' || ldap_host);
  DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Port ',25,' ') || ': ' || ldap_port);
  -- Choosing exceptions to be raised by DBMS_LDAP library.
  DBMS_LDAP.USE_EXCEPTION := TRUE;
  my_session := DBMS_LDAP.init(ldap_host,ldap_port);
  DBMS_OUTPUT.PUT_LINE (RPAD('> Ldap session ',25,' ') || ': ' ||
  RAWTOHEX(SUBSTR(my_session,1,8)) ||
  '(returned from init)');
  -- bind to the directory
  retval := DBMS_LDAP.simple_bind_s(my_session,
  ldap_user, ldap_passwd);
  DBMS_OUTPUT.PUT_LINE(RPAD('> simple_bind_s Returns ',25,' ') || ': '
  || TO_CHAR(retval));
  -- issue the search
  my_attrs(1) := 'dn'; -- retrieve all attributes
  retval := DBMS_LDAP.search_s(my_session, ldap_base,
  DBMS_LDAP.SCOPE_SUBTREE,
  'objectclass=*',
  my_attrs,
  0,
  my_message);
  DBMS_OUTPUT.PUT_LINE(RPAD('> search_s Returns ',25,' ') || ': '
  || TO_CHAR(retval));
  DBMS_OUTPUT.PUT_LINE (RPAD('> LDAP message ',25,' ') || ': ' ||
  RAWTOHEX(SUBSTR(my_message,1,8)) ||
  '(returned from search_s)');
  -- count the number of entries returned
  retval := DBMS_LDAP.count_entries(my_session, my_message);
  DBMS_OUTPUT.PUT_LINE(RPAD('> Number of Entries ',25,' ') || ': '
  || TO_CHAR(retval));
  DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
  -- End output Heading --
  -- get the first entry
  my_entry := DBMS_LDAP.first_entry(my_session, my_message);
  entry_index := 1;
  -- Loop through each of the entries one by one
  while my_entry IS NOT NULL loop
  -- print the current entry
  my_dn := DBMS_LDAP.get_dn(my_session, my_entry);
  -- DBMS_OUTPUT.PUT_LINE (' entry #' || TO_CHAR(entry_index) ||
  -- ' entry ptr: ' || RAWTOHEX(SUBSTR(my_entry,1,8)));
  DBMS_OUTPUT.PUT_LINE (' dn: ' || my_dn);
  my_attr_name := DBMS_LDAP.first_attribute(my_session,my_entry,
  my_ber_elmt);
  attr_index := 1;
  while my_attr_name IS NOT NULL loop
  my_vals := DBMS_LDAP.get_values (my_session, my_entry,
  my_attr_name);
  if my_vals.COUNT > 0 then
  FOR i in my_vals.FIRST..my_vals.LAST loop
  DBMS_OUTPUT.PUT_LINE(' ' || my_attr_name || ' : ' ||
  SUBSTR(my_vals(i),1,200));
  end loop;
  end if;
  my_attr_name := DBMS_LDAP.next_attribute(my_session,my_entry,
  my_ber_elmt);
  attr_index := attr_index+1;
  end loop;
  my_entry := DBMS_LDAP.next_entry(my_session, my_entry);
  DBMS_OUTPUT.PUT_LINE(' --------------------------------------------------- ');
  entry_index := entry_index+1;
  end loop;
  -- unbind from the directory
  retval := DBMS_LDAP.unbind_s(my_session);
  DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ',25,' ') || ': ' ||
  TO_CHAR(retval));
  -- Start Output Footer --
  DBMS_OUTPUT.PUT_LINE('Directory operation Successful .. exiting');
  -- Start Output Footer --
  -- Handle Exceptions
  EXCEPTION
  WHEN OTHERS THEN
  DBMS_OUTPUT.PUT_LINE(' Error code : ' || TO_CHAR(SQLCODE));
  DBMS_OUTPUT.PUT_LINE(' Error Message : ' || SQLERRM);
  DBMS_OUTPUT.PUT_LINE(' Exception encountered .. exiting');
  END;
  /

• Display region based on authorization scheme

  I have a region on a page that is displayed based on the 'SFD' authorization scheme.
  I log in as a user who matches the 'SFD' authorization scheme. This scheme queries a table called gnt_authorization to determine if the app user does indeed satisfy the condition, and I do.
  But when I open the page, the region is not displayed.
  Does anyone have any idea why?

  varad wrote:
  Does the region render if you logged in using an account other than 'myloginid' ?
  I just took another existing account and updated its authorization in gillnet_tag_authorization so that it now says department SFD and startup_page 15. I committed the change. Then I logged in as this user and the region did not display.
  But I wonder if I had to close the browser first before this takes effect because the authorization scheme is checked once per session and I had previously already logged in as that user before making the authorization change.
  varad wrote:
  Has the right Authorization Scheme been specified for the region ?
  Yes, it's set to SFD.

• Authorization scheme problem

  Hi all,
  I have implemented ACL authorization (Restricted only), and have just created a new ACL scheme in my app is the name of "Registration" same copy of EDIT scheme, I have set following users with these roles:
  USERS with roles
  =============
  1. Admin with Administrator.
  2. Guest with Registration.
  3. Frank with Edit.
  I have create a Navigation List entries (for redirection) on my home page with following entries with restricted roles:
  Navigation List :
  ============
  Administration (for Administrator only ) assigned 'ADMIN' role
  New Registration (for 1 time user registration) assigned 'REGISTRATION' role
  Student Schedule (for existing users) assigned 'EDIT' role
  Student Semester Result (for existing users) assigned 'EDIT' role
  Student Attendance (for existing users) assigned 'EDIT' role
  Problem:
  ========
  When I set REGIS role to guest user , all entries of navigation list ( i mentioned above) except Administration Entry are shown on this page.
  I want to restrict guest user, who can only see Registration Link only. How can I do this ??
  help me out
  waiting for your prompt reply
  regards n thanks
  qamar

  Thanks for your reply scott, at least someone is there to understand it :).
  Well ok just forget everything and focus on it, I am using apex version Apex 3.0.1 with Oracle 9.2.0.1.0, my question is simple as i had stated above long time ago, I have added a new scheme/role 'REGIS' as same as EDIT role and changed EDIT to REGIS on that scheme/role, through this I just want to access only guest user to log in temporarily and create its account in our application and log out, and when he registered in our application, a role EDIT will assigned him automatically and he will be able connect our portal with EDIT role now.
  I had created a simple HTML page and created a Navigation List on it.
  there are 5 list entries on this page .
  1. Administration
  2. New User Registration.
  3. Student schedule.
  4. Student results
  5. Student attendance.
  -Administration
  (assigned ADMIN , so only administrator can see this link and all the entries)
  -New User Registration
  (only guest user with REGIS role can see this link)
  -3,4,5
  (only registered users with EDIT role can see these links)
  I have set these authorization in every list entry with authorization schemes mentioned above.
  Q. But the problem in this situation is that when I assign REGIS scheme to my 2 list entry, all other entries (3,4,5) including 2nd entry are also visible to guest user who has REGIS scheme assigned.
  I hope now you can understand clearly what I am trying to say and understand it.
  Hoping for your prompt reply.
  regards
  qamarsyed

• Authorization scheme (using {not} Scheme)

  I have build a change password page and every user, except user with a Guest role (= GUEST SCHEME) have access to that page.
  I defined a scheme GUEST for users with the GUEST role. When I define the page with Authorization scheme {not}GUEST this isn't working everyone has access to the page, also the guest users.
  am I misunderstanding the {not}scheme choice or is something else wrong.
  Fred.

  Fred,
  I have solved it with the work around I mentioned before:I read what you said very carefully but thought it reckless to conclude that the workaround was successful because you just said "To work around the problem, I did xyz" without indicating the outcome.
  The authorization schemes on navigation tabs fire also on the default login pageYes they do, they fire on every page whether or not the page template accommodates a navigation bar. This looks like a bug to me.
  Is there a "authorization scheme report" which shows all the objects where the authorization scheme is defined.Shared Components > Authorization Schemes > Utilization (slightly different in each version).
  Scott

• Authorization scheme violation message not translatable?

  Hello team,
  could you please confirm that the authorization scheme violation message is not included in the translatable text for some reason?
  I can't find it in the list of texts to be translated even after seeding the application.
  Bye,
  Flavio
  http://oraclequirks.blogspot.com/search/label/Apex

  Hello gents,
  it's curious because after doing some tests i was almost convinced it was a sort of "feature".
  From the behavior of the application i see that the authorization code is not duplicated in a translated application as it happens for most other components, as a result if i modify the authorization violation message, the change becomes effective immediately across all translations.
  In view of this fact i developed the fancy theory that this was a security measure to prevent that a non-updated translated application could serve as a "trojan horse" to access a restricted page in virtue of the lack of control...
  Anyway, i'm glad to hear that my theory is a nonsense :-D
  Bye,
  Flavio
  http://oraclequirks.blogspot.com/search/label/Apex

• Authorization scheme methods/techniques

  Hi all,
  I'm currently using the Authorization Scheme that came with the Build a Menu Framework Application. Unfortunately, it doesn't work the way I want it to.
  Can someone share any other techniques on how to set up a authorization scheme. My application has users divided in different roles where some pages are accessible by 1 role then other pages by another role.
  Any suggestions will be appreciated.
  Thanks and Regards,
  Allen

  Hi,
  Let me give you my thoughts on this thread.
  You need to be very careful about the use of the term Authentication and Authorization.
  Authentication deals with making sure the user is who they say they are (normally by requesting a password).
  Authorization deals with making sure a user can only do what they are allowed to do.
  For Authentication you have a number of options. If none of the standard ApEx Authentication schemes work for you then you can create your own:
  Create a database function that accepts a username and a password and returns TRUE or FALSE. For testing our applications we use a very simple function:
  create or replace function "TESTING_SIGNON_FNC"
  (p_username in VARCHAR2,
  p_password in VARCHAR2)
  return BOOLEAN
  is
  CURSOR c_valid_password
  IS
  SELECT 1 FROM DUAL
  WHERE UPPER(p_username) = UPPER(p_password);
  l_valid_password NUMBER;
  BEGIN
  OPEN c_valid_password;
  FETCH c_valid_password INTO l_valid_password;
  IF c_valid_password%FOUND THEN
  CLOSE c_valid_password;
  RETURN TRUE;
  END IF;
  CLOSE c_valid_password;
  RETURN FALSE;
  END;
  Change the select to use whatever method you like.
  Then Create an Authentization Scheme with an 'Authentication Function' of 'return TESTING_SIGNON_FNC;'
  For Authorization you need to decide how you will control who can do what and how you maintain this. In our applications we need users (Administrators) of the application to be able to grant / revoke access to certain areas via the application UI.
  The solution we have developed has five database tables:
  SEC_PERSON
  SEC_ROLES
  SEC_FUNCTIONS
  SEC_ROLE_FUNCTIONS
  SEC_PERSON_ROLES
  SEC_PERSON holds the Person Details
  SEC_FUNCTIONS has the functions that we want to be able to grant ('create project' for instance)
  SEC_ROLES has the roles that we want to be able to Grant to people ('Project Manager' for instance)
  SEC_ROLE_FUNCTIONS has the functions assigned to a Role ('Project Manager' can 'Create Project')
  SEC_PERSON_ROLES has the roles a person has ('Fred' is a 'Project Manager')
  We have pages on each table to allow users to maintain the data.
  In ApEx we then define Authorization Schemes for each function we want to control:
  TPA-PRJ-PRJ-FED (TPA Application - Projects - Project Control - Full Edit) with the following SQL:
  select
  1
  from
  sec_person p,
  sec_person_roles pr,
  sec_roles r,
  sec_role_functions rf,
  sec_functions f
  where
  f.function_code = 'TPA-PRJ-PRJ-FED'
  and
  p.person_id = pr.person_id and
  pr.role_id = r.role_id and
  r.role_id = rf.role_id and
  rf.function_id = f.function_id and
  p.delete_flag = 'N' and
  pr.delete_flag = 'N' and
  r.delete_flag = 'N' and
  rf.delete_flag = 'N' and
  r.delete_flag = 'N' and
  sysdate between p.start_date and nvl(p.end_date,sysdate) and
  sysdate between pr.start_date and nvl(pr.end_date,sysdate) and
  sysdate between r.start_date and nvl(r.end_date,sysdate) and
  sysdate between rf.start_date and nvl(rf.end_date,sysdate) and
  sysdate between f.start_date and nvl(f.end_date,sysdate) and
  p.username = :APP_USER
  This Authorization scheme can then be applied to Tabs, Pages, Buttons, Columns etc. as required.
  Difficult to explain all this without pictures but I hope this helps.
  Martin

• Create Authorization Schemes with plsql

  Hello
  I´d like to create an Application, which has many "Authorization Schemes".
  The source of this schemes is a permission-table in the database.
  How could i create the schemes automaticly by script?
  That would save many time for creation and changes by hand.
  Thanks.
  Edited by: Scubus on Mar 13, 2009 2:36 PM

  Scubus,
  I found the syntax in the export file as well. By omitting p_id, APEX will generate an unique one.
  You have to run the sample as FLOWS or owner (with apex_administrator_role) with security group id set. You can find the security group ID from the export file (right below big APEX text), or run select &WORKSPACE_ID. from dual within application.
  The p_flow_id is the application ID.
  SQL > exec wwv_flow_api.set_security_group_id(p_security_group_id=>858728211457679);
  PL/SQL procedure successfully completed.
  SQL > begin
  wwv_flow_api.create_security_scheme(
  p_flow_id => 114,
  p_name=>'Check EMP4',
  p_scheme_type=>'EXISTS',
  p_scheme=>'select 1 from emp',
  p_caching=>'BY_USER_BY_PAGE_VIEW',
  p_error_message=>'EMP must exists');
  end;
  PL/SQL procedure successfully completed.
  SQL > commit;
  Commit complete.Ittichai

• Conditional Authorization Schemes?

  Can you implement conditional authorization schemes? For example, I have an application that a handful of users will need to be able to edit and a handful of users will need to be able to look through the screens of the app, but not modify data. Can you have a default authorization scheme of say "read-only" where the page items are not editable, and if you belong to the "read-write" scheme, then the fields are editable? Is there an easier way?

  Hi "Potter_geek",
  unfortunately there is no such "read-only" authorization scheme which automatically switches your page items to read-only.
  I see 3 possible workarounds:
  1) Add code to the "Read-Only condition" for each item.
  2) Add a condition/authorization just to your submit/create/... buttons, so that they are not displayed in case of read-only. All the items are still modifiable, but the user can't submit it.
  3a) Just create an "Application Level Process" (before computation/validation) where you check if a user has write access, if not trow an error that he isn't allowed to change anything. => not so user friendly
  3b) Create a page 0 region of type HTML with display point "After footer" and which has the authorization scheme read-only. It should contain a small javascript script which loops through all the INPUT/... elements of your page and set's them to readonly="readonly".
  Just some thoughts...
  Patrick
  Check out my APEX-blog: http://inside-apex.blogspot.com
  Check out the ApexLib Framework: http://apexlib.sourceforge.net

• Restricting Purchase order's payment terms change authorization

  Hi,
  While changing the PO payment terms, system does not reset the release strategy of the released PO. Is there any way we can restrict to PO change with Payment terms change authorizations?
  Regards,
  Sattuj

  Hi,
  Then make the release indicator as 1 then you cannot change any thing first you have to unrelease and then make the required change and then release the same
  regards