Custom Authorization Scheme
Hello,
Is it possible to pass any parameters to my own Authorization Scheme? For example the name of the item. I would like to create my own auth. system, and to evaluate whether the user has a specific right to "click" a button or not. I need the button name/id or anything to check with the Authorization Scheme whether the user is authorized or not.
Thanks,
András
Hi,
If I understood correctly what you mean and you are talking about an Authentication scheme, the answer is no.
But as a workaround you can refer to items in your Authentication Function using the v function:
v('Px_MY_ITEM');
Br, Jari
Similar Messages
-
Authorization Scheme - Getting handle on which object is calling the scheme
Hi
I'm currently trying to write a custom authorization scheme using a plsql returning boolean. What I'm wondering is whether there is a way to reference the application object (e.g. page, region, page item, button etc) that has triggered the authorization plsql to run.
What I'm ultimately wanting to do is to create a generic authorization scheme that can be applied to any object, and that auth scheme will look up a database table containing what users can access what object. I can only do this if I know at run-time which object the plsql is currently checking authorization for. (I can get the user from :APP_USER.)
For example I have an authorization scheme "test_scheme". I have applied test_scheme to the button "CREATE" on page 1. This button has a button_id which I can find from APEX_APPLICATION_PAGE_BUTTONS view.
During page rendering the buttons authorization scheme will be checked (and so the plsql returning boolean will be triggered). When the plsql is triggered I want to reference the fact that the CREATE button on page 1 (or better the button_id) has triggered the plsql, from within the plsql itself.
I hope this makes sense.
Many thanks in advance.
Hi Scott,
Looks like there are a few others out there encountering the limitations of authorization schemes.
Hopefully there will be an enhancement at some point to enable referencing the component id which has triggered the authorization scheme to run.
Until then I will go down the route of creating an authorization scheme for each component that needs one.
Many thanks for pointing me to that discussion.
Jimbo -
Authorization Scheme Newbie Question
Hi,
For my Apex app I have custom authorization schemes which will help to show/hide elements throughout the app. There are three schemes in all; admin, pm and user. I'm setting up admin now and I chose expression 1 = to expression 2, which in my case is:
select lec_dash.f_auth_groups(:APP_USER) from dual;
admin
However, I'm not getting any love from this. Do I need to be doing a different type of check in this case or do I need to do a boolean select statement of some kind?
Thanks,
Jon
For your admin scheme try this as an Exists SQL:
select lec_dash.f_auth_groups(:APP_USER) from dual
where lec_dash.f_auth_groups(:APP_USER) = 'admin';
For your pm:
select lec_dash.f_auth_groups(:APP_USER) from dual
where lec_dash.f_auth_groups(:APP_USER) ='pm';
For your user:
select lec_dash.f_auth_groups(:APP_USER) from dual
where lec_dash.f_auth_groups(:APP_USER) = 'user'; -
Hello All.
I have an application with a custom Authorization Scheme on it. This scheme is used on every page's Security option, with "Page Requires Authentication" set.
If I need to change or upgrade the scheme, I need to navigate to every page in the application to change it. Is there a better way to do so? I mean, is there a way to change or substitute the authorization scheme on all pages of an application without the need to navigate to every page?
Thanks in advance.
Thanks for the reply.
That would be great, but I need to change the Authorization Scheme's name as well, since I work with different ones for different apps.
What I need to do is import a different Authorization Scheme And then use it on all my pages.
If this is not possible, I will have to deal with the database side, but I would like to have another option.
Thanks again -
Custom handling of authorization scheme failed errors
Is there a way I can catch when someone goes to a page they are not authorized to be on (Authorization Scheme used to enforce it) then instead of stopping cold redirect them to the public page of the application and use global notification to inform the user of the fact he or she is not authorized into the selected page instead of going to the red stop sign X page? I have used global notifications before but I am unsure if there is a way to keep my page secure applying the authorization scheme at the page level and do what I am talking about. Any ideas?
This only happens when the user tampers with the URL, but that does happen.
You can code your authorization scheme to return true when it detects unauthorized access to a page but first have it use owa_util.redirect_url to go to the notification page of your choosing.
Scott -
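The redirect Scott describes, written out as an added example rather than Scott's own code. It is a scheme of type "PL/SQL Function Returning Boolean" and assumes an application item G_AUTH_MESSAGE that the landing page's Global Notification attribute displays (as &G_AUTH_MESSAGE.), a public page 1 as the landing page, a PAGE_ACCESS(PAGE_ID, USERNAME) table standing in for whatever access rule you really use, and APEX 4.2 or later for apex_application.stop_apex_engine; all of these are assumptions, not details from the thread.

```plsql
-- Added example, not Scott's code.
-- Assumptions: application item G_AUTH_MESSAGE, public landing page 1,
-- a PAGE_ACCESS(PAGE_ID, USERNAME) table as a stand-in for the real rule,
-- and APEX 4.2+ for apex_application.stop_apex_engine.
create or replace function page_allowed_or_redirect return boolean is
  l_cnt pls_integer;
begin
  -- v() reads session state, so the scheme knows which page is being rendered.
  select count(*)
    into l_cnt
    from page_access
   where page_id  = to_number(v('APP_PAGE_ID'))
     and username = v('APP_USER');

  if l_cnt > 0 then
    return true;
  end if;

  -- Not authorized: leave a message for the landing page's Global Notification ...
  apex_util.set_session_state(
    p_name  => 'G_AUTH_MESSAGE',
    p_value => 'You are not authorized to open page ' || v('APP_PAGE_ID') || '.');

  -- ... send the browser there, keeping the current session ...
  owa_util.redirect_url('f?p=' || v('APP_ID') || ':1:' || v('APP_SESSION'));

  -- ... and stop the engine so that nothing of the protected page is rendered
  -- into the same response after the redirect header.
  apex_application.stop_apex_engine;
  return false;  -- never reached; satisfies the compiler
end page_allowed_or_redirect;
/
```

Attach the function to each protected page as its authorization scheme; the user still never sees the protected page, but lands on page 1 with the notification instead of the error page. On APEX versions without stop_apex_engine, setting apex_application.g_unrecoverable_error := true after the redirect serves the same purpose.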
Authorization scheme for users stored in a database table?
Hello!
I'm trying to find out how to make an authorization scheme for database users.
I first made an authentication scheme for my current application, I named it "Authentication for database accounts", and the scheme type is "Database Accounts".
A word of explanation:
I have a table in my database, named "USERS". Inside this table, I have the following columns:
- USERID (NUMBER)
- USERNAME (VARCHAR2(50))
- PASSWORD (VARCHAR2(50))
- EMAIL (VARCHAR2(200))
For this question, I'll take an example user. The username is USER and the password is USER. Email and UserID don't matter here, but let's just say the UserID is 1.
What I want:
When you go to the application, and you are requested to log in (page 101), then I want a user to be able to log in with the data that has been stored in the USERS table.
So, on the login page, the user will enter USER as username, and USER as password. The authorization scheme then needs to check whether or not this username and password match the data in the USERS table. If it does, then it must sign the user in with the credentials the user entered (those being USER and USER).
I also want the UserID to be stored somewhere in the application (if possible, in an application item).
How do I do this? I've never made an authorization scheme before... I'm not too good with PL/SQL either, but I'm working on that part.
Any help is greatly appreciated.
> I'm trying to find out how to make an authorization scheme for database users.
I think there may be some confusion here. An authorization scheme gives the user access to different parts of an Apex Application. Database users are the users that you use to log in to the database, for example with sqlplus.
From the rest of your post it sounds like you need a custom authentication scheme to validate users against a custom table. For this you need to create a custom authentication scheme and select "use my custom function to authenticate". Exactly how you set up the authentication scheme depends on the version of Apex you are using. But an example of a validate user function you could use is given below:
function validate_login (
  p_username in varchar2
, p_password in varchar2) return boolean
is
  v_result varchar2(1);
begin
  -- Succeeds only if a row with this username and password exists;
  -- the match is on USERNAME, since USERID is a NUMBER.
  select null into v_result
    from USERS
   where username = p_username
     and password = p_password;
  return true;
exception
  when no_data_found then return false;
end validate_login;
Once the user has successfully logged on the userid will be in the APP_USER apex substitution string.
> And for Application Express Account Credentials, does this mean an admin must make each new user by hand?
If you are using Apex account credentials the user details are stored within the Apex tables. You can create users using the Apex admin application or by using the APEX_UTIL.create_user api.
Rod West -
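The USERS table in the question stores the password itself, and the validate function above compares it as plain text. An added example of the same custom authentication function with the password stored as a salted hash follows; this is not Rod West's code. It assumes the USERS table has been given SALT RAW(16) and PASSWORD_HASH RAW(32) columns in place of PASSWORD, an application item G_USER_ID to carry the UserID the asker wanted, EXECUTE on DBMS_CRYPTO, and Oracle 12c or later for DBMS_CRYPTO.HASH_SH256; all of these are assumptions.

```plsql
-- Added example; not Rod West's code. Assumes USERS(USERID, USERNAME, SALT RAW(16),
-- PASSWORD_HASH RAW(32)), an application item G_USER_ID, EXECUTE on DBMS_CRYPTO,
-- and Oracle 12c+ for DBMS_CRYPTO.HASH_SH256.

-- Salted SHA-256 of a password; the same routine is used when storing and when checking.
create or replace function hash_password (
  p_salt     in raw,
  p_password in varchar2) return raw
is
begin
  return dbms_crypto.hash(
           utl_raw.concat(p_salt, utl_raw.cast_to_raw(p_password)),
           dbms_crypto.hash_sh256);
end hash_password;
/

-- Store a new password: a fresh random salt per user, never the password itself.
create or replace procedure set_password (
  p_user_id  in users.userid%type,
  p_password in varchar2)
is
  l_salt raw(16) := dbms_crypto.randombytes(16);
begin
  update users
     set salt          = l_salt,
         password_hash = hash_password(l_salt, p_password)
   where userid = p_user_id;
end set_password;
/

-- Authentication function for a custom APEX authentication scheme
-- ("use my custom function to authenticate"); this signature is what APEX calls.
create or replace function validate_login (
  p_username in varchar2,
  p_password in varchar2) return boolean
is
  l_user_id users.userid%type;
  l_salt    users.salt%type;
  l_hash    users.password_hash%type;
begin
  -- Match on USERNAME (a string), not on the numeric USERID.
  select userid, salt, password_hash
    into l_user_id, l_salt, l_hash
    from users
   where upper(username) = upper(p_username);

  if l_hash = hash_password(l_salt, p_password) then
    -- Make the numeric UserID available to the rest of the application.
    apex_util.set_session_state('G_USER_ID', to_char(l_user_id));
    return true;
  end if;
  return false;
exception
  when no_data_found then
    -- An unknown user gets the same answer as a wrong password.
    return false;
end validate_login;
/
```

The scheme's "Authentication Function" attribute is then just return validate_login(p_username => p_username, p_password => p_password);. A dedicated password KDF with an iteration count is preferable to a single salted hash where one is available to you; the structure (salt per user, hash computed by one shared routine, no plaintext column) stays the same.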
Hi, I'm using a custom authentication scheme, SSO with the ntlm_page_sentry function.
I've an authorization scheme "Admin control" like this:
declare
  v_role varchar2(55);
begin
  select role into v_role
    from user_roles
   where lower(userid) = lower(:APP_USER);
  if v_role = 'ADMIN' then
    return true;
  else
    return false;
  end if;
exception
  when NO_DATA_FOUND then return false;
end;
On the login page (page 101) I've a process like this, with process point On Load - Before Header:
declare
  v_role     varchar2(55);
  v_nextpage number;
begin
  select upper(role) into v_role
    from sales_inq.user_roles
   where lower(userid) = lower(:APP_USER);
  case v_role
    when 'ADMIN' then v_nextpage := 9;
    when 'EDIT'  then v_nextpage := 1;
    when 'VIEW'  then v_nextpage := 2;
  end case;
  owa_util.redirect_url('f?p=' || :APP_ID || ':' || v_nextpage);
exception
  when NO_DATA_FOUND then
    owa_util.redirect_url('f?p=' || :APP_ID || ':101');
end;
I've assigned the "admin control" authorization scheme to page 9 and changed authentication to "page requires authentication".
After logging into my system through a network id which is assigned to the ADMIN role, when I run the login page (101) I'm unable to access page 9. Can't I test this in standalone mode in the dev instance? For example, my userid is in the user_role table with a role of admin, so why can't I see that page?
Thanks,
Mahender.
Edited by: user518071 on Oct 8, 2009 12:44 PM
Hi Scott,
> How does the login page get invoked?
I'm trying to implement this authorization scheme for the first time for this UI.
Previous scenario: User needs to login so the login page will be displayed automatically.
Current scenario: User comes to the login screen, which is a dummy page without any items or regions, and I've created a process (the on load before header process code mentioned above) which will check the network user's role and branch to the corresponding page.
> Why is there a login page if you have an sso facility?
There is no login page as such but it's a common intermediary page for all users which is not displayed but automatically directed to their corresponding page based on the process (the on load before header process code mentioned above).
> Is there a login page designated as the Session Not Valid Page in the authentication scheme?
No
Or let me know how we can do this?
I've three roles for users: admin, edit, view, and it's stored in the user_roles table. A user with role view can access only his page, a user with edit can access all view pages as well as his pages, and admin can access all pages. Then the next issue is how to test this without using active directory in the dev instance by adding security to the corresponding pages (ex: admin control, page requires authentication).
Thanks,
Mahender. -
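Both the admin/pm/user schemes in Jon's thread above and the admin/edit/view hierarchy Mahender describes (view sees only its own pages, edit also sees the view pages, admin sees everything) can be driven from one role table and one function. The following is an added example, not code from either thread. It uses the USER_ROLES(USERID, ROLE) table named in Mahender's post; the numeric ranking of the roles and the one-line scheme bodies are assumptions.

```plsql
-- Added example. USER_ROLES(USERID, ROLE) is from Mahender's post; the ranking
-- ADMIN > EDIT > VIEW and the scheme bodies below are assumptions.
create or replace function role_rank (p_role in varchar2) return pls_integer is
begin
  -- Higher number = more privilege. Unknown or NULL roles rank lowest.
  return case upper(p_role)
           when 'ADMIN' then 3
           when 'EDIT'  then 2
           when 'VIEW'  then 1
           else 0
         end;
end role_rank;
/

create or replace function user_has_role_at_least (
  p_user          in varchar2,
  p_required_role in varchar2) return boolean
is
  l_best pls_integer := 0;
begin
  -- A user may hold several rows; take the strongest role they have.
  -- An aggregate always returns one row, so no NO_DATA_FOUND handler is needed;
  -- a user with no rows simply ends up with rank 0.
  select nvl(max(role_rank(role)), 0)
    into l_best
    from user_roles
   where lower(userid) = lower(p_user);

  -- A required role the ranking does not know about (rank 0) never grants
  -- access, so a typo in a scheme body fails closed rather than open.
  return role_rank(p_required_role) > 0
     and l_best >= role_rank(p_required_role);
end user_has_role_at_least;
/

-- Three authorization schemes of type "PL/SQL Function Returning Boolean":
--   "admin control":  return user_has_role_at_least(:APP_USER, 'ADMIN');
--   "edit control":   return user_has_role_at_least(:APP_USER, 'EDIT');
--   "view control":   return user_has_role_at_least(:APP_USER, 'VIEW');
```

Page 9 then carries "admin control", the edit pages "edit control" and the view pages "view control"; an ADMIN user passes all three, an EDIT user the last two, a VIEW user only the last. For testing in a dev instance without Active Directory, the same functions work unchanged with any authentication scheme, since they only look at the username in :APP_USER.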
I'm implementing a custom authorization provider for WebLogic 7.
In my Access Decision isAccessAllowed method I need to check values of
the parameters passed to an EJB method. Now, if an EJB method I have
two parameters of the same type, for example int, when I get
ContextElement array from ContextHandler and iterate through it to get
names and values of the parameters I get the same value (value of the
first int parameter) from both ContextElement's.
Here is the code:
String[] names = ch.getNames();
for (int i = 0; i < names.length; i++) {
    String name = names[i];
    // here it gets an array of Strings which contains two parameter names:
    // "int", "int" - the types of the EJB method parameters
    System.out.println("name = " + name);
}
ContextElement[] ces = ch.getValues(names);
for (int j = 0; j < ces.length; j++) {
    ContextElement ce = ces[j];
    // here, if the value of the first int was 2 and the second 0, it gets 2
    // from both ContextElements (each ContextElement has the name "int")
    System.out.println(ce.getName() + " = " + ce.getValue());
}
If I try this with method parameters of different types, for example
int with value 2 and long with value 0, then this code works fine -
the first ContextElement has name int and value 2 and the second has name
long and value 0.
Thanks,
-Oleg Kozlov. -
Report Link + Authorization Scheme
I have an authorization scheme that checks whether a certain person has privileges to edit a record on Page 2 by referring to the :P2_ID in the authorization scheme. Page 1 has a report with a report link, but the user can see both items they are able to edit and items they are not. I know I can make the link dynamically in the sql but wanted to see if there was an easy way to use an authorization scheme, but pass the #REPORT_COL# value in the report over to an authorization scheme to show or hide the icon for me so I can get the link out of the sql.
Great example Scott! However, I would caution the other Sc0tt that calling functions in a SQL statement is fine for a small number of rows, but can CRUSH performance for medium to large result sets. Even if the function is fast, you're still context-switching between SQL and PL/SQL for every row. Make sure you test this with the volume of data you expect your users to encounter. If it's a problem, you might force the user to apply some filters before running the query.
If you're running 11g you can at least minimize the hit of the function with "Function Result Cache". Even if you're not on 11g yet, you can use the following code in 10g and it will switch-on result cache when you compile it in 11g:
create or replace function auth_user(p_key in number)
  return varchar2
  $IF not dbms_db_version.ver_le_10_2 $THEN
  result_cache
  $END
as
begin
  pkg.g_value := p_key;
  if apex_application.public_security_check (p_security_scheme => 'AUTH_USER_COLUMN') then
    return '1';
  else
    return '0';
  end if;
end;
/
If it is a reasonable result set, Scott's solution is perfect.
Thanks,
Tyler -
Display page items based on Authorization Scheme...
I have a report form that shows all my columns, but I have two columns that I only want "Admin" and "Edit" from my authorization scheme to be able to edit; but I would like for "User" to view.
Currently I have "authorization" enabled for the two items, and set for "Edit". This works, except the "User" logins cannot view the items.
I thought of two possibilities, both I think I'd need help on though!:
1. Create a duplicate page item for these two items. One would show as "Text" only (cannot edit). The other would be "Text Field". The "Text Field" column would only be accessible by "Edit" or "Admin".
The problem, though, is now "Edit" or "Admin" users will see both columns
2. Set up something in "Conditions" that would show as "text" for "User", and as "Text Field" for "Admin" or "Edit"?
I would have no clue how to do this...
Any thoughts?
Kevin L.
Kevin
You can create two items and in the Authorization Scheme you can set one as Users and the second as Edit. Also you can do something using a small bit of JS. Create a variable P_USR_TYPE to hold the value of the user group, let's say 1 for Users and 2 for Edit. Then in the HTML header or footer of the region you can add a javascript call:
function UsrCustomization() {
  if ( P_USR_TYPE == 1 ) {
    // mark the item as readonly
    // document.getElementById('P1_FIELD_QUESTION').disabled = true;
    document.getElementById('P1_FIELD_QUESTION').readOnly = true;
  }
}
UsrCustomization();
Thanks,
Manish -
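Kevin's option 2 (render the item as text for "User", as a field for "Admin"/"Edit") can be done on the server with the item's Read Only attribute, and the browser-side readOnly flag in Manish's snippet is a convenience for the user rather than something the server can rely on, so the submit side should re-check too. The following is an added example, not Manish's or Kevin's code. It assumes the scheme granting edit rights is named EDIT, that the two protected items are P1_FIELD_QUESTION and P1_FIELD_ANSWER backed by columns QUESTION and ANSWER of a table FIELDS keyed by :P1_ID, and an APEX version whose items have a Read Only condition; all of these are assumptions.

```plsql
-- Added example; not code from the thread. Assumptions: authorization scheme EDIT,
-- items P1_FIELD_QUESTION / P1_FIELD_ANSWER, table FIELDS(ID, QUESTION, ANSWER).

-- 1. Item attribute "Read Only" -> "PL/SQL Function Body Returning Boolean".
--    Everyone outside the EDIT scheme gets the value rendered as plain text;
--    editors get the text field. One item, no duplicate, no JavaScript.
return not apex_util.public_check_authorization('EDIT');

-- 2. Page validation, type "PL/SQL Function Returning Boolean", fired on submit.
--    A non-editor may submit the form, but the protected values must be unchanged;
--    this holds whether or not the browser honoured the read-only rendering.
declare
  l_can_edit boolean := apex_util.public_check_authorization('EDIT');
  l_question fields.question%type;
  l_answer   fields.answer%type;
begin
  if l_can_edit then
    return true;              -- editors may change anything
  end if;
  select question, answer
    into l_question, l_answer
    from fields
   where id = :P1_ID;
  -- NVL with a sentinel so that two NULLs compare as equal.
  return nvl(:P1_FIELD_QUESTION, '~') = nvl(l_question, '~')
     and nvl(:P1_FIELD_ANSWER,   '~') = nvl(l_answer,   '~');
exception
  when no_data_found then
    return false;             -- no such row: nothing a read-only user may submit
end;
```

apex_util.public_check_authorization evaluates the named scheme for the current session, so the same rule decides both how the item is rendered and whether a change to it is accepted; if the two ever disagree, the validation is the one that counts.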
How to add custom authorization object to a SAP standard transaction
Hi All,
I have a standard tcode IW22 (change PM Notification) and I would like to lock changes when some users modify the field Functional Location (field TPLNR).
Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
- tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
- tcode SU21 - creation of a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
- tcode SU24 - insert of new authorization field and check indicator (green)
- tcode SU22 - check indicator - check (green)
After this we have created a new role with PFCG and added transaction IW22; the new auth. object ZPM was added manually.
We have tried to analyze the log (ST01 trace) but it seems no check was made in the trace file.
It seems new authorization object was not checked.
My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
Thanks
Maurizio
> My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
>
No .. not possible. The list of Auth. objects SAP proposes in SU24 for each Stnd. SAP TCode is basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (meaning the proposal for availability in PFCG) to any of the four check indicators. So that we can provide our own values (customer specific values which are defined separately from the SAP provided values) and reinforce the authorization concept of the organization.
So you need to provide an Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
Regards,
Dipanjan -
How to create and configure a custom authorization service
Anyone has any idea how to create a custom authorization module? Can anyone tell me where can I find a documentation or some example how to do it?
I appreciate any idea.
Regards.
The Access Manager developer guide on the Authentication SPI should be all you need to get started:
http://docs.sun.com/app/docs/doc/819-4675/6n6qfk0nf?a=view -
HR ABAP Custom Authorization Check
Hi all,
We know that an implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with GET PERNR.
I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
Thanks in Advance.
There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going nowhere.
Some special differences are:
- The object class of the custom object in SU21 => Authorization objects in HR cannot be deactivated context specifically in SU24. You can create custom objects within SAP classes.
- Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make it known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
- Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
Cheers,
Julius
Edited by: Julius Bussche on Apr 27, 2009 9:03 PM -
Error in executing authorization scheme code
I run my application on APEX.ORACLE.COM and I immediately get the following error:
ORA-06550: line 13, column 28: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line 12, column 14: PL/SQL: SQL Statement ignored ORA-06550: line 16, column 19: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 16, column 5: PL/SQL: Statement ignored ORA-06550: line 17, column 15: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 17, column 5: PL/SQL: Statement ignored ORA-06550: line 25, column 28: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line
Error ERR-1082 Error in executing authorization scheme code.
Here are the login credentials:
Workspace: RGWORK
Application: Online Certification Application Prototype - 21405
User: TESTER
Password: test123
The application s/b public. I am not able to identify the invalid authorization scheme. I checked all the authorization schemes in Shared Components > Security > Authorization Schemes and can't find the culprit.
Can someone assist please?
Thank you,
Robert
My Blog: http://apexjscss.blogspot.com
Your Authorization Scheme "Access control - administrator" has this line of code that uses a table that isn't there (or RGTEST has no access to):
select id, application_mode
from apex_adm.apex_access_setup
This Authorization Scheme is used in the Admin tab.
If you run the page in debug mode you'll see (amongst a lot of other stuff):
0.19: Authorization Check: "11204012643155257465" User: "nobody" Component: "tab"
0.20: Show ERROR page...
That pointed me to the Tab section...and there it was! -
Using Page Text Item in an Authorization Scheme
Hello,
I will be having a text item on every page, say Px_RESP_ID (hidden, and its value set on an earlier page), and want to use its value in an authorization scheme to verify whether the user has access to the page.
I'm using the following SQL in the authorization scheme:
Apex Version: Apex 3.2
Scheme Type: Exists SQL Query
SQL:
SELECT 1
  FROM zs_users zu
     , zs_responsibilities zr
     , zs_user_resp_groups zur
 WHERE zu.user_name = :APP_USER
   AND zr.resp_id = '&P'||:APP_PAGE_ID||'_RESP_ID.'
   AND zu.user_id = zur.user_id
   AND zr.resp_id = zur.resp_id
For some reason this approach is not working. Any ideas to help me move forward will be greatly appreciated.
Regards,
Seshu
AFAIK an application item, or maybe a page 0 item, is the only way to do this (as those items effectively exist across all pages of an application). Unfortunately since authorization schemes are application-level, you can't really effectively reference page items at runtime since you aren't necessarily on that page.
The other option is an ugly one. Instead of creating one auth scheme (e.g.: "user_has_whatever_authority"), create one for every page (e.g.: "user_has_whatever_authority_1", "user_has_whatever_authority_2", etc.) and attach each auth scheme to each page by matching up the number in the name with the page. But this is a maintenance nightmare and terrible style IMHO, but it'll work. Your colleagues will hate you for it when you're gone though.
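Jari's v() suggestion at the top of the page, Jimbo's wish for one generic scheme driven by a table, and the advice here to use an application item instead of Px_RESP_ID can be combined into a single function. The following is an added example, not code from any of the posters. It keeps the three tables and column names from Seshu's query and assumes an application item G_RESP_ID that a server-side login process sets from the database (so its value does not come from the browser), plus a ZS_RESP_PAGES(RESP_ID, APP_ID, PAGE_ID) table listing the pages each responsibility may open; the application item and that table are assumptions.

```plsql
-- Added example. ZS_USERS, ZS_RESPONSIBILITIES and ZS_USER_RESP_GROUPS are from
-- Seshu's query; the application item G_RESP_ID and ZS_RESP_PAGES are assumptions.
-- Scheme type: PL/SQL Function Returning Boolean, body: return user_can_open_page;
create or replace function user_can_open_page return boolean is
  l_cnt pls_integer;
begin
  -- v() reads session state, so an application-level scheme can use it without
  -- knowing which page items exist on the page currently being rendered.
  select count(*)
    into l_cnt
    from zs_users            zu
    join zs_user_resp_groups zur on zur.user_id = zu.user_id
    join zs_responsibilities zr  on zr.resp_id  = zur.resp_id
    join zs_resp_pages       zrp on zrp.resp_id = zr.resp_id
   where zu.user_name = v('APP_USER')
     and zr.resp_id   = to_number(v('G_RESP_ID'))    -- application item, not Px_RESP_ID
     and zrp.app_id   = to_number(v('APP_ID'))
     and zrp.page_id  = to_number(v('APP_PAGE_ID'));  -- the page being checked
  return l_cnt > 0;
exception
  when value_error or invalid_number then
    -- G_RESP_ID not numeric (or otherwise unusable): deny rather than error out.
    return false;
end user_can_open_page;
/
```

Because the answer depends on APP_PAGE_ID, set the scheme's Evaluation Point to "Once per page view" rather than "Once per session"; otherwise the result for the first page a user opens would be cached and reused for every other page. This also gives Jimbo a single scheme for all pages: the scheme cannot see which button or region triggered it, but it does see the page, and the table decides per page.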