Display region based on authorization scheme

Similar Messages

• Display page items based on Authorization Scheme...

  I have a report form that shows all my columns, but I have two columns that I only want "Admin" and "Edit" from my authorization scheme to be able to edit; but I would like for "User" to view.
  Currently I have "authorization" enabled for the two items, and set for "Edit". This works, except the "User" logins cannot view the items.
  I thought of two possibilities, both I think I'd need help on though!:
  1. Create a duplicate page item for these two items. One would show as "Text" only (cannot edit). The other would be "Text Field". The "Text Field" column would only be
  accessible by "Edit" or "Admin".
  The problem, though, is now "Edit" or "Admin" users will see both columns
  2. Set up something in "Conditions" that would show as "text" for "User", and as "Text Field" for "Admin" or "Edit"?
  I would have no clue how to do this...
  Any thoughts?
  Kevin L.

  Kevin
  You can create two items and in the Authorization Scheme you can set one as Users and second as Edit. Also You can do something using small JS. Create a variable P_USR_TYPE to hold the value of User group lets say 1 for Users and 2 for Edit. Then on the HTML header or footer of the region you can add a javascript call
  function UsrCustomization()
       if ( P_USR_TYPE == 1 )
            // mark the item as readonly
            // document.getElementById('P1_FIELD_QUESTION').disabled = true;
            document.getElementById('P1_FIELD_QUESTION').readOnly="readonly"
  UsrCustomization();Thanks,
  Manish

• Accessing an item on a page based on authorization scheme

  Hi,
  I've two authorization schemes :ADMIN and VIEW.I've created a public page which will be accessed by both schemes.But on that page in particular region I want to display an item only for ADMIN not for VIEW scheme.
  Thanks,
  Mahender.

  for that region properties , go to conditional display and use this bult in function (after you pick plsql function return boolean) : APEX_UTIL.PUBLIC_CHECK_AUTHORIZATION('your_auth_scheme');
  This function return true if current user is in that auth. scheme.
  Let me know if that helps,
  Sam K.

• Displaying region based on multiple selection list

  Hi,
  this is my scenario.
  i had 3 drop down selection lists A, B, C. based on A and/or B, C is populated. and when i select one from C, i display a report regions.
  i am able to achieve this, and when in the selection list C, I have a null value as "- All -"
  so when i select "- All -" then the report region should not show anything.
  so in my report region query this is what i gave
  DECLARE
  q varchar2(2000); --query
  w varchar2(2000); --where clause
  we varchar2(1) := 'N'; --where condition
  BEGIN
  q := 'SELECT * from SCCATCH';
  IF :P1_STATION != 'NULL' THEN
  w := 'COLLECTION = :P1_STATION';
  we := 'Y';
  END IF;
  IF we = 'Y' THEN
  q := q ||' WHERE '|| w ;
  END IF;
  RETURN q;
  END;
  where :P1_STATION is the item value of C.
  now what is not working is when i select A, B then C is populated and whne i select C, the report region is displayed.
  now when i go back and select A, B , then C is again populated with a different C list, but the report region still remains the same showing the previous result.
  what i really want to do is. when i select list A,B and then C, report get displayed. and when i go back and change sleection in A,B and then obviously C gets changed, then the report region should not show anything untill i select one from C.
  i understand that there is some basic things i need to do to fix this, but i am not able to fix this.
  Can you help me please.
  Thanks,
  Philip.

  user12943263 wrote:
  HiPlease update your forum profile with a real handle instead of "user12943263".
  I basically want to use the select below for my list but I do not know how to get the app and session no.
  select list_desc, 'f?p='||get_app_id|| ':' || page_no||':' || get_session_id
  from table_nameIn SQL use bind variable notation as described in the Understanding Substitution Strings section of the documentation:
  select
    ,  'f?p=' || :app_id || ':' || page_no || ':' || :app_session
  from
      ... Always consult the documentation before posting here.
  Dynamic Actions, JavaScript, and all "P.Ranish" posts above are all irrelevant to your question.

• Region based user authorizations

  Hi
  We are facing region specific security issue. Requirement is to restrict user access to CRM system, based upon region to which they belong.
  Please help me in resolving this issue.
  Regards
  Hits

  found a round about way to resolve this, using developments

• Authorization Scheme based on a group in LDAP?

  Hi,
  I would like to write an Authorization Scheme that checks whether a user (authenticated via a Authentication scheme based on LDAP) is a member of a specific group in LDAP, for access control.
  I can't seem to find documentation or an example of this. Would appreciate any tips or links to docs and examples....
  Thanks!

  I came across this nice example from the docs for the authorization scheme using the "IS_MEMBER Function".
  http://download.oracle.com/docs/cd/E17556_01/doc/apirefs.40/e15519/apex_ldap.htm#CDEJAAEI
  Very straightforward....
  However, my question now is, how would I tie this in to my authentication scheme?
  One Page Secured by > Authorization scheme (APEX_LDAP.IS_MEMBER) > From a user authenticated by my Authentication Scheme From LDAP directory?
  How would I tie these two schemes together?
  Thanks in advance for any help offered....

• Authorization scheme for display/read only conditions on item level

  Hi All,
  I have question. I want to use an authorization scheme to manage if users with a certain role have the permission to either update an item or have the persmission to only see the item or that they don't have permission to see it at all.
  So, the input for the scheme would be: 1. user role 2. the current page 3. the current item.
  The output would be: 0 (update) 1 (read only) 2 (not displayed).
  I think I can manage that.
  And I can attach this schema to the items.
  So far so good.
  But how can I make it so that the 0,1 and the 2 will actually do what they need to do?
  I have been thinking about making a function like GET_AUTHORISATON(ROLE,PAGE,ITEM) output: 0,1,2 but I still can't figure out how to connect this with the functionality I want to achieve.
  Can somebody give me a hint?
  Andre

  Thanks Hari,
  Thanks, it works, almost, but what if items are mandatory on a page, but not always mandatory?
  If a user has a certain role, some fields are manadatory, otherwise not.
  Again, a function would do the trick as far as the input and output information
  something like IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) but how can I make it work?
  I guess a PL/SQL validation like:
  IF IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) THEN ITEM IS NOT NULL
  END IF;
  Andre
  PS: personally I think item level security is not something you wish to implement in your system. I prefer different screens for different roles.
  Far more straightforeward. Easy for maintenance. When something disfunctions, it's far more easy to pinpoint the location of the cause.

• Conditional Display Authorization Scheme

  Is there a way that we can check for Authorization Scheme in the Conditional Display section?
  please help,

  See Re: Accessing auth. scheme in PL/SQL expression

• Read Only Form Field based on Authorization

  Hi there,
  I'd like to make a field in a tabular form read only based on an Authorization scheme, like you can for a region field by using a PL/SQL condition. Is there any way to do this?
  Cheers,
  Andrew.

  hi Andrew,
  please choose the REGION REPORT link and choose the column you like then see Authorization Scheme tab then select the option your named AS you want to give .
  Set DISPLAY AS TEXT (SAVE STATE) it will show only no edit action can perform by user.
  thanks
  Mark.
  Websoft solution
  http://www.go-websoft.com
  Edited by: Websoft on Sep 9, 2009 5:02 AM

• Authorization scheme issues

  Hi I'm using custom authenitication scheme sso with ntlm_page_sentry function.
  I've an authorization scheme 'Admin control" like this :
  declare
  v_role varchar2(55);
  begin
  select role into v_role from user_roles where lower(userid) = lower(:APP_USER);
  if v_role = 'ADMIN' then
  return true;
  else
  return false;
  end if;
  exception
  when NO_DATA_FOUND then return false;
  end;
  In a login page(page:101) :I've a process like this with process point as onload before header:
  declare
  v_role varchar2(55);
  v_nextpage number;
  begin
  select upper(role) into v_role from sales_inq.user_roles where lower(userid) = lower(:APP_USER);
  case v_role
  when 'ADMIN' then v_nextpage := 9;
  when 'EDIT' then v_nextpage := 1;
  when 'VIEW' then v_nextpage := 2;
  end case;
  owa_util.redirect_url('f?p=' || :APP_ID || ':' || v_nextpage);
  exception
  when NO_DATA_FOUND then
  owa_util.redirect_url('f?p=' || :APP_ID || ':101');
  end;
  I've assigned "admin control" authorization scheme to page9 and changed authentication to "page requires authentication"
  After loginto my system through networkid which is assigned to ADMIN role when I run login page(101) I'm unable to access page 9.Can't I test this in standalone mode in dev instance?For ex:my userid is in user_role table with a role of admin why I can't see that page?
  Thanks,
  Mahender.
  Edited by: user518071 on Oct 8, 2009 12:44 PM

  Hi Scott,
  How does the login page get invoked?
  I'm trying to implement this authorization scheme for the first time for this UI.
  Previous scenario:User needs to login so login page will be displayed automatically
  Current scenario:User comes to login screen which is a dummy page without any items or regions and I've created process (on load before header process code mentioned above)which will check the network user's role and branch to corresponding page
  Why is there a login page if you have an sso facility?
  There is no login page as such but it's common intermediary page for all users which is not displayed but automatically directed to their corresponding page based on the process (on load before header process code mentioned above)
  Is there a login page designated as the Session Not Valid Page in the authentication scheme?
  No
  or let me know how we can do this ?
  I've three roles for users :admin,edit,view and it's stored in user_roles table,user with role view can access only his page and user with edit can access all view pages as well as his pages,admin can access all pages.Then next issue is how to test this without using active directory in dev instance by adding security to corresponding pages(ex:admin control,page requires authentication)
  Thanks,
  Mahender.

• Best Approach to create Security / Authorization Schema for an APEX Apps

  Hi,
  I am planning to create a Security / Authorization Schema for an APEX Application.
  Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEXApplications too..
  I am looking for following features...
  1. users LOGIN and then user's name is stored in APEX_USER...
  2. Based on the user, I want to restrict the Application on following levels.
  - TABS
  - TABS - Page1 (Report
  - Page2 (Form)
  - Page2 (Region1)
  - Page2 (Region1, Button1)
  - Page2 (Region1, Items,....)
  AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
  I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
  My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
  Also what should be the FRONT end, we should have to enter these detail...
  SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
  Thanks,
  Deepak

  Hi Raghu,
  thanks for the detial info.
  so that means..I should have 2 table...
  master table (2 columns - username, password)
          username    password
     user1       xxxx
     user2       xxxx2nd table (2 columns - username, chq_disp_option)
  - In this table, we don't have Y/N Flag you mentioned..
  - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally diaplayed.
  - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
  - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
            username    chq_disp_option
     user1       re_region1
     user1       re_region2
     user1       tb_main
     user1       Page1
     user1       Page5
     ----        ----     - how you are defining unique name for Regions..i mean in static ID or the Title
  - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
  Thanks,
  Deepak

• Authorization Scheme -- Best Practices?

  Hi All --
  We have a reporting application containing approximately 300 pages and 60 or so menu items all using authorization schemes (exists SQL method) as a means to determine whether or not a use can see the menu items and/or access the pages. We've been seeing an issue where a user logging into the application experiences poor performance upon login and have traced it to our access checks and the number of "exists" queries run when a user logs in and before our menu is displayed.
  What would be considered best practice in a case such as this? Does anyone have any ideas on how to increase the performance on these authorizaton checks?
  Thanks,
  Leigh Johnson
  Fastenal Company

  Leigh - No, the asktom post Joel referred to is posted above: http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:62048567543425
  We just want to know if this post if from you folks or not.
  About the authorization schemes for each page, I would think that whatever scheme you code to authorize a link to a page, e.g., on a menu, would be the same scheme you'd want to attach to the page itself.
  So the authorization has to take place first at the point you render (or suppress) a link to a page and again at the point the page is requested (the latter being necessary because a user can bypass the menu links and try to access pages directly by entering the page ID in the URL.
  So again, if you have X links on the menu page, each requiring a distinct query for authorization, you'll have to pay the price to do all that authorization once per session because of the design of the menu page. More precisely, the authorization scheme code, e.g., their EXISTS queries, have to be executed once per session per resource access attempted. For performance purposes, the results of these checks are cached for the duration of the session (because you set them up to be evaluated once per session and not on every page view).
  One thing that might help you is region caching (or page caching) for the menu. You'd use the Cache By User option, of course. Then if the same named user logged in and out numerous times during the "cache valid" period, which is adjustable, the user would see the cached menu "instantly". Authorization checks will not have been performed during these page requests however, so you'd want to be sure that it makes sense to present cached versions of these links. However, the corresponding authorization schemes that you'd attach to the pages themselves would be evaluated when the user clicked on a "cached" link, so you'll get the protection you need, ultimately.
  Scott

• Current Item for Authorization Scheme

  I would like to write a generic PL/SQL authorization scheme for each page item (including buttons). I can pass the user, the app and the page through substitution strings but I cannot seem to find how the pass the item for which the authorization scheme is being evaluated. Is there an undocumented string like APP_ITEM_ID or a way to access it through the globals in the WWV_FLOW package? If not, can this be an enhancement as I'm sure it could be useful for others as well?
  I realize I can accomplish this through the Conditional Display properties but my preference is to do it through the Authorization Scheme as this would allow for Conditional Display based on other criteria.

  Thanks for the quick reply. I can work around it.
  In spite of a few items such as this, I have become an evangelist for HTML DB. Great job!! Please pass on my appreciation to the others involved in its development and support.

• Conditional Authorization Schemes?

  Can you implement conditional authorization schemes? For example, I have an application that a handful of users will need to be able to edit and a handful of users will need to be able to look through the screens of the app, but not modify data. Can you have a default authorization scheme of say "read-only" where the page items are not editable, and if you belong to the "read-write" scheme, then the fields are editable? Is there an easier way?

  Hi "Potter_geek",
  unfortunately there is no such "read-only" authorization scheme which automatically switches your page items to read-only.
  I see 3 possible workarounds:
  1) Add code to the "Read-Only condition" for each item.
  2) Add a condition/authorization just to your submit/create/... buttons, so that they are not displayed in case of read-only. All the items are still modifiable, but the user can't submit it.
  3a) Just create an "Application Level Process" (before computation/validation) where you check if a user has write access, if not trow an error that he isn't allowed to change anything. => not so user friendly
  3b) Create a page 0 region of type HTML with display point "After footer" and which has the authorization scheme read-only. It should contain a small javascript script which loops through all the INPUT/... elements of your page and set's them to readonly="readonly".
  Just some thoughts...
  Patrick
  Check out my APEX-blog: http://inside-apex.blogspot.com
  Check out the ApexLib Framework: http://apexlib.sourceforge.net

• Public and Authenticated App with Authorization Scheme once per session

  I have a question . . .
  Let's say I have an application and at the application level I have an authorization scheme (auth1). If auth1 is set up to evaluate once per session, does it authenticate for the public user, then pass me back to the page and then check then evaluate the auth1 scheme. Or does it evaluate the auth1 scheme, then log in, then return to the page. Is it the same regardless of authentication scheme (e.g. Oracle SSO).
  It may make a big difference. If the authorization sheme is based upon the user (most will be) then setting it to evaluate once per session can be a real problem. If it evaluates before the user logs in, then it won't really work.
  This is an even bigger question when the application does not have a authorization scheme at the application level and allows public pages. If a page that is not public has an authorization scheme set, and the user goes directly to that page, it seems to authenticate the authorization scheme and then logs you in, but does not re-evaluate authorization scheme after you are logged in. Is this accurate? I realize that I could set it up to evaluate for every page view, but I really only need it once after login.
  Is this clear?

  Anton,
  It seems that all authorization schemes that are set to evaluate once per session are evaluated with the beginning establishment of a session.Sort of correct. Authorization schemes don't get evaluated until the component that uses them is considered for rendering or processing. So if the authorization scheme is attached to a page, it won't fire until the page is requested. If another component uses that scheme first, the evaluation will happen then and will not happen again during the session.
  What if I have another page that is not public. If it is the first page I go to, what happens. Obviously, I get redirected to login, then login. Do the authorization schemes get evaluated at this point?Yes, assuming the authorization scheme is used by the page, the scheme is evaluated during the first rendering or processing of the page in the session, after the authentication step.
  Now, what if I have a page that is public, but also has an auth scheme (odd, but could happen). Now what happens, does the auth scheme get evaluated before or after login?During the rendering or processing of the page after the authentication step. For a public page, the authentication step is performed up to the point where it determines that no authentication is required.
  OK, now let's add in Application level auth scheme. I can have public or private pages. If I go to a private page, when does the app level auth scheme kick in? How about for a public page?When an application uses an authorization scheme, it gets evaluated before the authorization scheme (if any) for the page that is being requested, so the public/private property of the page doesn't matter.
  General advice: when an authorization scheme uses :APP_USER, it doesn't work well to have it fire once per session because it'll get run before authentication to the application occurs, which sets APP_USER. You can have such schemes fire once per page view and for PL/SQL function-type schemes, have them give a "pass" when the current page is the login page, that kind of thing.
  In addition, if the overhead of running a scheme is high, one can set an application-level item to indicate that a once-per-page scheme has already run satisfactorily. The PL/SQL-type schemes can access the value of such an item to skip the expensive part of the evaluation and return true immediately.
  Finally, the htmldb_application.reset_security_check API can be called in order to reset the "fired" status of all authorization schemes in the session, allowing them to be re-evaluated if/when they are encountered again in the session.
  Hope this helps,
  Scott