EP 6.0 Security Authorization Scheme

Similar Messages

• Best Approach to create Security / Authorization Schema for an APEX Apps

  Hi,
  I am planning to create a Security / Authorization Schema for an APEX Application.
  Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEXApplications too..
  I am looking for following features...
  1. users LOGIN and then user's name is stored in APEX_USER...
  2. Based on the user, I want to restrict the Application on following levels.
  - TABS
  - TABS - Page1 (Report
  - Page2 (Form)
  - Page2 (Region1)
  - Page2 (Region1, Button1)
  - Page2 (Region1, Items,....)
  AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
  I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
  My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
  Also what should be the FRONT end, we should have to enter these detail...
  SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
  Thanks,
  Deepak

  Hi Raghu,
  thanks for the detial info.
  so that means..I should have 2 table...
  master table (2 columns - username, password)
          username    password
     user1       xxxx
     user2       xxxx2nd table (2 columns - username, chq_disp_option)
  - In this table, we don't have Y/N Flag you mentioned..
  - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally diaplayed.
  - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
  - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
            username    chq_disp_option
     user1       re_region1
     user1       re_region2
     user1       tb_main
     user1       Page1
     user1       Page5
     ----        ----     - how you are defining unique name for Regions..i mean in static ID or the Title
  - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
  Thanks,
  Deepak

• Page 0 security: authorization scheme not applied to other pages

  the page 0 security: authorization scheme not applied to other pages (neither as an override for existing pages nor as a default for new pages).
  how is this intended to work?

  mcstock,
  Can you clarify your question please? Can you give specific steps to reproduce this issue that you are inquiring about?
  Thanks.
  Joel

• Error in executing authorization scheme code

  I run my application on APEX.ORACLE.COm and I immediatly get the following error:
  ORA-06550: line 13, column 28: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line 12, column 14: PL/SQL: SQL Statement ignored ORA-06550: line 16, column 19: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 16, column 5: PL/SQL: Statement ignored ORA-06550: line 17, column 15: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 17, column 5: PL/SQL: Statement ignored ORA-06550: line 25, column 28: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line
  Error ERR-1082 Error in executing authorization scheme code.
  Here are the login credentials:
  Workspace: RGWORK
  Application: Online Certification Application Prototype - 21405
  User: TESTER
  Password: test123
  The application s/b public . I am not able to identify the invalid authorization scheme. I checked all the authorization schemes in the Shared Components > Security > Authorization Schemes and can't find the culprit.
  Can someone assist please?
  Thank you,
  Robert
  My Blog: http://apexjscss.blogspot.com

  Your Authorization Scheme "Access control - administrator" has this line of code that uses a table that isn't there (or RGTEST has no access to):
  select id, application_mode
  from apex_adm.apex_access_setup
  This Authorization Scheme is used in the Admin tab.
  If you run the page in debug mode you'll see (amongst a lot of other stuff):
  0.19: Authorization Check: "11204012643155257465" User: "nobody" Component: "tab"
  0.20: Show ERROR page...
  That pointed me to the Tab section...and there it was!

• Implement an authorization scheme using to check users

  Hello,
  I want to implement an authorization scheme for my application in which i want to
  give access to only threee users to view my application. Can anyone help me what would be my pl/sql expression.
  something like :APP_USER in ('R123',Y7654','TY7890')
  can anyone help me with what type of scheme I need to create??
  thanks,
  orton

  Hi,
  I have exactly similar application for my organisation with SSO organisation, but the application need to be accessed only by my TEAM members
  What is did is i created a user table.. that will hold the user detail like email id , etc..
  after that i went to shared component -> Security -> authorization scheme
  Clicked on create button to create new authorization scheme..
  Selected From scratch option .
  Give a name to the authorization scheme.. i named is as VALID USERS
  Scheme type - select Exits SQL Query
  then in expression 1 i entered
  select * from user_table where upper(user_email_id) = upper(:APP_USER)
  and in error message enter ...Unauthorized USER.
  Regards,
  Shijesh

• Page Authorization Scheme OK button not working

  Hi All,
  I have a Page Level Authorization scheme, which makes a PL/SQL Function call to determine whether the logged in user should have access to the Page. This works well and displays an 'Access denied by Page security check' error message, but the OK Hyperlink that is displayed does not work as I would expect as I am not returned to the calling page.
  The pages in question are Popups and when I hover over the OK Hyperlink, the Javascript in the Taskbar shows javascript:window.history.go(-1). Is this the route of my problem, and is there any way around this when using Popup windows?
  Thanks,
  Mike

  Scott,
  Thanks for your response. Yes you have the sequence right: "User clicks on link to popup page from base page and the link is to a forbidden page"
  "The basic question is why would you ever show a link to a forbidden page to the user?"
  The main reason is time, ideally yes we would like to hide links to forbidden pages but it will take time to implement due to complexity of role combinations and number of pages. So for now, we are confident in our method for denying access to forbidden pages.
  The error message that is displayed on the forbidden page is set in the Authorization Scheme, but how do I alter the OK link? Isn't this generated 'behind the scenes'?
  Thanks,
  Mike

• Authorization scheme issues

  Hi I'm using custom authenitication scheme sso with ntlm_page_sentry function.
  I've an authorization scheme 'Admin control" like this :
  declare
  v_role varchar2(55);
  begin
  select role into v_role from user_roles where lower(userid) = lower(:APP_USER);
  if v_role = 'ADMIN' then
  return true;
  else
  return false;
  end if;
  exception
  when NO_DATA_FOUND then return false;
  end;
  In a login page(page:101) :I've a process like this with process point as onload before header:
  declare
  v_role varchar2(55);
  v_nextpage number;
  begin
  select upper(role) into v_role from sales_inq.user_roles where lower(userid) = lower(:APP_USER);
  case v_role
  when 'ADMIN' then v_nextpage := 9;
  when 'EDIT' then v_nextpage := 1;
  when 'VIEW' then v_nextpage := 2;
  end case;
  owa_util.redirect_url('f?p=' || :APP_ID || ':' || v_nextpage);
  exception
  when NO_DATA_FOUND then
  owa_util.redirect_url('f?p=' || :APP_ID || ':101');
  end;
  I've assigned "admin control" authorization scheme to page9 and changed authentication to "page requires authentication"
  After loginto my system through networkid which is assigned to ADMIN role when I run login page(101) I'm unable to access page 9.Can't I test this in standalone mode in dev instance?For ex:my userid is in user_role table with a role of admin why I can't see that page?
  Thanks,
  Mahender.
  Edited by: user518071 on Oct 8, 2009 12:44 PM

  Hi Scott,
  How does the login page get invoked?
  I'm trying to implement this authorization scheme for the first time for this UI.
  Previous scenario:User needs to login so login page will be displayed automatically
  Current scenario:User comes to login screen which is a dummy page without any items or regions and I've created process (on load before header process code mentioned above)which will check the network user's role and branch to corresponding page
  Why is there a login page if you have an sso facility?
  There is no login page as such but it's common intermediary page for all users which is not displayed but automatically directed to their corresponding page based on the process (on load before header process code mentioned above)
  Is there a login page designated as the Session Not Valid Page in the authentication scheme?
  No
  or let me know how we can do this ?
  I've three roles for users :admin,edit,view and it's stored in user_roles table,user with role view can access only his page and user with edit can access all view pages as well as his pages,admin can access all pages.Then next issue is how to test this without using active directory in dev instance by adding security to corresponding pages(ex:admin control,page requires authentication)
  Thanks,
  Mahender.

• Authorization Scheme based on a group in LDAP?

  Hi,
  I would like to write an Authorization Scheme that checks whether a user (authenticated via a Authentication scheme based on LDAP) is a member of a specific group in LDAP, for access control.
  I can't seem to find documentation or an example of this. Would appreciate any tips or links to docs and examples....
  Thanks!

  I came across this nice example from the docs for the authorization scheme using the "IS_MEMBER Function".
  http://download.oracle.com/docs/cd/E17556_01/doc/apirefs.40/e15519/apex_ldap.htm#CDEJAAEI
  Very straightforward....
  However, my question now is, how would I tie this in to my authentication scheme?
  One Page Secured by > Authorization scheme (APEX_LDAP.IS_MEMBER) > From a user authenticated by my Authentication Scheme From LDAP directory?
  How would I tie these two schemes together?
  Thanks in advance for any help offered....

• Authorization scheme for display/read only conditions on item level

  Hi All,
  I have question. I want to use an authorization scheme to manage if users with a certain role have the permission to either update an item or have the persmission to only see the item or that they don't have permission to see it at all.
  So, the input for the scheme would be: 1. user role 2. the current page 3. the current item.
  The output would be: 0 (update) 1 (read only) 2 (not displayed).
  I think I can manage that.
  And I can attach this schema to the items.
  So far so good.
  But how can I make it so that the 0,1 and the 2 will actually do what they need to do?
  I have been thinking about making a function like GET_AUTHORISATON(ROLE,PAGE,ITEM) output: 0,1,2 but I still can't figure out how to connect this with the functionality I want to achieve.
  Can somebody give me a hint?
  Andre

  Thanks Hari,
  Thanks, it works, almost, but what if items are mandatory on a page, but not always mandatory?
  If a user has a certain role, some fields are manadatory, otherwise not.
  Again, a function would do the trick as far as the input and output information
  something like IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) but how can I make it work?
  I guess a PL/SQL validation like:
  IF IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) THEN ITEM IS NOT NULL
  END IF;
  Andre
  PS: personally I think item level security is not something you wish to implement in your system. I prefer different screens for different roles.
  Far more straightforeward. Easy for maintenance. When something disfunctions, it's far more easy to pinpoint the location of the cause.

• Authorization schemes

  I am trying to not reinvent the wheel but Oracle DB secuirty as it exists today in APEX. I have successfully setup the authentication using Database account and that works fine, but now I want to have my application only allow special oracle accounts that are signified by Banner, authorized to process the application. I do not want to have to setup any additional security, but use my current DB security that is already setup in the Banner accounts for what can be accessed. I know I have to do something in the Authorization schemes in APEX, but I am not sure what? Any help would be appreciated. Thanks. Joe

  It's quite simple really.
  Create the scheme and the bottom line is that the scheme has to return TRUE or FALSE. TRUE means that they pass the test and can do whatever it is, FALSE means they fail the test and should get an error.
  99.9% of the time I create a boolean-returning function in the database and I call it in the scheme like this (assume myfunction() takes the value of the signed-on user and does something with it to check if this user passes the test or not):
  RETURN myfunction(:APP_USER);If TRUE comes back, they pass security validation, else it will fail them.
  If you are just testing the user name itself, try this:
  RETURN (:APP_USER like '%BANNER');...or whatever else returns TRUE/FALSE to evaluate your test.
  Then, after you define the scheme, attach it to whatever needs protection.
  There is an application-level to place the authorization scheme to restrict all access to all pages but I've never gotten it to effectivelly work because if you do the above example, it will even protect the login page because the APP_USER isn't yet set to the person who is going to log in. So I've always had to put the authorization at each page.
  However you might be able to manage it at the application level if you do it this way (I never tried but I guess this would work...assume 101 is the login page):
  RETURN :APP_PAGE_ID='101' OR (:APP_PAGE_ID != '101' AND :APP_USER like '%BANNER');So anytime page 101 (login) is accessed, the user passes security test to render the page. Else if it's not page 101, their username has to end in BANNER in order to pass the test.

• Logout fails Authorization Scheme

  I'm using the following logout url on the authentication scheme:
  wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=140:12
  On page 12 the authorization scheme is - No Page Authorization Required - and the Authentication is 'Page is Public'.
  Page 12 fails on authentication. I get Access denied by Application security check and the error message for the authentication scheme.
  I know it's happening because the authentication scheme is using a query to verify the user exists in a table:
  Exists SQL Query
  select 1
  from Personnel
  where upper(USERid) = :APP_USER
  :APP_USER is now empty because they logged out.
  My question is how can I get the application to skip the authentication scheme? I thought when I picked, 'no page authorization required' and 'page is public' the application no longer checks the authentication and authorization.
  Thanks, Elizabeth

  Sorry about that. I tried to write it from memory.
  I'm using the following logout url on the Authentication Scheme:
  wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=140:12
  On page 12 the Authorization Scheme is - No Page Authorization Required - and the Authentication is 'Page is Public'.
  Page 12 fails on authorization. I get Access denied by Application security check and the error message for the Authorization Scheme.
  I know it's happening because the Authorization Scheme is using a query to verify the user exists in a table:
  Exists SQL Query
  select 1
  from Personnel
  where upper(USERid) = :APP_USER
  :APP_USER is now empty because they logged out.
  My question is how can I get the application to skip the Authorization Scheme? I thought when I picked, 'no page authorization required' and 'page is public' the application no longer checks the authentication and authorization.
  Thanks, Elizabeth

• Customise Authorization Scheme web page

  Hi
  APEX - 4.1
  Oracle - 11gr2
  I have added an Authorization Scheme to my application whereby a check is performed to determine whether or not a user is allowed to access a webpage. If a user tries to access a restricted webpage a new webpage is displayed with
  'Access denied by Application security check' and a red exclamation
  My question is how can I customise this webpage as it differs from my application template (The log out disappears at the top and the topbar moves about between the restriction error webpage and the page it returns back to)?
  Is this possible?
  Thanks
  Rob

  Hi
  Thanks for the help. I located the 'Error Page Template Control' section.
  I am not looking to customise that section, but what I have noticed in firebug is that when I switch to this error page the BODY of the HTML document changes.
  So on a ordinary page you would normally have
    <div id="navbar">
      <div class="app-user">#WELCOME_USER#</div>
      <div class="app-user">Client: Internal</div> -- This is customised be me
      #NAVIGATION_BAR#
      #REGION_POSITION_08#
    </div>whereas on this error page you will have
    <div id="navbar">
      <div class="app-user">#WELCOME_USER#</div>
      <div class="app-user">Client: Internal</div> -- This is customised be me
    </div>Also the topbar seems to change from
     <div id="topbar">#REGION_POSITION_01##REGION_POSITION_04#</div>to
     <div id="topbar"></div>Is this normally? It is these adjustments I want to fix as navbar has the logout link which disappears and the topbar has my menu which messes with the page format on the error page
  Cheers
  Rob

• Authorization scheme violation message not translatable?

  Hello team,
  could you please confirm that the authorization scheme violation message is not included in the translatable text for some reason?
  I can't find it in the list of texts to be translated even after seeding the application.
  Bye,
  Flavio
  http://oraclequirks.blogspot.com/search/label/Apex

  Hello gents,
  it's curious because after doing some tests i was almost convinced it was a sort of "feature".
  From the behavior of the application i see that the authorization code is not duplicated in a translated application as it happens for most other components, as a result if i modify the authorization violation message, the change becomes effective immediately across all translations.
  In view of this fact i developed the fancy theory that this was a security measure to prevent that a non-updated translated application could serve as a "trojan horse" to access a restricted page in virtue of the lack of control...
  Anyway, i'm glad to hear that my theory is a nonsense :-D
  Bye,
  Flavio
  http://oraclequirks.blogspot.com/search/label/Apex

• Change Authorization Schemes

  Hello All.
  I have an application with a custom Authorization Scheme on it. This scheme is used on every page's Security option, with "Page Requires Authentication" set.
  If I need to change or upgrade the scheme, I need to navigate to every page in the application to change it. Is there a better way to do so? I mean, is there a way to change or subistitute the authorization scheme on all pages on an application without the need to navigate on every page?
  Thanks in advance.

  Thanks for the reply.
  That would be great, but I need to change the Authorization Scheme's name as well, since I work with different ones for different apps.
  What I need to do is import a different Authorization Scheme And then use it on all my pages.
  If this is not possible, I will have to deal with the database side, but I would like to have another option.
  Thanks again

• Create Authorization Schemes with plsql

  Hello
  I´d like to create an Application, which has many "Authorization Schemes".
  The source of this schemes is a permission-table in the database.
  How could i create the schemes automaticly by script?
  That would save many time for creation and changes by hand.
  Thanks.
  Edited by: Scubus on Mar 13, 2009 2:36 PM

  Scubus,
  I found the syntax in the export file as well. By omitting p_id, APEX will generate an unique one.
  You have to run the sample as FLOWS or owner (with apex_administrator_role) with security group id set. You can find the security group ID from the export file (right below big APEX text), or run select &WORKSPACE_ID. from dual within application.
  The p_flow_id is the application ID.
  SQL > exec wwv_flow_api.set_security_group_id(p_security_group_id=>858728211457679);
  PL/SQL procedure successfully completed.
  SQL > begin
  wwv_flow_api.create_security_scheme(
  p_flow_id => 114,
  p_name=>'Check EMP4',
  p_scheme_type=>'EXISTS',
  p_scheme=>'select 1 from emp',
  p_caching=>'BY_USER_BY_PAGE_VIEW',
  p_error_message=>'EMP must exists');
  end;
  PL/SQL procedure successfully completed.
  SQL > commit;
  Commit complete.Ittichai