Implement an authorization scheme using to check users

Hello,
I want to implement an authorization scheme for my application in which I want to
give access to only three users to view my application. Can anyone help me with what my PL/SQL expression would be?
Something like :APP_USER in ('R123','Y7654','TY7890')
Can anyone help me with what type of scheme I need to create?
thanks,
orton

Hi,
I have an exactly similar application for my organisation with SSO organisation, but the application needs to be accessed only by my TEAM members.
What I did is I created a user table that will hold the user details like email id, etc.
After that I went to Shared Components -> Security -> Authorization Schemes.
Clicked on the Create button to create a new authorization scheme.
Selected the From Scratch option.
Gave a name to the authorization scheme; I named it VALID USERS.
Scheme type: select Exists SQL Query.
Then in Expression 1 I entered
select * from user_table where upper(user_email_id) = upper(:APP_USER)
and in the error message entered: Unauthorized USER.
Regards,
Shijesh

Similar Messages

  • Authorization Scheme using the APEX Authentication Scheme

    How would you build an authentication scheme that is using the APEX Authorization scheme. All users are belonging to a group which could be Oracle, External or Developer and I'd like to hide certain pages from the External users.
    I am not sure if I can grab the group name from some V('..') function and make something work?
    Cheers,
    Andy

    I'll give it a try again, sorry for not being able to describe the problem better!
    I am using the APEX built in authorization and authentication to make my life simple with regards to user mgmt. So all the users are managed using the Home>Administration>Manage Application Express Users. Every user belongs to an APEX group (Home>Administration>Manage Application Express Users>User Groups). For example:
    User A belongs to Group External
    User B belongs to Group Oracle
    User C belongs to Group Admin
    Now, there are certain pages in my application that I want to restrict from the Group External (but the Group Admin and Group Oracle can see them).
    So my question is really how would I build such an Authorization Scheme to accomplish this? Not sure about which APEX API functions I should use to get this data and how to build the function.
    I hope this makes more sense?
    Andy

  • Authorization scheme (using {not} Scheme)

    I have built a change password page and every user, except users with a Guest role (= GUEST SCHEME), has access to that page.
    I defined a scheme GUEST for users with the GUEST role. When I define the page with Authorization scheme {not}GUEST this isn't working: everyone has access to the page, also the guest users.
    Am I misunderstanding the {not}scheme choice or is something else wrong?
    Fred.

    Fred,
    I have solved it with the work around I mentioned before:
    I read what you said very carefully but thought it reckless to conclude that the workaround was successful because you just said "To work around the problem, I did xyz" without indicating the outcome.
    The authorization schemes on navigation tabs fire also on the default login page
    Yes they do, they fire on every page whether or not the page template accommodates a navigation bar. This looks like a bug to me.
    Is there a "authorization scheme report" which shows all the objects where the authorization scheme is defined.
    Shared Components > Authorization Schemes > Utilization (slightly different in each version).
    Scott

  • Authorization Scheme problem using query

    Greetings:
    I have an application with 4 different roles in my application. Depending on the user role, the access to different pages within the application are filtered. We have 4 group types: admin, general, transactional and read_only; each, with descending levels of authorization.
    The application utilizes a two-level tab navigation system in which I hide the tabs that the users are not supposed to see, depending on the level of authorization that they have. I have implemented three authorization schemes for three different types of access depending on the pages within my application. The only page without any authorization is the login page.
    The three created authorization schemes are as follows.
    My first scheme (set as scheme type: exists SQL Query):
    Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
    where
    APP_USER_NAME = :APP_USER
    AND
    APP_GROUP_TYPE != 'READ_ONLY'
    This one is supposed to negate access to the READ_ONLY group, but allow access to all other groups.
    My Second scheme (set as scheme type: exists SQL Query):
    Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
    where
    APP_USER_NAME = :APP_USER
    AND
    (APP_GROUP_TYPE != 'READ_ONLY'
    and
    APP_GROUP_TYPE != 'transactional')
    The second one, I have added the transactional group as to be explicitly negated access.
    My Third scheme
    Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
    where
    APP_USER_NAME = :APP_USER
    AND
    (APP_GROUP_TYPE != 'READ_ONLY'
    AND
    APP_GROUP_TYPE != 'transactional'
    AND
    APP_GROUP_TYPE != 'general')
    the last one, I have added the general group as to be explicitly negated access.
    I am thinking that, logically, this would work, but the pages do not display properly. I am always getting the failed authorization page, even with my admin user. Is there something wrong with my methodology? Should I be white-listing instead of black-listing in my queries? Thanks for your support.

    I appreciate your help Jeff, you helped me a great deal, but not in the way you may think. In your link, there was a post that offered a solution with a simple query. There was one person that posted a query using (upper) to bring the username to uppercase so it can be properly compared to :APP_USER. Yes, the users were entered as lowercase, the logic was ok. I changed the query logic to a white list as to avoid possible users that may be able to authenticate into the application without a proper group configured.
    Thanks for your support. Maybe this can help someone on the forums out.
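The two fixes described in the follow-up above (upper-casing the name comparison and switching to a white list), side by side as an added example that is not from the thread. The rows are constructed, the table and column names follow the posted queries, and `upper(app_user_name)` stands in for the value APEX supplies in `:APP_USER`, which is an assumption.

```sql
-- Constructed sample rows; names stored in lower case as the poster described.
create table app_users (
  app_user_name  varchar2(30) primary key,
  app_group_type varchar2(30)
);
insert into app_users values ('alice', 'admin');
insert into app_users values ('bob',   'general');
insert into app_users values ('carol', 'read_only');
insert into app_users values ('dave',  'contractor'); -- a group nobody planned for
insert into app_users values ('erin',  null);         -- group never assigned

-- Evaluate the first scheme three ways for every user.
-- s.app_user plays the role of :APP_USER (assumed to arrive in upper case).
select s.app_user_name,
       s.app_group_type,
       case when exists (
              select 1
                from app_users x
               where x.app_user_name  = s.app_user       -- as posted: case-sensitive
                 and x.app_group_type != 'READ_ONLY')
            then 'pass' else 'fail' end as blacklist_as_posted,
       case when exists (
              select 1
                from app_users x
               where upper(x.app_user_name)  = s.app_user
                 and upper(x.app_group_type) != 'READ_ONLY') -- black list, case fixed
            then 'pass' else 'fail' end as blacklist_upper,
       case when exists (
              select 1
                from app_users x
               where upper(x.app_user_name) = s.app_user
                 and upper(x.app_group_type)
                       in ('ADMIN', 'GENERAL', 'TRANSACTIONAL')) -- white list
            then 'pass' else 'fail' end as whitelist_upper
  from (select app_user_name,
               app_group_type,
               upper(app_user_name) as app_user
          from app_users) s
 order by s.app_user_name;
```

The as-posted predicate matches no row because the stored names are lower case. Once the case is fixed, the black list admits `dave`, whose group is on no list, while the white list admits only the groups it names; a NULL group fails both because a comparison with NULL is never true.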

  • How to use Pl/sql block to edit check user input

    Hi,
    Please advise on PL/SQL Block code that could be used to Check User input from within a Loop and proceed conditionally based upon User Supplied compliant Input. Thanks in advance.

    Hi,
    yakub21 wrote:
    You could use the ACCEPT to get user input and then assign the input to a variable that could then be verified.
    I believe that anything is possible because we don't yet have proof that it is not!
    I do have code that can accept user input.
    Is it PL/SQL code? Sybrand was clearly talking about PL/SQL:
    sybrand_b wrote:
    Pl/sql is for server side code, it is not a front end tool, and it is incapable of the functionality you describe.
    If you do have PL/SQL code that accepts user input, please post an example. A lot of people, including me, would be very interested.
    Pass the user-input value to a variable and then assign that value to another variable from within a Declare of a PL/SQL Block.
    The opportunity here is to figure a way to loop with user input until desired input is entered by the user before proceeding with the code. I'm using PL/SQL Block because I don't want the code to persist. I just want to run it as part of database configuration procedure. Thanks
    It sounds like you're talking about SQL*Plus, which is a very poor tool for looping or branching.
    It's possible, but it's not pretty. The following thread shows one way of looping in SQL*Plus:
    Re: How to give the different values to runtime parameters in a loop?

  • Authorization scheme issues

    Hi, I'm using a custom authentication scheme, SSO with the ntlm_page_sentry function.
    I've an authorization scheme "Admin control" like this:
    declare
    v_role varchar2(55);
    begin
    select role into v_role from user_roles where lower(userid) = lower(:APP_USER);
    if v_role = 'ADMIN' then
    return true;
    else
    return false;
    end if;
    exception
    when NO_DATA_FOUND then return false;
    end;
    In a login page (page 101) I've a process like this, with process point On Load - Before Header:
    declare
    v_role varchar2(55);
    v_nextpage number;
    begin
    select upper(role) into v_role from sales_inq.user_roles where lower(userid) = lower(:APP_USER);
    case v_role
    when 'ADMIN' then v_nextpage := 9;
    when 'EDIT' then v_nextpage := 1;
    when 'VIEW' then v_nextpage := 2;
    end case;
    owa_util.redirect_url('f?p=' || :APP_ID || ':' || v_nextpage);
    exception
    when NO_DATA_FOUND then
    owa_util.redirect_url('f?p=' || :APP_ID || ':101');
    end;
    I've assigned the "admin control" authorization scheme to page 9 and changed authentication to "page requires authentication".
    After logging into my system with a network id which is assigned to the ADMIN role, when I run the login page (101) I'm unable to access page 9. Can't I test this in standalone mode in a dev instance? For example, my userid is in the user_role table with a role of admin, so why can't I see that page?
    Thanks,
    Mahender.
    Edited by: user518071 on Oct 8, 2009 12:44 PM

    Hi Scott,
    How does the login page get invoked?
    I'm trying to implement this authorization scheme for the first time for this UI.
    Previous scenario: User needs to login so the login page will be displayed automatically.
    Current scenario: User comes to the login screen, which is a dummy page without any items or regions, and I've created a process (the on load before header process code mentioned above) which will check the network user's role and branch to the corresponding page.
    Why is there a login page if you have an sso facility?
    There is no login page as such but it's common intermediary page for all users which is not displayed but automatically directed to their corresponding page based on the process (on load before header process code mentioned above)
    Is there a login page designated as the Session Not Valid Page in the authentication scheme?
    No
    or let me know how we can do this ?
    I've three roles for users: admin, edit, view, and they are stored in the user_roles table. A user with role view can access only his page, a user with edit can access all view pages as well as his pages, and admin can access all pages. Then the next issue is how to test this without using Active Directory in a dev instance by adding security to the corresponding pages (e.g. admin control, page requires authentication).
    Thanks,
    Mahender.

  • Error in executing authorization scheme code

    I run my application on apex.oracle.com and I immediately get the following error:
    ORA-06550: line 13, column 28: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line 12, column 14: PL/SQL: SQL Statement ignored ORA-06550: line 16, column 19: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 16, column 5: PL/SQL: Statement ignored ORA-06550: line 17, column 15: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 17, column 5: PL/SQL: Statement ignored ORA-06550: line 25, column 28: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line
    Error ERR-1082 Error in executing authorization scheme code.
    Here are the login credentials:
    Workspace: RGWORK
    Application: Online Certification Application Prototype - 21405
    User: TESTER
    Password: test123
    The application s/b public . I am not able to identify the invalid authorization scheme. I checked all the authorization schemes in the Shared Components > Security > Authorization Schemes and can't find the culprit.
    Can someone assist please?
    Thank you,
    Robert
    My Blog: http://apexjscss.blogspot.com

    Your Authorization Scheme "Access control - administrator" has this line of code that uses a table that isn't there (or RGTEST has no access to):
    select id, application_mode
    from apex_adm.apex_access_setup
    This Authorization Scheme is used in the Admin tab.
    If you run the page in debug mode you'll see (amongst a lot of other stuff):
    0.19: Authorization Check: "11204012643155257465" User: "nobody" Component: "tab"
    0.20: Show ERROR page...
    That pointed me to the Tab section...and there it was!

  • Public and Authenticated App with Authorization Scheme once per session

    I have a question . . .
    Let's say I have an application and at the application level I have an authorization scheme (auth1). If auth1 is set up to evaluate once per session, does it authenticate for the public user, then pass me back to the page and then check then evaluate the auth1 scheme. Or does it evaluate the auth1 scheme, then log in, then return to the page. Is it the same regardless of authentication scheme (e.g. Oracle SSO).
    It may make a big difference. If the authorization scheme is based upon the user (most will be) then setting it to evaluate once per session can be a real problem. If it evaluates before the user logs in, then it won't really work.
    This is an even bigger question when the application does not have a authorization scheme at the application level and allows public pages. If a page that is not public has an authorization scheme set, and the user goes directly to that page, it seems to authenticate the authorization scheme and then logs you in, but does not re-evaluate authorization scheme after you are logged in. Is this accurate? I realize that I could set it up to evaluate for every page view, but I really only need it once after login.
    Is this clear?

    Anton,
    It seems that all authorization schemes that are set to evaluate once per session are evaluated with the beginning establishment of a session.
    Sort of correct. Authorization schemes don't get evaluated until the component that uses them is considered for rendering or processing. So if the authorization scheme is attached to a page, it won't fire until the page is requested. If another component uses that scheme first, the evaluation will happen then and will not happen again during the session.
    What if I have another page that is not public. If it is the first page I go to, what happens. Obviously, I get redirected to login, then login. Do the authorization schemes get evaluated at this point?
    Yes, assuming the authorization scheme is used by the page, the scheme is evaluated during the first rendering or processing of the page in the session, after the authentication step.
    Now, what if I have a page that is public, but also has an auth scheme (odd, but could happen). Now what happens, does the auth scheme get evaluated before or after login?
    During the rendering or processing of the page after the authentication step. For a public page, the authentication step is performed up to the point where it determines that no authentication is required.
    OK, now let's add in Application level auth scheme. I can have public or private pages. If I go to a private page, when does the app level auth scheme kick in? How about for a public page?
    When an application uses an authorization scheme, it gets evaluated before the authorization scheme (if any) for the page that is being requested, so the public/private property of the page doesn't matter.
    General advice: when an authorization scheme uses :APP_USER, it doesn't work well to have it fire once per session because it'll get run before authentication to the application occurs, which sets APP_USER. You can have such schemes fire once per page view and for PL/SQL function-type schemes, have them give a "pass" when the current page is the login page, that kind of thing.
    In addition, if the overhead of running a scheme is high, one can set an application-level item to indicate that a once-per-page scheme has already run satisfactorily. The PL/SQL-type schemes can access the value of such an item to skip the expensive part of the evaluation and return true immediately.
    Finally, the htmldb_application.reset_security_check API can be called in order to reset the "fired" status of all authorization schemes in the session, allowing them to be re-evaluated if/when they are encountered again in the session.
    Hope this helps,
    Scott
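Scott's advice above (evaluate on every page view, pass the login page, and remember a successful check in an application item), as an added sketch that is not code from the thread. Assumed names: login page 101, a `USER_ROLES(USERID, ROLE)` table, and an application item `AUTHZ_ADMIN_FOR` whose Session State Protection is set to "Restricted - May not be set from browser" so that it cannot be supplied in the URL.

```sql
-- Authorization scheme body, type "PL/SQL Function Returning Boolean",
-- evaluation point "once per page view".
-- Assumptions (not from the thread): login page id 101, table
-- USER_ROLES(USERID, ROLE), application item AUTHZ_ADMIN_FOR.
declare
  c_login_page constant number := 101;
  l_user       varchar2(255)   := upper(:APP_USER);
  l_hits       pls_integer;
begin
  -- APP_USER is only set by authentication, so the login page itself
  -- gets a pass and no decision about the user is made there.
  if :APP_PAGE_ID = c_login_page then
    return true;
  end if;

  -- A session that has not authenticated never passes a user-based check.
  if l_user is null or l_user = 'NOBODY' then
    return false;
  end if;

  -- Cheap path: the item holds the name of the user the check last
  -- succeeded for, so a value cached for someone else is ignored.
  if v('AUTHZ_ADMIN_FOR') = l_user then
    return true;
  end if;

  -- Expensive path: consult the role table. COUNT(*) cannot raise
  -- NO_DATA_FOUND or TOO_MANY_ROWS, so no exception handler is needed.
  select count(*)
    into l_hits
    from user_roles
   where upper(userid) = l_user
     and upper(role)   = 'ADMIN';

  if l_hits > 0 then
    apex_util.set_session_state('AUTHZ_ADMIN_FOR', l_user);
    return true;
  end if;

  return false;
end;
```

Because the item caches a positive result, a role revoked in `USER_ROLES` stays effective for that session until the item is cleared or the session ends.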

  • Authorization Scheme - Getting handle on which object is calling the scheme

    Hi
    I'm currently trying to write a custom authorization scheme using a plsql returning boolean. What I'm wondering is whether there is a way to reference the application object (e.g. page, region, page item, button etc) that has triggered the authorization plsql to run.
    What I'm ultimately wanting to do is to create a generic authorization scheme that can be applied to any object, and that auth scheme will look up a database table containing what users can access what object. I can only do this if I know at run-time which object the plsql is currently checking authorization for. (I can get the user from :APP_USER.
    For example I have an authorization scheme "test_scheme". I have applied test_scheme to the button "CREATE" on page 1. This button has a button_id which I can find from APEX_APPLICATION_PAGE_BUTTONS view.
    During page rendering the buttons authorization scheme will be checked (and so the plsql returning boolean will be triggered). When the plsql is triggered I want to reference the fact that the CREATE button on page 1 (or better the button_id) has triggered the plsql, from within the plsql itself.
    I hope this makes sense.
    Many thanks in advance.

    Hi Scott,
    Looks like there are a few others out there encountering the limitations of authorization schemes.
    Hopefully there will be an enhancement at some point to enable referencing the component id which has triggered the authorization scheme to run.
    Until then I will go down the route of creating an authorization scheme for each component that needs one.
    Many thanks for pointing me to that discussion.
    Jimbo

  • Authorization Scheme based on a group in LDAP?

    Hi,
    I would like to write an Authorization Scheme that checks whether a user (authenticated via a Authentication scheme based on LDAP) is a member of a specific group in LDAP, for access control.
    I can't seem to find documentation or an example of this. Would appreciate any tips or links to docs and examples....
    Thanks!

    I came across this nice example from the docs for the authorization scheme using the "IS_MEMBER Function".
    http://download.oracle.com/docs/cd/E17556_01/doc/apirefs.40/e15519/apex_ldap.htm#CDEJAAEI
    Very straightforward....
    However, my question now is, how would I tie this in to my authentication scheme?
    One Page Secured by > Authorization scheme (APEX_LDAP.IS_MEMBER) > From a user authenticated by my Authentication Scheme From LDAP directory?
    How would I tie these two schemes together?
    Thanks in advance for any help offered....

  • Authorization scheme for display/read only conditions on item level

    Hi All,
    I have a question. I want to use an authorization scheme to manage if users with a certain role have the permission to either update an item or have the permission to only see the item or that they don't have permission to see it at all.
    So, the input for the scheme would be: 1. user role 2. the current page 3. the current item.
    The output would be: 0 (update) 1 (read only) 2 (not displayed).
    I think I can manage that.
    And I can attach this schema to the items.
    So far so good.
    But how can I make it so that the 0,1 and the 2 will actually do what they need to do?
    I have been thinking about making a function like GET_AUTHORISATON(ROLE,PAGE,ITEM) output: 0,1,2 but I still can't figure out how to connect this with the functionality I want to achieve.
    Can somebody give me a hint?
    Andre

    Thanks Hari,
    Thanks, it works, almost, but what if items are mandatory on a page, but not always mandatory?
    If a user has a certain role, some fields are mandatory, otherwise not.
    Again, a function would do the trick as far as the input and output information
    something like IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) but how can I make it work?
    I guess a PL/SQL validation like:
    IF IS_MANDATORY(USER_ROLE, CURRENT_PAGE, CURRENT_ITEM) THEN ITEM IS NOT NULL
    END IF;
    Andre
    PS: personally I think item level security is not something you wish to implement in your system. I prefer different screens for different roles.
    Far more straightforward. Easy for maintenance. When something disfunctions, it's far easier to pinpoint the location of the cause.

  • Conditional Authorization Schemes?

    Can you implement conditional authorization schemes? For example, I have an application that a handful of users will need to be able to edit and a handful of users will need to be able to look through the screens of the app, but not modify data. Can you have a default authorization scheme of say "read-only" where the page items are not editable, and if you belong to the "read-write" scheme, then the fields are editable? Is there an easier way?

    Hi "Potter_geek",
    unfortunately there is no such "read-only" authorization scheme which automatically switches your page items to read-only.
    I see 3 possible workarounds:
    1) Add code to the "Read-Only condition" for each item.
    2) Add a condition/authorization just to your submit/create/... buttons, so that they are not displayed in case of read-only. All the items are still modifiable, but the user can't submit it.
    3a) Just create an "Application Level Process" (before computation/validation) where you check if a user has write access, if not throw an error that he isn't allowed to change anything. => not so user friendly
    3b) Create a page 0 region of type HTML with display point "After footer" and which has the authorization scheme read-only. It should contain a small javascript script which loops through all the INPUT/... elements of your page and sets them to readonly="readonly".
    Just some thoughts...
    Patrick
    Check out my APEX-blog: http://inside-apex.blogspot.com
    Check out the ApexLib Framework: http://apexlib.sourceforge.net

  • Authorization schemes don't work without logging into workspace first

    Hi,
    I've got an application which uses APEX Authentication, but my Authorization Schemes only work if a user logs into the APEX workspace before logging into the application. For example if I've got a tab with its authorization scheme set to Must be Admin user, the tab won't appear unless you log into the workspace first (which end users aren't going to do) and then log into the application. I've pasted an example of one of my authorization schemes below, is it using the wrong function to check the group or something?
    Authorization Scheme - Must be Admin user
    begin
      if apex_util.current_user_in_group('Admin Users') then
        return true;
      else
        return false;
      end if;
    end;
    Thanks
    Edited by: XVar on Apr 13, 2011 2:05 PM

    Thanks Vee, I've tried your suggestions but I still can't understand why it's not working.
    Here's the authorization setting for my tab (called Super Admin):
    http://i62.photobucket.com/albums/h114/XVar/tab_settings.png
    The authorization scheme ("SAV Manager - Must be Super Admin"):
    http://i62.photobucket.com/albums/h114/XVar/authorization_scheme.png
    The results of the PL/SQL region, which uses the same code to detect group membership as the authorization scheme. As you can see this correctly identifies that the current user is a member of the "SAV - Super Admins" group, but the Super Admin tab isn't visible at the top of the page.
    http://i62.photobucket.com/albums/h114/XVar/current_groups.png
    Obviously the group detection is working fine, but the tab still isn't visible :/ I've got a feeling that I'm being a complete idiot and missing something obvious..

  • ERR-1082 Error in executing authorization scheme code.

    Hi All,
    I have a different problem in APEX....
    I am using the function below to authenticate the APEX users after SSO login. I have created authentication schemes for admin and users separately; depending on that, users will have access to the specific tabs.
    Now users are facing the error below:
    ORA-01403: no data found Error ERR-1082 Error in executing authorization scheme code.
    while they log in or submit the page. And the weird thing is that they are getting this error randomly, 2 or 3 times in a week, and when I compile the authentication function that error will be resolved.
    this is function structure. Inside the function validation code is written.
    function F_auth_user( muser_name in varchar2, mauth_level in number, mgroup_name in varchar2) return boolean
    Some of the details: application users : 200 application size : 30MB
    May i know that how can i prevent this occurrence of error.

    Yes that is authorization schemes .
    Evidence is user can be able to login properly after compiling the function. otherwise the same error happening while navigating through out the applications.
    Function code:
    create or replace function F_auth_user(
    muser_name in varchar2,
    mauth_level in number,
    mgroup_name in varchar2) return boolean is
    ct number;
    muser_id number;
    begin
    select id into muser_id from t_employees where upper(email)=upper(muser_name);
    if muser_id is null or mauth_level is null or mgroup_name is null then
    return false;
    end if;
    if upper(mgroup_name) = 'ANY' then
    select count(*) into ct from t_employees emp, t_positions pos,
    t_employee_groups eg
    where emp.position = pos.id and
    pos.MgtLevel >= mauth_level and
    emp.position = pos.id and
    emp.id = muser_id;
    elsif upper(mgroup_name) = 'USER' then
    select count(*) into ct from t_employees emp, t_positions pos,
    t_employee_groups eg
    where emp.position = pos.id and
    pos.MgtLevel >= mauth_level and pos.MgtLevel!=6 and pos.MgtLevel!=4 and
    emp.position = pos.id and
    emp.id = muser_id ;
    elsif upper(mgroup_name) = 'ADMIN' then
    select count(*) into ct from t_employees emp, t_positions pos,
    t_employee_groups eg
    where emp.position = pos.id and
    pos.MgtLevel >= mauth_level and pos.MgtLevel!=6 and
    emp.position = pos.id and
    emp.id = muser_id ;
    else
    select count(*) into ct from T_employees emp, T_positions pos,
    t_emp_group_mapping egm, t_employee_groups eg
    where emp.position = pos.id and
    emp.id = egm.employee_id and
    pos.MgtLevel >= mauth_level and
    emp.position = pos.id and
    emp.id = muser_id and
    egm.group_id = eg.id and
    trim(eg.group_name) = mgroup_name;
    end if;
    if ct > 0 then
    return true;
    end if;
    return false;
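In the listing as posted, which is cut off before any exception section, the one statement that can raise ORA-01403 is the `select id into muser_id` lookup, since the `count(*)` queries always return a row. The following is an added sketch, not the poster's code, of the same check for the 'ANY' group only, denying access when the lookup finds no row or more than one; the name `f_auth_user_safe` is hypothetical, the tables and columns are the ones in the post, and the other group branches are left out.

```sql
-- Added example: hypothetical variant of the posted function, 'ANY' case only.
create or replace function f_auth_user_safe(
  muser_name  in varchar2,
  mauth_level in number,
  mgroup_name in varchar2) return boolean
is
  ct       number;
  muser_id number;
begin
  -- Reject incomplete input before touching any table.
  if muser_name is null or mauth_level is null or mgroup_name is null then
    return false;
  end if;

  -- SELECT ... INTO raises NO_DATA_FOUND when no row matches and
  -- TOO_MANY_ROWS when several do. Handle both in a nested block so the
  -- scheme answers "not authorized" instead of failing with ERR-1082.
  begin
    select id
      into muser_id
      from t_employees
     where upper(email) = upper(muser_name);
  exception
    when no_data_found then
      return false;   -- unknown user: deny
    when too_many_rows then
      return false;   -- ambiguous e-mail: deny rather than pick one
  end;

  -- COUNT(*) always returns exactly one row, so it needs no handler.
  select count(*)
    into ct
    from t_employees emp
    join t_positions pos
      on pos.id = emp.position
   where emp.id        = muser_id
     and pos.MgtLevel >= mauth_level;

  return ct > 0;
end f_auth_user_safe;
/
```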

  • Custom handling of authorization scheme failed errors

    Is there a way I can catch when someone goes to a page they are not authorized to be on (Authorization Scheme used to enforce it) then instead of stopping cold redirect them to the public page of the application and use global notification to inform the user of the fact he or she is not authorized into the selected page instead of going to the red stop sign X page? I have used global notifications before but I am unsure if there is a way to keep my page secure applying the authorization scheme at the page level and do what I am talking about. Any ideas?

    This only happens when the user tampers with the URL, but that does happen.
    You can code your authorization scheme to return true when it detects unauthorized access to a page but first have it use owa_util.redirect_url to go to the notification page of your choosing.
    Scott
