Report Link + Authorization Scheme

Similar Messages

• Authorization Scheme - Report

  I was looking for a report that would show the utilization of the authorization schemes, defined in an application. Where do I find or how do I create such a report?
  Thanks,
  Denes Kubicek

  Thanks Scott,
  next time I will keep my eyes open while searching for that stuff. Your application - HTML db - is a good thing. Thanks for that as well.
  Denes Kubicek

• Authorization Scheme -- Best Practices?

  Hi All --
  We have a reporting application containing approximately 300 pages and 60 or so menu items all using authorization schemes (exists SQL method) as a means to determine whether or not a use can see the menu items and/or access the pages. We've been seeing an issue where a user logging into the application experiences poor performance upon login and have traced it to our access checks and the number of "exists" queries run when a user logs in and before our menu is displayed.
  What would be considered best practice in a case such as this? Does anyone have any ideas on how to increase the performance on these authorizaton checks?
  Thanks,
  Leigh Johnson
  Fastenal Company

  Leigh - No, the asktom post Joel referred to is posted above: http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:62048567543425
  We just want to know if this post if from you folks or not.
  About the authorization schemes for each page, I would think that whatever scheme you code to authorize a link to a page, e.g., on a menu, would be the same scheme you'd want to attach to the page itself.
  So the authorization has to take place first at the point you render (or suppress) a link to a page and again at the point the page is requested (the latter being necessary because a user can bypass the menu links and try to access pages directly by entering the page ID in the URL.
  So again, if you have X links on the menu page, each requiring a distinct query for authorization, you'll have to pay the price to do all that authorization once per session because of the design of the menu page. More precisely, the authorization scheme code, e.g., their EXISTS queries, have to be executed once per session per resource access attempted. For performance purposes, the results of these checks are cached for the duration of the session (because you set them up to be evaluated once per session and not on every page view).
  One thing that might help you is region caching (or page caching) for the menu. You'd use the Cache By User option, of course. Then if the same named user logged in and out numerous times during the "cache valid" period, which is adjustable, the user would see the cached menu "instantly". Authorization checks will not have been performed during these page requests however, so you'd want to be sure that it makes sense to present cached versions of these links. However, the corresponding authorization schemes that you'd attach to the pages themselves would be evaluated when the user clicked on a "cached" link, so you'll get the protection you need, ultimately.
  Scott

• Display page items based on Authorization Scheme...

  I have a report form that shows all my columns, but I have two columns that I only want "Admin" and "Edit" from my authorization scheme to be able to edit; but I would like for "User" to view.
  Currently I have "authorization" enabled for the two items, and set for "Edit". This works, except the "User" logins cannot view the items.
  I thought of two possibilities, both I think I'd need help on though!:
  1. Create a duplicate page item for these two items. One would show as "Text" only (cannot edit). The other would be "Text Field". The "Text Field" column would only be
  accessible by "Edit" or "Admin".
  The problem, though, is now "Edit" or "Admin" users will see both columns
  2. Set up something in "Conditions" that would show as "text" for "User", and as "Text Field" for "Admin" or "Edit"?
  I would have no clue how to do this...
  Any thoughts?
  Kevin L.

  Kevin
  You can create two items and in the Authorization Scheme you can set one as Users and second as Edit. Also You can do something using small JS. Create a variable P_USR_TYPE to hold the value of User group lets say 1 for Users and 2 for Edit. Then on the HTML header or footer of the region you can add a javascript call
  function UsrCustomization()
       if ( P_USR_TYPE == 1 )
            // mark the item as readonly
            // document.getElementById('P1_FIELD_QUESTION').disabled = true;
            document.getElementById('P1_FIELD_QUESTION').readOnly="readonly"
  UsrCustomization();Thanks,
  Manish

• Authorization Scheme problem using query

  Greetings:
  I have an application with 4 different roles in my application. Depending on the user role, the access to different pages within the application are filtered. We have 4 group types: admin, general, transactional and read_only; each, with descending levels of authorization.
  The application utilizes a two-level tab navigation system in which I hide the tabs that the users are not supposed to see, depending on the level of authorization that they have. I have implemented three authorization schemes for three different types of access depending on the pages within my application. The only page without any auhorization is the login page.
  The three created authorization schemes are as follows.
  My first scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  APP_GROUP_TYPE != 'READ_ONLY'
  This one is supposed to negate access to the READ_ONLY group, but allow access to all other groups.
  My Second scheme (set as scheme type: exists SQL Query):
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  and
  APP_GROUP_TYPE != 'transactional')
  The second one, I have added the transactional group as to be explicitly negated access.
  My Third scheme
  Select APP_USER_NAME, APP_GROUP_TYPE from APP_USERS
  where
  APP_USER_NAME = :APP_USER
  AND
  (APP_GROUP_TYPE != 'READ_ONLY'
  AND
  APP_GROUP_TYPE != 'transactional'
  AND
  APP_GROUP_TYPE != 'general')
  the last one, I have added the general group as to be explicitly negated access.
  I am thinking that, logically, this would work, but the pages do not display properly. I am always getting the failed authorization page, even with my admin user. Is there something wrong with my methodology? Should I be white-listing instead of black-listing in my queries? Thanks for your support.

  I appreciate your help Jeff, you helped me a great deal, but not in the way you may think. In your link, there was a post that offered a solution with a simple query. There was one person that posted a query using (upper) to bring the username to uppercase so it can be properly compared to :APP_USER. Yes, the users were entered as lowercase, the logic was ok. I changed the query logic to a white list as to avoid possible users that may be able to authenticate into the application without a proper group configured.
  Thanks for your support. Maybe this can help someone on the forums out.

• Unexpected problem with authorization scheme of type plsql function

  Hi,
  I have created one authorization scheme of type plsql function returning boolean. Authorization scheme is for pages only. p2_user_priviledge is a textbox on home page which extract privilege (list of pagenos) for login user from database. Home page has no authorization required. AUTHORIZATION SCHEME always returns false. I am not able to trace problem in my code. same code works fine for a textbox's default returning 'c'.
  ----- CODE FOR AUTHORIZATION SCHEME------------------------------------------------------------
  declare
  pageid varchar2(10);
  privilege varchar2(300);
  c number(3);
  begin
  pageid := ':P'||to_char(:app_page_id)||':' ; ---Pageno get stored in format  *:P2:*
  privilege := trim(:p2_user_priviledge); ++------Contain list of privilege like    :P2:P13:P67:P23:  etc+++ select instr(privilege,pageid) into c from dual;
  if c>0 then
  return true;
  else
  return false;
  end if;
  end;
  One more problem is again related to authorization scheme.
  I created one application and one authorization scheme (auth_aug) which worked finely. Then after some days i added 10 more pages to same application, But now autho_aug was always returning false for new pages. So i copied code from 'autho_aug' to new scheme 'autho_sept', & it worked for new pages. I don't understand if code is same for both scheme, why required to use two different schemes.
  Now i have added few more pages to application, and facing problem mentioned earlier.
  any solution for both the problems.....

  Hi,
  Let me clear my problem once again.
  -->Home page i.e. P2 does not use authorization, So it is displayed along with text item :p2_user_privilege.
  -->Then user click on one of the links , Now page :P70: should get displayed.
  P70 is using authorization scheme.
  -->But :p2_user_priviledge value is not accessible at authorization scheme, I dont know why.
  I could not find out where to create Application item , as suggested by you.
  & not able to find Developer menu , session at home page as suggested earlier.
  And one more question, my application at runtime display
  X en us
  at bottom
  How to make it
  USER: X Language: en us
  Like in development environment.
  Hope I have cleared my problem, waiting for reply.
  Edited by: TEJU on Nov 17, 2008 9:25 AM

• Page Authorization Scheme OK button not working

  Hi All,
  I have a Page Level Authorization scheme, which makes a PL/SQL Function call to determine whether the logged in user should have access to the Page. This works well and displays an 'Access denied by Page security check' error message, but the OK Hyperlink that is displayed does not work as I would expect as I am not returned to the calling page.
  The pages in question are Popups and when I hover over the OK Hyperlink, the Javascript in the Taskbar shows javascript:window.history.go(-1). Is this the route of my problem, and is there any way around this when using Popup windows?
  Thanks,
  Mike

  Scott,
  Thanks for your response. Yes you have the sequence right: "User clicks on link to popup page from base page and the link is to a forbidden page"
  "The basic question is why would you ever show a link to a forbidden page to the user?"
  The main reason is time, ideally yes we would like to hide links to forbidden pages but it will take time to implement due to complexity of role combinations and number of pages. So for now, we are confident in our method for denying access to forbidden pages.
  The error message that is displayed on the forbidden page is set in the Authorization Scheme, but how do I alter the OK link? Isn't this generated 'behind the scenes'?
  Thanks,
  Mike

• Authorization Scheme based on a group in LDAP?

  Hi,
  I would like to write an Authorization Scheme that checks whether a user (authenticated via a Authentication scheme based on LDAP) is a member of a specific group in LDAP, for access control.
  I can't seem to find documentation or an example of this. Would appreciate any tips or links to docs and examples....
  Thanks!

  I came across this nice example from the docs for the authorization scheme using the "IS_MEMBER Function".
  http://download.oracle.com/docs/cd/E17556_01/doc/apirefs.40/e15519/apex_ldap.htm#CDEJAAEI
  Very straightforward....
  However, my question now is, how would I tie this in to my authentication scheme?
  One Page Secured by > Authorization scheme (APEX_LDAP.IS_MEMBER) > From a user authenticated by my Authentication Scheme From LDAP directory?
  How would I tie these two schemes together?
  Thanks in advance for any help offered....

• Best Approach to create Security / Authorization Schema for an APEX Apps

  Hi,
  I am planning to create a Security / Authorization Schema for an APEX Application.
  Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEXApplications too..
  I am looking for following features...
  1. users LOGIN and then user's name is stored in APEX_USER...
  2. Based on the user, I want to restrict the Application on following levels.
  - TABS
  - TABS - Page1 (Report
  - Page2 (Form)
  - Page2 (Region1)
  - Page2 (Region1, Button1)
  - Page2 (Region1, Items,....)
  AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
  I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
  My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
  Also what should be the FRONT end, we should have to enter these detail...
  SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
  Thanks,
  Deepak

  Hi Raghu,
  thanks for the detial info.
  so that means..I should have 2 table...
  master table (2 columns - username, password)
          username    password
     user1       xxxx
     user2       xxxx2nd table (2 columns - username, chq_disp_option)
  - In this table, we don't have Y/N Flag you mentioned..
  - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally diaplayed.
  - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
  - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
            username    chq_disp_option
     user1       re_region1
     user1       re_region2
     user1       tb_main
     user1       Page1
     user1       Page5
     ----        ----     - how you are defining unique name for Regions..i mean in static ID or the Title
  - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
  Thanks,
  Deepak

• Error ERR-1082 Error in executing authorization scheme code.

  Hi,
  i imported my application from test to prod environment
  when run application i received the error (on login page)
  ORA-06550: line 13, column 19: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line 12, column 13: PL/SQL: SQL Statement ignored ORA-06550: line 16, column 18: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 16, column 4: PL/SQL: Statement ignored ORA-06550: line 17, column 14: PLS-00364: loop index variable 'C1' use is invalid ORA-06550: line 17, column 4: PL/SQL: Statement ignored ORA-06550: line 25, column 19: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line
  Error      ERR-1082 Error in executing authorization scheme code.
  Any help?
  Thanks in advance
  Costantino

  Hi Scott,
  Thank you for the quick reply.
  What I did was to install APEX 3.1 to 11g db, and installed packaged application which called Software Management. It is working fine to log into the application and other operations, but I got the same error which reported on this thread once I applied the existing authorization schemes. So I thought if I missed to import the apex_access_setup and apex_access_control tables. I am looking for the solution to enable the default authorizations...
  I would appreciate if you could give me any suggestions.
  Thanks,
  Rui

• Customise Authorization Scheme web page

  Hi
  APEX - 4.1
  Oracle - 11gr2
  I have added an Authorization Scheme to my application whereby a check is performed to determine whether or not a user is allowed to access a webpage. If a user tries to access a restricted webpage a new webpage is displayed with
  'Access denied by Application security check' and a red exclamation
  My question is how can I customise this webpage as it differs from my application template (The log out disappears at the top and the topbar moves about between the restriction error webpage and the page it returns back to)?
  Is this possible?
  Thanks
  Rob

  Hi
  Thanks for the help. I located the 'Error Page Template Control' section.
  I am not looking to customise that section, but what I have noticed in firebug is that when I switch to this error page the BODY of the HTML document changes.
  So on a ordinary page you would normally have
    <div id="navbar">
      <div class="app-user">#WELCOME_USER#</div>
      <div class="app-user">Client: Internal</div> -- This is customised be me
      #NAVIGATION_BAR#
      #REGION_POSITION_08#
    </div>whereas on this error page you will have
    <div id="navbar">
      <div class="app-user">#WELCOME_USER#</div>
      <div class="app-user">Client: Internal</div> -- This is customised be me
    </div>Also the topbar seems to change from
     <div id="topbar">#REGION_POSITION_01##REGION_POSITION_04#</div>to
     <div id="topbar"></div>Is this normally? It is these adjustments I want to fix as navbar has the logout link which disappears and the topbar has my menu which messes with the page format on the error page
  Cheers
  Rob

• Ultimate Authorization Scheme

  Hello
  I want to create Ultimate Authorization Scheme :)
  One scheme for all regions
  I've got table with regions Id - "regions" and table with relationship of region and user "user_region_auth"
  if user has a authority to region than he could see the region :)
  The scheme could be something like that:
  Type: Exists SQL Query
  select id from user_region_auth r
  where reg_id = #REGION_ID#
  and usr_id = :APP_ID
  and flag = 1
  the problem is that i can't reference to region id dynamically
  my Q: How to reference to region Id dynamically ??
  thx for every reply
  regards
  piotry

  Duh, yes, it is indeed being set to the page being rendered but now that I think about it that's not what I need.
  Say I have 2 pages, each with it's own tab. Tab T1 points to Page 1 and should be visible only to User U1 and Tab T2 points to Page 2 and should be visible only to user U2. I create my auth scheme and attach it to both pages and tabs. Now when User U1 launches the direct link to Page 1, APP_PAGE_ID is set to 1 so the auth scheme returns true which ends up making Tab T2 visible (not what I want)
  I guess what I was hoping is that when the engine evaluates the auth scheme for a Tab, it sets APP_PAGE_ID to the primary "tab page" for that tab for use by the auth scheme logic.
  Oh well, I guess I will have to come up with a different type of auth. scheme for tabs that doesn't rely upon the page being rendered. Thanks for your help.

• Authorization scheme problem

  Hi all,
  I have implemented ACL authorization (Restricted only), and have just created a new ACL scheme in my app is the name of "Registration" same copy of EDIT scheme, I have set following users with these roles:
  USERS with roles
  =============
  1. Admin with Administrator.
  2. Guest with Registration.
  3. Frank with Edit.
  I have create a Navigation List entries (for redirection) on my home page with following entries with restricted roles:
  Navigation List :
  ============
  Administration (for Administrator only ) assigned 'ADMIN' role
  New Registration (for 1 time user registration) assigned 'REGISTRATION' role
  Student Schedule (for existing users) assigned 'EDIT' role
  Student Semester Result (for existing users) assigned 'EDIT' role
  Student Attendance (for existing users) assigned 'EDIT' role
  Problem:
  ========
  When I set REGIS role to guest user , all entries of navigation list ( i mentioned above) except Administration Entry are shown on this page.
  I want to restrict guest user, who can only see Registration Link only. How can I do this ??
  help me out
  waiting for your prompt reply
  regards n thanks
  qamar

  Thanks for your reply scott, at least someone is there to understand it :).
  Well ok just forget everything and focus on it, I am using apex version Apex 3.0.1 with Oracle 9.2.0.1.0, my question is simple as i had stated above long time ago, I have added a new scheme/role 'REGIS' as same as EDIT role and changed EDIT to REGIS on that scheme/role, through this I just want to access only guest user to log in temporarily and create its account in our application and log out, and when he registered in our application, a role EDIT will assigned him automatically and he will be able connect our portal with EDIT role now.
  I had created a simple HTML page and created a Navigation List on it.
  there are 5 list entries on this page .
  1. Administration
  2. New User Registration.
  3. Student schedule.
  4. Student results
  5. Student attendance.
  -Administration
  (assigned ADMIN , so only administrator can see this link and all the entries)
  -New User Registration
  (only guest user with REGIS role can see this link)
  -3,4,5
  (only registered users with EDIT role can see these links)
  I have set these authorization in every list entry with authorization schemes mentioned above.
  Q. But the problem in this situation is that when I assign REGIS scheme to my 2 list entry, all other entries (3,4,5) including 2nd entry are also visible to guest user who has REGIS scheme assigned.
  I hope now you can understand clearly what I am trying to say and understand it.
  Hoping for your prompt reply.
  regards
  qamarsyed

• Authorization scheme (using {not} Scheme)

  I have build a change password page and every user, except user with a Guest role (= GUEST SCHEME) have access to that page.
  I defined a scheme GUEST for users with the GUEST role. When I define the page with Authorization scheme {not}GUEST this isn't working everyone has access to the page, also the guest users.
  am I misunderstanding the {not}scheme choice or is something else wrong.
  Fred.

  Fred,
  I have solved it with the work around I mentioned before:I read what you said very carefully but thought it reckless to conclude that the workaround was successful because you just said "To work around the problem, I did xyz" without indicating the outcome.
  The authorization schemes on navigation tabs fire also on the default login pageYes they do, they fire on every page whether or not the page template accommodates a navigation bar. This looks like a bug to me.
  Is there a "authorization scheme report" which shows all the objects where the authorization scheme is defined.Shared Components > Authorization Schemes > Utilization (slightly different in each version).
  Scott

• What are the tables & Views related to  Authorization Schemes

  Hi,
  I want to export all the Authorization Schemes into csv or excel.
  Thanks,
  Raj

  Hi Scott,
  thanks for the quick response.
  So my question is then...
  I want to create a APEX Report which will give me the following information.
  1. Application and all the Pages associated with it, which I am getting from apex_applications and
  apex_application_pages. This is OK
  2. List of all the Database Objects (Table/View) which the individual page is using, I mean relation between Page ID and database object. HOW to get that???.....(I want for each individual page, the list all the database objects (tables/views), which that page is using)
  Thanks,
  Deepak