7/6/2016

securityAuthorizationanduserrolesinOracleApex?StackOverflow

StackOverflowisacommunityof4.7
millionprogrammers,justlikeyou,
helpingeachother.

signup

login

tour

help

JointheStackOverflowcommunityto:

Jointhemitonlytakesaminute:
Signup

Askprogramming
questions

Answerandhelp
yourpeers

Getrecognizedforyour
expertise

AuthorizationanduserrolesinOracleApex?
SoApexhas"workspaces",whichletyoucreateusersofthreetypesallofwhichareinternaltotheorganizationinnature.Also,thereseemsto
benowayforadeveloperofanindividualsiteonApextohave"users"justforhissite.
AmImissingsomething?
Ineedtobeabletohaveexternal(business)userstobeabletogetaccesstojustsomefeaturesofthesite,forexample,accountingcanonly
seepagesAandBwhileexecutivescanseeA,B,andC.
Ineedtohaveabilitytohaveseveralgroupsofpeoplewithdifferencedegreesofaccess.
Canthisonlybedonebycreatingworkspaces/groups?Orcanthatbedoneinternallyonjustmysite?
security permissions authorization roles oracleapex
editedMar23'12at19:19

askedOct26'11at15:40

Bishan
4,990

antonpug
30

96

164

2,627

17

47

92

2Answers

AlthoughAPEXhasabuiltinusermanagementconceptcalled"Groups"ImustconfessIhave
neverusedit,andaquickperusalofthedocumentationdoesn'tmakeitcleartomehowyouuse
thesetocontrolaccess(butseeTom'sanswerhereforthat).
Youwillprobablyneedtocreateuser/roletableswithinyourdatabaseandusethesein
conjunctionwithAPEXAuthorizationSchemestocontrolaccesstopages.AsingleAuthorization
Schemeoftype"PL/SQLFunctionreturningBoolean"couldbecreatedwiththefunctionbody:
returnmy_auth_pkg.is_authorized(p_user=>:app_user,
p_app_id=>:app_id
p_page_id=>:app_page_id);

Youwouldthenimplementthepackagetolookuptheuser'sprivilegesanddecidewhetherto
returnTRUEorFALSEfortheapplicationandpageid.

AlternativelyyoucouldjustperformtheSQLtocheckforaccessdirectlyintheAuthorization

http://stackoverflow.com/questions/7905159/authorizationanduserrolesinoracleapex

1/3

7/6/2016

securityAuthorizationanduserrolesinOracleApex?StackOverflow

Scheme:
(NB"user_roles"and"role_pages"arenamesImadeup,torepresentyourtables)
editedOct27'11at9:14

answeredOct26'11at16:10

TonyAndrews
84.8k

11

135

185

Whereexactlywouldtheabovelistedcodego? antonpug Oct26'11at16:14

Youwouldenteritinthe"FunctionBody"propertyoftheAPEXAuthorizationSchemewhenyoucreateit.

TonyAndrews Oct26'11at16:18
Ahalright.SothatisalsowhereIwouldcreatethecheckstoseeifmydbtablecontainstheproper

informationornot? antonpug Oct26'11at16:19

WherewouldIdeclare/defineis_authorized? antonpug Oct26'11at16:22
Inapackagethatyoucreateontheserver.YouneedtoknowPL/SQL. TonyAndrews Oct26'11at16:24

IjustwishtoexpandonTony'sanswer,whichbyitselfiscorrect.Ijustwanttoshowyouanother
way,whichithinkwouldbeeasieronatotalbeginnerandomitsthecreationoftables.
IfyourapplicationusesApexasauthenticationscheme,thenyourusersaremanagedthrough
theadministrationoftheworkspaceitself.Youcancreate,editanddeleteusers,butyoucanalso
definegroups,andlinkuserstogroups.Itispossibleforyoutocreateseveral"enduser"typeof
users,anddefineacoupleofgroups,like"Executives".

Whenyouhavecreatedyourgroup,gototheuseryouwishtoassignthisgroupto,andaddthe
grouptothegroupsofthatuser

http://stackoverflow.com/questions/7905159/authorizationanduserrolesinoracleapex

2/3

7/6/2016

securityAuthorizationanduserrolesinOracleApex?StackOverflow

Onceyouhavethatsetup,youstillneedtheauthorizationschemes.Thefactremainsyouneed
somepl/sqlknowledgehere,butitispossibletokeepthecodingtoaminimum,thankstosome
handyapiwork.

Thecurrent_user_in_groupdoeswhatitsays:itchecksforthecurrentuserifhehassaidgroup
assigned.WithsomeexpandingusingsomesimpleIFstructures,youcanrampitupabit!
Notthati'dtotallyrecommendthismethod,ifinditabittediousmyself,andyouneedsomeoneto
gointoAPEXtoactuallymaintainusersandtheirgroups,butitcouldwellbethatthisis
acceptableinyourenvironment.Youcoulduseittostartoutwithhowever.Youcanveryeasily
switchoutauthenticationschemes,andwithalteringyourauthorizationschemessotheycomply
withthenewauthscheme,youcaneasilyandquicklyadjustthisafterward.Itdependsonyour
prioritiesandgoalsofcourse.
answeredOct26'11at21:53

Tom
4,696

14

27

1 +1Great,nowIknowhowtousethebuiltingroups!Ihadlookedattheapex_utildocsbeforeanswering,
butfailedtoseethatfunction.Justanobservation:yourcodeinexpression1canbereducedtosimply
returnapex_util.current_user_in_group(p_group_name=>'Executives'); TonyAndrews Oct26'11
at22:24
IimplementedyouranswerhereTom,anditsureiseffectiveatrestrictingaccess.Infact,Ican'tgettothe

loginpageanymore.XDHowmightIfixthat?IshouldnotethatIappliedtheauthorizationschemeatthe
applevel,notthepagelevel.DoIhavetoturnauthorizationoffattheapplevelandreallygothroughand
limitaccesstoeachpageindividually?TraxusIVJan31'15at8:21
1 @TraxusIVWow,sorryforthelateresponse!Ithinkthismightbetiedtoyourapexversion,andlater
versionsofapexshouldn'tdothisanymore(Ibelieve).Mightbefrom4.2andup.Otherthanthat,yes,you'll
needtoassigndirectly.Don'tfretthough,youcandothisrelativelyeasilybygoingtoUtilities>select
Crosspageutilitiesontherightsidebar>grideditofallpages.Youcanchangetheauthorizationscheme
there,easily,forallyourpages.Don'tforgettosave!:)TomMar2'15at11:39

http://stackoverflow.com/questions/7905159/authorizationanduserrolesinoracleapex

3/3