Extend the security of your application by creating an authorization scheme.
Authorization is a broad term for controlling access to resources based on user privileges. While conditions control the rendering and processing of specific page controls or components, authorization schemes control user access to specific controls or components.
Learn about how an authorization scheme extends the security of your application's authentication scheme.
You can specify an authorization scheme for an entire application, page, or specific control such as a region, item, or button. For example, you could use an authorization scheme to selectively determine which tabs, regions, or navigation bars a user sees. An authorization scheme either succeeds or fails. Common authorization scheme types include Exists, Not Exists SQL Queries, and PL/SQL Function Returning Boolean. If a component or control level authorization scheme succeeds, the user can view the component or control. If it fails, the user cannot view the component or control. If an application or page-level authorization scheme fails, then Oracle Application Express displays a previously defined message.
When you define an authorization scheme, you give it a unique name. Once defined, you can attach it to any component or control in your application. To attach an authorization scheme to a component or control in your application, simply navigate to the appropriate attributes page and select an authorization scheme from the Authorization Scheme list.
Learn how to create and edit an authorization scheme. Before you can attach an authorization scheme to an application or an application component or control, you must first create it.
When you create an authorization scheme you select an authorization scheme type. The authorization scheme type determines how an authorization scheme is applied. Developers can create new authorization type plug-ins to extend this list.
Table 20-1 Authorization Scheme Types

Authorization Scheme Types | Description |
---|---|
Exists SQL Query | Enter a query that causes the authorization scheme to pass if it returns at least one row and causes the scheme to fail if it returns no rows. |
NOT Exists SQL Query | Enter a query that causes the authorization scheme to pass if it returns no rows and causes the scheme to fail if it returns one or more rows. |
PL/SQL Function Returning Boolean | Enter a function body. If the function returns true, the authorization succeeds. |
Item in Expression 1 is NULL | Enter an item name. If the item is null, the authorization succeeds. |
Item in Expression 1 is NOT NULL | Enter an item name. If the item is not null, the authorization succeeds. |
Value of Item in Expression 1 Equals Expression 2 | Enter an item name and a value. The authorization succeeds if the item's value equals the authorization value. |
Value of Item in Expression 1 Does NOT Equal Expression 2 | Enter an item name and a value. The authorization succeeds if the item's value is not equal to the authorization value. |
Value of Preference in Expression 1 Does NOT Equal Expression 2 | Enter a preference name and a value. The authorization succeeds if the preference's value is not equal to the authorization value. |
Value of Preference in Expression 1 Equals Expression 2 | Enter a preference name and a value. The authorization succeeds if the preference's value equals the authorization value. |
Is In Group | Enter a group name. The authorization succeeds if the group is enabled as a dynamic group for the session. See "APEX_AUTHORIZATION.ENABLE_DYNAMIC_GROUPS" in Oracle Application Express API Reference. If the application uses Application Express Accounts Authentication, this check also includes workspace groups that are granted to the user. If the application uses Database Authentication, this check also includes database roles that are granted to the user. |
Is Not In Group | Enter a group name. The authorization succeeds if the group is not enabled as a dynamic group for the session. |
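The following added example (not taken from the Oracle documentation) shows the same role check written for two of the scheme types above: Exists SQL Query and PL/SQL Function Returning Boolean. The table `APP_USER_ROLES`, its columns, and the role name `ADMIN` are assumptions made for illustration; `:APP_USER` is the built-in bind variable holding the signed-in user name.

```sql
-- Constructed schema for this example (hypothetical, not part of Oracle APEX).
-- Assumes USERNAME is stored exactly as APEX reports it in :APP_USER.
create table app_user_roles (
    username   varchar2(255) not null,
    role_name  varchar2(30)  not null,
    valid_to   date,                      -- NULL means the grant does not expire
    constraint app_user_roles_pk primary key (username, role_name)
);

-- Scheme type: Exists SQL Query
-- Enter this query as the scheme source. The scheme passes when the query
-- returns at least one row for the signed-in user and fails on no rows.
select 1
  from app_user_roles
 where username  = :APP_USER
   and role_name = 'ADMIN'
   and (valid_to is null or valid_to >= sysdate)

-- Scheme type: PL/SQL Function Returning Boolean
-- Enter only the function body below. It applies the same rule, and every
-- path other than a confirmed match returns FALSE, so the scheme fails
-- closed if the lookup itself raises an error.
declare
    l_matches pls_integer;
begin
    select count(*)
      into l_matches
      from app_user_roles
     where username  = :APP_USER
       and role_name = 'ADMIN'
       and (valid_to is null or valid_to >= sysdate);

    return l_matches > 0;
exception
    when others then
        return false;   -- deny access rather than surface a partial result
end;
```

Because the grant can expire through `valid_to`, a scheme like this depends on state that can change during a session, which matters when choosing how often the scheme is validated.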
Create an authorization scheme on the Shared Components page.
To create an authorization scheme:
1. On the Workspace home page, click the App Builder icon.
2. Select an application.
3. On the Application home page, click Shared Components.

   The Shared Components page appears.
4. Under Security, select Authorization Schemes.
5. Click Create.
6. Specify how to create an authorization scheme by selecting one of the following:
   - From Scratch
   - As a Copy of an Existing Authorization Scheme
7. On Create Authorization Scheme - Details:
   - Name - Enter a unique name that identifies this authorization scheme.
   - Scheme Type - Select how this authorization scheme will be applied. See "About Authorization Scheme Types."
   - Identify error message displayed when scheme violated - Enter error text that displays if the authorization scheme fails (that is, the current user fails the security check).
   - Validate Authorization Scheme - Authorization schemes are evaluated on first use in a session. Use this option to control whether future uses cause re-evaluation and when a memorized result can be used instead.

   For more details, see field-level Help.
8. Click Create Authorization Scheme.
Edit attributes of an existing authorization scheme.
To edit attributes of an existing authorization scheme:
Control when an authorization scheme is validated using the Evaluation Point, Validate authorization scheme attribute.
To change the authorization scheme evaluation point:
Tip:
The default value Once per session is the most efficient. You should choose another value if the authorization check depends on changing session state or other factors that are not consistent over an entire session.
Call an API to reset a session's authorization scheme state.
If an authorization scheme is validated once for each session, Oracle Application Express caches the validation results in each user's session cache. You can reset a session's authorization scheme state by calling the APEX_AUTHORIZATION.RESET_CACHE API.
See Also:
"APEX_AUTHORIZATION.RESET_CACHE Procedure" in Oracle Application Express API Reference
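As an added illustration (not code from the Oracle documentation), the page process below changes the signed-in user's privileges and then clears the cached result so that a scheme validated once per session is re-evaluated. The table `APP_USER_ROLES` and the scheme name `Is Administrator` are hypothetical; the process is assumed to run in the session whose cached results should be discarded.

```sql
-- Page process (PL/SQL code). Runs in the session of the signed-in user.
-- APP_USER_ROLES and the scheme name 'Is Administrator' are hypothetical.
begin
    -- The signed-in user gives up the ADMIN role.
    delete from app_user_roles
     where username  = :APP_USER
       and role_name = 'ADMIN';

    -- A scheme validated once per session would otherwise keep returning
    -- the result memorized before the DELETE. Resetting the cache forces
    -- re-evaluation the next time an authorization is checked.
    apex_authorization.reset_cache;

    -- Verify the change took effect: this call re-runs the scheme against
    -- the updated table instead of reading the memorized result.
    if apex_authorization.is_authorized(
           p_authorization_name => 'Is Administrator') then
        raise_application_error(
            -20001,
            'Role removal did not take effect for ' || :APP_USER);
    end if;
end;
```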
Once you have created an authorization scheme you can attach it to an entire application, page, control, or component.
To attach an authorization scheme to an application:
You can use the Authorization Scheme Subscription and Authorization Scheme Utilization reports to better manage authorization schemes within your application.
To view authorization scheme reports: