Secure the Application

You can secure access to your application with user credentials, and also create user roles to secure data at the level of the business object.

About Authentication Roles and User Roles

You use authentication to manage access to the pages and data in your application. In addition to the default authentication roles, you can fine tune access to your application resources by creating user roles and assigning authenticated end users to them.

All app users are automatically assigned either the Anonymous User or Authenticated User authentication role, or both. If access to the app requires authentication, all users are automatically granted the role Authenticated User when they sign in. If anonymous access to the app is also allowed, users that sign in are granted the Authenticated User role AND the Anonymous User role, and users who are not signed in are only granted the Anonymous User role. You can use these roles when granting permissions to operations on business objects when role-based security is enabled. The following table describes the two authentication roles.

Authentication Role Description
Anonymous User

All users who access Oracle Visual Builder applications are assigned this role when anonymous access to the application is enabled.

Authenticated User

All users who access Oracle Visual Builder applications are assigned this role after they sign in. An authenticated user can see all components and manage business objects unless access to the object is explicitly disabled for the Authenticated User role.

All developers are assigned this role by default.

You use user roles to secure access to business objects and data in your application. The application’s user roles ensure that users assigned the same role or group in the Oracle PaaS identity provider are granted equal access in your application. You define the user roles for the visual application in the User Roles tab of the visual application’s Settings editor. The user roles defined for your application are stored in user-roles.json in the visual application's settings folder. See Manage User Roles and Access.

You assign users or groups in the identity domain to a user role in your visual application, but only identity domain administrators can add users to the identity domain, and it is the responsibility of the identity domain administrator to add users to groups and maintain them in the identity provider. Administrators manage groups using Oracle Identity Cloud Service (IDCS), or use Oracle Shared Identity Manager (SIM) to manage roles for services using a Traditional Cloud Account. All user authentication is delegated to the identity provider.

When a user attempts to access data in a business object secured by a user role, the roles assigned to the user are authenticated in the identity provider. The user is granted access if one of the user roles securing the business object is mapped to one of the roles or groups the user has been assigned to in the identity provider. Security based on roles is disabled by default. You can set role-based security and privileges for viewing, creating, updating and deleting objects in the Security tab of the business object in the Business Objects editor. See Secure Business Objects.

Note:

By default, Authenticated Users can access all objects and components in your application. To thoroughly enable role-based security you must explicitly specify authentication or visibility for an object to a user role and disable access for the Authenticated User authentication role.

About Anonymous Access

You can enable anonymous access to allow users to access your app without signing in. If anonymous access is not enabled, all users must sign in with the credentials of their Oracle Cloud Account.

All users accessing your app are assigned roles that can be used to secure access to the data and services in the application. By default, your application requires authentication, but you can use the Settings editor of the app artifact to allow anonymous access to the app. When anonymous access is enabled, users that do not sign in are assigned the Anonymous User authentication role. By default, users assigned this role cannot access the data stored in your visual application’s business objects and data retrieved from services. You must explicitly allow anonymous users access to the data by configuring the security settings of business objects and services. See Access and Secure Business Objects and About Service Connection Authentication.

Changes that you make to authentication and security settings are only applied when you stage or publish the application. The versions of your application that are currently staged or published are unaffected. For example, if your application is already published, you must create a new version of the application before you can change the security settings. You then must stage and publish the application when you want the new security settings to take effect.

Note:

The service administrator must enable anonymous access in the instance’s Tenant settings. You will not be able to enable anonymous access for any of your visual applications if anonymous access to applications is not permitted for the instance.

The following table describes the options for allowing anonymous access to your application and artifacts.

Allow Anonymous Access Options Description Behavior
Web and mobile applications

You enable the Allow Anonymous Access option for a web or mobile app in the Security tab of the Settings editor for the application artifact. Settings for anonymous access must also be set explicitly for business objects and service connections.

This option must be enabled to allow anonymous access to services and business objects.

When enabled, users are not required to sign in. Users that are not signed in are assigned the role Anonymous User. Signed in users are assigned the Anonymous User AND Authenticated User.

Business objects

You enable anonymous access to business objects by enabling role-based security in the business object’s Security tab and specifying the operations that the Anonymous User authentication role can perform. See Secure Business Objects.

When enabled, anonymous users can perform operations on custom business objects based on the permissions granted to the Anonymous User authentication role.

Service connections

You enable anonymous access to service connection data by enabling and specifying the authentication mechanism for anonymous access in the service’s Authentication tab. See About Service Connection Authentication.

When enabled, anonymous users can access data from the service connections that are configured to allow anonymous access.

Allow Anonymous Access

To allow anonymous access to an app and its data, you edit the security settings of each app artifact, business object and service connection. If your application is already published, you must create a new version and then change the security settings and publish the application.

Enabling anonymous access in the app artifact's Security tab is required to enable users to access the app without signing in. When anonymous access is enabled for an app, the following property is defined in app-flow.json:

"security":{
      "access":{
          "requiresAuthentication": false
      }
  }

To allow anonymous access to an app and data in its business objects and from services:

  1. Open your web or mobile application in the Navigator.
  2. Open the application artifact and select the Settings editor in the designer.
  3. Open the Security tab and select Allow anonymous access in the Access pane.
  4. Open the Security tab of the business object.
  5. Enable Role-based Security (if not enabled).
  6. Configure the rights granted to users assigned the Anonymous User authentication role.
  7. Open the Authentication tab of the service connection.
  8. Select Allow anonymous access.

    If the Allow anonymous access option is not visible, you might need to select Enable authentication / proxy and also confirm that anonymous access is an option for the authentication mechanism used to connect to the service.

  9. Select the Anonymous Authentication Mechanism from the dropdown list.

If you want to allow external clients anonymous access to the Describe endpoint for business objects in your visual application, select Allow anonymous access to business objects Describe endpoint in the Business Objects tab of the visual application's Settings editor. If you choose to allow anonymous access, access to an endpoint will still require adding the header “Authorization: Public” to the request. This header is injected automatically for requests sent from your visual applications.

Manage User Roles and Access

You can create, edit and remove the user roles used to secure access to business objects in your application.

In addition to the Authenticated User role, when a user signs in to your application, they can be assigned an application user role based on their user credentials and the roles or groups they have been assigned to in the identity provider. You use the User Roles tab in the visual application’s Settings editor to create user roles and assign roles and groups in the Oracle PaaS identity provider (IDCS) to the user roles. When you create a user role, the role and any groups or users assigned to it are automatically added to the application in IDCS.

After creating a role, you can secure access to business objects by specifying the application user roles that can access the object and setting the access privileges for the role in the business object’s Security tab.

To create a user role in your visual application:

  1. On the Oracle Visual Builder home page, locate the application where you want to change the settings and choose Settings in the application’s Options menu.

    Description of toolbar-settings-menu.png follows
    Description of the illustration toolbar-settings-menu.png

    Alternatively, open your web or mobile app and choose Settings in the application’s Options menu in the toolbar.

  2. Open the User Roles tab in the Settings editor.

    The User Roles tab displays a tile for each user role in your application, and the groups and users that have been assigned to it.



  3. Click Create Role.
  4. Type the name in the Create Role dialog box. Click Create.

    This role name is displayed when designing your application. It is not exposed to end users.

  5. Click Assign groups or users in the tile if no users or group have been assigned.

    If you want to edit a user role and some groups or users have already been assigned to it, click the Edit icon in the tile.

  6. In the Change Assignments dialog box, click the Add icon for each group or user that you want to assign to the role. Click Save Changes.


    You can assign multiple groups and roles to your user role. The list of groups and users is defined in the identity provider and managed by the identity domain administrator. When you save your changes, the user roles for your application in IDCS is automatically updated.

Embed a Web Application

Your web application can be embedded in sites in domains associated with your Identity Domain as well as external sites.

You must explicitly allow embedding in your web application’s settings if you want to allow other applications to embed your application. For example, if you know that another site wants to use pages and data from your web app in their site, and they don't want to or can't link to your app, you can allow your app to be embedded in their app.

For security reasons, all embedding is denied by default. You can use the Settings editor in the application designer to edit the metadata of the application artifact. The web application’s security settings are stored in the configuration.json file, which is located in the application’s settings folder when you browse the application’s sources.


Description of settings-embedding.png follows
Description of the illustration settings-embedding.png

To allow your web app to be embedded in another app:

  1. Open the web application in the Navigator.

  2. Select the application artifact to open it in the application designer.

  3. Click Settings in the application designer and open the Security tab in the Settings editor.

  4. Enable Allow embedding in any application domain.

When your app is embedded within another app, the preferred method is for the other app to only embed the content of the page and not display the elements that wrap the content. For example, you might want to prevent a user from opening your app's user menu and logging out when it is embedded in another app. You can edit the shell template page to remove content such as the header and footer elements that you don’t want to appear when the page is embedded.

Configure Basic Authentication for a Mobile Application

Mobile applications that you develop with Oracle Visual Builder can use basic authentication rather than the default Oracle Cloud authentication mechanism.

To use basic authentication, you specify a login endpoint URL and logout endpoint URL in the input fields that appear when you select Basic as the authentication mechanism in the Security tab of the mobile application's settings. At runtime, the mobile application presents a login screen where the user enters their user name and password (user credentials). These user credentials are converted into a basic authentication header and the login URL is invoked to pass the basic authentication header to the authentication service. On successful authentication, the user is navigated to the home page of the mobile application. If you want to pass additional HTTP headers to the service that you are connecting to through basic authentication, click New Header to display input fields where you enter the HTTP header(s) you want to pass.

The login and logout endpoint URLs can be any third party or Oracle Cloud service URL that supports basic authentication. This contrasts to the Oracle Cloud authentication mechanism which requires the user to have a valid account in the Oracle Identity Cloud Service that is associated with Oracle Visual Builder.

There are a number of things you need to know if you configure basic authentication for your mobile application. User roles, which secure access to individual page flows or business objects in your application based on the user’s role, cannot be used if you configure basic authentication for your mobile application. The built-in variable, user, which accesses information about the current user when the mobile app uses the Oracle Cloud authentication mechanism, does not return information when the mobile app uses basic authentication.

Propagate Current User Identity and Direct (Bypass Authentication Proxy) are the two authentication mechanisms for REST service connections that you can use if your mobile application uses basic authentication. We recommend that you use Propagate Current User Identity to pass the user credentials entered by the mobile application user to the REST service. Note though that you cannot use Propagate Current User Identity while you develop and test the mobile application in Oracle Visual Builder using the Page Designer’s Live and Design modes or run it in a separate browser tab. For these scenarios, temporarily use one of the following authentication mechanisms for the REST service connection:

  • Basic
  • Client Credentials OAuth 2.0
  • Resource Owner OAuth 2.0

Once you complete testing the mobile application in Oracle Visual Builder and are ready to install it on a device, switch the authentication mechanism that the REST service connection(s) in the mobile application use back to Propagate Current User Identity.

REST services that permit anonymous access can be accessed from a mobile application that uses Basic as its authentication mechanism if the REST service connection in the mobile application is configured to use Direct (Bypass Authentication Proxy) as the authentication mechanism.

Basic authentication is not a supported option for mobile apps that enable PWA support.