Securing the Application

In addition to securing access to your application with user credentials, you can use application roles to secure data at the level of the page, the component and the business object.

Enabling Role-Based Security

You can limit access to your staged or published application by requiring users to sign in with the credentials of their Oracle Cloud Account.

To configure the security for your application you must choose the user authentication policy. The policy you choose will determine if anonymous users can access the application and if roles can be assigned to authenticated users. You must select the Require authentication option in the Access panel to use role-based security in your application.


Description of security-roles1a.png follows
Description of the illustration security-roles1a.png

The following table describes the authentication options for your application. You must select at least Require authentication or Allow anonymous access.

Authentication Option Description Behavior
Require authentication

When this option is selected, users can sign in using their Oracle Cloud Account credentials. Signed in users are assigned the role Authenticated User. Signed in users can also be assigned other application roles.

This option must be selected to enable user roles and role-based security in the application.

When Require authentication is selected and Allow anonymous access is deselected, all users must sign in and be authenticated.

Allow anonymous access

When this option is selected, users are not required to sign in.

In some cases this option will be unavailable because the terms of your service subscription do not permit anonymous access to your applications.

When Allow anonymous access is selected and Require authentication is deselected, all users have equal access to all pages in the application and have the same privileges.

If Require authentication is selected, users that are not signed in are assigned the role Anonymous User. Signed in users are assigned the Anonymous User AND Authenticated User.

Enable basic authentication for business object REST APIs

When this option is selected, other applications can access the REST APIs of the application’s business objects using basic authentication.

 

Note:

Access to web services consumed by your application can be enabled using Basic Auth. When a user successfully signs in to your application with an authorized user name and password, the authorization to call the web services is provided by the credentials of the application instead of the credentials of the user. Your application must require an initial login to use this method for authorization.

To configure access options for your application:

  1. Open the Security page under Application Settings.
    The Security page displays the roles and security settings for your application.
  2. Select the access options for the application in the Access panel.
    You can choose Require authentication, Allow anonymous access, or both. If you enable both options for your application, users can choose to sign in to the application or use the application anonymously.
    Description of security-roles-access.png follows
    Description of the illustration security-roles-access.png

    The Roles panel is displayed in the page when the Require authentication option is selected. The Roles panel displays a list of current user roles. You can create custom application roles to secure pages, components and objects in your application. User roles and role-based security are not available if the Require authentication option is deselected.

Important:

The changes that you make to authentication and security are only applied after you stage the application. The versions of your application that are currently staged or published are unaffected.

About Authentication and User Roles

You can secure access to pages, components and business objects by creating application roles that are assigned to authenticated users.

When developing an application, access to pages, components and business objects in the application can be secured with application roles assigned to end users. If the authentication option is enabled for your application in the Access panel, every application user is automatically granted the role of either Anonymous User or Authenticated User.

Additionally, authenticated users can have application roles assigned to them based on the enterprise roles assigned to them in the Oracle PaaS identity provider.


Description of security-roles1.png follows
Description of the illustration security-roles1.png

The Roles panel in the Security page displays a list of the roles used in the application. You cannot modify the properties of the default authentication roles Anonymous User and Authenticated User, but you can add, remove and edit application roles.

Authentication Roles

All application users are automatically assigned one or more of the authentication roles. If access to the application requires authentication, all users are automatically granted the role Authenticated User when they sign in. If anonymous access to the application is also allowed, users that sign in are granted the Authenticated User role AND the Anonymous User role. Users who are not signed in are only granted the Anonymous User role.

Authentication Role Description
Anonymous User

All users who access a Visual Builder application are assigned this role when anonymous access to the application is enabled.

Authenticated User

All users who access a Visual Builder application are assigned this role after they sign in. An authenticated user can see all components and manage business objects unless access to the component or object is explicitly disabled for the Authenticated User role.

All developers are assigned this role by default.

Application Roles

You can use application roles for securing access to individual pages, components and business objects in your application. Application roles are mapped to existing user roles in the identity domain. You use application roles to ensure that users assigned the same user role in the Oracle PaaS identity provider are granted equal access in your application. Application developers can create and edit application roles, but only identity domain administrators can create the user roles in the identity domain. It is the responsibility of the identity domain administrator to assign and maintain user roles in the identity provider. All user authentication is delegated to the identity provider.

For example, when a user attempts to access a page secured by an application role, the roles assigned to the user are authenticated in the identity provider. The user is granted access if one of the application roles securing the page is mapped to one of the user’s roles in the identity provider.

Note:

By default, Authenticated Users can access all objects and components in your application. To thoroughly enable role-based security you must explicitly specify authentication or visibility for an object and disable access for the Authenticated User role.

Security based on roles is disabled by default. To enable role-based security you must configure the specific page, component or business object. The following table describes where to set the role-based security settings for pages, components and objects.

Application Objects Description
Pages

You can set role-based access for individual pages in the Security page of Application Settings.

Components

You can set role-based visibility of a component in the Roles tab of the Page Designer

Business Objects

You can set role-based security and privileges for viewing, creating, updating and deleting objects in the Security tab of the object in the Data Designer.

Managing Application Roles

You can create, edit and remove the application roles used to secure access to objects and components in your application.

You can create an application role for each user role in the Oracle PaaS identity provider that you think you might want to use in your application. You can also edit an existing application role to change the user role mapped to the application role. When securing access to an object or a page, you specify the application roles that can access the object.

To create an application role:

  1. Open the Security page under Application Settings.
    The Security page displays the roles and security settings for your application.
  2. Enable Require Authentication in the Access pane.
  3. Click New Role in the Roles pane.
    You will use the Create Role dialog box to map an application role to a user role in the identity provider.
    Description of security-roles2.png follows
    Description of the illustration security-roles2.png
  4. Type the Application Role Name.
    This is the name that is used in the Visual Builder UI when you select security roles.
  5. Select a user role in the Maps to dropdown list. Click Create.
    The list displays the user roles defined in the identity domain. The list of user roles is created by the identity domain administrator.

Securing Access to Pages

Application roles can be used to secure access to individual pages in your application. Roles are assigned to pages in the Security page of Application Settings.

When authenticated access to your application is enabled, you can set access privileges for individual pages based on the application roles of users. When you secure access to a page with a role, the security setting for the page also applies to links and buttons that direct to that page. For example, you might want to use role-based authentication to secure access to an Edit page, but not require any authentication to access the application’s Home page. Links to the Edit page from the Home page will only be visible to authenticated users with roles granted access to the Edit page.

To secure access to a page:

  1. Open the Security page under Application Settings.
    The Security page displays the roles and security settings for your application.
  2. In the Pages panel, enable role-based authentication for a page by selecting the page’s Authentication Required checkbox.
    The Pages panel lists each page in your application and the roles that can access the page.
    Description of security-pages1.png follows
    Description of the illustration security-pages1.png

    If you enable Authentication Required for a page, you must supply at least one role. A page is accessible to all users if the page’s Authentication Required checkbox is not selected.

  3. Start typing in the Role text area for the page and select a user role from the dropdown list.

    Description of security-pages2.png follows
    Description of the illustration security-pages2.png

    You can choose Authenticated User if you want all signed in users to have access to the page, or you can choose a custom role.

    Note:

    To secure access to a page, you might want to remove the Authenticated User role and only add the roles that you want to grant access. If the Authenticated User role is granted access to a page, all users that sign in to the application will be able to access the page.

Securing Business Objects

Application roles can be used to secure the data stored in business objects.

By default, the business objects in your application are accessible to all users that can access the application. To secure the data stored in objects you can use application roles to restrict a user’s access to view, create, update and delete operations. For custom business objects, you can configure role-based access for the individual operations. For business objects exposing an external service, you can only grant access to all operations or none. For external business objects it is not possible to configure access rights to operations individually.

When access to an operation is disabled for a particular role, the corresponding action is removed from the page when a user with that role is viewing the business object. For example, if you disable access to the Update operation for the role Sales Manager, the Edit action is removed from the Actions menu in the table when Sales Manager is viewing the table in a page. A role that is not granted View access to a business object will see a message that they do not have permission to see the data when they attempt to view the table for the business object.

To enable role-based security for a business object:

  1. Open the Business Objects page in the Data Designer.
  2. Select the business object you want to secure.
  3. Open the Security tab of the business object.
  4. Click Role-based security to enable security for the object.
    When you enable role-based security for a business object, you see a matrix of the existing application roles and the business operations that can be performed. By default, when you enable security all existing application roles are permitted to perform all operations. If you create a new application role, permission to perform operations are disabled for the new application role and must be enabled manually.
  5. Select the operations that can be performed by each application role.

    When configuring security for custom business objects, you can enable or disable permission for each operation.


    Description of security-bo2.png follows
    Description of the illustration security-bo2.png

    When configuring security for business objects for an external service, you can only enable or disable permission for all operations or for none.


    Description of security-bo3.png follows
    Description of the illustration security-bo3.png

    Tip:

    You can further define security at the row level and limit row access to the user who created the row. To specify which users the rule applies to, select the user role or roles in the table and then select "View allowed only if user also created row". The security rule will be applied to users assigned that role.

    Description of security-row-based.png follows
    Description of the illustration security-row-based.png

Securing Access to Components

User roles can be used to secure access to individual components on pages.

By default, all components in a page are visible to all users. You can set the visibility of a component based on the role of the user visiting the page. For example, you can hide an image on a page from users that are not signed in.

To hide a component based on a user role:

  1. In the Page Designer, open page that contains the component that you want to hide.
  2. Select the component on the canvas.
  3. Open the Roles tab in the Property Inspector.
    You use the Roles tab to set the Visibility property of the component.
    Description of security-component1.png follows
    Description of the illustration security-component1.png
  4. Select a role in the dropdown list.
  5. Disable Visibility to hide the component from the selected role.
    You can set the Visibility property for each role in your application. The component must be visible to at least one role.
After you set the visibility, you can use the Who Am I? role selector to select a role to use when previewing the page in the Page Designer. See Activating Role-Based Application Preview.