Authentication Roles Versus User Roles

You use authentication roles to manage access to the pages and data in your application. In addition to the default authentication roles, you can fine tune access to your application's resources by creating user roles and assigning authenticated users to them.

All app users are automatically assigned either the Anonymous User or Authenticated User authentication role. When access to the app requires authentication (default), all users are granted the Authenticated User role when they sign in. If anonymous access to the app is allowed, users are granted the Anonymous User role. You can use these roles when granting permissions to operations on business objects when role-based security is enabled. Here's a table that describes the two authentication roles:
Authentication Role: Authenticated User
Description: All users who access VB Studio applications are assigned this role after they sign in. An authenticated user can see all components and manage business objects, unless access to the object is explicitly disabled for the Authenticated User role. All developers are assigned this role by default.

Authentication Role: Anonymous User
Description: All users who access VB Studio applications are assigned this role when anonymous access to the application is enabled. An anonymous user cannot access data stored in the application's business objects or retrieved from services, unless anonymous access is explicitly enabled for the Anonymous User role.

When your app requires authentication, you can further control access to business objects and data in your application through user roles. The application’s user roles ensure that users assigned the same role or group in the identity provider are granted equal access in your application. You define user roles in the User Roles tab of your application’s Settings editor. See Manage User Roles and Access.

As a developer, you can assign users or groups in the identity domain to a user role in your visual application, but only identity domain administrators can add users to the identity domain. It is the responsibility of the identity domain administrator to add users to groups and maintain them in the identity provider. Administrators manage groups using Oracle Identity Cloud Service (IDCS), or use Oracle Shared Identity Manager (SIM) to manage roles for services using a Traditional Cloud Account. All user authentication is delegated to the identity provider.

Note:

If you want to federate IDCS with your existing identity provider, see Federating with Identity Providers.

You can also choose to override the default security provider that an app is using by creating your own security provider that maps to a third-party provider. Note that this might affect functionality such as identity propagation to REST service calls. See Security Provider.

When a user attempts to access data in a business object secured by a user role, the roles and groups assigned to the user are verified with the identity provider. The user is granted access if at least one of the user roles securing the business object is mapped to one of the roles or groups the user has been assigned in the identity provider. Role-based security is disabled by default. You can enable role-based security and set privileges for viewing, creating, updating and deleting objects in the Security tab of the business object in the Business Objects editor. See Secure Business Objects.

Note:

By default, Authenticated Users can access all objects and components in your application. To fully enforce role-based security, you must explicitly grant access to, or visibility of, an object to a user role and disable access for the Authenticated User authentication role; otherwise every signed-in user keeps access regardless of the user roles you add.
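The access decision described above, and the effect of leaving the Authenticated User role enabled, as an added example (not Visual Builder code). The role, group and user names, the role-to-group mapping, and the per-operation security shape are constructed for illustration; it assumes "Anonymous User" matches unauthenticated principals and "Authenticated User" matches signed-in ones.

```javascript
// Added example, not Visual Builder code: a model of the access decision for a
// role-secured business object. All names below are constructed.

// User roles as defined in the User Roles tab, each mapped to identity
// provider groups or individual users (constructed mapping).
const USER_ROLE_MAPPINGS = {
  "Expense Approver": ["finance-approvers"],
  "Auditor": ["audit-team", "alice@example.com"],
};

// principal: { id, authenticated, groups } as reported by the identity provider.
// objectSecurity: { view: [...roles], create: [...], update: [...], delete: [...] }
// Assumption: "Anonymous User" applies to unauthenticated principals and
// "Authenticated User" to signed-in ones; any other entry is a user role.
function isAllowed(objectSecurity, operation, principal) {
  const allowedRoles = objectSecurity[operation] || [];
  return allowedRoles.some((role) => {
    if (role === "Anonymous User") return !principal.authenticated;
    if (role === "Authenticated User") return principal.authenticated;
    if (!principal.authenticated) return false;
    const members = USER_ROLE_MAPPINGS[role] || [];
    // Granted if the user, or any group the user belongs to, maps to the role.
    return members.includes(principal.id) || principal.groups.some((g) => members.includes(g));
  });
}

// Default left in place: Authenticated User still allowed on delete, so the
// added user role changes nothing for signed-in users.
const WEAK_EXPENSE_SECURITY = {
  view: ["Authenticated User"],
  delete: ["Authenticated User", "Expense Approver"],
};

// Role-based security actually enforced: Authenticated User removed from delete.
const HARDENED_EXPENSE_SECURITY = {
  view: ["Authenticated User"],
  delete: ["Expense Approver"],
};

const clerk = { id: "bob@example.com", authenticated: true, groups: ["clerks"] };
const approver = { id: "carol@example.com", authenticated: true, groups: ["finance-approvers"] };
const visitor = { id: null, authenticated: false, groups: [] };

// Who may delete an Expense under each configuration.
function deleteDecisions() {
  return {
    weak: { clerk: isAllowed(WEAK_EXPENSE_SECURITY, "delete", clerk),
            approver: isAllowed(WEAK_EXPENSE_SECURITY, "delete", approver) },
    hardened: { clerk: isAllowed(HARDENED_EXPENSE_SECURITY, "delete", clerk),
                approver: isAllowed(HARDENED_EXPENSE_SECURITY, "delete", approver),
                visitor: isAllowed(HARDENED_EXPENSE_SECURITY, "delete", visitor) },
  };
}

console.log(JSON.stringify(deleteDecisions(), null, 2));
```

The weak configuration shows every signed-in user, not only approvers, still deleting; the hardened one restricts delete to the mapped group while view stays open to all authenticated users.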