11.8 Exploring Context for Authorization Rules

Depending on your authorization scheme's evaluation point, additional context information is available to write more generic, data-driven rules.

So far, you used authorization schemes with an evaluation point of Once per session and Once per page view. Rules evaluated only once per session are appropriate when the decision to grant or deny access relies only on the logged-in username and the roles or groups that user belongs to.

If the rule depends on information that might change during the user's session, then Once per page view rules using SQL or PL/SQL can reference standard bind variables for additional context information, such as:

  • APP_USER – Current logged-in username (or nobody if not logged in)
  • APP_ID – Current application ID
  • APP_ALIAS – Current application alias
  • APP_PAGE_ID – Current page ID
  • APP_PAGE_ALIAS – Current page alias
  • WORKSPACE_ID – Current workspace ID

If your authorization scheme uses an evaluation point of Once per component or Always (No Caching), then your SQL or PL/SQL can reference three additional bind variables:

  • APP_COMPONENT_TYPE – Dictionary view name containing current component
  • APP_COMPONENT_NAME – Name of the current component
  • APP_COMPONENT_ID – Unique ID of the current component in its dictionary view

This additional context information lets you design more generic, data-driven rules your app administrator might configure from an application settings page. If you do, for best performance consider caching the result for each unique combination of factors that affect the authorization decision.
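
The following sketch shows one way to build such a data-driven rule. It is an added example, not code from the original page or from Oracle. The tables demo_component_rules and demo_user_roles, their columns, and the deny-by-default behavior are assumptions made for illustration.

```sql
-- Hypothetical rule tables (names and columns are assumptions for this example).
-- An administrator page would maintain the rows in demo_component_rules.
create table demo_component_rules (
  app_id          number        not null,
  component_type  varchar2(128) not null,  -- compared with :APP_COMPONENT_TYPE
  component_name  varchar2(255) not null,  -- compared with :APP_COMPONENT_NAME
  required_role   varchar2(64)  not null,
  constraint demo_component_rules_pk
    primary key (app_id, component_type, component_name, required_role)
);

create table demo_user_roles (
  username   varchar2(255) not null,       -- compared with :APP_USER
  role_name  varchar2(64)  not null,
  constraint demo_user_roles_pk primary key (username, role_name)
);

-- Body of an authorization scheme of type "PL/SQL Function Returning Boolean"
-- with an evaluation point of Once per component, so that the three
-- component bind variables are available.
declare
  l_matches number;
begin
  select count(*)
    into l_matches
    from demo_component_rules r
    join demo_user_roles u
      on u.role_name = r.required_role
   where r.app_id         = :APP_ID
     and r.component_type = :APP_COMPONENT_TYPE
     and r.component_name = :APP_COMPONENT_NAME
     and u.username       = :APP_USER;

  -- A component with no rule row, or a user holding none of the required
  -- roles (including the unauthenticated user "nobody"), is denied.
  return l_matches > 0;
end;
```

Because a single scheme covers every component it is attached to, changing who can see a region or button becomes a row change in demo_component_rules rather than a change to the application definition.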