20.3.1 Understanding Access Control

Adding the Access Control feature to an application, creates multiple pages and the following components: an Access Control region, access roles, authorization schemes, a build option, and an Application Setting. About Adding Access Control

Running the Access Control Wizard creates multiple pages and the following components:

  • Adds an Access Control region to the Administration page you specify.

  • Creates the access roles: Administrator, Contributor, and Reader.

  • Creates the authorization schemes: Administration Rights, Contribution Rights, and Reader Rights.


    When you add a new Access Control to an existing application, these authorization schemes are only be created if the names do not exist.  For example, if Administration Rights already exists (case sensitive comparison), the wizard will not recreate. Instead, the Access Control page will re-use the existing authorization scheme.

  • Creates the build option, Feature: Access Control.

  • Creates the Application Setting, ACCESS_CONTROL_SCOPE.

Developers use the access control list to associate the privileges, view, edit, and administration, with application users. Within the final Access Control UI, each privileges correlates to an access role:
  • View correlates to the Reader role.

  • Edit correlates to the Contributor role.

  • Administration correlates to the Administrator role. About Access Control Authorization Schemes

When you add the Access Control feature to an application, the PL/SQL Body Wizard creates the following authorization schemes:

  • Administration Rights – This authorization scheme checks if the current user in the application is assigned ADMINISTRATOR role.

         p_user_name => :APP_USER, 
         p_role_static_id => 'ADMINISTRATOR');
  • Contribution Rights – This authorization scheme checks if the current user in the application is assigned the ADMINISTRATOR role or the CONTRIBUTOR role.

    if apex_acl.has_user_role (
      p_user_name => :APP_USER, 
      p_role_static_id => 'ADMINISTRATOR') or
      apex_acl.has_user_role (
        p_user_name=> :APP_USER,
        p_role_static_id=> 'CONTRIBUTOR') then
        return true;
        return false;
    end if;
  • Reader Rights – This authorization scheme returns TRUE if the access control is configured to allow any authenticated user access the application.  If this behavior is not allowed, it checks if the current user in the application is assigned to any application role.

    if nvl(apex_app_setting.get_value(
       p_name => 'ACCESS_CONTROL_SCOPE'),'x') = 'ALL_USERS' then
        -- allow user not in the ACL to access the application
        return true;
        -- require user to have at least one role
        return apex_acl.has_user_any_roles (
            p_application_id => :APP_ID, 
            p_user_name      => :APP_USER);
    end if; About Configuring Access Control

Once you add the Access Control feature, you configure it by running the application and accessing the Access Control region on the Administration page.

The Access Control region lists currently defined access roles and contains two sections: Users and Access Control.


Click Users to add new users, change a user’s role, or disable access control by locking an account.


You add additional roles and configure role assignments on the Shared Components, Application Access Control page. See "Managing Roles and User Assignments."

Access Control

Click Access Control to specify the behavior when authenticated users access the application.

For Any authenticated user may access this application, select one of the following:

  • No - Select No if all users must be defined in the access control list.

  • Yes - Select Yes to enble authenticated users not in the access control list to use the application. About Exporting an Application with Access Control

When your export an application with the Access Control feature, the application roles, Administrator, Contributor, and Reader, are exported.  However, the users assigned to these roles are not exported. If you deploy a exported application with the Access Control feature, navigation menu entry for Administration page will not display. When you deploy an application with Access Control feature, your can add user roles as needed by going to Shared Components, Application Access Control.  If the application is being deployed in a runtime environment, you can add user roles using APEX_ACL API.  For example, the following example adds the user name 'SCOTT' as Administrator in application 255:

        p_application_id => 255,
        p_user_name      => 'SCOTT',
        p_role_static_id => 'ADMINISTRATOR' );

You can also execute the APEX_ACL API from the command line or create an install script in application supporting objects.