20.5.2 Creating and Editing an Authorization Scheme

Learn how to create and edit an authorization scheme. Before you can attach an authorization scheme to an application or an application component or control, you must first create it.

• About Authorization Scheme Types
  Select an authorization scheme type when you create an authorization scheme.
• Creating an Authorization Scheme
  Create an authorization scheme on the Shared Components page.
• Editing Attributes of an Existing Authorization Scheme
  Edit attributes of an existing authorization scheme.
• Changing the Evaluation Point Attribute
  Control when an authorization scheme is validated using the Evaluation Point, Validate authorization scheme attribute.
• About Resetting Authorization Scheme State
  Call an API to reset a session's authorization scheme state.

20.5.2.1 About Authorization Scheme Types

Select an authorization scheme type when you create an authorization scheme.

The authorization scheme type determines how an authorization scheme is applied. Developers can create new authorization type plug-ins to extend this list.

Table 20-1 Authorization Scheme Types

Authorization Scheme Types	Description
Exists SQL Query	Enter a query that causes the authorization scheme to pass if it returns at least one row and causes the scheme to fail if it returns no rows
NOT Exists SQL Query	Enter a query that causes the authorization scheme to pass if it returns no rows and causes the scheme to fail if it returns one or more rows
PL/SQL Function Returning Boolean	Enter a function body. If the function returns true, the authorization succeeds.
Item in Expression 1 is NULL	Enter an item name. If the item is null, the authorization succeeds.
Item in Expression1 is NOT NULL	Enter an item name. If the item is not null, the authorization succeeds.
Value of Item in Expression 1 Equals Expression 2	Enter and item name and value.The authorization succeeds if the item's value equals the authorization value.
Value of Item in Expression 1 Does NOT Equal Expression 2	Enter an item name and a value. The authorization succeeds if the item's value is not equal to the authorization value.
Value of Preference in Expression 1 Does NOT Equal Expression 2	Enter an preference name and a value. The authorization succeeds if the preference's value is not equal to the authorization value.
Value of Preference in Expression 1 Equals Expression 2	Enter an preference name and a value. The authorization succeeds if the preference's value equal the authorization value.
Is In Group	Enter a group name. The authorization succeeds if the group is enabled as a dynamic group for the session. See "APEX_AUTHORIZATION.ENABLE_DYNAMIC_GROUPS" in Oracle Application Express API Reference. If the application uses Application Express Accounts Authentication, this check also includes workspace groups that are granted to the user. If the application uses Database Authentication, this check also includes database roles that are granted to the user.
Is Not In Group	Enter a group name. The authorization succeeds if the group is not enabled as a dynamic group for the session.

20.5.2.2 Creating an Authorization Scheme

Create an authorization scheme on the Shared Components page.

To create an authorization scheme:

1. On the Workspace home page, click the App Builder icon.

2. Select an application.

3. On the Application home page, click Shared Components.

   The Shared Components page appears.

4. Under Security, select Authorization Schemes.

5. Click Create.

6. Specify how to create an authorization scheme by selecting one of the following:

   • From Scratch

   • As a Copy of an Existing Authorization Scheme

7. On Create Authorization Scheme - Details:

   1. Name - Enter an unique name that identifies this authorization scheme.

   2. Scheme Type - Select how this authorization scheme will be applied. See "About Authorization Scheme Types."

   3. Identify error message displayed when scheme violated - Enter error text that displays if the authorization scheme fails (that is, the current user fails the security check).

   4. Validate Authorization Scheme - Authorization schemes are evaluated on first use in a session. Use this option to controls if future uses cause re-evaluations and when a memorized result can be taken instead.

   For more details, see field-level Help.

8. Click Create Authorization Scheme.

See Also:

• "Attaching an Authorization Scheme to an Application, Page, or Components"

• "Changing the Evaluation Point Attribute"

• "About Resetting Authorization Scheme State"

20.5.2.3 Editing Attributes of an Existing Authorization Scheme

Edit attributes of an existing authorization scheme.

To edit attributes of an existing authorization scheme:

1. On the Workspace home page, click the App Builder icon.
2. Select an application.
3. On the Application home page, click Shared Components.

   The Shared Components page appears.

4. Under Security, select Authorization Schemes.

   The Authorization Schemes page appears. By default, each scheme displays as an icon. You can customize the appearance the page using the Search bar at the top of the page.

5. Select an authorization scheme.
6. Edit the appropriate attributes.

   To learn more, see field-level Help.

7. To save your changes, click Apply Changes.

20.5.2.4 Changing the Evaluation Point Attribute

Control when an authorization scheme is validated using the Evaluation Point, Validate authorization scheme attribute.

Authorization schemes are evaluated on first use in a session. The Validate authorization scheme attribute controls if future uses cause re-evaluations and when a memorized result can be taken instead.

To change the authorization scheme evaluation point:

1. On the Workspace home page, click the App Builder icon.
2. Select an application.
3. On the Application home page, click Shared Components.

   The Shared Components page appears.

4. Under Security, select Authorization Schemes.

   The Authorization Schemes page appears.

   By default, each scheme displays as an icon. You can customize the appearance the page using the Search bar at the top of the page.

5. Select an authorization scheme.
6. Scroll down to Evaluation Point and edit the Validate authorization scheme attribute. Options include:

   • Once per session - Evaluate only once and always use the memorized result afterwards.

   • Once per page view - Evaluate once for each request that is processed. Use the memorized result if the authorization scheme is referenced in more than one component on the page.

   • Once per component - Evaluate once for each component that references the authorization scheme, but save the result in the session. Further requests to render or process the scheme use the result that was memorized for the component.

   • Always (No Caching) - The authorization scheme will always be evaluated.

   To learn more, see field-level Help.

7. To save your changes, click Apply Changes.

Tip:

The default value Once per session is the most efficient. You should choose another value if the authorization check depends on changing session state or other factors that are not consistent over an entire session.

20.5.2.5 About Resetting Authorization Scheme State

Call an API to reset a session's authorization scheme state.

If an authorization scheme is validated once for each session, Oracle Application Express caches the validation results in each user's session cache. You can reset a session's authorization scheme state by calling the APEX_AUTHORIZATION.RESET_CACHE API.

See Also:

"APEX_AUTHORIZATION.RESET_CACHE Procedure" in Oracle Application Express API Reference