Secure an Application in Oracle Visual Builder
You can secure the access to your application with user credentials, and create user roles to secure data at the level of the flow and the business object.
About Authentication and User Roles
You use authentication to manage access to the pages and data in your application. In addition to the default authentication roles, you can assign user roles to end users to secure access to page flows and business objects.
Every web and mobile app user is automatically granted the role of either anonymous user or authenticated user. Additionally, authenticated users can be assigned user roles based on the enterprise roles assigned to them in the Oracle platform as a service (PaaS) identity provider.
All application users are automatically assigned one or more of the authentication roles. If access to the application requires authentication, all users are automatically granted the Authenticated User role when they sign in. If anonymous access to the application is also allowed, users who sign in are granted both the Authenticated User role and the Anonymous User role. Users who aren't signed in are granted only the Anonymous User role.
Authentication Role | Description |
---|---|
Anonymous User | All users who access a Visual Builder application are assigned this role when anonymous access to the application is enabled. |
Authenticated User | All users who access a Visual Builder application are assigned this role after they sign in. An authenticated user can see all components and manage business objects unless access to the flow or object is explicitly disabled for the Authenticated User role. All developers are assigned this role by default. |
You use user roles to secure access to individual page flows and business objects in your application. User roles are mapped to existing user roles in the identity domain. The application’s user roles ensure that users assigned the same user role in the Oracle PaaS identity provider are granted equal access in your application. A developer can create and edit user roles, but only identity domain administrators can create the user roles in the identity domain. It's the responsibility of the identity domain administrator to assign and maintain user roles in the identity provider. All user authentication is delegated to the identity provider. You define the user roles for the visual application in the User Roles tab of the application’s Settings dialog box.
For example, when a user attempts to access a page in a flow secured by a user role, the roles assigned to the user are authenticated in the identity provider. The user is granted access if one of the user roles securing the page flow is mapped to one of the user’s roles in the identity provider.
By default, authenticated users can access all objects and components in your application. For role-based security to take full effect, you must explicitly specify authentication or visibility for an object and disable access for the Authenticated User role.
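The role rules described above can be modelled in a few lines. This is an added example, not Oracle's code or the Visual Builder API: the object shapes, the role names (`Manager`, `HR_MANAGER`, `HR_CLERK`) and the artifact names are hypothetical, and the behaviour with role-based security turned off is an assumption taken from the stated default. It shows why leaving the Authenticated User role enabled on a secured artifact lets every signed-in user through.

```javascript
// Added model of the rules described above; not Oracle's implementation.
const ANONYMOUS = "Anonymous User";
const AUTHENTICATED = "Authenticated User";

// Authentication roles, as stated: signed-in users get Authenticated User;
// anyone gets Anonymous User when anonymous access is enabled.
function authenticationRoles(signedIn, allowAnonymousAccess) {
  const roles = [];
  if (signedIn) roles.push(AUTHENTICATED);
  if (allowAnonymousAccess) roles.push(ANONYMOUS);
  return roles;
}

// A signed-in user holds an application user role when the identity
// provider role it is mapped to is among the user's identity provider roles.
function effectiveRoles(user, app) {
  const roles = authenticationRoles(user.signedIn, app.allowAnonymousAccess);
  if (!user.signedIn) return roles;
  for (const [appRole, idpRole] of Object.entries(app.roleMap)) {
    if (user.idpRoles.includes(idpRole)) roles.push(appRole);
  }
  return roles;
}

// Assumption: with role-based security off, the artifact is open to
// Authenticated User only (the default the text describes).
function canAccess(user, app, artifact) {
  const allowed = artifact.roleBasedSecurity ? artifact.allowedRoles : [AUTHENTICATED];
  return effectiveRoles(user, app).some((role) => allowed.includes(role));
}

// Audit helper: artifacts that enable role-based security but still allow
// Authenticated User, so every signed-in user passes regardless of user role.
function openToAllSignedIn(artifacts) {
  return artifacts
    .filter((a) => a.roleBasedSecurity && a.allowedRoles.includes(AUTHENTICATED))
    .map((a) => a.name);
}

// Constructed sample configuration and users (hypothetical names).
const app = { allowAnonymousAccess: false, roleMap: { Manager: "HR_MANAGER" } };
const artifacts = [
  { name: "payroll-flow", roleBasedSecurity: true, allowedRoles: ["Manager", AUTHENTICATED] },
  { name: "Salary", roleBasedSecurity: true, allowedRoles: ["Manager"] },
];
const clerk = { signedIn: true, idpRoles: ["HR_CLERK"] };
const manager = { signedIn: true, idpRoles: ["HR_MANAGER"] };
console.log(canAccess(clerk, app, artifacts[0]), openToAllSignedIn(artifacts));
```

In the sample, the clerk reaches `payroll-flow` without the `Manager` role because Authenticated User is still allowed there, which is the gap the audit helper reports.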
Security based on roles is disabled by default. To enable role-based security, you must configure the application, flow, or business object. This table describes where to set the role-based security settings for applications, flows, and business objects.
Application Objects | Description |
---|---|
Application | You can set role-based access for web and mobile applications in the Security tab of the Settings editor of the application artifact. |
Flows | You can set role-based access for page flows in the Security tab of the Settings editor of a flow artifact. |
Business objects | You can set role-based security and privileges for viewing, creating, updating, and deleting objects in the Security tab of the object in the Business Object editor. |
Manage User Roles and Access
You can create, edit, and remove the user roles used to secure access to flows and business objects in your application.
You can create a user role for each user role in the Oracle PaaS identity provider that you want to use in your application. The User Roles tab in the Settings dialog box is used to map an application’s user role to a user role in the identity provider. You can also edit existing application user roles to change the role in the identity provider it's mapped to. When securing access to a flow or business object, you specify the user roles that can access the object. After you create a user role, you can set the access privileges for the role in the Security tab of each business object that has role-based security enabled.
The User Roles tab also contains the following access options for your visual application:
- Allow anonymous access. When selected, anonymous users are allowed to access all service connections, and access for the anonymous user role can be configured for a business object by enabling role-based security for the business object.
- Enable basic authentication for business object REST APIs. When selected, other clients can access the REST APIs of the application’s business objects using basic authentication.
To create a user role in your visual application: