Authorization is a process of determining whether an authenticated/identified person is permitted to access a resource or do an operation. It is based on set of privileges or roles assigned to the user. For Example, In Oracle database, Administrator have privilege to schedule jobs, while an user cannot.
How is Authorization different from Authentication?
Often Authentication and Authorization work together. In other words, Authorization follows Authentication.
Authentication determines Who are you?
Authorization determines What you are allowed to do?
How to implement Authorization in APEX?
Authorization schemes are created/managed in Shared Components > Authorization Schemes (Security section). An Authorization scheme can be specified for a page or region or button or page item or navigation tabs or processes. It is evaluated to either true or false.
To understand APEX Authorization, I will illustrate a simple example in Person Details Demo application. I've implemented Authentication in previous article, where I added two users a2f_admin and a2f_user. a2f_admin user has Admin_Flag set to 'Y' in DEMO_USERS table.
My scenario is
- a2f_admin can create,delete,edit and view persons.
- a2f_user can only view persons and does not have privilege to create/delete/edit them.
Steps to implement the above scenario:
- Go to Shared Components > Authorization Schemes (Security section). Create authorization scheme from scratch.
- Enter name for authorization scheme. To identify admin user I will check if the user has ADMIN_FLAG set to 'Y' in DEMO_USERS table. So I use scheme type 'Exists SQL Query' and use below SQL. v('APP_USER') is used to fetch the logged in user name.
where user_name = v('APP_USER')
and admin_user = 'Y'
- Error Message has to be entered. It will be displayed if the scheme type fails.
- Once the authorization scheme is created, it can be specified to a page or region or page item. As I want only admin user to create persons, I navigate to Search Person (Pg 1) and assign 'Admin_Only' authorization scheme to create button.
- Similarly assign authorization scheme to edit, delete report columns.
- Apply Changes. Run the application. Below screenshots show how create/edit/delete are not shown for 'a2f_user' user.
So Authorization is achieved by writing to simple SQL query and specifying the scheme to page components.
I could do same thing with conditional display. Why choose Authorization?
Conditional Rendering and Processing helps control the display of a region or page item as well as execution of processes, computations and validations. For example, you can render create button only when the user has admin_flag set to 'Y', using similar SQL condition specified in authorization scheme creation.
Conditional display and Authorization acts similar for page items. But conditional display cannot be specified to page or application itself, while Authorization can be.
Can I use Authorization scheme programmatically in a condition?
Yes. You can use API apex_util.public_check_authorization() to check if Authorization scheme succeeds or fails. Create button can be implemented using this API and conditional display as shown below.
URL for the application:
My application can be accessed using the url http://apex.oracle.com/pls/otn/f?p=62577:1
Packaged Application:
My Packaged applications are created using APEX 3.2 version, you can only import them into APEX with same version. This packaged application has supporting objects i.e. table and sample data, along with apex application. You can import and run it without going through the above steps.
Download Tutorial 03 Packaged Application
Video for deploying packaged application (2:41 min). This video is applicable for deploying packaged applications for my next articles as well.
The zip file has sql files for application (apex_tut03_app.sql) and image (apex_tut03_img.sql).
You have seen how Authentication and Authorization provides additional security to the application.
Subscribe to this comment's feedwritten by Kishore Ryali , May 06, 2009
I built a sample page to demonstrate your requirement. http://apex.oracle.com/pls/otn/f?p=15944:20
You can use Column link parameters in Switch Responsibilities page(20) to set page items in Responsibility page (21). and conditionally display page items in page 21.
I used below steps for http://apex.oracle.com/pls/otn/f?p=15944:20
Responsibility page (Pg 21)
1. Add HTML Region with following Display Text page items with Labels.
P21_CURRENCY (Currency), P21_D1 (Display for Both), P21_D2 (Display for USD), P21_D3 (Display for CAD)
2. Add conditions with Condition Type PL/SQL Expression to P21_D2 and P21_D3.
P21_D2: 
21_CURRENCY = 'USD'
P21_D3: 21_CURRENCY = 'CAD' Switch Responsiblities page (Pg 20)
1. Add report region with SQL
select 1 resp_id, 'US Superuser' resp_name, 'USD' currency from dual
Union All
select 2 resp_id, 'Canada Superuser' resp_name, 'CAD' currency from dual
2. Add column link (No header text) with following parameters
Link Text: #RESP_NAME#
Target Page: 21
Item1: P21_CURRENCY , Value1: #CURRENCY#
Item1: P21_RESP_ID , Value1: #RESP_ID#
Item1: P21_RESP_NAME , Value1: #RESP_NAME#
Kishore
written by Anil Passi- , May 07, 2009
Congrats for this very well written article.
Thanks,
Anil Passi
written by Rad , August 31, 2009
Thanks
written by Sam Hall , September 16, 2009
Wrapping APEX_UTIL.PUBLIC_CHECK_AUTHORIZATION in a function that returns a Y or N for use in a where clause didn't work as it appears PUBLIC_CHECK_AUTHORIZATION writes some auditing information because I get "ORA-14551: cannot perform a DML operation inside a query". Do you have any ideas on this?
Nice to see this article.
I have a question here, say in a real time scenario where i have multipe operating units like one for US one for Canada, there when a user logins in US responsibility i have to default the currency to US $ and when user logins with Canadain Responsibility i have to defualt it with Canada $ how do i do that? And if i have to conditionally show some item or region onthe page depending onthe responsibility how do i do this...?
Thanks
Abdul.