Authorization is the process of determining whether an authenticated (identified) user is permitted to access a resource or perform an operation. It is based on the set of privileges or roles assigned to the user. For example, in an Oracle database an administrator has the privilege to schedule jobs, while an ordinary user does not.
How is Authorization different from Authentication?
Authentication and Authorization usually work together; in other words, Authorization follows Authentication.
Authentication answers: Who are you?
Authorization answers: What are you allowed to do?
How to implement Authorization in APEX?
Authorization schemes are created and managed in Shared Components > Authorization Schemes (Security section). An authorization scheme can be assigned to a page, a region, a button, a page item, navigation tabs or processes. When evaluated it returns either true or false.
To explain APEX Authorization, I will walk through a simple example in the Person Details Demo application. In the previous article I implemented Authentication and added two users, a2f_admin and a2f_user; a2f_admin has ADMIN_FLAG set to 'Y' in the DEMO_USERS table.
My scenario is:
- a2f_admin can create, delete, edit and view persons.
- a2f_user can only view persons and has no privilege to create, delete or edit them.
Steps to implement the above scenario:
- Go to Shared Components > Authorization Schemes (Security section). Create an authorization scheme from scratch.
- Enter a name for the authorization scheme. To identify the admin user I check whether the user has ADMIN_FLAG set to 'Y' in the DEMO_USERS table, so I use the scheme type 'Exists SQL Query' with the SQL below. v('APP_USER') returns the name of the logged-in user.
-- Returns a row only for users whose ADMIN_FLAG is 'Y'; the scheme passes when at least one row is returned.
select 1 from demo_users
where user_name = v('APP_USER')
and admin_flag = 'Y'
- An error message must also be entered; it is displayed when the authorization check fails.
- Once the authorization scheme is created, it can be assigned to a page, region or page item. Since only the admin user should create persons, I navigate to Search Person (Pg 1) and assign the 'Admin_Only' authorization scheme to the Create button.
- Similarly, assign the authorization scheme to the Edit and Delete report columns.
- Apply Changes and run the application. The screenshots below show that Create, Edit and Delete are not shown for the 'a2f_user' user.
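The steps above depend on the DEMO_USERS table from the previous article. The following SQL*Plus script is an added example, not part of the tutorial or the packaged application: it creates a minimal DEMO_USERS table with two constructed rows for the tutorial's users, repeats the Admin_Only scheme query, and then runs the same predicate with a bind variable so the scheme logic can be checked outside an APEX session (where v('APP_USER') is null). The column names USER_NAME and ADMIN_FLAG and the stored case of the user names are assumptions.

```sql
-- Added example, not part of the original tutorial or its packaged application.
-- Minimal DEMO_USERS table plus two constructed rows for a2f_admin / a2f_user.
-- Assumptions: columns USER_NAME and ADMIN_FLAG; user names are stored in the
-- same case that the authentication scheme places into APP_USER.
create table demo_users (
  user_name   varchar2(100) primary key,
  admin_flag  varchar2(1)   default 'N' not null
              constraint demo_users_admin_flag_ck check (admin_flag in ('Y', 'N'))
);

insert into demo_users (user_name, admin_flag) values ('a2f_admin', 'Y');
insert into demo_users (user_name, admin_flag) values ('a2f_user',  'N');
commit;

-- The Admin_Only scheme query exactly as the 'Exists SQL Query' type evaluates
-- it inside APEX: the scheme passes when the query returns at least one row.
select 1
  from demo_users
 where user_name  = v('APP_USER')
   and admin_flag = 'Y';

-- Outside an APEX session v('APP_USER') returns null, so substitute a bind
-- variable for the session value to exercise the same predicate from SQL*Plus.
variable app_user varchar2(100)

exec :app_user := 'a2f_admin'
select 1 from demo_users
 where user_name = :app_user and admin_flag = 'Y';   -- one row: authorized

exec :app_user := 'a2f_user'
select 1 from demo_users
 where user_name = :app_user and admin_flag = 'Y';   -- no rows: not authorized

-- An authenticated user with no DEMO_USERS row also gets no rows, so the
-- scheme fails closed instead of granting access by default.
```

The comparison is case-sensitive, so the value the authentication scheme stores in APP_USER must match the case of USER_NAME in the table; if they can differ, compare upper() of both sides in the scheme query.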
So authorization is achieved by writing a simple SQL query and assigning the scheme to page components.
I could do the same thing with conditional display. Why choose Authorization?
Conditional rendering and processing control the display of a region or page item as well as the execution of processes, computations and validations. For example, you can render the Create button only when the user has ADMIN_FLAG set to 'Y', using a SQL condition similar to the one specified in the authorization scheme.
For page items, conditional display and authorization behave similarly. But a condition cannot be applied to a page or to the application itself, whereas an authorization scheme can.
Can I use Authorization scheme programmatically in a condition?
Yes. The API apex_util.public_check_authorization() returns whether an authorization scheme succeeds or fails. The Create button can be implemented using this API together with conditional display, as shown below.
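The two snippets below are an added example, not code from the tutorial or the packaged application. They re-use the scheme name Admin_Only that the tutorial creates; the DEMO_PERSONS table, the page item P2_PERSON_ID and the delete process are assumptions made for illustration. The first snippet is the Create button condition written against the API; the second shows the same check inside the process that actually deletes a row, because a scheme assigned to the Delete link only controls what is rendered.

```sql
-- Added example, not part of the original tutorial. Scheme name Admin_Only is
-- the tutorial's; DEMO_PERSONS, P2_PERSON_ID and the process are assumed.

-- 1) Rendering condition for the Create button on Search Person (Pg 1).
--    Condition Type: "PL/SQL Function Body Returning a Boolean".
--    Gives the same result as assigning the Admin_Only scheme to the button.
return apex_util.public_check_authorization('Admin_Only');

-- 2) Guard inside the page process that performs the delete.
--    Hiding the Delete link only affects rendering; the process that deletes
--    must evaluate the same scheme so that a request reaching it without
--    the link is stopped and reported.
declare
  l_authorized boolean;
begin
  l_authorized := apex_util.public_check_authorization('Admin_Only');
  if not l_authorized then
    raise_application_error(-20001,
      'User ' || v('APP_USER') || ' is not authorized to delete persons.');
  end if;

  delete from demo_persons            -- assumed table name
   where person_id = :P2_PERSON_ID;   -- assumed page item holding the id
end;
```

Since a scheme can also be assigned directly to a process, the explicit call is mainly useful where the process has to branch on the result rather than simply be skipped; either way the authorization decision is enforced on the server, not only in what the page displays.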
URL for the application:
My application can be accessed using the url http://apex.oracle.com/pls/apex/f?p=62577:1
My packaged applications are created with APEX version 3.2, so they can only be imported into APEX of the same version. This packaged application includes supporting objects, i.e. the table and sample data, along with the APEX application. You can import and run it without going through the steps above.
Download Tutorial 03 Packaged Application
Video for deploying a packaged application (2:41 min). This video also applies to deploying the packaged applications of my next articles.
The zip file contains the SQL files for the application (apex_tut03_app.sql) and the images (apex_tut03_img.sql).
You have seen how Authentication and Authorization provide additional security to the application.