Oracle Technology Network

Adding Security to your Database Application Using Oracle Application Express 4.0


Purpose

This tutorial shows you how to add security to your application using Oracle Application Express.

Time to Complete

Approximately 40 minutes.

Prerequisites

Before you perform this tutorial, you should:

1. Perform the Manipulating Database Objects Using Application Express 4.0 tutorial.

2. Perform the Creating and Running a Database Application Using Application Express 4.0 tutorial.

3. Perform the Adding Additional Components to your Existing Database Application tutorial.

Creating Users 

As mentioned earlier, this application uses Oracle Application Express Authentication. To create new users, you use the functions already available in Oracle Application Express. Application Express 4.0 allows you to create users in bulk.

You create some new users and then in the next topic you restrict access to certain areas of the application to certain people. To do this, perform the following steps:

1. Click the down arrow next to Administration, and select Manage Users and Groups.

2. Click Create User.

3. Enter the following information. Hint: Make sure there are no extra spaces after the username or password.

   User Name: Brad.Knight
   Email Address: brad.knight@oracle.com
   Default Schema: <your_schema_name>
   User is a Workspace Administrator: No
   User is a developer: No
   Password and Confirm Password: obe4U

   Note that while creating users, you can choose whether to grant access to the Team Development module. By default, developers get access to Application Builder, SQL Workshop, Websheet Development, and Team Development.

   Note: In this OBE, you accept the default Yes for Require Change of Password on First Use. Therefore, when you log in as this user later, you are redirected to a screen where you specify a new password. You can then log in again using the new password. You can specify the same obe4U as the new password.

   Click Create and Create Another.

4. Enter the following information, and then click Create and Create Another.

   User Name: Susie.Parker
   Email Address: susie.parker@oracle.com
   Default Schema: <your_schema_name>
   User is a developer: No
   User is a Workspace Administrator: No
   Password and Confirm Password: obe4U

   Note: As for the previous user, accept the default Yes for Require Change of Password on First Use. You are asked for a new password when you first log in as this user, and you can specify the same obe4U again.

5. Enter the following information, and then click Create User.

   User Name: John.Bell
   Email Address: john.bell@oracle.com
   Default Schema: <your_schema_name>
   User is a developer: No
   User is a Workspace Administrator: No
   Password and Confirm Password: obe4U

   Note: As for the previous users, accept the default Yes for Require Change of Password on First Use. You are asked for a new password when you first log in as this user, and you can specify the same obe4U again.

6. The Dashboard provides a quick way to get summary information about users. Click View Dashboard.

7. In the Recently Created section, notice that the three users have been created. You now set up administrator access to the application. Click the Application Builder tab.

Restricting Access


Now that you have users defined, you can restrict access to certain portions of the application. In this topic, you allow only certain users to edit tasks. To do this, perform the following steps:

Add an Access Control Page

To secure the application so that only privileged users can perform certain operations, you create an Access Control Page that is used to define which users can access which part of the application. Perform the following steps:

1. Click the Project Tasks Application.

2. Click Create Page.

3. Select the Access Control page type and click Next >.

4. Accept the default page value, and click Next >.

5. Make sure Do not use tabs is selected and click Next >.

6. Click Finish.

7. Click Run Page.

8. You see the access control page you just added to the application. The page is divided into two regions, and the default setting for Application Mode is Full Access. In this case, you want to restrict certain users from certain parts of the application. Select Restricted Access and click Set Application Mode.

9. The Application Mode has been set. In the next topic, you identify your privileged users. Click Add User.

Identify Privileged Users

In a previous topic, you created three users: Brad.Knight, John.Bell and Susie.Parker. In this topic, you identify Brad.Knight as allowed to edit the application, but not to change any user access. John.Bell can only view the information in the application; he cannot make any changes. Finally, Susie.Parker is the administrator of the application, so she can change anything, including the user privileges. Perform the following steps:

1. Enter john.bell for the username and select View for the privilege, then click Add User again.

2. Enter brad.knight for the username and select Edit for the privilege, then click Add User again.

3. Enter susie.parker for the username and select Administrator for the privilege, then click Apply Changes.

4. Next you define which areas of the application are restricted. Click the Application <n> link from the developer tool bar.

Apply Authorization Schemes to Application Components

With your authorization schemes created, users with View privilege can review the Employee Information but cannot change it. Users with Edit privilege can change Employee Information but cannot change the access control list. Users with Administrator privilege can make any change, including to the access control list. Perform the following steps:
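To make the three privilege levels concrete, here is an added example (not the tutorial's own code and not what the Access Control wizard generates) of a PL/SQL function with the same semantics as the access control - view, edit and administrator schemes: Administrator implies Edit, Edit implies View, and Full Access mode admits every authenticated user. The table and column names apex_access_setup, apex_access_control, application_mode, admin_username and admin_privileges, and the mode and privilege values, are assumptions; match them to the objects the wizard created in your schema.

```sql
-- Added example; table/column names and the literal mode and privilege
-- values are assumptions, not the wizard's generated code.
CREATE OR REPLACE FUNCTION acl_is_authorized (
    p_username           IN VARCHAR2,
    p_required_privilege IN VARCHAR2  -- 'VIEW', 'EDIT' or 'ADMINISTRATOR'
) RETURN BOOLEAN
IS
    l_mode       VARCHAR2(30);
    l_privilege  VARCHAR2(30);

    -- Rank the privileges so that a higher one implies the lower ones.
    -- Anything unknown ranks 0, so a typo in the ACL denies rather than grants.
    FUNCTION rank_of (p_priv IN VARCHAR2) RETURN PLS_INTEGER IS
    BEGIN
        RETURN CASE UPPER(TRIM(p_priv))
                   WHEN 'VIEW'          THEN 1
                   WHEN 'EDIT'          THEN 2
                   WHEN 'ADMINISTRATOR' THEN 3
                   ELSE 0
               END;
    END rank_of;
BEGIN
    -- Application mode: Full Access lets any authenticated user in.
    -- A missing setup row is treated as Restricted Access (fail closed).
    BEGIN
        SELECT application_mode INTO l_mode
          FROM apex_access_setup
         WHERE ROWNUM = 1;
    EXCEPTION
        WHEN NO_DATA_FOUND THEN l_mode := 'RESTRICTED_ACCESS';
    END;
    IF l_mode = 'FULL_ACCESS' THEN
        RETURN p_username IS NOT NULL;
    END IF;

    -- Restricted Access: look up the user's privilege in the access control
    -- list. Trimming and upper-casing both sides tolerates stray spaces and
    -- case differences in the stored username; a user not in the list is denied.
    BEGIN
        SELECT admin_privileges INTO l_privilege
          FROM apex_access_control
         WHERE UPPER(TRIM(admin_username)) = UPPER(TRIM(p_username));
    EXCEPTION
        WHEN NO_DATA_FOUND THEN RETURN FALSE;
    END;

    RETURN rank_of(l_privilege) >= rank_of(p_required_privilege);
END acl_is_authorized;
/
```

Attached as an authorization scheme of type PL/SQL Function Returning Boolean, a page, button or column would call acl_is_authorized(:APP_USER, 'EDIT'); as with the generated schemes, apply it to the page itself and not only to its buttons and columns, otherwise a user who types the page URL directly bypasses the check.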

1. Click Edit Application Properties.

2. Click the Security tab.

3. Under Authorization, change the scheme to access control - view and click Apply Changes.

4. Now that users with View privilege have access to the application, you can restrict editing of Employee Information to users with Edit privilege. Click Projects.

5. In the Page Rendering section, locate and expand the Report Columns node.

6. Right-click PROJECT_ID and click Edit.

7. Click the Authorization tab.

8. Select access control - edit for the Authorization Scheme and click Apply Changes.

9. Click Apply Changes.

10. Because you only want the Create button to appear if the user has Edit or Administrator privilege, you need to set its authorization scheme. In the Page Rendering section, under the Region Buttons node, right-click CREATE and select Edit.

11. Click the Security button.

12. Select the access control - edit authorization scheme and click Apply Changes.

13. You also want to protect against direct access to the page. Even though you hid the edit link and the Create button on page 2 from users without Edit privilege, such a user can still reach page 3 by entering its URL directly. To prevent this, restrict page 3 to users with Edit privilege. Click > for Page to advance to Page 3.

14. In the Page Rendering section, under Regions, right-click Master Detail and select Edit.

15. Click the Security section button.

16. For Authorization Scheme, select access control - edit. Click Apply Changes.

17. Click Run.

18. Click the Application <n> link from the developer tool bar.

19. Because only users with Administrator privilege are allowed to change the access control list, you need to set the authorization scheme for page n. Click Access Control Administration Page.

20. In the Page Rendering section, right-click Access Control Administration Page and select Edit.

21. If the Security section is not already displayed, click the Security section tab. Then select access control - administrator for the Authorization Scheme and click Apply Changes. Now you are ready to run the application.

22. Enter 1 for Page and click <.

23. Make sure that it says Page 101 and click Run.

24. If you are already logged in as OBE, click Logout. Enter brad.knight and obe4U for the username and password. Then click Login.

25. Click Manage Projects and Tasks.

26. Click the Edit icon in front of Email Integration.

27. Notice that Brad can edit the Projects. Click Logout.

28. Enter john.bell and obe4U for the username and password. Then click Login. Click Manage Projects and Tasks.

29. John has only View privilege and therefore cannot edit Project information. He also does not see the Create button.

30. Change the page number in your URL to try to access Page 3.

    Example URL: …/f?p=2018:2:2101953412249296357::NO
    Change to:   …/f?p=2018:3:2101953412249296357::NO

    Press the ENTER key on your keyboard. Notice that you receive a message denying you access to the page, because you restricted Page 3 to users with Edit privilege only. Click the Application <n> link in the Developer tool bar.

31. Click Login page.

32. Click Run.

33. Enter susie.parker and obe4U for the username and password. Then click Login.

34. Click Manage Projects and Tasks.

35. Click the Edit icon in front of Email Integration. Susie can edit the Projects.

36. Change the page number in your URL to try to access Page 6.

    Example URL: …/f?p=2018:3:2101953412249296357::NO
    Change to:   …/f?p=2018:6:2101953412249296357::NO

    Press the ENTER key on your keyboard. Notice that Susie has access to the Administration page. Click Logout.

Summary

In this tutorial, you have learned how to:

1. Create users in Oracle Application Express.

2. Add an Access Control page to an application and set its Application Mode.

3. Identify privileged users with View, Edit and Administrator privileges.

4. Apply authorization schemes to application components and pages.
