Adding Security to your Database Application Using Oracle Application Express 5.1

Before You Begin

Purpose

This tutorial shows you how to add security to your application using Oracle Application Express.

Time to Complete

Approximately 40 minutes.

Background

In this tutorial, you first create Application Express users. Then you add an Access Control page to the application and restrict access to certain components of the application to those users only.

What Do You Need?

  • Installed Sample Database Application Packaged App

Creating Users

This section of the tutorial is applicable only for applications that use Oracle Application Express Authentication.

If your application is configured to use Oracle Application Express Authentication, you may use the functions already available in Oracle Application Express to create new users. Application Express allows you to create new users in bulk.

In this section, you create new users and in the next section you restrict access to certain areas of the application to certain users.

  1. In the Application Express login page, enter the following login credentials and click Sign In:

    • Workspace: obe

    • Username: obe

    • Password: oracle

    Login page
  2. From the Oracle Application Express home page, click the down arrow next to Administration, and select Manage Users and Groups.

    Administration menu
  3. Click Create User >.

  4. Enter the following information:

    Note: Make sure that there are no trailing spaces in the username and password.

    • Username: Brad.Knight

    • Email Address: brad.knight@oracle.com

    • Default Schema: <your_schema_name>

    • User is a workspace administrator: No

    • User is a developer: No

    • Password: <choose_a_password>

    • Confirm Password: <repeat_your_password>

    Note that while creating users, you have a choice to provide access to Team Development Module. By default, developers get access to Application Builder, SQL Workshop, Websheet Development, and Team Development Module.

    Note: In this OBE, you accept the default Yes for Require Change of Password on First Use. Therefore, when you log in as this user later, you will be redirected to a screen where you specify a new password. You can then re-login using the new password.

    Click Create and Create Another.

    Create User page
  5. Enter the following information and click Create and Create Another.

    • Username: Susie.Parker

    • Email Address: susie.parker@oracle.com

    • Default Schema: <your_schema_name>

    • User is a workspace administrator: No

    • User is a developer: No

    • Password: <choose_a_password>

    • Confirm Password: <repeat_your_password>

    Note: In this OBE, you accept the default Yes for Require Change of Password on First Use. Therefore, when you log in as this user later, you will be redirected to a screen where you specify a new password. You can then re-login using the new password.

  6. Enter the following information and click Create User.

    • Username: John.Bell

    • Email Address: john.bell@oracle.com

    • Default Schema: <your_schema_name>

    • User is a workspace administrator: No

    • User is a developer: No

    • Password: <choose_a_password>

    • Confirm Password: <repeat_your_password>

    Note: In this OBE, you accept the default Yes for Require Change of Password on First Use. Therefore, when you log in as this user later, you will be redirected to a screen where you specify a new password. You can then re-login using the new password.

  7. Notice that three new users are created.

    Users page displaying three new users
  8. Next, you use these users to restrict access within the application. Click the App Builder tab.

Restricting Access

Now that you have users defined, you can restrict access to certain portions of the application. In this section, you allow only certain users to edit order information.

Add an Access Control Page

You create an Access Control page to secure the application so that only privileged users can perform certain operations. In this page, you define which user can access which part of the application.

  1. In the App Builder home page, click Sample Database Application.

    App Builder page - Sample Database Application
  2. Click Create Page >.

  3. Select Access Control as page type.

    Create a Page modal window
  4. Accept the default values and click Next >.

    Create Access Control wizard - Step 1
  5. For Navigation Preference, accept the default value of Do not associate this page with a navigation menu entry and click Next >.

  6. In the Confirmation step, click Create.

    Create Access Control - Confirmation page
  7. The page loads in Page Designer view. Click the Save and Run Page button.

    Save and Run page button
  8. Enter your login credentials and click Sign In.

    Sample Database Application login page
  9. You see the Access Control Administration page that you added to the application. The page is divided into two regions, and the default setting for Application Mode is Full access to all, access control list not used. In this case, you want to restrict certain users from certain parts of the application.

    Select "Restricted access. Only users defined in the access control list are allowed." and click Set Application Mode.

    Access Control Administration page - Application Administration region
  10. The Application mode has been set. In the next section, you identify your privileged users. Click Add User.

    Access Control List

Identify Privileged Users

Earlier, you created three users: Brad.Knight, John.Bell, and Susie.Parker. In this section, you give Brad.Knight the right to edit information in the application but not to change any user's access; John.Bell can only view information and cannot make changes; and Susie.Parker is the application administrator, who can change anything, including user privileges.

  1. Enter john.bell for Username and select View for Privilege. Then, click Add User again.

  2. Enter brad.knight for Username and select Edit for Privilege. Then, click Add User.

  3. Enter susie.parker for Username and select Administrator for Privilege. Then, click Apply Changes.

    Access Control List with three users
  4. Next, you define which areas of the application are restricted. Click the Application<n> link from the developer tool bar.

    Developer Toolbar

Apply Authorization Schemes to Application Components

The Access Control wizard created three authorization schemes, one per privilege level, which you now attach to the application and its components. Users with View privilege can review Orders but cannot change or place orders. Users with Edit privilege can change Order information and place new orders, but cannot change the access control list. Users with Administrator privilege can make any change or addition, including to the access control list.
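To make the privilege model explicit, here is an added example of how the same three-level hierarchy can be written as a PL/SQL function suitable for an authorization scheme of type PL/SQL Function Returning Boolean. This is not the code the Access Control wizard generates and not part of the tutorial; the table acl_users, its columns, and the function name acl_has_privilege are assumptions made for this illustration only.

```sql
-- Constructed ACL table standing in for whatever the Access Control wizard
-- creates; the name and columns are assumptions for this example only.
create table acl_users (
  username  varchar2(255) not null,
  privilege varchar2(13)  not null
    constraint acl_users_priv_ck
    check (privilege in ('VIEW', 'EDIT', 'ADMINISTRATOR')),
  constraint acl_users_pk primary key (username)
);

-- The three users from the tutorial, stored upper-case so that
-- 'brad.knight' and 'Brad.Knight' resolve to the same entry.
insert into acl_users (username, privilege) values ('JOHN.BELL',    'VIEW');
insert into acl_users (username, privilege) values ('BRAD.KNIGHT',  'EDIT');
insert into acl_users (username, privilege) values ('SUSIE.PARKER', 'ADMINISTRATOR');
commit;

-- Returns TRUE when p_user holds at least the privilege p_required.
-- Administrator implies Edit, and Edit implies View. A user absent from
-- the list, or an unrecognised privilege name, is denied (fail closed).
create or replace function acl_has_privilege (
  p_user     in varchar2,
  p_required in varchar2
) return boolean
is
  l_held varchar2(13);

  -- Numeric rank so that "at least Edit" is a simple comparison.
  function rank_of (p_priv in varchar2) return pls_integer is
  begin
    return case upper(p_priv)
             when 'VIEW'          then 1
             when 'EDIT'          then 2
             when 'ADMINISTRATOR' then 3
             else 0
           end;
  end rank_of;
begin
  if rank_of(p_required) = 0 then
    return false;                       -- unknown privilege name: deny
  end if;

  select privilege
    into l_held
    from acl_users
   where username = upper(trim(p_user)); -- case-insensitive, whitespace-safe

  return rank_of(l_held) >= rank_of(p_required);
exception
  when no_data_found then
    return false;                       -- not in the ACL: deny
end acl_has_privilege;
/
```

Three authorization schemes would then have the bodies `return acl_has_privilege(:APP_USER, 'VIEW');`, `return acl_has_privilege(:APP_USER, 'EDIT');` and `return acl_has_privilege(:APP_USER, 'ADMINISTRATOR');`. Two caveats apply equally to the wizard-generated schemes: the check is evaluated on the server only for the components it is attached to, which is why the page-level schemes later in this tutorial matter more than hiding a button; and when a scheme's Evaluation Point is Once per session, Application Express caches the result for the session, so a user whose ACL entry is changed keeps the old answer until they sign out.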

  1. Click Edit Application Properties.

  2. Click the Security tab.

  3. Under Authorization, change the Authorization Scheme to access control - view and click Apply Changes.

    Security properties of Sample Database Application
  4. The application-level scheme now admits only users who appear in the access control list with at least View privilege. Next, you restrict the parts of the Orders page that change data. Click Page 4 - Orders.

  5. In the Page Rendering section, locate and expand the Orders report Columns node.

    Expanded Orders and Columns node in the Orders page
  6. Click ORDER_NUMBER.

  7. In the Column section, select access control - edit for the Authorization Scheme and click Save.

    ORDER_NUMBER security attribute
  8. The Place Order button should only appear when the user has Edit or Administrator privilege. To enable this, you need to set the authorization scheme for the Place Order button.

    In the Page Rendering section, under Region Buttons node, click ENTER_NEW_ORDER.

    Region Buttons of Orders page
  9. In the Button section, select the access control - edit for Authorization Scheme and click Save.

    ENTER_NEW_ORDER button security attribute
  10. A user who does not have Edit privilege, and therefore cannot edit or place orders on page 4, may still be able to reach the restricted pages 11, 12, 14, and 8 (the Place Order wizard) by entering their URLs directly in the browser. Removing the Order # link and the Place Order button only hides the entry points; it does not protect the target pages.

    To prevent this, you restrict pages 11, 12, 14, and 8 to Edit users as well. Select Page 11 from Page Finder.

    Page Finder modal window

    Note: In the Sample Database Application, pages 11, 12, 14, and 8 are modal dialog pages, and Application Express does not let a modal dialog page be opened directly by URL; only pages in Normal mode can be reached that way. Do not treat this as a security control: page mode is a presentation attribute that any developer can change later, and the authorization scheme is what actually denies the request. Apply the scheme regardless of page mode.

  11. In the Page section under Security, select access control - edit for Authorization Scheme and click Save.

    You may change the page mode (under Appearance) in the Page section to Normal to test that the page is restricted by direct URL for users that are not a part of the access control - edit authorization scheme.

  12. Repeat steps 10 and 11 for pages 12, 14, and 8.

  13. Only users with the Administrator privilege may change the access control list, so the Access Control Administration page itself needs an authorization scheme. From the Page Finder, open the Access Control Administration page.

    Page Finder modal window
  14. In the Page section under Security, select access control - administrator for Authorization Scheme and click Save.

  15. From the Page Finder, open Page 101 Login Page. Run the page by clicking the Save and Run Page button.

  16. If you're already logged in, click the user icon and Sign Out. Enter brad.knight's username and password, and click Sign In.

    Sample Database Application login page

    Note: If you're signing in as brad.knight for the first time, you will receive a prompt to change your password. Enter your current password and your new password, and click Apply Changes. Then log in as brad.knight using the new password.

  17. Use the left navigation menu and navigate to the Orders page.

  18. Click the Order # of any record to edit the information.

    Orders page with Order # column and Place Order button enabled

    Notice that Brad can edit the Orders information and can see the Place Order button. Close the Order Details modal window, click the user icon, and Sign Out.

  19. Login as john.bell and navigate to the Orders page.

    Note: If you're signing in as john.bell for the first time, you will receive a prompt to change your password. Enter your current password and your new password, and click Apply Changes. Then log in as john.bell using the new password.

  20. John has only view privileges and therefore cannot edit the Orders information. Also, he does not see the Place Order button.

    Orders page with order# and Place Order button disabled
  21. Change the page number in your URL to try and access Page 21 Access Control Administration (page number may be different for you).

    Example URL .../f?p=101:4:1998477483740:::::
    Change to .../f?p=101:21:1998477483740:::::

    Press the ENTER key on your keyboard. Notice that you receive a message denying you access to the page because you restricted Page 21 to administrator privilege users only. Click on the Application<n> link in the Developer tool bar.

    No privilege for attempted action warning
  22. From the Page Finder, open Page 101 Login Page. Run the page by clicking the Save and Run Page button.

  23. Login as susie.parker and navigate to the Orders page.

    Note: If you're signing in as susie.parker for the first time, you will receive a prompt to change your password. Enter your current password and your new password, and click Apply Changes. Then log in as susie.parker using the new password.

  24. Click the Order # to edit the information.

    Orders page with order# and Place Order button enabled

    Notice that Susie can edit the Orders and can see the Place Order button.

  25. Change the page number in your URL to try and access Page 21 Access Control Administration (page number may be different for you).

    Example URL .../f?p=101:4:1998477483740:::::
    Change to .../f?p=101:21:1998477483740:::::

    Press the ENTER key on your keyboard. Notice that Susie, who has Administrator privilege, can open the Access Control Administration page.

    Access Control Administration page

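Manual URL editing, as in steps 21 and 25, checks one page at a time. The queries below, added here as an example and not part of the tutorial, check the whole application from the APEX dictionary views so that no page is left reachable by direct URL without a scheme. They assume the APEX_APPLICATIONS, APEX_APPLICATION_PAGES, APEX_APPLICATION_PAGE_BUTTONS and APEX_APPLICATION_PAGE_RPT_COLS views with the columns named below, as in the APEX 5.1 dictionary (look any name up in APEX_DICTIONARY if your release differs); :app_id is your application ID (101 in the tutorial's URLs); and page 101 is the login page, which is expected to have no scheme.

```sql
-- Run from the workspace schema, for example in SQL Workshop, binding :app_id
-- to the application ID (101 in the tutorial's URLs).

-- 1. Confirm the application-level scheme (step 3: access control - view).
select application_id,
       application_name,
       authorization_scheme
  from apex_applications
 where application_id = :app_id;

-- 2. Every page without a page-level authorization scheme. After steps
--    10 to 14, pages 8, 11, 12, 14 and the Access Control Administration
--    page must no longer appear here. page_mode is shown because a modal
--    page is still unprotected if this is the only thing standing in the way.
select page_id,
       page_name,
       page_mode,
       page_requires_authentication
  from apex_application_pages
 where application_id = :app_id
   and authorization_scheme is null
   and page_id <> 101                  -- login page is deliberately public
 order by page_id;

-- 3. Components that carry their own scheme (the ORDER_NUMBER column and the
--    ENTER_NEW_ORDER button from steps 7 and 9). Compare the page each one
--    links to against the result of query 2: a hidden link is not a
--    protected page.
select 'button' as component_type,
       page_id,
       button_name as component,
       authorization_scheme
  from apex_application_page_buttons
 where application_id = :app_id
   and authorization_scheme is not null
union all
select 'report column',
       page_id,
       column_alias,
       authorization_scheme
  from apex_application_page_rpt_cols
 where application_id = :app_id
   and authorization_scheme is not null
 order by page_id, component_type;
```

Query 2 is the one to keep: run it again whenever a page is added to the application, since a new page inherits no scheme and would otherwise be open to every user who passes the application-level check.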
Want to Learn More?