How to get the Static ID Global Variable

M.bro
M.bro Member Posts: 117 Blue Ribbon
edited Jan 29, 2019 12:27AM in APEX Discussions

Hi All,

I am using Oracle APEX 5.1.0 and 18.1.

I am using a lot of global variables (APP_USER, APP_PAGE_ID, APP_SESSION_ID, _APP_COMPONENT_NAME), but I am planning to enable "Authorization Schemes" using the static ID at region level, or else you can suggest to me what the best practice is to enable the authorization schemes.

My requirement is that I have different users and I need to enable page-level, region-level, button and field-level restrictions. How can I enable the restrictions for the whole application? Right now I am using the table apex_application_page_regions to get the component name and then restrict the pages, regions and buttons.

But in future I don't want to use the component name, because my pages currently have the same type of region name in the application.

Thanks

M.Bro


Answers

  • Franck N
    Franck N Member Posts: 1,016 Silver Trophy
    edited Jan 28, 2019 3:36AM

    Hi,

    You could have a global item, either on the global page of your application or as an Application Item.

    With a server-side condition you could restrict the effect of the items on some pages: "Current Page is in comma delimited list".

    Have a Before Header process or a Dynamic Action on Page Load to set a value into the item according to the user's restriction.

    Maybe you have a user table with a column "right to apply"; then you just have to set any value into the created item "P0_ITEM",

    for example: "GRANT_ACCESS" or "RESTRICT_ACCESS" or "IS_READONLY",

    then restrict the element, item, region or page according to the item value.

    regards,

    Franck

  • fac586
    fac586 Senior Technical Architect Member Posts: 20,349 Red Diamond
    edited Jan 28, 2019 4:55AM
    M.bro wrote:

    I am using Oracle APEX 5.1.0 and 18.1.

    I am using a lot of global variables (APP_USER, APP_PAGE_ID, APP_SESSION_ID, _APP_COMPONENT_NAME), but I am planning to enable "Authorization Schemes" using the static ID at region level

    Why would you need/want to do this?

    The APP_COMPONENT_ID substitution string returns the internal APEX ID of the component, not the Static ID assigned by the developer. This means that its value is not fixed and can only be used in a relative (e.g. to efficiently query APEX_APPLICATION_PAGE* views) rather than an absolute (as a universal and permanent identifier) fashion.

    or else you can suggest to me what is best practice to enable the authorization schemes. 

    In my opinion the best way to implement authorization schemes is (and always has been) as follows:

    • Create a matrix of possible operations versus user roles/privileges: view/create/edit/delete customer vs account manager/sales rep/customer services desk/telesales operator
    • Define authorization schemes for permitted operations, not roles (and definitely not APEX components): EDIT_CUSTOMER not ACCOUNT_MGR
    • Implement the authorization schemes as type PL/SQL Function Returning Boolean, using functions in packages that return TRUE/FALSE based on all criteria that permit the operation. Exactly how a user has create/edit customer privilege is determined in the package (e.g. user has EDIT CUSTOMER privilege, OR user is sales rep, OR user is the current account manager for this customer...). Determinants that are shared by multiple schemes can be combined at this level. These implementations can be changed as necessary without requiring changes to the application.
    • Apply the operation-based authorization schemes to applications, pages, and page components in APEX. It is not necessary for the authorization scheme to know which component is being rendered, if the scheme appropriate to the component's operational role is applied.
    • Other than the poorly documented and fragile APP_COMPONENT_NAME, APP_COMPONENT_TYPE, APP_COMPONENT_ID substitution strings introduced in APEX 5.0, "parameters" cannot be passed to authorization schemes. Use application items, APEX collections or application contexts to set current context before the authorization scheme is evaluated, and access these values in the functions.

    The only good reason for using authorization schemes based on APP_COMPONENT_NAME/APP_COMPONENT_TYPE/APP_COMPONENT_ID introspection is in products where the component/role mapping can be defined by end users at runtime, rather than upfront during design.

    My requirement is that I have different users and I need to enable page-level, region-level, button and field-level restrictions. How can I enable the restrictions for the whole application? Right now I am using the table apex_application_page_regions to get the component name and then restrict the pages, regions and buttons.

    Unclear. Authorization schemes can be applied to an entire application in the application's security attributes. If this is not relevant to the question you are asking then please clarify.

    But in future I don't want to use the component name, because my pages currently have the same type of region name in the application.

    Unclear. Please explain in more detail.
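
What the package-based, operation-level approach described in the answer above can look like in PL/SQL, as an added example that is not part of any post in this thread. The package `app_auth`, the tables `app_user_privs`, `app_user_roles` and `customers`, their columns, and the application item `G_CUSTOMER_ID` are all hypothetical names chosen for illustration.

```sql
-- Added example: every table, column, package and item name is hypothetical.
create or replace package app_auth as
  function can_edit_customer return boolean;
end app_auth;
/
create or replace package body app_auth as

  -- Determinant shared by several schemes: explicit privilege or role.
  function has_grant (
    p_user in varchar2, p_priv in varchar2, p_role in varchar2
  ) return boolean
  is
    l_hits pls_integer;
  begin
    select count(*) into l_hits
      from ( select 1 from app_user_privs
              where username = p_user and priv_name = p_priv
             union all
             select 1 from app_user_roles
              where username = p_user and role_name = p_role );
    return l_hits > 0;
  end has_grant;

  -- Operation-based check (EDIT_CUSTOMER), independent of any APEX component.
  function can_edit_customer return boolean
  is
    l_user     varchar2(255);
    l_customer number;
    l_hits     pls_integer;
  begin
    l_user := v('APP_USER');
    if l_user is null then return false; end if;  -- no user: deny
    if has_grant(l_user, 'EDIT CUSTOMER', 'SALES_REP') then return true; end if;
    -- G_CUSTOMER_ID: application item set server-side before evaluation.
    l_customer := to_number(v('G_CUSTOMER_ID'));
    select count(*) into l_hits
      from customers
     where customer_id = l_customer and account_manager = l_user;
    return l_hits > 0;
  exception
    when value_error then return false;  -- non-numeric context value: deny
  end can_edit_customer;

end app_auth;
/
-- Authorization scheme EDIT_CUSTOMER (PL/SQL Function Returning Boolean):
--   return app_auth.can_edit_customer;
```

The same EDIT_CUSTOMER scheme is then attached to every page, region, button or item that performs that operation, so the rules inside the package can change without touching the application.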

  • fac586
    fac586 Senior Technical Architect Member Posts: 20,349 Red Diamond
    edited Jan 28, 2019 4:53AM
    Franck N wrote:

    you could have a global item either on the global page of your application or as an Application Item.

    With a server side condition you could restrict the effect of the items on some pages "Current Page is in comma delimited list"

    have a before-header Process or a Dynamic action on Page Load to set a Value into the Item according to the Users restriction.

    Maybe you have a table user with a column "right to apply" then you just have to set any value into the created Item "P0_ITEM"

    for example: "GRANT_ACCESS" or "RESTRICT_ACCESS" or "IS_READONLY"

    then restrict the element, item region or Page according to the Item Value.

    Basing critical security functionality on page items is not good practice as they are far more vulnerable to user tampering than built-in substitution strings or restricted application items.

    Security cannot be implemented using dynamic actions or JavaScript as this can be disabled or circumvented in the browser.

    Conditions should not be used to implement security features. The existence of both authorization schemes and conditions in APEX is a good example of the separation of concerns. While both features are used to conditionally control the rendering and execution of components and processes, they are intended to be used for separate purposes. Authorization schemes are used to apply security-related conditions, and conditions to implement other business rules. For example, a "Create Order" button could have both an authorization scheme and a condition applied. The authorization scheme to ensure that the current user has privileges that allow them to create an order, and a condition checking that the customer balance is within their credit limit.

  • M.bro
    M.bro Member Posts: 117 Blue Ribbon
    edited Jan 29, 2019 12:27AM

    Thanks for your detailed Explanation.

    Why would you need/want to do this?

    The APP_COMPONENT_ID substitution string returns the internal APEX ID of the component, not the Static ID assigned by the developer. This means that its value is not fixed and can only be used in a relative (e.g. to efficiently query APEX_APPLICATION_PAGE* views) rather than an absolute (as a universal and permanent identifier) fashion.

    How to get the app_component_id? It should be the same ID/unique ID for page level/application level?

    I even checked this table: SELECT region_name, region_id FROM apex_application_page_regions. Region Id should not be unique.

    I am also using a function checking true or false. Based on that, I need to pass App_id, App_page_id, App_region_id; it should be created beforehand in the Roles table. I am following the same procedure that you explained.

    I created one function checking whether true or false.

    At each page level or region level I am giving the function access using the security option.


    I need to check the access for each field based access in the region.