- 3,734,276 Users
- 2,246,935 Discussions
- 7,857,216 Comments
Forum Stats
Discussions
Howdy, Stranger!
Categories
- 380.9K All Categories
- 2.1K Data
- 203 Big Data Appliance
- 1.9K Data Science
- 446.1K Databases
- 220.4K General Database Discussions
- 3.7K Java and JavaScript in the Database
- 23 Multilingual Engine
- 506 MySQL Community Space
- 459 NoSQL Database
- 7.7K Oracle Database Express Edition (XE)
- 2.8K ORDS, SODA & JSON in the Database
- 438 SQLcl
- 3.9K SQL Developer Data Modeler
- 185.4K SQL & PL/SQL
- 20.8K SQL Developer
- 291.3K Development
- 6 Developer Projects
- 117 Programming Languages
- 288.1K Development Tools
- 96 DevOps
- 3K QA/Testing
- 645.2K Java
- 18 Java Learning Subscription
- 36.9K Database Connectivity
- 149 Java Community Process
- 104 Java 25
- 22.1K Java APIs
- 137.7K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 12 Java Essentials
- 138 Java 8 Questions
- 85.9K Java Programming
- 79 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.2K Java SE
- 13.8K Java Security
- 195 Java User Groups
- 22 JavaScript - Nashorn
- Programs
- 180 LiveLabs
- 34 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.7K Other Languages
- 2.3K Chinese
- 165 Deutsche Oracle Community
- 1.2K Español
- 1.9K Japanese
- 225 Portuguese
Need to overhaul APEX object and system privileges - Oracle EE 12c, APEX 19
I'm new to a site and to APEX as an Oracle DBA. Nothing fancy, the workspace groups are APEX.RO, APEX.RW, and INTERNAL. The RO end-users use APEX just for production queries, but it seems the developer role has to be assigned for an end-user to access the SQL Workspace. Therefore, end-users inherit the developer classification. Next, for reasons fully undocumented, the former contract holder granted excessive system privileges directly to the APEX.RW account.
Has anyone experienced a reason why APEX security cannot follow recommended, time-tested permissions that are least-necessary? Or a way I might open up SQL Workspace to end users? TIA.
Answers
-
Opening up SQL Workspace to end users to execute ad hoc queries is ... not normal.
That said, there's a layer here not mentioned - each workspace only has access to certain schemas - using the 'time tested' Oracle security permissions.
Normally, database privileges are abstracted from the user using the Parsing schema of the application, making the written application the proxy for delivering whatever the user needs.
-
Good insight, Scott. Most of the project's customers know only the browser-based application. My use of end-users in this context is a subset of customers authorized as subject matter experts. Thus my RO workspace allows SELECT and EXECUTE on appropriate objects. Other venues such as SQLcl or SQLDeveloper are not available to them. To my noob level of understanding, the only way in APEX for these limited users to have the SQL Worksheet, however, is to categorize them as developers rather than not.
The actual developers on the project have RW roles in the non-production instances. My concern here is that they were previously granted unnecessary system privileges. That has to be fixed, but "delicately".
-
Yeah, sounds like a clean-out is required.
And an alternative for power users is to throw some Interactive Reports at them. They could have a basic set of data that they could then filter, pivot, compute, chart etc.
-
Another avenue might be to consider the packaged Data Reporter application as it has in-built SQL query capability when creating a data source, it may need a bit of local customization depending on your requirements.
