Need to overhaul APEX object and system privileges - Oracle EE 12c, APEX 19

Dave_VZ Member Posts: 28 Red Ribbon

I'm new to a site and to APEX as an Oracle DBA. Nothing fancy, the workspace groups are APEX.RO, APEX.RW, and INTERNAL. The RO end-users use APEX just for production queries, but it seems the developer role has to be assigned for an end-user to access the SQL Workspace. Therefore, end-users inherit the developer classification. Next, for reasons fully undocumented, the former contract holder granted excessive system privileges directly to the APEX.RW account.

Has anyone experienced a reason why APEX security cannot follow recommended, time-tested permissions that are least-necessary? Or a way I might open up SQL Workspace to end users? TIA.


  • Scott Wesley Member Posts: 5,966 Gold Crown

    Opening up SQL Workspace to end users to execute ad hoc queries is ... not normal.

    That said, there's a layer here not mentioned - each workspace only has access to certain schemas - using the 'time tested' Oracle security permissions.

    Normally, database privileges are abstracted from the user using the Parsing schema of the application, making the written application the proxy for delivering whatever the user needs.

  • Dave_VZ Member Posts: 28 Red Ribbon

    Good insight, Scott. Most of the project's customers know only the browser-based application. My use of end-users in this context is a subset of customers authorized as subject matter experts. Thus my RO workspace allows SELECT and EXECUTE on appropriate objects. Other venues such as SQLcl or SQLDeveloper are not available to them. To my noob level of understanding, the only way in APEX for these limited users to have the SQL Worksheet, however, is to categorize them as developers rather than not.

    The actual developers on the project have RW roles in the non-production instances. My concern here is that they were previously granted unnecessary system privileges. That has to be fixed, but "delicately".

  • Scott Wesley Member Posts: 5,966 Gold Crown

    Yeah, sounds like a clean-out is required.

    And an alternative for power users is to throw some Interactive Reports at them. They could have a basic set of data that they could then filter, pivot, compute, chart etc.

  • Rich H Member Posts: 80 Bronze Badge

    Another avenue might be to consider the packaged Data Reporter application, as it has in-built SQL query capability when creating a data source. It may need a bit of local customization depending on your requirements.
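
An added example, not part of any post in the thread: a read-only SQLcl/SQL*Plus script for inventorying what an over-privileged parsing schema actually holds before the clean-out discussed above. `APEX_RW_SCHEMA` is a placeholder for the real account name, the keep-list in step 4 is an assumed baseline to adjust, and the script assumes a DBA session that can see all workspaces.

```sql
-- Added example. APEX_RW_SCHEMA is a placeholder for the parsing schema
-- behind the RW workspace; the keep-list in step 4 is an assumed baseline.
VARIABLE grantee_name VARCHAR2(128)
EXEC :grantee_name := 'APEX_RW_SCHEMA'

-- 1. Which schemas each workspace is allowed to parse as.
SELECT workspace_name, schema
FROM   apex_workspace_schemas
ORDER  BY workspace_name, schema;

-- 2. System privileges granted directly to the schema, broad ones flagged.
SELECT privilege, admin_option,
       CASE
         WHEN privilege LIKE '% ANY %' THEN 'REVIEW: reaches every schema'
         WHEN privilege IN ('ALTER SYSTEM', 'ALTER DATABASE', 'ALTER USER')
                                       THEN 'REVIEW: instance-level control'
         WHEN admin_option = 'YES'     THEN 'REVIEW: can be granted onward'
         ELSE 'compare with documented need'
       END AS note
FROM   dba_sys_privs
WHERE  grantee = :grantee_name
ORDER  BY privilege;

-- 3. System privileges that arrive through roles, nested roles included.
WITH role_tree AS (
  SELECT DISTINCT granted_role
  FROM   dba_role_privs
  START  WITH grantee = :grantee_name
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
SELECT rt.granted_role, sp.privilege, sp.admin_option
FROM   role_tree rt
LEFT   JOIN dba_sys_privs sp ON sp.grantee = rt.granted_role
ORDER  BY rt.granted_role, sp.privilege;

-- 4. Draft REVOKE statements for review and change control; nothing runs.
SELECT 'REVOKE ' || privilege || ' FROM "' || grantee || '";' AS draft_stmt
FROM   dba_sys_privs
WHERE  grantee = :grantee_name
AND    privilege NOT IN ('CREATE SESSION', 'CREATE TABLE', 'CREATE VIEW',
                         'CREATE PROCEDURE', 'CREATE SEQUENCE',
                         'CREATE TRIGGER', 'CREATE TYPE', 'CREATE SYNONYM')
ORDER  BY privilege;
```

Saving the output of steps 2 and 3 before revoking anything gives a record from which the original grants can be restored if an application breaks.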
