Authorization and user roles in Oracle Apex?

Although APEX has a built-in user management concept called "Groups" I must confess I have never used it, and a quick perusal of the documentation doesn't make it clear to me how you use these to control access (but see Tom's answer here for that).

You will probably need to create user/role tables within your database and use these in conjunction with APEX Authorization Schemes to control access to pages. A single Authorization Scheme of type "PL/SQL Function returning Boolean" could be created with the function body:

return my_auth_pkg.is_authorized (p_user    => :app_user,
                                  p_app_id  => :app_id
                                  p_page_id => :app_page_id);

You would then implement the package to look up the user's privileges and decide whether to return TRUE or FALSE for the application and page id. enter image description here

Alternatively you could just perform the SQL to check for access directly in the Authorization Scheme: enter image description here

(NB "user_roles" and "role_pages" are names I made up, to represent your tables)


I just wish to expand on Tony's answer, which by itself is correct. I just want to show you another way, which i think would be easier on a total beginner and omits the creation of tables.

If your application uses Apex as authentication scheme, then your users are managed through the administration of the workspace itself. You can create, edit and delete users, but you can also define groups, and link users to groups. It is possible for you to create several "end user" type of users, and define a couple of groups, like "Executives".

Apex users and groups Creation of a group When you have created your group, go to the user you wish to assign this group to, and add the group to the groups of that user

Adding a group to a user

Once you have that set up, you still need the authorization schemes. The fact remains you need some pl/sql knowledge here, but it is possible to keep the coding to a minimum, thanks to some handy api-work. Defining an authorization based on apex groups The current_user_in_group does what it says: it checks for the current user if he has said group assigned. With some expanding using some simple IF-structures, you can ramp it up a bit!

Not that i'd totally recommend this method, i find it a bit tedious myself, and you need someone to go into APEX to actually maintain users and their groups, but it could well be that this is acceptable in your environment. You could use it to start out with however. You can very easily switch out authentication schemes, and with altering your authorization schemes so they comply with the new auth scheme, you can easily and quickly adjust this afterward. It depends on your priorities and goals of course.