Oracle Database 12c Real Application Security and APEX

Oracle Real Application Security (RAS) applies security policies at the database layer. So those policies are applied to the data and do not rely on the security built into an application (like VPD). Security is applied to direct connections as well. Policies are stored in an "Identity and Policy Store".
As an example, an employee can see some public information of other employees and all of his own data. A manager can see all data of all his employees. So you need both column- and row-level security. To accomplish the row-level security, RAS uses "Data Realms". Privileges, like viewSSN and viewSalary, are assigned to columns. Each Data Realm has an associated ACL with grants. So a policy is a collection of Data Realms and associated ACLs.
A user is granted a role. A role is a combination of policies. And this works for all applications that access this data, be it APEX, SQL*Plus or whatever.
In APEX you have to create Authorization Schemes that query the RAS ACLs using the ORA_CHECK_ACL function. The good news is that RAS is a no-cost option of the 12c EE database.
See 12c Oracle Security Documentation for all details.
The RAS Application Policy Management APEX application that was used in the demo looks very handy for managing the policies in a (more) user-friendly way. This application might be available for download from OTN at some later stage. It probably won't be shipped as a packaged application, as it requires an EE license.
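
The employee/manager policy described above, sketched with the RAS PL/SQL packages as an added example (not code from the original post or the demo). The table HR.EMP_DEMO, its columns, the application roles `employee` and `manager`, and all policy, ACL and privilege names (`view_ssn` and `view_salary` stand in for viewSSN and viewSalary) are assumptions.

```sql
-- Added example, not from the original post. Hypothetical table HR.EMP_DEMO with
-- columns USERNAME, MANAGER_USERNAME, SSN, SALARY; RAS roles EMPLOYEE and MANAGER exist.
BEGIN
  -- Security class: the standard DML privileges plus the two column privileges.
  sys.xs_security_class.create_security_class(
    name        => 'emp_privs',
    parent_list => xs$name_list('sys.dml'),
    priv_list   => xs$privilege_list(xs$privilege('view_ssn'),
                                     xs$privilege('view_salary')));
END;
/
DECLARE
  aces   xs$ace_list               := xs$ace_list();
  realms xs$realm_constraint_list  := xs$realm_constraint_list();
  cols   xs$column_constraint_list := xs$column_constraint_list();
BEGIN
  aces.extend(1);
  -- Public data: any employee may select rows; protected columns come back NULL.
  aces(1) := xs$ace_type(privilege_list => xs$name_list('select'),
                         principal_name => 'employee');
  sys.xs_acl.create_acl(name => 'public_acl', ace_list => aces, sec_class => 'emp_privs');
  -- Own row: an employee also sees his own SSN and salary.
  aces(1) := xs$ace_type(privilege_list => xs$name_list('select', 'view_ssn', 'view_salary'),
                         principal_name => 'employee');
  sys.xs_acl.create_acl(name => 'self_acl', ace_list => aces, sec_class => 'emp_privs');
  -- Manager: sees all data of the rows in his realm.
  aces(1) := xs$ace_type(privilege_list => xs$name_list('select', 'view_ssn', 'view_salary'),
                         principal_name => 'manager');
  sys.xs_acl.create_acl(name => 'mgr_acl', ace_list => aces, sec_class => 'emp_privs');
  -- Data realms (row level): each realm is a predicate paired with an ACL.
  realms.extend(3);
  realms(1) := xs$realm_constraint_type(realm => '1 = 1',
                 acl_list => xs$name_list('public_acl'));
  realms(2) := xs$realm_constraint_type(realm => 'username = xs_sys_context(''xs$session'',''username'')',
                 acl_list => xs$name_list('self_acl'));
  realms(3) := xs$realm_constraint_type(realm => 'manager_username = xs_sys_context(''xs$session'',''username'')',
                 acl_list => xs$name_list('mgr_acl'));
  -- Column constraints (column level): privilege required to see each column's value.
  cols.extend(2);
  cols(1) := xs$column_constraint_type(column_list => xs$list('ssn'),    privilege => 'view_ssn');
  cols(2) := xs$column_constraint_type(column_list => xs$list('salary'), privilege => 'view_salary');
  -- The policy is the collection of realms and their ACLs; attach it to the table.
  sys.xs_data_security.create_policy(name => 'emp_ds',
    realm_constraint_list => realms, column_constraint_list => cols);
  sys.xs_data_security.apply_object_policy(policy => 'emp_ds', schema => 'hr', object => 'emp_demo');
END;
/
```

Because the policy is attached to the table itself, the same filtering applies to a RAS session opened from APEX and to one opened from any other client.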
