
Oracle Database 12c Real Application Security and APEX

Oracle Real Application Security (RAS) applies security policies at the database layer. So, like VPD, those policies are applied to the data itself and do not rely on security built into an application. Security is applied to direct connections. Policies are stored in an "Identity and Policy Store".
As an example, an employee can see some public information about other employees and all of his own data. A manager can see all data of all his employees. So you need both column-level and row-level security. To accomplish the row-level security, RAS uses "Data Realms". Privileges, like viewSSN and viewSalary, are assigned to columns. Each Data Realm has an associated ACL with grants. So a policy is a collection of Data Realms and associated ACLs.
A user is granted a role. A role is a combination of policies. And this works for all applications that access this data, whether APEX, SQL*Plus or anything else.
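The employee/manager scenario above, written out as a RAS policy definition. This is an added example, not code from the session or from Oracle's demo; the table `APP.EMP` with columns `email`, `manager_email`, `ssn` and `salary`, the role names, and all ACL, security class and policy names are assumptions, as is the convention that `email` holds the RAS user name.

```sql
-- Constructed example; assumed names: APP.EMP(email, manager_email, ssn, salary),
-- roles EMPLOYEE/MANAGER, and every object name created below.
BEGIN
  sys.xs_principal.create_role(name => 'employee', enabled => TRUE);
  sys.xs_principal.create_role(name => 'manager',  enabled => TRUE);
  -- Security class: standard DML privileges plus the two column privileges.
  sys.xs_security_class.create_security_class(
    name        => 'emp_privs',
    parent_list => xs$name_list('sys.dml'),
    priv_list   => xs$privilege_list(xs$privilege('viewSSN'),
                                     xs$privilege('viewSalary')));
END;
/
DECLARE
  full_privs xs$name_list          := xs$name_list('select', 'viewSSN', 'viewSalary');
  aces   xs$ace_list               := xs$ace_list();
  realms xs$realm_constraint_list  := xs$realm_constraint_list();
  cols   xs$column_constraint_list := xs$column_constraint_list();
  me     VARCHAR2(60) := 'xs_sys_context(''xs$session'',''username'')';
BEGIN
  aces.extend(1);
  -- Public ACL: every employee may SELECT rows but holds no column privilege.
  aces(1) := xs$ace_type(privilege_list => xs$name_list('select'), principal_name => 'employee');
  sys.xs_acl.create_acl(name => 'public_acl', ace_list => aces, sec_class => 'emp_privs');
  -- Own-row ACL: an employee may also read SSN and salary.
  aces(1) := xs$ace_type(privilege_list => full_privs, principal_name => 'employee');
  sys.xs_acl.create_acl(name => 'self_acl', ace_list => aces, sec_class => 'emp_privs');
  -- Manager ACL: the same privileges, granted to the manager role.
  aces(1) := xs$ace_type(privilege_list => full_privs, principal_name => 'manager');
  sys.xs_acl.create_acl(name => 'mgr_acl', ace_list => aces, sec_class => 'emp_privs');

  -- Data realms (row level): each row predicate is paired with the ACL that governs it.
  realms.extend(3);
  realms(1) := xs$realm_constraint_type(realm => '1 = 1', acl_list => xs$name_list('public_acl'));
  realms(2) := xs$realm_constraint_type(realm => 'email = ' || me, acl_list => xs$name_list('self_acl'));
  realms(3) := xs$realm_constraint_type(realm => 'manager_email = ' || me, acl_list => xs$name_list('mgr_acl'));

  -- Column constraints: the column value is returned only if the ACL grants the privilege.
  cols.extend(2);
  cols(1) := xs$column_constraint_type(column_list => xs$list('ssn'),    privilege => 'viewSSN');
  cols(2) := xs$column_constraint_type(column_list => xs$list('salary'), privilege => 'viewSalary');

  sys.xs_data_security.create_policy(
    name                   => 'emp_ds',
    realm_constraint_list  => realms,
    column_constraint_list => cols);
  sys.xs_data_security.apply_object_policy(policy => 'emp_ds', schema => 'app', object => 'emp');
END;
/
```

With this policy applied, a session without the column privilege on a given row still gets the row back from `realms(1)`, but `ssn` and `salary` come back as NULL.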
In APEX you have to create Authorization Schemes that query the RAS ACLs using the ORA_CHECK_ACL function. The good news is that RAS is a no-cost option of the 12c EE database.
See 12c Oracle Security Documentation for all details.
The RAS Application Policy Management APEX application that was used in the demo looks very handy for managing the policies in a (more) user-friendly way. This application might be available for download from OTN at some later stage. It probably won't be shipped as a packaged application as it requires an EE license.
