Sunday, July 13, 2025

How Do I Apply Access Control in Oracle APEX

Introduction

Applying access control in Oracle APEX is a fundamental aspect of securing applications, ensuring that users can only interact with components and data they are authorized to access. Oracle APEX provides a built-in Application Access Control feature that simplifies role-based access management, allowing developers to define roles, assign them to users, and apply authorization schemes to control access to pages, regions, or buttons. This blog post will guide you through the process of applying access control in Oracle APEX, provide detailed steps for implementation, share best practices, and include a link to the official Oracle APEX documentation for further guidance.

Steps to Apply Access Control in Oracle APEX

  1. Understanding Application Access Control
    Oracle APEX’s Application Access Control feature, located in Shared Components, enables role-based access management. It allows you to define roles (e.g., Administrator, Editor, Viewer) and associate them with users, typically through a database table. These roles are then used in authorization schemes to restrict access to application components.

  2. Setting Up Application Access Control
    To configure access control:

    • Navigate to Shared Components > Application Access Control in your Oracle APEX application.
    • Click Add Role to define roles such as "Administrator," "Editor," or "Viewer." Assign a unique name and description for each role.
    • Create a table to store user-role mappings, or use the default APEX_ACCESS_CONTROL table. Example table structure:
      CREATE TABLE apex_access_control (
        username VARCHAR2(100),
        access_level VARCHAR2(50),
        CONSTRAINT pk_apex_access_control PRIMARY KEY (username)
      );
      
    • Populate the table with user-role assignments. Example:
      INSERT INTO apex_access_control (username, access_level) VALUES ('JOHN_DOE', 'ADMINISTRATOR');
      INSERT INTO apex_access_control (username, access_level) VALUES ('JANE_SMITH', 'EDITOR');
      
  3. Creating Authorization Schemes for Access Control
    Create authorization schemes that leverage the roles defined in Application Access Control:

    • Go to Shared Components > Authorization Schemes.
    • Click Create and define a scheme (e.g., "Admin_Only").
    • Select the scheme type as Exists SQL Query and use a query to check the user’s role. Example:
      SELECT 1
      FROM apex_access_control
      WHERE username = :APP_USER
      AND access_level = 'ADMINISTRATOR';
      
    • Alternatively, use a PL/SQL Function Returning Boolean for more complex logic:
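      -- Compile once in the application's parsing schema:
      CREATE OR REPLACE FUNCTION is_admin (p_username IN VARCHAR2) RETURN BOOLEAN IS
        l_count NUMBER;
      BEGIN
        -- Count ADMINISTRATOR rows for the given user
        SELECT COUNT(*) INTO l_count
        FROM apex_access_control
        WHERE username = p_username
        AND access_level = 'ADMINISTRATOR';
        RETURN l_count > 0;
      END is_admin;
      /
      -- Body of the authorization scheme (PL/SQL Function Returning Boolean):
      RETURN is_admin(:APP_USER);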
      
    • Set the evaluation frequency (e.g., "Once per Session" for static roles or "Once per Page View" for dynamic roles).
    • Specify an error message (e.g., "Access Denied: Administrator privileges required.") for unauthorized access.
  4. Applying Authorization Schemes to Components
    Apply the authorization schemes to restrict access to specific components:

    • Pages: In Page Designer, open the page, go to the Security tab, and select the authorization scheme (e.g., "Admin_Only") from the Authorization Scheme dropdown. This restricts the entire page to users with the specified role.
    • Regions: Select a region in Page Designer, navigate to the Security tab, and assign the scheme to control visibility or interactivity.
    • Buttons or Items: Apply the scheme to buttons (e.g., "Submit") or form items via their Security tab to restrict actions like editing or submitting.
    • Verify where the scheme is applied by checking the Used In column in the Authorization Schemes list, which shows all components using the scheme.
  5. Managing User-Role Assignments

    • Update user-role mappings dynamically via a form or PL/SQL process. Example: Create a form to manage the apex_access_control table, allowing administrators to assign roles.
    • After updating roles, reset the authorization scheme state to ensure immediate application of changes:
      BEGIN
        UPDATE apex_access_control
        SET access_level = 'EDITOR'
        WHERE username = :APP_USER;
        APEX_AUTHORIZATION.RESET_CACHE;
      END;
      
    • Ensure the form or process is secured with an authorization scheme to restrict access to authorized users (e.g., administrators).
  6. Testing Access Control

    • Test the setup by logging in as users with different roles (e.g., Administrator, Editor, Viewer) to verify that access restrictions work as expected.
    • Use APEX Debug Mode or query the APEX_ACTIVITY_LOG view to troubleshoot issues with scheme evaluation or role assignments.
    • Confirm that error messages display clearly when access is denied.
  7. Combining with Other Security Features

    • Combine access control with other APEX security features, such as Session State Protection (to prevent URL tampering) or Virtual Private Database (VPD) for row-level security.
    • Example: Use VPD to restrict data access based on roles stored in apex_access_control:
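      -- Create the policy function first; DBMS_RLS.ADD_POLICY refers to it by name.
      CREATE OR REPLACE FUNCTION restrict_by_role (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
      BEGIN
        -- In an APEX session, SESSION_USER is the database account APEX connects as,
        -- not the application user, so the predicate reads the APEX user from the
        -- APEX$SESSION context instead.
        RETURN 'EXISTS (SELECT 1 FROM apex_access_control WHERE username = SYS_CONTEXT(''APEX$SESSION'', ''APP_USER'') AND access_level = ''EDITOR'')';
      END restrict_by_role;
      /
      -- Attach the function to the table as a row-level security policy.
      BEGIN
        DBMS_RLS.ADD_POLICY (
          object_schema   => 'APP_SCHEMA',
          object_name     => 'EMPLOYEES',
          policy_name     => 'EMP_ACCESS',
          function_schema => 'APP_SCHEMA',
          policy_function => 'restrict_by_role'
        );
      END;
      /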
      

Access control in Oracle APEX allows you to define and manage user permissions within an application. This is achieved through an Access Control List (ACL), which you can create using the Access Control Wizard. This wizard is accessible via the Create Application Wizard or the Create Page Wizard.

When you run the Access Control Wizard, it:

  • Generates a management page for the access control list.

  • Creates two tables in the application's default parsing schema to store access control data.

Understanding Access Levels and Roles

The access control list enables you to assign specific privileges to users within the application. These privileges determine what actions users can perform and correspond to predefined access roles:

  • View Access (READER Role) – Users can view content but cannot make modifications.

  • Edit Access (CONTRIBUTOR Role) – Users can make changes but do not have administrative control.

  • Administration Access (ADMINISTRATOR Role) – Users have full control, including the ability to manage access control settings.

To enforce access restrictions on application pages and components, you must create an Authorization Scheme and associate it with the application.

Defining Additional Roles

Beyond the default roles, you can define custom roles through the Application Access Control page. Since roles are assigned to users, it is important to define roles before adding users.

Oracle APEX provides system views that allow you to review the access control settings:

  • APEX_APPL_ACL_USERS – Displays user access details.

  • APEX_APPL_ACL_USER_ROLES – Shows the roles assigned to users.

  • APEX_APPL_ACL_ROLES – Lists all roles defined in the application.
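
The queries below use these views for an authorization scheme and for a periodic review of role assignments. They are an added example, not taken from the original post or from Oracle's documentation, and they assume the application uses the built-in access control list with the role static IDs ADMINISTRATOR, CONTRIBUTOR and READER.

```sql
-- 1. Body for an "Exists SQL Query" authorization scheme:
--    grants access to users with edit access or higher in the current application.
SELECT 1
FROM apex_appl_acl_user_roles
WHERE application_id = :APP_ID
AND user_name = :APP_USER
AND role_static_id IN ('ADMINISTRATOR', 'CONTRIBUTOR');

-- 2. Review: every user and the roles they hold, per application.
SELECT application_id,
       user_name,
       LISTAGG(role_static_id, ', ') WITHIN GROUP (ORDER BY role_static_id) AS roles
FROM apex_appl_acl_user_roles
GROUP BY application_id, user_name
ORDER BY application_id, user_name;

-- 3. Review: roles that are defined but assigned to nobody
--    (candidates for removal, or a sign that assignments were lost).
SELECT r.application_id, r.role_static_id, r.role_name
FROM apex_appl_acl_roles r
WHERE NOT EXISTS (
  SELECT 1
  FROM apex_appl_acl_user_roles ur
  WHERE ur.application_id = r.application_id
  AND ur.role_id = r.role_id
);

-- 4. Review: number of administrators per application.
--    Zero means nobody can manage access; a large number is a least-privilege finding.
SELECT r.application_id,
       COUNT(ur.user_name) AS administrator_count
FROM apex_appl_acl_roles r
LEFT JOIN apex_appl_acl_user_roles ur
  ON ur.application_id = r.application_id
  AND ur.role_id = r.role_id
WHERE r.role_static_id = 'ADMINISTRATOR'
GROUP BY r.application_id
ORDER BY r.application_id;
```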

Creating Custom Access Control Roles

To enhance security and customize access control, you can create new roles within the application. Before assigning users to roles, ensure that the necessary roles have been created. This structured approach ensures that each user has the appropriate level of access based on their role in the application.

Best Practices for Applying Access Control in Oracle APEX

  • Follow Least Privilege: Assign users the minimum roles needed for their tasks to enhance security.
  • Use Descriptive Role Names: Define clear role names (e.g., "ADMINISTRATOR," "EDITOR") to reflect their purpose and simplify maintenance.
  • Centralize Role Management: Store user-role mappings in a single table (e.g., apex_access_control) for consistency across applications.
  • Secure Role Updates: Restrict role assignment updates to authorized users (e.g., administrators) using authorization schemes.
  • Optimize Evaluation Frequency: Use "Once per Session" for static roles to improve performance, or "Once per Page View" for dynamic role changes.
  • Test Extensively: Validate access control in a development environment with various user scenarios to ensure correct behavior.
  • Document Configurations: Maintain detailed records of roles, authorization schemes, and their application to components for easier troubleshooting.
  • Monitor Access: Enable Application Activity Logging in Shared Components > Security Attributes to track access attempts and audit role assignments.

Oracle APEX Documentation
For comprehensive details on applying access control in Oracle APEX, refer to the official documentation:
Oracle APEX Application Access Control Documentation

Conclusion

Applying access control in Oracle APEX using the Application Access Control feature enables developers to implement robust, role-based security with ease. By defining roles, creating authorization schemes, and applying them to components, you can ensure that users access only the features and data they are authorized for. Following best practices and consulting the Oracle APEX documentation will help you maintain a secure and efficient application, adapting to evolving security requirements. 

How Do I Copy or Subscribe to an Authorization Scheme in Oracle APEX

Introduction

Copying or subscribing to an authorization scheme in Oracle APEX enables developers to reuse access control logic across applications or within the same application, promoting consistency and simplifying maintenance. Copying creates an independent duplicate of a scheme, while subscribing links to a master scheme in another application, allowing centralized updates. Both approaches help streamline security management in complex APEX environments. This blog post will detail how to copy or subscribe to an authorization scheme in Oracle APEX, provide step-by-step instructions, share best practices, and include a link to the official Oracle APEX documentation for further guidance.

Steps to Copy or Subscribe to an Authorization Scheme in Oracle APEX

  1. Understanding Copying vs. Subscribing

    • Copying: Creates a standalone duplicate of an authorization scheme within the same or a different application. The copied scheme can be modified independently without affecting the original.
    • Subscribing: Links a target application to a master authorization scheme in another application. Changes to the master scheme automatically propagate to all subscribed applications, ensuring consistency.
      Both methods are managed in Shared Components > Authorization Schemes.
  2. Copying an Authorization Scheme
    To copy an existing authorization scheme:

    • Navigate to Shared Components > Authorization Schemes in the source application.
    • Locate the scheme to copy (e.g., "Admin_Access"), with logic like:
      SELECT 1
      FROM user_roles
      WHERE username = :APP_USER
      AND role_name = 'ADMIN';
      
    • Click the scheme name, then select Copy from the available actions.
    • Specify the target:
      • Same Application: Provide a new name for the copied scheme (e.g., "Admin_Access_Copy").
      • Different Application: Select the target application ID from the workspace and provide a new name.
    • Save the copied scheme. The new scheme is now independent and can be edited without affecting the original.
    • Apply the copied scheme to components (e.g., pages, regions) via their Security tab in Page Designer.
  3. Subscribing to an Authorization Scheme
    To subscribe to a master authorization scheme:

    • Open the target application and navigate to Shared Components > Authorization Schemes.
    • Click Create and select As a Subscription from Master Application.
    • Choose the master application by its ID or name from the list of applications in the workspace.
    • Select the master authorization scheme (e.g., "Admin_Access") from the dropdown.
    • Provide a local name for the scheme in the target application (optional; can match the master scheme’s name).
    • Save the subscription. The scheme now references the master scheme’s logic and cannot be edited directly in the target application.
    • Apply the subscribed scheme to components (e.g., pages, regions, buttons) via their Security tab in Page Designer.
    • Note: Updates to the master scheme (e.g., changing the SQL query to include role_name IN ('ADMIN', 'MANAGER')) automatically apply to all subscribed applications.
  4. Managing Copied Schemes

    • After copying, edit the new scheme’s attributes (e.g., SQL query, PL/SQL function, or evaluation frequency) to suit the target application’s needs.
    • Example: Modify a copied scheme to add conditions:
      SELECT 1
      FROM user_roles
      WHERE username = :APP_USER
      AND role_name = 'ADMIN'
      AND dept_id = :P1_DEPT_ID;
      
    • Verify the copied scheme’s independence by ensuring changes do not affect the original.
  5. Managing Subscribed Schemes

    • Changes to the master scheme in the source application propagate to all subscribed applications.
    • To stop subscribing, either:
      • Copy the master scheme to the target application (creating a local, editable copy).
      • Delete the subscription and create a new local scheme.
    • Check the Subscription column in the Authorization Schemes list to confirm subscription status.
  6. Integrating with Application Access Control
    If the scheme uses Application Access Control:

    • Ensure the master application’s apex_access_control table is accessible to the target application (e.g., via shared database objects).
    • Example master scheme:
      SELECT 1
      FROM apex_access_control
      WHERE username = :APP_USER
      AND access_level = 'EDITOR';
      
    • For subscriptions, verify that user-role mappings are consistent across applications. For copied schemes, replicate the table or logic in the target application if needed.
  7. Testing Copied or Subscribed Schemes

    • Test the copied or subscribed scheme by logging in as users with different roles (e.g., ADMIN, EDITOR) to ensure access restrictions work as expected.
    • Use APEX Debug Mode or query the APEX_ACTIVITY_LOG view to troubleshoot issues with scheme evaluation.
    • For subscriptions, test after updating the master scheme to confirm changes propagate correctly.
    • Verify that error messages (e.g., "Access Denied") display appropriately when access is denied.

To copy or subscribe to an authorization scheme, follow these steps:

  1. Access the Authorization Schemes Page:

    • On the Workspace home page, click App Builder.

    • Select the application where you want to copy or subscribe to an authorization scheme.

    • On the Application home page, click Shared Components to open the Shared Components page.

    • Under the Security section, click Authorization Schemes.

    • The Authorization Schemes page will display, including details such as Subscribed From, Subscription Status, and Subscribers.

  2. Initiate the Copy Process:

    • In the Tasks list, click Copy from another app.

  3. Select the Source Application:

    • Under Copy From Application, choose the application that contains the authorization scheme you want to copy.

    • Click Next to proceed.

  4. Set the Name and Copy Options:

    • In the To Name field, optionally modify the name of the copied authorization scheme.

    • Choose a copy action: 

      • Yes – Copy the authorization scheme without subscribing.

      • No – Do not copy the authorization scheme.

      • Copy and Subscribe – Copy the authorization scheme and subscribe to it. Subscribing ensures that any updates to the original (master) scheme automatically apply to the copied version.

After completing these steps, the copied or subscribed authorization scheme will be available for use in your application.

EXAMPLE:

Step 1 - To create a new scheme, click Create.

Step 2 - Follow the wizard.

Best Practices for Copying or Subscribing to Authorization Schemes in Oracle APEX

  • Choose Copying for Flexibility: Copy schemes when you need to customize logic for a specific application without affecting the original.
  • Choose Subscribing for Consistency: Subscribe to schemes when maintaining uniform access control across multiple applications is critical.
  • Select a Stable Master Application: For subscriptions, use a well-maintained master application to ensure reliable scheme updates.
  • Use Descriptive Names: Name schemes clearly (e.g., "Global_Admin_Access" or "Local_Editor_Access") to indicate their purpose and scope.
  • Test Thoroughly: Validate copied or subscribed schemes in a development environment to ensure they function correctly with local data.
  • Document Configurations: Maintain records of copied and subscribed schemes, including master application IDs, scheme names, and associated components.
  • Secure Shared Data: Ensure database objects (e.g., user_roles or apex_access_control tables) used by schemes are accessible to all relevant applications.
  • Monitor and Audit: Enable Application Activity Logging in Shared Components > Security Attributes to track access attempts and detect issues after copying or subscribing.

Oracle APEX Documentation
For detailed guidance on copying and subscribing to authorization schemes in Oracle APEX, refer to the official documentation:
Oracle APEX Authorization Schemes Documentation

Conclusion
Copying or subscribing to an authorization scheme in Oracle APEX provides powerful options for reusing and managing access control logic across applications. Copying allows for independent customization, while subscribing ensures consistency through centralized updates. By following best practices and thoroughly testing your setup, you can maintain a secure and efficient authorization framework. Regularly consult the Oracle APEX documentation to leverage advanced features and keep your application’s security robust.

How Do I Reset Authorization Scheme State in Oracle APEX

Introduction

Authorization schemes in Oracle APEX control access to application components, such as pages, regions, or buttons, based on user roles or conditions. These schemes are often evaluated once per session for performance, but there are scenarios where resetting their state is necessary to re-evaluate permissions during a user’s session, such as when roles change dynamically. Resetting the authorization scheme state ensures that access controls reflect the latest user privileges. This blog post will explain how to reset the authorization scheme state in Oracle APEX, provide detailed steps, share best practices, and include a link to the official Oracle APEX documentation for further guidance.

Steps to Reset Authorization Scheme State in Oracle APEX

  1. Understanding Authorization Scheme State
    Authorization schemes in Oracle APEX are typically evaluated based on their defined frequency: "Once per Session" (cached for the session) or "Once per Page View" (re-evaluated on each page load). When set to "Once per Session," the scheme’s result is stored in the session state, and changes to user roles or conditions during the session may not take effect until the session ends. Resetting the authorization scheme state forces re-evaluation of the scheme to reflect updated permissions.

  2. When to Reset Authorization Scheme State
    Resetting the state is necessary in scenarios such as:

    • A user’s role changes during their session (e.g., an admin promotes a user to a new role).
    • A condition in the scheme (e.g., department or status) is updated dynamically.
    • Debugging or testing authorization logic requires immediate re-evaluation.
  3. Using APEX_AUTHORIZATION.RESET_CACHE to Reset State
    Oracle APEX provides the APEX_AUTHORIZATION.RESET_CACHE API to reset the authorization scheme state for a user’s session.

    • Call the API in a PL/SQL process, dynamic action, or application process when a change occurs that requires re-evaluation. Example:
      BEGIN
        APEX_AUTHORIZATION.RESET_CACHE;
      END;
      
    • Where to Use:
      • Page Process: Add a PL/SQL process to a specific page (e.g., after a role-update form submission). In Page Designer, create a process under Processing > Processes, set the type to "Execute Code," and include the RESET_CACHE call.
      • Dynamic Action: Create a dynamic action triggered by a button click (e.g., "Update Role") and add a PL/SQL action to call APEX_AUTHORIZATION.RESET_CACHE.
      • Application Process: Define an application-level process under Shared Components > Application Processes to reset the cache globally when specific conditions are met (e.g., after a database update).
    • Ensure the process runs after the user’s permissions are updated (e.g., after updating a role in the user_roles table).
  4. Manually Invalidating Session State
    In some cases, you may need to invalidate the entire session to force re-evaluation of all authorization schemes:

    • Use APEX_SESSION.DELETE_SESSION to end the current session and force a new one. Example:
      BEGIN
        APEX_SESSION.DELETE_SESSION(p_session_id => :APP_SESSION);
      END;
      
    • Redirect the user to the login page or a specific page after invalidating the session to start a new session. Example:
      BEGIN
        APEX_SESSION.DELETE_SESSION(p_session_id => :APP_SESSION);
        APEX_UTIL.REDIRECT_URL(p_url => 'f?p=' || :APP_ID || ':LOGIN:' || :APP_SESSION);
      END;
      
    • Note: This approach logs the user out, requiring re-authentication, so use it sparingly.
  5. Adjusting Evaluation Frequency as an Alternative
    Instead of resetting the state, consider changing the scheme’s evaluation frequency:

    • Navigate to Shared Components > Authorization Schemes and edit the scheme.
    • Change the Evaluation Point from "Once per Session" to "Once per Page View" for dynamic scenarios.
    • Example: If a scheme checks a user’s role (SELECT 1 FROM user_roles WHERE username = :APP_USER AND role_name = 'ADMIN'), setting it to "Once per Page View" ensures it re-evaluates on each page load, eliminating the need for manual resets in some cases.
    • Be cautious, as this increases database queries and may impact performance.
  6. Testing the Reset Process

    • Test the reset by updating a user’s role (e.g., via a form or database update) and triggering the APEX_AUTHORIZATION.RESET_CACHE call.
    • Verify that the user’s access to components (e.g., pages, regions) reflects the updated permissions.
    • Use APEX Debug Mode or query the APEX_ACTIVITY_LOG view to confirm the scheme re-evaluates correctly.
    • Check that error messages (e.g., "Access Denied") display appropriately when access is revoked.
  7. Integrating with Application Access Control
    If using Application Access Control:

    • Update the apex_access_control table to reflect role changes (e.g., UPDATE apex_access_control SET access_level = 'EDITOR' WHERE username = :APP_USER).
    • Call APEX_AUTHORIZATION.RESET_CACHE immediately after the update to ensure the scheme reflects the new role.
    • Example:
      BEGIN
        UPDATE apex_access_control
        SET access_level = 'EDITOR'
        WHERE username = :APP_USER;
        APEX_AUTHORIZATION.RESET_CACHE;
      END;
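
A server-side version of this role change, covering both the "Managing User-Role Assignments" step earlier on the page and the example above, follows as an added example; it is not code from the original post or from Oracle. The procedure set_access_level and the table access_control_audit are hypothetical names, and the allowed levels are taken from the role names the post uses.

```sql
-- Hypothetical audit table (an assumption, not part of APEX or the post).
CREATE TABLE access_control_audit (
  changed_at  TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
  changed_by  VARCHAR2(100) NOT NULL,
  username    VARCHAR2(100) NOT NULL,
  old_level   VARCHAR2(50),
  new_level   VARCHAR2(50) NOT NULL
);

-- Hypothetical procedure: changes another user's role in the post's
-- apex_access_control table, with the checks enforced in the database
-- rather than only on the page that calls it.
CREATE OR REPLACE PROCEDURE set_access_level (
  p_target_user IN VARCHAR2,
  p_new_level   IN VARCHAR2
) IS
  -- The caller is read from the APEX session context, never from a parameter.
  l_caller    VARCHAR2(100) := SYS_CONTEXT('APEX$SESSION', 'APP_USER');
  l_is_admin  NUMBER;
  l_admins    NUMBER;
  l_old_level apex_access_control.access_level%TYPE;
BEGIN
  -- 1. Only an administrator may change roles. A NULL caller (procedure run
  --    outside an APEX session) matches no row and is rejected as well.
  SELECT COUNT(*) INTO l_is_admin
  FROM apex_access_control
  WHERE username = l_caller
  AND access_level = 'ADMINISTRATOR';

  IF l_is_admin = 0 THEN
    raise_application_error(-20001, 'Access Denied: Administrator privileges required.');
  END IF;

  -- 2. Accept only known levels; the explicit NULL test matters because
  --    NULL NOT IN (...) evaluates to NULL and would skip the check.
  IF p_new_level IS NULL
     OR p_new_level NOT IN ('ADMINISTRATOR', 'EDITOR', 'VIEWER') THEN
    raise_application_error(-20002, 'Unknown access level.');
  END IF;

  -- 3. Lock the target row and read the current level for the audit record.
  BEGIN
    SELECT access_level INTO l_old_level
    FROM apex_access_control
    WHERE username = p_target_user
    FOR UPDATE;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      raise_application_error(-20003, 'No access control entry for this user.');
  END;

  -- 4. Refuse to demote the last remaining administrator.
  IF l_old_level = 'ADMINISTRATOR' AND p_new_level <> 'ADMINISTRATOR' THEN
    SELECT COUNT(*) INTO l_admins
    FROM apex_access_control
    WHERE access_level = 'ADMINISTRATOR';

    IF l_admins <= 1 THEN
      raise_application_error(-20004, 'At least one administrator must remain.');
    END IF;
  END IF;

  -- 5. Apply the change and record who made it.
  UPDATE apex_access_control
  SET access_level = p_new_level
  WHERE username = p_target_user;

  INSERT INTO access_control_audit (changed_by, username, old_level, new_level)
  VALUES (l_caller, p_target_user, l_old_level, p_new_level);

  -- 6. RESET_CACHE clears the authorization cache of the session that calls it,
  --    so it covers the administrator's own session here. A "Once per Session"
  --    result already cached in the target user's session is not touched by
  --    this call; schemes that must follow role changes at once should be
  --    evaluated "Once per Page View".
  APEX_AUTHORIZATION.RESET_CACHE;
END set_access_level;
/
```

Call it from the page process behind the role-management form, for example set_access_level(:P10_USERNAME, :P10_ACCESS_LEVEL), where the two item names are placeholders for the form's own items.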
      

Oracle APEX caches the validation results of authorization schemes in a user's session to improve performance. If an authorization scheme is set to validate once per session, its result is stored in the session cache. However, in some cases, you may need to reset the authorization state, such as when user roles change dynamically.

To reset the authorization scheme state for a session, you can use the APEX_AUTHORIZATION.RESET_CACHE API. This allows the application to revalidate authorization schemes without requiring the user to log out and start a new session.

Copying or Subscribing to an Authorization Scheme

Developers can copy an authorization scheme either from the current application or from another application. If copying from another application, there is also an option to subscribe to the scheme.

Subscribing to an authorization scheme ensures that any updates made to the master scheme will automatically reflect in all subscribed applications. This is particularly useful for maintaining consistency in security settings across multiple applications in a workspace.

To learn more about how shared component subscriptions work, refer to the Using Shared Component Subscriptions documentation in Oracle APEX.

Best Practices for Resetting Authorization Scheme State in Oracle APEX

  • Use RESET_CACHE Judiciously: Only reset the authorization state when necessary (e.g., after role changes) to avoid unnecessary performance overhead.
  • Minimize Session Invalidations: Avoid using APEX_SESSION.DELETE_SESSION unless absolutely required, as it disrupts the user experience by forcing re-authentication.
  • Choose Appropriate Evaluation Frequency: Use "Once per Page View" for dynamic permissions to reduce the need for manual resets, but balance with performance considerations.
  • Test Thoroughly: Validate reset processes in a development environment to ensure they correctly update access without unintended side effects.
  • Log Changes: Enable Application Activity Logging in Shared Components > Security Attributes to track role changes and reset events for auditing.
  • Document Processes: Maintain documentation of when and why authorization state resets are triggered, including associated PL/SQL processes or dynamic actions.
  • Secure Updates: Ensure that role updates and reset calls are protected by appropriate authorization checks to prevent unauthorized changes.
  • Monitor Performance: Monitor the impact of frequent resets or "Once per Page View" evaluations on application performance, especially in high-traffic applications.

Oracle APEX Documentation
For detailed information on managing authorization schemes and session state in Oracle APEX, refer to the official documentation:
Oracle APEX Authorization Schemes Documentation

Conclusion
Resetting the authorization scheme state in Oracle APEX is a powerful technique to ensure that access controls reflect the latest user permissions, especially in dynamic applications. By using the APEX_AUTHORIZATION.RESET_CACHE API, adjusting evaluation frequencies, or selectively invalidating sessions, developers can maintain a secure and responsive application. Following best practices and consulting the Oracle APEX documentation will help you implement effective reset processes and uphold a robust security framework.

How Do I Subscribe to an Authorization Scheme in Oracle APEX

Introduction

Subscribing to an authorization scheme in Oracle APEX allows developers to reuse a master authorization scheme across multiple applications, ensuring consistent access control and simplifying maintenance. By subscribing, you can reference a single scheme defined in a master application, reducing redundancy and ensuring that updates to the scheme propagate automatically to subscribed applications. This blog post will explain how to subscribe to an authorization scheme in Oracle APEX, provide detailed steps for implementation, share best practices, and include a link to the official Oracle APEX documentation for further guidance.

Steps to Subscribe to an Authorization Scheme in Oracle APEX

  1. Understanding Authorization Scheme Subscription
    In Oracle APEX, authorization schemes define access rules for application components like pages, regions, or buttons. Subscribing to an authorization scheme allows multiple applications to reference a master scheme from a designated application, ensuring consistent security logic. Changes made to the master scheme automatically apply to all subscribed applications, streamlining updates and maintenance.

  2. Identifying the Master Authorization Scheme
    The master authorization scheme must exist in a source application (the "master application") before you can subscribe to it.

    • In the master application, navigate to Shared Components > Authorization Schemes.
    • Verify that the desired scheme exists (e.g., "Admin_Access" or "Editor_Role"). Example master scheme (Exists SQL Query):
      SELECT 1
      FROM user_roles
      WHERE username = :APP_USER
      AND role_name = 'ADMIN';
      
    • Note the master application’s ID and the scheme’s name for reference.
  3. Subscribing to the Authorization Scheme
    To subscribe to a master authorization scheme in a target application:

    • Open the target application in Oracle APEX.
    • Navigate to Shared Components > Authorization Schemes.
    • Click Create to start the process.
    • Select As a Subscription from Master Application in the creation wizard.
    • Choose the master application by its ID or name from the list of available applications in the workspace.
    • Select the master authorization scheme (e.g., "Admin_Access") from the dropdown.
    • Provide a local name for the scheme in the target application (optional; can match the master scheme’s name).
    • Save the subscription. The scheme will now reference the master scheme’s logic and cannot be edited directly in the target application.
  4. Applying the Subscribed Authorization Scheme
    After subscribing, apply the scheme to components in the target application:

    • Pages: In Page Designer, open the page, go to the Security tab, and select the subscribed scheme (e.g., "Admin_Access") from the Authorization Scheme dropdown.
    • Regions: In Page Designer, select the region, navigate to the Security tab, and assign the subscribed scheme.
    • Buttons or Items: Apply the scheme to buttons or items via their Security tab to restrict actions or visibility.
    • Verify that the scheme is correctly applied by checking the Used In column in the Authorization Schemes list.
  5. Managing Subscription Updates

    • Changes to the master scheme (e.g., updating the SQL query or PL/SQL function) automatically propagate to all subscribed applications.
    • To update the master scheme, go to the master application and edit the scheme under Shared Components > Authorization Schemes in Oracle APEX.
    • Example: If the master scheme’s logic changes (e.g., from role_name = 'ADMIN' to role_name IN ('ADMIN', 'MANAGER')), all subscribed applications will reflect this update without further action.
    • To stop subscribing, you can copy the master scheme to the target application (creating a local copy) or delete the subscription and create a new local scheme.
  6. Testing the Subscribed Scheme

    • Test the subscribed scheme in the target application by logging in as users with different roles (e.g., ADMIN, EDITOR, VIEWER) to ensure access restrictions work as expected.
    • Use APEX Debug Mode or query the APEX_ACTIVITY_LOG view in the target application to troubleshoot any issues with scheme evaluation.
    • Verify that error messages (defined in the master scheme) display correctly when access is denied.
  7. Using Application Access Control with Subscribed Schemes
    If the master scheme integrates with Application Access Control:

    • Ensure the master application’s Application Access Control table (e.g., apex_access_control) is accessible to the target application, either through shared database objects or replication.
    • Example master scheme using Application Access Control:
      SELECT 1
      FROM apex_access_control
      WHERE username = :APP_USER
      AND access_level = 'EDITOR';
      
    • Verify that user-role mappings are consistent across applications to avoid discrepancies.
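
One way to check mapping consistency when the table is replicated rather than shared (an added example, not part of the original post). The schema names MASTER_APP and TARGET_APP are hypothetical; the table and columns are the apex_access_control structure shown earlier in this post.

```sql
-- Added example: report drift between the master copy and a replicated copy
-- of the user-role mapping table. MASTER_APP and TARGET_APP are hypothetical
-- schema names; substitute the schemas that own each copy.
--
-- The join is on the exact username because the scheme above compares
-- username = :APP_USER literally. A row that differs only in case or
-- trailing whitespace therefore shows up as one MISSING and one EXTRA row,
-- which is also how the authorization scheme would treat it.
SELECT COALESCE(m.username, t.username) AS username,
       m.access_level                   AS master_level,
       t.access_level                   AS target_level,
       CASE
         WHEN m.username IS NULL THEN 'EXTRA_IN_TARGET'    -- access the master never granted
         WHEN t.username IS NULL THEN 'MISSING_IN_TARGET'  -- user would be denied in the target
         ELSE 'LEVEL_MISMATCH'                             -- same user, different role
       END                              AS drift
FROM   master_app.apex_access_control m
       FULL OUTER JOIN target_app.apex_access_control t
         ON t.username = m.username
WHERE  m.username IS NULL
   OR  t.username IS NULL
       -- DECODE treats two NULLs as equal, so a NULL access_level on one side
       -- only is still reported (a plain <> comparison would hide it).
   OR  DECODE(m.access_level, t.access_level, 0, 1) = 1
ORDER  BY drift, username;
```

An empty result means both copies would give the subscribed scheme the same answer for every user. EXTRA_IN_TARGET and LEVEL_MISMATCH rows deserve review first, since they can represent access the master application does not grant.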

Subscribing to an authorization scheme allows developers to reuse security settings across multiple applications in a workspace. By subscribing, changes made to the master authorization scheme will automatically apply to the subscribed schemes, ensuring consistency across applications.

If you want to use an existing authorization scheme from another application, you can subscribe to it directly. Alternatively, you can copy an authorization scheme and then subscribe to it.

Steps to Subscribe to an Authorization Scheme

  1. Navigate to the Authorization Schemes Page

    • From the Workspace home page, click on the App Builder icon.

    • Select the application in which you want to subscribe to an authorization scheme.

    • On the Application home page, click Shared Components to open the Shared Components page.

    • Under Security, click Authorization Schemes.

    • The Authorization Schemes page appears, displaying key details such as Subscribed From, Subscription Status, and Subscribers.

  2. Select an Authorization Scheme

    • Click on the authorization scheme you want to subscribe to.

    • The Edit Authorization Scheme page appears.

  3. Subscribe to an Authorization Scheme

    • Locate the Subscription section.

    • In the Subscribe From field, select the application containing the master authorization scheme.

    • Click Apply Changes to confirm the subscription.

    • Once subscribed, the authorization scheme will automatically update whenever the master scheme is modified.

  4. Refreshing a Subscribed Authorization Scheme

    • If the master authorization scheme is updated and you want to apply the latest changes, you can refresh the subscription.

    • Locate the Subscription section.

    • Click Refresh Scheme to update the authorization scheme with the latest version from the master application.

    • Click Apply Changes to confirm.

  5. Unsubscribing from an Authorization Scheme

    • If you no longer want the authorization scheme to be linked to the master scheme, you can unsubscribe.

    • Locate the Subscription section.

    • Click Unsubscribe to break the link to the master scheme.

By using authorization scheme subscriptions, developers can ensure uniform security policies across multiple applications while reducing maintenance effort.

Best Practices for Subscribing to Authorization Schemes in Oracle APEX

  • Choose a Reliable Master Application: Select a stable, well-maintained application as the master to ensure consistent scheme behavior across subscribed applications.
  • Use Descriptive Names: Name schemes clearly in the master application (e.g., "Global_Admin_Access") to reflect their purpose and scope.
  • Centralize Role Management: Use a shared Application Access Control table across applications to maintain consistent role assignments.
  • Test Subscriptions Thoroughly: Validate subscribed schemes in each target application to ensure they function as expected with local user data.
  • Document Subscriptions: Maintain documentation of which applications subscribe to which master schemes, including the master application ID and scheme details.
  • Monitor Changes: Regularly review updates to the master scheme to understand their impact on subscribed applications.
  • Secure Database Access: Ensure that any database objects (e.g., tables or functions) used by the master scheme are accessible to all subscribed applications.
  • Enable Logging: Activate Application Activity Logging in Shared Components > Security Attributes in both master and target applications to track access attempts and detect issues.
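
The "Document Subscriptions" and "Monitor Changes" practices above can be backed by a query instead of a hand-maintained list. The following is an added example, not from the original post; it assumes the APEX dictionary view APEX_APPLICATION_AUTHORIZATION with its AUTHORIZATION_SCHEME_ID, REFERENCED_SCHEME_ID and LAST_UPDATED_ON columns, so confirm the column list in your APEX release before relying on it.

```sql
-- Added example: inventory of subscribed authorization schemes in the
-- workspace(s) visible to the current schema, with the master each one
-- points to. Column names are assumed from the APEX dictionary view
-- APEX_APPLICATION_AUTHORIZATION; verify them with DESC in your release.
SELECT sub.application_id            AS subscriber_app_id,
       sub.application_name          AS subscriber_app,
       sub.authorization_scheme_name AS subscribed_scheme,
       mst.application_id            AS master_app_id,
       mst.application_name          AS master_app,
       mst.authorization_scheme_name AS master_scheme,
       mst.last_updated_on           AS master_changed,
       sub.last_updated_on           AS subscriber_changed,
       CASE
         -- The master row is not visible: deleted, or in another workspace.
         WHEN mst.authorization_scheme_id IS NULL
           THEN 'MASTER NOT VISIBLE'
         -- Heuristic only: the master was edited after the subscriber copy.
         WHEN mst.last_updated_on > sub.last_updated_on
           THEN 'REVIEW: MASTER CHANGED LATER'
         ELSE 'OK'
       END                           AS status
FROM   apex_application_authorization sub
       LEFT JOIN apex_application_authorization mst
         ON mst.authorization_scheme_id = sub.referenced_scheme_id
WHERE  sub.referenced_scheme_id IS NOT NULL   -- only schemes that subscribe to a master
ORDER  BY mst.application_id, sub.application_id, sub.authorization_scheme_name;
```

Run it from SQL Workshop or as a parsing schema of the workspace; the timestamp comparison is a prompt for review, not proof that a subscriber is out of date.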

Oracle APEX Documentation
For detailed guidance on subscribing to and managing authorization schemes in Oracle APEX, refer to the official documentation:
Oracle APEX Authorization Schemes Documentation

Conclusion
Subscribing to an authorization scheme in Oracle APEX enables developers to implement consistent access controls across multiple applications, reducing maintenance overhead and ensuring uniformity. By carefully selecting a master scheme, applying it to components, and following best practices, you can create a scalable and secure authorization framework. Regularly consult the Oracle APEX documentation to stay informed about advanced features and maintain a robust security posture for your applications.
