Reset Authorization Scheme State in Oracle APEX

As an Oracle APEX expert, understanding how to reset the authorization scheme state is crucial when you need to re-evaluate a user's access rights during an active session. Oracle APEX caches the result of authorization schemes for performance reasons, so if the user's privileges change mid-session (such as after a role update or a login-as function), you must explicitly clear the authorization result cache to reflect the new state.

Below is a detailed explanation of how to reset or refresh the authorization scheme state in Oracle APEX:

Why Reset Authorization Scheme State?

Oracle APEX caches the evaluation result of an authorization scheme per session to avoid re-executing the logic repeatedly. While this improves performance, it means that if a user's authorization context changes, APEX may continue to rely on outdated results. For scenarios where authorization results are dynamic—based on session variables, roles, or temporary states—you must manually clear the cached result.

Step-by-Step: How to Reset the Authorization Scheme State

1. Use apex_authorization.reset_cache API

Oracle APEX provides a built-in PL/SQL API to reset the cached results for authorization schemes:

begin
  apex_authorization.reset_cache(p_authorization_name => 'IS_ADMIN');
end;

This command clears the cached result of the named authorization scheme for the current session. The next time APEX evaluates this scheme, it will re-execute the logic as defined.

Parameters:

• p_authorization_name: The name of the authorization scheme, not the static ID.

2. Reset All Authorization Schemes

If you want to reset all authorization schemes for the current session:

begin
  apex_authorization.reset_cache;
end;

This approach is useful after global context changes—such as role switching, user impersonation, or setting session variables that affect multiple access controls.

3. Where to Use This

You can place this PL/SQL logic in:

• Dynamic Actions (on button clicks or page load)

• After Login Procedures

• Custom Authentication plug-ins

• Process-level code (for conditional access refreshes)

• REST APIs or background PL/SQL procedures

Example Use Case: Resetting After Role Change

Suppose your application allows an admin to temporarily promote a user to a higher role, and your authorization schemes rely on session variables like :APP_ROLE.

After updating the role:

:APP_ROLE := 'ADMIN';
apex_authorization.reset_cache;

This ensures the new role is recognized across the entire application for authorization decisions.

Debugging Tip

To confirm that an authorization scheme is being re-evaluated:

• Enable Debug Mode in the developer toolbar.

• Trigger the component (page, region, button).

• Search for authorization evaluations in the debug log.

You’ll see a line like:

Evaluating authorization scheme "IS_ADMIN"...

If you don't see this, the result is still cached, and reset_cache may not have been executed properly.

Best Practices

• Avoid calling reset_cache on every page load—this negates the performance benefit of caching.

• Only reset schemes when necessary, such as after a user privilege change.

• Use static names for authorization schemes for easier referencing in PL/SQL.

• Combine with session state logic for dynamic authorization rules.

Oracle APEX caches the validation results of authorization schemes in a user's session to improve performance. If an authorization scheme is set to validate once per session, its result is stored in the session cache. However, in some cases, you may need to reset the authorization state, such as when user roles change dynamically.

To reset the authorization scheme state for a session, you can use the APEX_AUTHORIZATION.RESET_CACHE API. This allows the application to revalidate authorization schemes without requiring the user to log out and start a new session.

Copying or Subscribing to an Authorization Scheme

Developers can copy an authorization scheme either from the current application or from another application. If copying from another application, there is also an option to subscribe to the scheme.

Subscribing to an authorization scheme ensures that any updates made to the master scheme will automatically reflect in all subscribed applications. This is particularly useful for maintaining consistency in security settings across multiple applications in a workspace.

To learn more about how shared component subscriptions work, refer to the Using Shared Component Subscriptions documentation in Oracle APEX.

In Oracle APEX, resetting the authorization scheme cache is an essential technique when your app's security logic depends on changing runtime conditions. By using the apex_authorization.reset_cache API, you ensure that APEX re-evaluates the user's current access privileges immediately, maintaining secure and consistent behavior across your application. Use this feature wisely to balance security accuracy with performance.

Subscribe to an Authorization Scheme in Oracle APEX

 Subscribing to an authorization scheme allows developers to reuse security settings across multiple applications in a workspace. By subscribing, changes made to the master authorization scheme will automatically apply to the subscribed schemes, ensuring consistency across applications.

If you want to use an existing authorization scheme from another application, you can subscribe to it directly. Alternatively, you can copy an authorization scheme and then subscribe to it.

Steps to Subscribe to an Authorization Scheme

1. Navigate to the Authorization Schemes Page

• From the Workspace home page, click on the App Builder icon.

• Select the application in which you want to subscribe to an authorization scheme.

• On the Application home page, click Shared Components to open the Shared Components page.

• Under Security, click Authorization Schemes.

• The Authorization Schemes page appears, displaying key details such as Subscribed From, Subscription Status, and Subscribers.

2. Select an Authorization Scheme

• Click on the authorization scheme you want to subscribe to.

• The Edit Authorization Scheme page appears.

3. Subscribe to an Authorization Scheme

• Locate the Subscription section.

• In the Subscribe From field, select the application containing the master authorization scheme.

• Click Apply Changes to confirm the subscription.

• Once subscribed, the authorization scheme will automatically update whenever the master scheme is modified.

4. Refreshing a Subscribed Authorization Scheme

• If the master authorization scheme is updated and you want to apply the latest changes, you can refresh the subscription.

• Locate the Subscription section.

• Click Refresh Scheme to update the authorization scheme with the latest version from the master application.

• Click Apply Changes to confirm.

5. Unsubscribing from an Authorization Scheme

• If you no longer want the authorization scheme to be linked to the master scheme, you can unsubscribe.

• Locate the Subscription section.

• Click Unsubscribe to break the link to the master scheme.

By using authorization scheme subscriptions, developers can ensure uniform security policies across multiple applications while reducing maintenance effort.

Edit the Attributes of an Existing Authorization Scheme in Oracle APEX

 Editing the attributes of an existing authorization scheme allows you to update the conditions and behaviors that control user access to different parts of your application. This can be essential for fine-tuning security settings based on evolving requirements.

Steps to Edit the Attributes of an Existing Authorization Scheme

1. From the Workspace home page, click on the App Builder icon.

2. Select the application where you want to modify the authorization scheme.

3. On the Application home page, click on Shared Components.
   This opens the Shared Components page.

4. Under the Security section, select Authorization Schemes.
   The Authorization Schemes page appears. By default, the schemes are displayed as icons. You can use the search bar at the top of the page to filter and customize how the schemes are displayed.

5. Click on the authorization scheme you wish to edit.

6. Edit the necessary attributes of the scheme, such as: 

• Authorization Scheme Type (e.g., SQL query, PL/SQL function).

• Authorization Logic (modify the SQL query or PL/SQL function).

• Error Message (customize the message shown when authorization fails).
  For more details, refer to field-level help within the page.

7. Once you've made the necessary changes, click Apply Changes to save your edits.

Changing the Evaluation Point for an Authorization Scheme

The Evaluation Point attribute controls when an authorization scheme is validated. You can adjust this setting to determine how often the authorization scheme is re-evaluated during a session.

Authorization schemes are generally evaluated when they are first used in a session. The Validate Authorization Scheme attribute allows you to set when and how often re-evaluations occur, based on your application's needs.

Steps to Change the Authorization Scheme Evaluation Point

1. On the Workspace home page, click the App Builder icon.

2. Select the application you want to modify.

3. On the Application home page, click Shared Components.
   This will bring you to the Shared Components page.

4. Under the Security section, click Authorization Schemes.
   The Authorization Schemes page will appear. You can search or filter the schemes using the search bar at the top of the page.

5. Select the authorization scheme you want to modify.

6. Scroll down to the Evaluation Point section and update the Validate Authorization Scheme setting.
   You have several options:

• Once per session: The scheme is evaluated only once per session, and the result is memorized for subsequent requests.

• Once per page view: The scheme is evaluated for each page view, but the memorized result is used if the authorization scheme is referenced more than once on the same page.

• Once per component: The scheme is evaluated once per component on the page, with the result stored in the session for future use on that component.

• Always (No Caching): The authorization scheme will always be evaluated for every request without caching the result.

If you choose Once per session, it is the most efficient option for general use. Consider using another setting if the authorization check depends on factors that change during the session, such as changes in session state or user roles.

7. After making your changes, click Apply Changes to save the updated settings.

By carefully adjusting the evaluation point, you can optimize the performance of your application while ensuring the correct authorization checks are made at the right time.

Attaching an Authorization Scheme to an Application in Oracle APEX

In Oracle APEX, attaching an Authorization Scheme to an application allows you to enforce access control across various components such as pages, buttons, regions, items, and processes. This mechanism ensures that only users with appropriate permissions can access or interact with parts of the application. Below is a detailed guide on how to create and attach an Authorization Scheme within your APEX application.

Step 1: Create an Authorization Scheme

1. Open your APEX application.

2. From the App Builder, select your application and navigate to the Shared Components.

3. Under the Security section, click Authorization Schemes.

4. Click Create and choose from the available options:

   • From Scratch

   • From Scratch - PL/SQL Function Returning Boolean

   • From Scratch - SQL Query Returning Rows

   • Based on Existing Scheme

   • Is In Role

   • Must Not Be Public User

5. Provide a Name for your scheme (e.g., Is_Admin_Access).

6. Choose the appropriate Evaluation Type (PL/SQL, SQL, etc.).

7. Enter your authorization logic. For example, for PL/SQL:

   return :APP_USER in ('ADMIN', 'MANAGER');
   

8. (Optional) Enter an error message to be displayed if the authorization fails.

9. Click Create Authorization Scheme.

Step 2: Attach the Authorization Scheme at the Application Level

Attaching a scheme at the application level provides a global layer of protection.

1. Go back to Shared Components.

2. Under Security, click Authentication Schemes and ensure you have an authentication method enabled.

3. Then, go to Authorization Schemes and find your scheme in the list.

4. Click the Edit icon (pencil) next to the scheme.

5. Scroll down to the Available for Public Page Access option and set appropriately.

6. Now go to Shared Components > Application Definition Attributes.

7. Under the Security section, find the setting for Authorization Scheme.

8. Select your created scheme from the dropdown menu.

9. Click Apply Changes.

Now your entire application enforces this scheme by default. If a user fails this scheme, they will not be able to access the application unless explicitly allowed at a component level.

Step 3: Attach the Authorization Scheme to Specific Components

You can also attach the same or different authorization schemes to pages, regions, buttons, items, and processes:

• Page-Level Authorization

  • Open any page in Page Designer.

  • In the Page Attributes, find Security > Authorization Scheme.

  • Select your scheme from the list.

  • This will restrict access to the entire page.

• Region-Level Authorization

  • Select a region in Page Designer.

  • Go to the Security section.

  • Choose the Authorization Scheme.

  • The region will only be visible if the user passes the scheme.

• Button, Item, or Process-Level Authorization

  • Similar to regions, locate the Security section for the component.

  • Apply the desired scheme.

Step 4: Test the Authorization Scheme

1. Run the application as a user who should pass the scheme.

2. Confirm that all protected pages and components are accessible.

3. Run the application as a user who should not pass the scheme.

4. Ensure access is denied or content is hidden as expected.

Use APEX Developer Toolbar during runtime to check the current :APP_USER and simulate various scenarios.

Attaching an authorization scheme to an application helps enforce security by restricting user access based on defined conditions. By associating an authorization scheme with an application, you can control overall access and determine how security rules are applied throughout the application.

Steps to Attach an Authorization Scheme to an Application

1. Open Oracle APEX and navigate to the Workspace home page.

2. Click on App Builder to view the list of available applications.

3. Select the application where you want to apply the authorization scheme.

4. Click on Shared Components to access application-wide settings.

5. Locate the Security section and click on Security Attributes.

6. Scroll down to the Authorization section and choose an authorization scheme from the Authorization Scheme dropdown list.

7. Configure the Run on Public Pages setting: 

• On: The authorization scheme will be checked on public pages (pages that do not require authentication).

• Off: The authorization scheme will not be checked on public pages.

8. If you need to create a new authorization scheme, click Define Authorization Schemes and follow the setup process.

By completing these steps, the selected authorization scheme will be applied at the application level, ensuring that security rules are consistently enforced throughout the application.

Attaching an Authorization Scheme in Oracle APEX allows for fine-grained control over who can access or interact with specific areas of your application. By configuring schemes and assigning them to your application, pages, or UI elements, you create a layered and secure environment that adheres to business rules. Whether using simple role checks or complex PL/SQL logic, authorization schemes are essential for maintaining the integrity and security of your APEX apps.