APEX Field Notes

Learning Oracle APEX can be challenging, especially without practical guidance. These are my field notes—captured directly from hands-on development work. I’m sharing them here as a living tutorial for anyone looking to get up to speed with APEX quickly and effectively. From beginner concepts to advanced techniques, I cover the essentials: forms, reports, dynamic actions, and much more. Whether you're just starting out or aiming to refine your skills, you'll find practical insights to help you

Tuesday, July 1, 2025

Copying or Subscribing to Access Control Roles in Oracle APEX

In Oracle APEX, Access Control Roles are part of a built-in access management system that lets developers define user roles (such as ADMIN, MANAGER, or USER) and use these roles to control access to application pages, buttons, or logic. When you manage multiple applications or promote apps between environments (development, test, production), Oracle APEX allows you to Copy or Subscribe to Access Control Roles from another application to maintain consistency.

What Are Access Control Roles?

Access Control Roles define what users can see or do inside an APEX application. They are used with APEX's Access Control feature to control authorization logic. Roles can be used to:

Show or hide pages, regions, or buttons
Control logic inside PL/SQL processes
Restrict actions to certain users or groups

For example:

ADMIN can access everything
MANAGER may access only reports and some update features
USER might only be allowed to view records

To reuse roles across applications or environments, you can Copy or Subscribe to roles.

Option 1: Copy Access Control Roles

Copying means importing the roles from another application as a static copy. Once copied, the roles are part of your application and can be changed independently.

Steps to Copy Roles:

Go to Shared Components
Open your APEX application and click Shared Components.
Select Access Control
Under the Security section, click Access Control.
Click “Copy or Subscribe”
At the top-right corner of the Access Control Roles screen, click Copy or Subscribe.
Choose the Source Application
You will see a list of available applications. Select the app you want to copy roles from.
Select "Copy" Option
Choose the Copy radio button. This will import the roles and store them locally in your application.
Review and Confirm
A list of roles will appear. Click Apply to complete the copy.

Use Copy when you want to base your roles on another app but allow custom changes in your own app.

Option 2: Subscribe to Access Control Roles

Subscribing links your application to the source application’s roles. If the roles change in the source app, you can refresh the subscription in your app to pull those changes.

Steps to Subscribe:

Open Shared Components > Access Control
Click “Copy or Subscribe”
Select the Source Application
Choose the application that contains the role definitions you want to reuse.
Choose “Subscribe” Option
Select the Subscribe radio button. This will create a live subscription.
Apply the Subscription
Refresh When Needed
Later, if roles are updated in the source app, go back to Access Control and click Refresh Subscription to pull changes.

Use Subscribe when you want multiple applications to share and maintain the same set of roles, especially in enterprise environments.

Benefits and Use Cases

Feature	Copy Roles	Subscribe to Roles
Editable	Yes (independent copy)	No (managed in source app)
Auto-updated	No	Yes (when refreshed)
Best for	Standalone or derived apps	Shared apps or environments
Dependency	None	Depends on source app being available

Important Notes

You must have developer access to both the source and target applications.
Subscribed roles cannot be edited in the target application. Changes must be made in the source app.
If you later decide to unsubscribe, the current roles remain but are converted to local copies.

You can copy access control roles either within the current application or from another application in the workspace. When copying a role from another application, you also have the option to subscribe to it.

Steps to Copy or Subscribe to Access Control Roles

Navigate to the Application Access Control page:

Go to the Workspace home page.
Click the App Builder icon.
Select the application where you want to copy or subscribe to roles.
On the Application home page, click Shared Components.
Under Security, select Application Access Control.

The Application Access Control page will display available roles along with details such as Subscribed From, Subscription Status, and Subscribers.

Copy a role within the current application:

Locate the role you want to copy and click Copy in the Copy column.
The Copy Role Wizard will appear.
Enter a unique name for the new role.
Click Copy Role to complete the process.

Copy a role from another application:

In the Tasks region, click Copy Role from another app.
The Copy Role Wizard will open.
Select the application from which you want to copy the role.
Choose the role you wish to copy.
Enable the Subscribe option if you want the copied role to stay linked to the original role.
Click Copy Role to finalize the process.

By using subscriptions, you can maintain consistency across multiple applications and reduce administrative overhead.

Oracle APEX gives you flexible options to manage Access Control Roles across multiple applications. Use Copy when you want a one-time import and local control over role changes. Use Subscribe when you want to centralize role management and keep multiple apps in sync. Both options help enforce security policies and simplify role-based access control in your APEX environment.

Copy or Subscribe to Access Control Roles in Oracle APEX

You can copy access control roles from your current application or another application within the workspace. Additionally, when copying a role from another application, you have the option to subscribe to it.

Why Subscribe to Access Control Roles?

Subscribing to an access control role allows developers to reuse shared components across multiple applications, ensuring consistency and reducing maintenance efforts.

For more details on shared component subscriptions, refer to Using Shared Component Subscriptions in the Oracle APEX documentation.

In Oracle APEX, Access Control Roles are part of the built-in access control system that allows developers to define user roles and control access to pages, features, and data. If you are developing or maintaining multiple applications, or if you are working with a team across several environments, you may want to copy or subscribe to roles from one application to another to ensure consistency and simplify security management.

Below is a detailed breakdown of how to Copy or Subscribe to Access Control Roles in Oracle APEX:

Understanding Access Control Roles in APEX

Access Control Roles in APEX are part of the Access Control feature found under Shared Components > Security > Access Control. Roles are identifiers like ADMIN, EDITOR, or VIEWER that you assign to users. These roles determine what pages, buttons, or actions a user can access.

You can:

Copy roles: Make a static copy of roles from another application. The roles will no longer stay synchronized.
Subscribe to roles: Create a link to roles defined in another application so changes to roles in the source application will automatically propagate to your current application.

Copying Roles from Another Application

Step-by-Step:

Navigate to Shared Components
- From your app's home page in APEX, click Shared Components.
Access Access Control
- Under the Security section, click Access Control.
Click “Copy or Subscribe”
- You will see the Access Control Entries and an option to Copy or Subscribe to roles from another application.
Choose the Source Application
- Select the application that has the roles you want to copy from.
- You must have developer access to both applications.
Select Copy Option
- Choose Copy if you want to import the roles as a one-time copy.
- Copied roles will appear in your application's access control list, and you can edit them independently.
Review and Confirm
- Review the roles being copied.
- Click Apply or Copy to finalize the process.

Use “Copy” when you want to base your roles on another app but still allow local modifications.

Subscribing to Roles from Another Application

Step-by-Step:

Open Shared Components > Access Control
Click Copy or Subscribe
Choose the source application
Select Subscribe
- This creates a live subscription to the roles of the source application.
- Any future changes to the roles in the source app will reflect in your app when you refresh the subscription.
Apply
- Once subscribed, your roles will show with a "Subscribed" tag.
Refresh Subscription as Needed
- To pull updates from the source app, return to Access Control and click Refresh Subscription.
- This will update the roles in your app with any changes made in the source.

Use “Subscribe” when roles must stay consistent across multiple apps.

Key Differences: Copy vs. Subscribe

Feature	Copy	Subscribe
One-time import	Yes	No
Automatically updates	No	Yes (when refreshed)
Editable in target	Yes	No (must update in source)
Best for	Isolated apps or custom role handling	Shared apps or centralized role control

Use Cases

Copying Roles is useful when branching a project or creating a sandbox version of an app.
Subscribing to Roles is ideal for enterprise applications with centralized user/role governance, where multiple apps share a consistent security model.

Best Practices

Always use clear role names like ADMIN, APP_USER, or GUEST for consistency.
Document the source application if you subscribe to roles, so future developers understand the dependency.
Use build options or authorization schemes in combination with roles for advanced control.
Test after copying/subscribing to ensure pages and components behave as expected.

Conclusion

Copying or subscribing to Access Control Roles in Oracle APEX gives you flexibility in managing security across applications. Whether you're aiming for independent control or synchronized governance, these features make it easier to scale role-based access across your APEX development ecosystem. Use copy when you need control and independence and subscribe when you need consistency and centralized updates.

Create an Application Access Control Role in Oracle APEX

To define user access within your APEX application, you can create custom Access Control Roles. Follow these steps to create a new role:

Access the Shared Components Page

Navigate to the Workspace home page and click App Builder.
Select the desired application.
On the Application home page, click Shared Components to open the Shared Components page.

Open Application Access Control

Under the Security section, click Application Access Control to access the role management page.

Add a New Role

Under the Roles section, click Add Role to open the role creation dialog.

Define Role Attributes

Name: Enter a meaningful name for the role. The name must contain only alphanumeric characters and underscores (_).
Static Identifier: Provide an alternate unique identifier for this role.
Description: Optionally, enter a brief description of the role’s purpose.

Create the Role

Click Create Role to save the new role. Once created, the role will be listed under the Roles section on the Application Access Control page.

This newly created role can now be assigned to users and utilized within authorization schemes to enforce security across your application.

Apply Access Control in Oracle APEX

Access control in Oracle APEX allows you to define and manage user permissions within an application. This is achieved through an Access Control List (ACL), which you can create using the Access Control Wizard. This wizard is accessible via the Create Application Wizard or the Create Page Wizard.

When you run the Access Control Wizard, it:

Generates a management page for the access control list.
Creates two tables in the application's default parsing schema to store access control data.

Understanding Access Levels and Roles

The access control list enables you to assign specific privileges to users within the application. These privileges determine what actions users can perform and correspond to predefined access roles:

View Access (READER Role) – Users can view content but cannot make modifications.
Edit Access (CONTRIBUTOR Role) – Users can make changes but do not have administrative control.
Administration Access (ADMINISTRATOR Role) – Users have full control, including the ability to manage access control settings.

To enforce access restrictions on application pages and components, you must create an Authorization Scheme and associate it with the application.

Defining Additional Roles

Beyond the default roles, you can define custom roles through the Application Access Control page. Since roles are assigned to users, it is important to define roles before adding users.

Oracle APEX provides system views that allow you to review the access control settings:

APEX_APPL_ACL_USERS – Displays user access details.
APEX_APPL_ACL_USER_ROLES – Shows the roles assigned to users.
APEX_APPL_ACL_ROLES – Lists all roles defined in the application.

Creating Custom Access Control Roles

To enhance security and customize access control, you can create new roles within the application. Before assigning users to roles, ensure that the necessary roles have been created. This structured approach ensures that each user has the appropriate level of access based on their role in the application.

Copy or Subscribe to an Authorization Scheme in Oracle APEX

To copy or subscribe to an authorization scheme, follow these steps:

Access the Authorization Schemes Page:

On the Workspace home page, click App Builder.
Select the application where you want to copy or subscribe to an authorization scheme.
On the Application home page, click Shared Components to open the Shared Components page.
Under the Security section, click Authorization Schemes.
The Authorization Schemes page will display, including details such as Subscribed From, Subscription Status, and Subscribers.

Initiate the Copy Process:

In the Tasks list, click Copy from another app.

Select the Source Application:

Under Copy From Application, choose the application that contains the authorization scheme you want to copy.
Click Next to proceed.

Set the Name and Copy Options:

In the To Name field, optionally modify the name of the copied authorization scheme.
Choose a copy action:

Yes – Copy the authorization scheme without subscribing.
No – Do not copy the authorization scheme.
Copy and Subscribe – Copy the authorization scheme and subscribe to it. Subscribing ensures that any updates to the original (master) scheme automatically apply to the copied version.

After completing these steps, the copied or subscribed authorization scheme will be available for use in your application.

EXAMPLE:

Step 1 - To create a new scheme, click create.

A screenshot of a computer

Description automatically generated

Step 2- Follow the wizard

A screenshot of a black box

AI-generated content may be incorrect.