Apex Authorization issues. Building APEX authorization schemes and use authorization in Apex objects

 This article describes some considerations about how APEX authorization works and describes ways of building authorization schemes and applying the defined authorization schemes to pages or objects within a page.

After creating an APEX application, if the application is accessed by multiple users that have multiple roles or rights and you want to find a way to limit their access to the pages and objects that they are allowed to view then authorization schemes are the answer. You can limit the users' access to pages, tabs, lists or pretty much any object within the regions of the page.

Let's consider a simple application that has only two types of users: admin and regular users. And also a regular user can have edit rights or only view rights. Obviously there will be pages and tabs that only the admin users should be able to access and use. Also a user that doesn't have edit rights will not be able to create/modify any information on the pages that he has access to. As said, this can be done easily with the help of authorization schemes.

An authorization scheme can be created in the Shared Components->Authorization Schemes section. The user has multiple options of setting the schema type:

Let's consider that you have developed two functions in the database that return true if the user is an administrator and if he has edit rights respectively. After creating the two authorization schemes the call could look like this:

where isAdministrator and hasEditRights are two functions from the pkgAuth package that return true if the current apex user is an administrator and if the user has edit rights on the application.

Now if you want to make a page accessible only to admin users, all you need to do is to enter the page and edit the page attributes by setting the Authorization Scheme field to the name of the Admin User authorization scheme.

Now if a non-admin user tries to access this page either directly by entering the link or by the tab or list entry assigned to it or a branch then he will not be able to see it and will receive the message that you filled in the Identify error message displayed when scheme violated field of the authorization scheme that was set for the page.

But obviously it is not too good to allow users to access a page and inform them that they are not allowed to view it. Therefore you need to stop them from getting to it by tab, list entry or branch. In order to achieve this, what you have to do is to add authorization schemes to any tabs, list entries or branches that direct to the page that only admin users can see. This is done simply by setting the Authorization Scheme field with the desired authorization scheme for any of these objects.

This will make these objects available only to admin users.

Now let's consider that a regular user, that doesn't have edit rights, accesses a page that offers edit options, like adding or modifying a certain information. This user must not be able to submit the data he modifies. Therefore he must add the Edit Rights authorization scheme to all the submit buttons that trigger the modification processes. Or if the modification process is triggered differently, then add authorization scheme to the process as well, so even if the page is submitted the process will not be executed.

You might also need to limit access to other objects in a page. For example it is very common that in the same page report an admin user has to be able to see some columns that a regular user shouldn't see. By adding the Admin User authorization scheme to certain admin-only columns you will make sure that even though two different users view the same report in the same page, an admin user will view certain columns that are hidden to a regular user.

Therefore if you don't want to show a certain page, list entry, tab, region, item, report field, button or not execute certain processes, computations or branches, then you can use the authorization scheme option on any of them, which will determine the objects to be conditioned by the assigned authorization scheme, besides the other conditions that are attached to them.

Leave a Reply