APEX

Hi Folks.

I want to do the following...

I have an APEX website which has both INTERNAL and EXTERNAL users.

The INTERNAL users (employees) should be able to see all data in all tables.
The EXTERNAL users (clients) should only see their own data within the same tables.

The intention here is to enforce the data that employees and clients can interact with using VPD.

Within the application we have our own CONTACT table that will be used by our system for controlling user-access. Only Valid system users will have an entry in the CONTACT table. Currently, this is partially enforced by APEX.

It is also, our intention that all the users of our APEX system, connect to the database as a single user – currently APP_PUBLIC_USER. As we do not want the overhead of database user account management.

Note in the future we hope to integrate the APEX system with Oracle Business Intelligence (BI).


VPD
---
If we create a DATABASE account with the same username as that stored in our own CONTACT table and connect using SQL/PLUS then the VPD policy is successful.

When we connect using APEX we are able to authenticate the APEX username is in our own CONTACT table but we cannot pass the APEX username to the database for testing with regards the VPD policy. It is always APEX_PUBLIC_USER as far as the database is confirmed.


The username as far as the database is concerned is always APEX_PUBLIC_USER.
As such we cannot distinguish between the users.


We have tried setting an oracle application context (XXX_App_CTX) that has an attribute ‘USER_NAME’ with value of :APP_USER in the APEX application. This was done in the Apex VPD security section. We’ve queried the value when running the APEX application and the value displays correctly.

But on the database the value of USER_NAME appears as null.


How can we pass the APEX user name to the database for the purposes of enforcing VPD?

Also, we have a database on-logon trigger which initialises application contexts attributes/values that are used to implement our VPD, see below.

Any suggestions?


Note : DEVYYY is the schema owner.


DECLARE

-- Fetch valid user information which is required for set the application
-- context.
CURSOR csr_user_info (cp_user_name IN VARCHAR2) IS
sELECT con.contact_id
,con.master_entity_id
FROM DEVYYY.contact con
WHERE con.user_name = cp_user_name ;

r_user_info csr_user_info%ROWTYPE;
v_user VARCHAR2(30);


BEGIN

/*
IF v('APP_USER') != 'APEX_PUBLIC_USER' AND
v('APP_USER') IS NOT NULL THEN
v_user := v('APP_USER');
ELSE
v_user := UPPER(SYS_CONTEXT('USERENV','SESSION_USER'));
END IF;
*/


v_user := SYS_CONTEXT('XXX_App_CTX','user_name') ;


-- Validate/Authenticate that the user exists in the contacts table
OPEN csr_user_info (cp_user_name => v_user );
FETCH csr_user_info INTO r_user_info;
CLOSE csr_user_info;


-- Set application context for a valid user, else set the the context
-- to invalid.
IF r_user_info.contact_id IS NOT NULL THEN

DEVYYY.XXX_app_CTX_mgr.set_contact_id_CTX(p_contact_id => r_user_info.contact_id );
DEVYYY.XXX_app_CTX_mgr.set_user_name_CTX (p_user_name => v_user);

DEVYYY.XXX_app_CTX_mgr.set_master_entity_id_CTX(p_master_entity_id => r_user_info.master_entity_id);

ELSE

-- invalid user, i.e does not exist in .contact table.
DEVYYY.XXX_app_CTX_mgr.set_contact_id_CTX(p_contact_id => -99 );
DEVYYY.XXX_app_CTX_mgr.set_user_name_CTX(p_user_name => 'INVALID_USER');
DEVYYY.XXX_app_CTX_mgr.set_master_entity_id_CTX(p_master_entity_id => -99);

END IF;


EXCEPTION
WHEN OTHERS THEN
RAISE_APPLICATION_ERROR(-20001, 'ON-LOGON TRG Error: ' ||SQLERRM);
END trg_db_logon;