Hi APEX community,
I’m exploring ways to enforce proxy user authentication for developers working in APEX Builder (Page Designer), similar to how Oracle Database allows ALTER USER proxy_user GRANT CONNECT THROUGH actual_user.
Goal:
Track individual developer actions (e.g., page edits) reliably, even when connections are routed through ORDS (which masks the original IP).
Ensure accountability by binding changes to specific developers via proxy authentication.
Current Challenges:
ORDS connections show the ORDS server IP, not the developer’s IP.
SYS_CONTEXT('USERENV', 'PROXY_USER') returns NULL in APEX Builder sessions.
APEX’s built-in "Last Updated By" field doesn’t distinguish between direct and proxy connections.
Question:
Is there a supported way to:
Force developers to connect to APEX Builder (or the underlying database) via a proxy user?
Capture the original developer’s identity (e.g., proxy chain) in APEX_APPLICATION_PAGES.LAST_UPDATED_BY or audit logs?
Attempted Workarounds:
Database Triggers: Limited to DDL, not APEX metadata changes.
ORDS Custom Headers: Headers like X-Dev-User are stripped before reaching the database session.
Has anyone implemented this successfully? Would Oracle consider adding native proxy support for APEX Builder sessions?
Thank you!