Storm Petrel, LLC

APEX_ACL

Oracle APEX Low-Code User Management – Part II

by

Date

25 June 2021 | Version APEX 20.2

Low-Code User Managment – EEK!

In Part I, I asked: can I create an effective user management system using a low-code approach within Oracle APEX (v20.2)?

The answer is “No” or ought to be “No”. Maybe technically one might say “YES”, but it should NOT be done. I’ll will discuss why and how to fix this problem in this article.

When I envisioned writing this article, even through yesterday, I thought I would issue a series of warnings and caveats, which I will go through later. Then this morning while testing and polishing the sample application for publication, I locked myself out (again). A day’s worth of work is locked up, error messages blow, and while I am confident that with another couple of hours of effort, I can un-mess this mess, there are just too many risks.

As a newbie APEX developer, I spent hours reading articles and following the footprints of others. My feeling now is that if I lay a track of prints, some other well-intentioned human being will follow my path and miss my warnings, dismiss my risks, ignore my pointing fingers, and try anyway.

Of course, you are welcome to try to create a low-code user management system that incorporates the internal APEX users and APEX’s Access Control features. I’ll give you the links, but I’ll not give you the application.

In nearly a decade of reading articles and posts about Oracle APEX, I do not believe I have run across an author/developer who said: “Just Don’t Do It!”. Today, that is me.

Low-Code – A Definition

Low-code software application development involves techniques focusing on drag-n-drop, select lists, and check boxes to create an application. Oracle Application Express (APEX) is a free tool available for every modern Oracle database. It provides robust and professional level tools for the design, development, and operation of high-quality, secure, web-based applications.

This cloud-based tool has demonstrated its capabilities. One of our commercial applications underwent scrutiny by the U.S. Department of Homeland Security (DHS) cybersecurity teams. Our application has utilized by inspectors general. This application incorporates 58,000 lines of code in packages and uses over 300 tables. Granted this application has successfully managed $5B USD in federal funds and while managing/storing 400,000 PDF documents. This application is not low code.

My business partner has written a few low-code and no-code APEX applications. One of his low-code applications fetches the pool temperature and weather statistics of the pool outside of his Florida home and graphs changes the during the day. Low code because he used our template for the API with this weather station he bought and the rest was basic skills with a mouse. Maybe one or two simple queries for his graph. He’s also done a no-code application to help the homeowner’s group manage documents and photographs. It provided more power and capabilities than WordPress with nearly no more need for coding skills. APEX met the demands.

In each case, John creates users within APEX then assigns them to an application with the APEX Access Control Feature.

Low-code – write a few queries with SELECT statements, call a procedure or function as needed. Likely does not have any packages of compiled code.

No-code applications don’t even require queries or calls to procedures/functions. APEX can do it – does it all the time for people, even me!

Why Low-Code / No-Code?

Isn’t that the dream? How many of us have heard the line: “I’ve got an app for you” followed with some version of well all be rich. Anyone can write an application, that’s the promise. We have spent decades lowering the threshold for entry and making database application development more approachable and more accessible.

I love low-code/no-code because it serves me as a rapid prototyping and demonstration tool. I can do things immediately, now! It will work. I don’t have to destroy a prototype as ideas mature, as clients provide feedback. Low-code/no-code serves both as the pencil sketch pad foray to finished product.

Low-code / no-code works great for John and thousands like him. Toss Excel to the bin and have a website that uses data for managing and viewing data dynamically. Perfection.

A Gap

As mentioned in Part I, APEX includes a feature that can be installed with a new application called “Access Control”. Implied in this feature is that this Access Control process predicate on APEX users. This is not the case, this feature can be used with custom authentication process as described by Doug Gault in his article.

Given Oracle and the great team at developing our APEX tools emphasize the no-code/low-code benefits of APEX for rapid application development, I decided to explore using a low-code techniques for user management. In short, although I did not technically fail, the risks of what I explored significantly outweigh the benefits.

And, in subtle ways Oracle reinforces my positions.

Low-Code User Management

I decided that my low-code approach for user management should rely on Oracle data storage and Oracle procedures/functions. If I do need to write PL/SQL blocks of code, they ought to be:

  1. Within APEX and not in a package, procedure, or function
  2. A few lines long, certainly under 50 lines

In time, I conceded that if I can write a sample application that pushed these code limits a bit, but provided that application as a free download from my Github (don’t look, it is not there). Then sample app could be used by others risk-free in a low-code/no-code environment.

I was 99.999% successful. I was ready to push to GitHub and give the app to John for his homeowner’s association and his weather station thingy. Then, for the third time, I entirely fried my APEX environment. I believe myself to be expert, and the severity of the mistakes I made informed me that the architectural foundation of my premise and experiment Failed.

If this were an episode of Myth Busters, I’d stamp “Busted” on this effort.

Risk Identifier #1 – No Sample App from Oracle

I did ask myself why doesn’t Oracle, who is promoting low-code/no-code, provide a sample app for user management? Or even a softer edge to APEX that permits incorporation into an application?

This is a clue.

A low-code method would have to gain access to “Application Express Accounts” as show here. This is an image from Shared Components > Security Authentication Schemes.

Oracle provides a strong set of tools to manage APEX accounts.

A sample app, which can be installed by any developer, would require:

  1. Administrator Rights to APEX;
  2. Would have access to modify the rights to nearly any developer and administrator within APEX.

When I examined Risk Identify #1, I thought Oracle was protecting itself from lawsuits and the malice a disgruntled developer having a bad day at work. I was wrong. It protected APEX from me, a well-intentioned, experience developer working alone in a private space.

APEX relies on “Application Express Accounts” for proper access, and function. Sample applications are often treated as learning tools, toys, and templates. It is a bad idea to let a toy destroy your work environment.

Risk Identifier #2 – Removing Important Security Feature

In order to let developers and APEX applications modify APEX users accounts, you must remove a layer of protection from APEX. Buried deep in the security attributes for an application (Shared Components), there is a Check Box at the bottom of a page that reads:

Runtime API Usage

When checking the “Modify Workspace Repository”, you’ve now let application developers modify APEX user accounts and all sort of internal stuff.

If you want a security for your corporate or institutional environment, if you value your job, if you value your data, leave that box unchecked.

Risk Identifier #3 – Must be APEX Workspace Administrator

Within APEX there are classes of users and permissions. The king is Internal/Admin as this user sets up workspaces and users. Next down the ranks are Workspace Administrators. These folk can edit user permissions within a workspace: change passwords, do that cool stuff. Down the ranks another step: Workspace Developers. Developers can write applications and depending on toggles, access SQL and other stuff. The bottom rank are the Not-an-Admin and Not-a-Developer. This is the group of application users.

In order for an application to Modify Workspace Repository (APEX accounts) the application user must be a Workspace Administrator.

Seriously, we should never give the user of an application Workspace Administrator rights. It is an evil idea. What could possibly go wrong?

Risk Management

These protections exist on purpose!

Before starting I assess the risks and developed strategies to minimize the risks

  1. Developed app at the free tier of Oracle Cloud Infrastructure with APEX installed
    1. I did NOT do this on my own systems
    1. I did NOT do this on my corporate systems
  2. Know my PST (Primary, Secondary, Tertiary Actions)
    1. Primary recovery action: Run application backups
    1. Secondary recovery action: Have spare users, don’t mess with Internal/Admin
    1. Tertiary recovery action: Wipe my OCI space clean and start again

I still found trouble – I mean, I created my own trouble.

Mistake #1 – Update APEX Account with Null data

Whilst I did a complete fetch user and populated matching page items, I really didn’t want to update every parameter when I pushed the data back with Edit User.

First, I tried to limit the data I fetched but commenting out parameters I did not want. The code would not verify. Fail!

Next, I limited the data I pushed by commenting lines from apex_util.edit_user. Hey, this code compiled just fine! I edited my name and destroyed my APEX account. Yes, sent nulls back to all sort of important stuff.

I set my group IDs and developer roles to nulls. I turned my own account from Workspace Administrator to a User.

Recovery Step – Log in as Internal/Admin and fix my own account.

Mistake #2 – Remove All Administrators from Application

When using the APEX Access Management feature, you must have at least one account identified as an “Administrator” within the access control list for the application. That account must also be a Workspace Administrator.

I am working through the process of changing rights from application administrator to application contributor to application reader.

One can not just execute the repair code from SQL Developer. You must be within an APEX Session (essentially within an APEX application). I wrote code that executed blindly on page 1 to add myself back to the application administrator group.

Recovery Step – Execute a PL/SQL block from within an APEX session to add a workspace administrator user to access control list as an application administrator.

Prevention Step – I wrote come elegant code that prevent the user from removing the rights of the last administrator. This was not a novice level query, but it was short. This code does not qualify for “low-code/no-code”. It did prevent me from repeating this mistake.

Mistake #3 – WTF?

At Mistake #3, I decided I’d had just enough. I thought to myself: “Oh, I should permit a user to change their own password”. I popped in a quick modal page with two page items: old password, and new password. I dropped in the necessary reset password call, definitely a low-code effort (if you really want to leap after me, it is apex_util.reset_password).

I change my user’s password.

Now none of my users can log into my sample application. I couldn’t log into APEX. I fixed my APEX account with Internal/Admin (again). Found the application wrecked-beyond-recognition and decided I had enough evidence to write this article.

Don’t Do It

Hot coffee is often served in cups that read: Contents Maybe Hot. Fuel stations provide warning signs about gasoline being flammable.

If you care about your APEX environment, do not permit an external application to modify workspace repository stuff such as APEX user accounts. Hot stuff is hot. Don’t touch a hot stove top.

Do not give the administrator of an application the full permissions needed to be an APEX Workspace Administrator.

As a long-time paramedic and chief of an emergency medical service, I underwent annual training on infectious disease prevention. The lesson often started and ended with: “Don’t touch it; Don’t touch it; Don’t touch it.” Today, it would include, “wear a mask”.

Oracle APEX requires a secure and non-volatile environment in order to operate well, that includes the parameters and passwords for APEX administrators and developers. Please do isolate your applications from your development environment.

Hey Oracle, Help Us!

In striving to capture more marketspace in the low-code/no-code environment, the team at Oracle has the opportunity to provide an application-specific suite of tools for low-code/no-code user management.

Maybe there is a place for developers initially use their own developer accounts, but even that fosters bad security practices.

We should ask Oracle to remove the ability to permit applications to be authenticated against developer accounts. Instead, rely on a distinct and isolated dataset for application user accounts.

With cybersecurity risks front-and-center in news, we should all do every thing we can to envision a more secure world. Linking your database security, your developer’s security, and your application security with a single account is unwise.

Yes, No Code & No Sample Application

I am not providing sample code, code to copy, or a sample application. If you wish to recreate my stupid mistakes, go do your own research. I will not enable that level of stupid. Oracle has all the documentation you need.

Yes, this is an Oracle APEX blog post with no code.

Christina Moore

25JUN2021

Oracle APEX Low-Code Authentication and Authorization

by

Date

June 2021 | Version APEX 18.1 and higher

Context

When working with Oracle APEX whether on Oracle Cloud Infrastructure (OCI) or within your own environment, the wizard for creating a new application permits one to check a box that adds Oracle’s internal user management tools. Selecting this option only starts the process. More is needed to provide a complete security model for authentication and authorization. Let’s explore the robust features that Oracle APEX provides for free within this rapid-development/low-code tool – Application Express (APEX).

Doug Gault wrote a terrific article in September of 2019 (Twitter: @DougAGault) that provides insights into customizing and blending the internal Oracle toolset with hand-coded “custom” options.

For years, my team and I have only ever engaged in custom user authentication schemes augmented with complicated and hand-written authorization schemes. I carried the arrogance: I can do it better.

But can I?

Who has more experience securing massive amounts of important data? Me… or Oracle? Is my way better? Am I as current as I need to be with user authentication? I ought to have ignored that arrogance and explore the toolkit at our fingertips. These tools do a great job with username and password style authentication.

Progressively, our team has been engaging external service providers and API for Multifactor Authentication (MFA) and Single-Sign On (SSO). We’ve been using Okta and Microsoft and other solutions for both single-sign-on (SSO) and MFA. Adrian Png (Twitter: @fuzzieBrain) helped us repeatedly when we get in over our heads with SSO. The recent article by Plamen Mushkov (twitter: @plamen_9) is very good too: https://apexapplab.dev/2021/05/31/okta-authentication-for-apex-in-5-minutes/

Please acknowledge that hosting an application and the associated data on the internet carries risks. The risks and burden to protect these data rests on our shoulders, your shoulders.

Sometimes username and password are the right solution right now. And why not examine the free tools from Oracle before doing what I did and writing hundreds of lines of code, creating a series of custom tables, etc.

Why This Article

#1: John

My business partner of 10+ years specializes in servers, networks, and cybersecurity. Now and again, he puts together an APEX application – a true demonstration how Oracle has created a low-code/no-code system for building web-based software. He wanted to make changes to the user security feature that installed automatically. We both had to reverse engineer where those features came from. We both learned he ticked a box that read: “Access Control Enable Role-based user authorization” when on the “Create an Application” wizard. In a quick effort to replicate the feature, we failed when running them within SQL Developer. I then read, researched, and discovered a surprise treat someone left for me (and you).

After understanding and playing, I recognized that this feature ought to have been including in many of our early development efforts… especially when I often preach “lean into APEX” – embrace the spirit and efficiencies of someone else’s labors, and of a damned good tool.

#2: The Gap

In time I saw the gap. I failed to discover how to update a user’s password. I recognized that this feature emphasized user authorization – who has access to what, once in. Where is the user authentication part? Authentication asks: “Are you, you?”.

The APEX feature, as shown, is called “Access Control”, another phrase for authorization. So where are the elements needed to manage user authentication? They are in the package APEX_UTIL. There is a gap in our Low-Code User Management presentation from Oracle.

Take a look at the section called “APEX Users” below for more information.

Low-Code User Management

My friends at Oracle included the “user authorization” part of user management in the New Application Wizard. The inference is that users will be managed through the APEX developer’s interface. APEX does provide functions and procedures within APEX_UTIL that permit the real management of users. Raised by parent who wrote a lot, one earning a major in English, I grew up hearing the phrase “Maintain Parallel Construction” – which is not a tenet of Oracle. In this case, when you need the data, you query views with public synonyms. When you want to modify data, you call APEX_UTIL, and sometimes you can use APEX_UTIL to fetch out data too. If you want to modify the permissions of a user within an application, then you want to use the package APEX_ACL and a different set of views.

Inventory

In the table below, I am going to inventory the major components needed. There are some smaller functions that are super useful, but slightly redundant.

PurposeDescriptionPackageView
Authentication
Add/Create UserAdd a user to the APEX user environment, including application usersAPEX_UTIL.CREATE_USERapex_workspace_apex_users
Edit UserEdit a UserAPEX_UTIL.EDIT_USERapex_workspace_apex_users
Reset PasswordReset a password for APEX/application userAPEX_UTIL.RESET_PASSWORD APEX_UTIL.CHANGE_CURRENT_USER_PWNot Applicable (seriously, we’re not querying passwords!)
Password StrengthTest a password against established criteriaAPEX_UTIL.STRONG_PASSWORD_CHECKNot Applicable
Delete UserDelete or remove a user from APEX/applicationAPEX_UTIL.REMOVE_USERapex_workspace_apex_users
Find APEX User IDRetrieve APEX User ID (Primary Key) with known usernameAPEX_UTIL.GET_USER_IDapex_workspace_apex_users
Create User Group/RoleCreating a Group which is used for Authorization RolesAPEX_UTIL.CREATE_USER_GROUPapex_appl_acl_roles apex_workspace_groups
Authorization
Assign User to ApplicationAssign a user to an application with a role (admin/ contributor/ reader)APEX_ACL.ADD_USER_ROLEapex_appl_acl_users
Change or Remove User’s rolesChange or remove a user’s authorization level or roleAPEX_ACL.REMOVE_USER_ROLE APEX_ACL.REPLACE_USER_ROLESapex_appl_acl_user_roles
Feature Control
Toggle User ACLTurn User access control management on or off (Access control list)apex_app_setting.set_value ( p_name  => ‘ACCESS_CONTROL_SCOPE’, p_value => ‘ALL_USERS’); 
Query User ACLIdentify if User ACL is running or nowapex_app_setting.get_value( p_name => ‘ACCESS_CONTROL_SCOPE’ ) 

Notes & Warnings

Many of the procedures listed above require that one calls them from within APEX. Additionally, the user must have sufficient permissions within APEX to add users – so an APEX Admin.

This is a situation where one ought to play within one’s personal APEX space. Please do not mess up a corporate environment without permissions. That may cause an unexpected change in employment status.

APEX Setting

You will not be able to use an API to edit users unless you permit it. You’ll need to go tick the following:

Shared Components > Security > Runtime API Usage

Add a check to “Modify Workspace Repository” thereby permitting an application to reach back into APEX to modify user profiles.

Low-Code versus No-Code

Low-Code means that a developer has a reduced burden for application development. The procedures and views listed above provide a superlative low-code approach to user management. To cross the threshold to No-Code, we’d have to have a sample application with a full suite of user management features included, ideally introduced to an application with a cool little checkbox such as we see with Access Management in the Create Application Wizard.

My goal for next week is to write a robust application in APEX 20.x using the modern DML features. I’ll post this on my GitHub as an APEX application one can install.

I gave myself a giggle about including this code in a Sample App. It could be a bit of a risk for Oracle to do this. You let someone install a sample app as a developer, then maybe it doesn’t work so well without Admin permissions. A developer installs an application that requires admin rights. Now developer wants admin rights, blah, blah, blah. I understand the hesitancy. Providing administrative level access for one application is a different risk level than giving administrative level access to your APEX. I’ll publish the application on Github ensuring my personal stuff and our corporate stuff is safe. And in the blog, I’ll provide code samples for ye olde copy-n-paste.

APEX Users

Can you use the Oracle APEX view/table apex_workspace_apex_users to provide all of the features you need for a proper user table. The basics are covered with fields including username, first name, last name, email. Fields needed for APEX are visible with expiry date for the password, failed attempt counter, and toggles for APEX admin and APEX developer. We also have 10 flexible fields called “attributes”. They are numbered 1 through 10 and can be use to enhance the user table to suit your needs. Maybe you put the user’s language preference in attribute 1, the code (run from within an APEX page and session):

BEGIN 
    APEX_UTIL.SET_ATTRIBUTE ( 
        p_userid => apex_util.get_user_id(p_username => 'FRED'), 
        p_attribute_number => 1, 
        p_attribute_value => 'en'); -- Language preference
END;

Observe that this function uses the numeric primary key for the User ID. When getting the same attribute, use the “username” as shown below:

DECLARE  
    l_language VARCHAR2(4000);
BEGIN 
    l_language	:= APEX_UTIL.GET_ATTRIBUTE ( 
        p_username => 'FRED', 
        p_attribute_number => 1
		);
		APEX_UTIL.SET_SESSION_LANG( P_LANG => l_language);
END;

Of course, if your needs for a user table exceeds the capabilities of this internal APEX table, then you can build a one-to-one relationship to your own table.

Accessing the APEX user table can only be done within an APEX session, requires correct permissions within APEX. Updating data in the APEX user table must be done through functions/procedures provided by the APEX_UTIL package.

Better than Custom?

This approach may be better than custom, but not perfect. A custom table would normally be stored in the same database schema. Most of us store data in plain text except for the hashed password. Hashed passwords are better than encrypted passwords. Our early user tables had encrypted passwords – not good. Later we hashed. Putting user data including password information one step removed from your application schema requires bad actors to take that extra step. That is incrementally better. Better is better.

While these actions add layers and improve the shielding of user data, the responsibility to ensuring the security of data and access to applications belongs to the developers. These decisions rest with you.

APEX User Access

The APEX User Access Management feature assigns users to roles (groups) that are application specific. The native feature does not technically “add a user”, even though there is a button that says “Add User” – poor button, it doesn’t know it is lying to you. Once adding a user to a role within an application, you build out the Shared Component Authorization Scheme for these roles. With the Authorization Schemes created, you then add these to pages, menus, lists, etc.

The Steps

  1. Add a user to the APEX environment – make sure this person is not a developer, nor an APEX admin.
  2. “Add” the user to the application using the Access Control features described above as part of creating a new application.
  3. Assign a user to a role.
  4. Create or update the Authorization scheme (Shared Components)
  5. Assign Authorization to buttons, pages, navigation menu, lists, and other places as needed.

I noted that the APEX User Access Management feature installs with the legacy DML tools, predating the APEX forms. I spent most of my winter migrating hundreds of pages to the newer Forms. Normally, I am done with a few clicks. Instead, I got both stuck and frustrated with errors. With effort that involved returning to a known-good baseline (legacy DML), changing one variable at a time, I demonstrated to myself that the primary key must not be returned to the page item.

When installing this on APEX 20.x, we see the tag “legacy” which inspires us to push forward. That is shown in the illustration below.

We add the page elements to create a form, as shown.

Then confirm that the primary key is set correctly (Pxxx_USER_ID) as primary key.

Following those steps go to the page process to add the form DML. In there, de-select the return primary key option as shown.

Link It!

The APEX User Access Management feature includes a button that reads “Add User”. This button does not “Add User” to APEX. It adds permissions (roles) to a user. And this only works if the user exists within APEX. So how about a validation link between the two. Set the Pxxxx_USER_NAME to a select list, then add a query as shown:

select 
	user_name d,
	user_name r
from apex_workspace_apex_users
where user_name not in
	(select user_name from apex_appl_acl_users where APPLICATION_ID = :APP_ID)
order by user_name;

A screen shot to provide context on where this query would go…

This will reinforce the distinction between the ACL User (Access Control) and the APEX User who gets authenticated.

Remember set theory? We all live in the land of set theory from the first moment we query a database with an SQL statement. The ACL User list ought to be a subset of the APEX Users list. We certainly had fun adding Fred and Barney and Wilma to our ACL list, but none of my Flintstone characters found a way to log in, not without solving the authentication problem first.

Toggle On / Off

An application can be available to all APEX users, or you can restrict the user’s access using the Access Control features. When installing the User Access Management feature, APEX turns on the Access Control Scope for your application. When “On”, only users assigned roles and assigned to your application have access, also stated as “Access Control List”. When off, there is no ACL (access control list) and any APEX user has access.

To toggle the feature, use this pair of functions. One sets the value, the other queries it. These must be run from with in an APEX application and session.

begin
    if :P10010_ALLOW_OTHER_USERS = 'Y' then
        apex_app_setting.set_value (
            p_name  => 'ACCESS_CONTROL_SCOPE',
            p_value => 'ALL_USERS');
    else
        apex_app_setting.set_value (
            p_name  => 'ACCESS_CONTROL_SCOPE',
            p_value => 'ACL_ONLY');
    end if;
end;

if apex_app_setting.get_value( p_name => 'ACCESS_CONTROL_SCOPE' ) = 'ACL_ONLY' then
    return 'N';
else
    return 'Y';
end if;

Authorization Schemes

While researching this article, I came to appreciate scheme type “Is in Role or Group”. For all of my years writing applications in APEX, I focused on the very database-ness of what I saw – the exists query, the equality to an item, and PL/SQL functions. Certainly, my functions and query demonstrated the cleverest I could be (ok, complicated). Our team created groups of users without using the native groups or functions roles within APEX. I would not likely go backwards to re-do the authorization scheme. That said, I would not again undertake authorization without the simpler approach with Roles / Groups.

Please do go visit Doug’s article on setting this up.

What’s Next?

Seems like a fun challenge to make a sample application that “leans into APEX” for user management.

Update (What could possibly go wrong?!)

Hey reader, I am updating this article on the same day I published it. I started the aforementioned sample app to manage APEX User profile from within an APEX application. While I listed some risks including a sudden change in employment if mistakes happen.

Well… I am the only user on my own Oracle Cloud Infrastructure APEX instance. When I edited the profile, I entirely nullified my administrator permissions. I could not even view or edit the APEX code. In short, I blew myself up entirely. Oops.

oh my

I had to login into APEX Internal as Admin, then reset my lonely little user back to being an Administrator for APEX.

Please do this better than I did!