Why Authorization Schemes Matter
Authentication tells your application who the user is. Authorization tells your application what the user is allowed to do. APEX’s authorization scheme framework provides a centralized, reusable way to control access to pages, regions, buttons, items, and virtually any component in your application. Without authorization schemes, developers end up scattering access control logic across dozens of page processes and conditions, which is difficult to audit and easy to get wrong.
Creating an Authorization Scheme
In Shared Components, navigate to Authorization Schemes and create a new one. The most common type is PL/SQL Function Returning Boolean:
-- Authorization Scheme: IS_MANAGER
-- Built-in group membership check; returns TRUE when :APP_USER is in MANAGERS.
RETURN apex_util.current_user_in_group('MANAGERS');

-- Authorization Scheme: CAN_EDIT_DEPARTMENT
-- Context-sensitive check: falls back to the user's home department
-- when the page item is not set.
DECLARE
    l_count NUMBER;
BEGIN
    SELECT COUNT(*)
      INTO l_count
      FROM department_editors
     WHERE username      = :APP_USER
       AND department_id = NVL(:P10_DEPT_ID, :G_USER_DEPT_ID);
    RETURN l_count > 0;
END;
Applying Authorization Schemes
Once created, you can apply an authorization scheme to any component. On a page, set the Authorization Scheme property to restrict who can access the entire page. On a region, button, or item, set it to control visibility and functionality. On a navigation menu entry, set it to hide menu items the user cannot access.
APEX evaluates authorization schemes once per page view and caches the result for that page rendering cycle. This means you can apply the same scheme to multiple components on the same page without performance concerns from repeated evaluation.
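An authorization scheme on a button controls whether the button is rendered; the page process the button submits still needs its own guard, either by setting the process's Authorization Scheme property to the same scheme or by checking it explicitly in PL/SQL. The following is an added example, not code from the original article: a page process that re-checks CAN_EDIT_DEPARTMENT before writing, using the documented apex_authorization.is_authorized API. The DEPARTMENTS table and the items P10_DEPT_ID and P10_DEPT_NAME are assumptions for the sake of the example.

```sql
-- Page 10, Process (PL/SQL Code), fired by the Save button.
-- Assumed for this example: table DEPARTMENTS(department_id, name),
-- items P10_DEPT_ID and P10_DEPT_NAME, and the CAN_EDIT_DEPARTMENT scheme.
BEGIN
    -- Second evaluation on this page view is served from the per-page cache,
    -- so the explicit check adds no extra query.
    IF NOT apex_authorization.is_authorized(
               p_authorization_name => 'CAN_EDIT_DEPARTMENT') THEN
        -- Record the denial in the APEX debug log before failing the request.
        apex_debug.warn('Denied CAN_EDIT_DEPARTMENT for %s on department %s',
                        :APP_USER, :P10_DEPT_ID);
        raise_application_error(-20001,
            'You are not authorized to edit this department.');
    END IF;

    UPDATE departments
       SET name = :P10_DEPT_NAME
     WHERE department_id = :P10_DEPT_ID;
END;
```

Because the scheme is evaluated once per page view and cached, the explicit call in the process costs nothing beyond the render-time evaluation that already decided whether to show the button.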
Evaluation Points
Authorization schemes can be evaluated at two points: Once Per Page View (the default, cached for the page) or Once Per Session (cached for the entire session). Use per-session evaluation for role checks that will not change during a user’s session to avoid repeated database queries. Use per-page evaluation for context-sensitive checks that depend on page item values.
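A scheme evaluated Once Per Session keeps its cached verdict until the session ends, so any process that changes the context the scheme depends on must clear that cache. The following is an added example, not code from the original article: a process that lets the user switch their working department (changing :G_USER_DEPT_ID, which CAN_EDIT_DEPARTMENT reads) and then calls the documented apex_authorization.reset_cache so per-session schemes are recomputed. The item P20_NEW_DEPT_ID is an assumption.

```sql
-- Page 20, Process (PL/SQL Code): switch the user's working department.
-- Assumed for this example: item P20_NEW_DEPT_ID; the DEPARTMENT_EDITORS table
-- and application item G_USER_DEPT_ID are the ones used by CAN_EDIT_DEPARTMENT.
DECLARE
    l_dept_id department_editors.department_id%TYPE;
BEGIN
    -- Accept only a department this user is actually an editor of;
    -- NO_DATA_FOUND means the submitted value was not one of theirs.
    SELECT department_id
      INTO l_dept_id
      FROM department_editors
     WHERE username      = :APP_USER
       AND department_id = :P20_NEW_DEPT_ID;

    apex_util.set_session_state('G_USER_DEPT_ID', l_dept_id);

    -- The per-session cache still holds the verdict computed for the old
    -- department. Discard all cached authorization results for this session
    -- so CAN_EDIT_DEPARTMENT is re-evaluated against the new context.
    apex_authorization.reset_cache;
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        raise_application_error(-20002,
            'You are not an editor of that department.');
END;
```

Without the reset_cache call, a user who switched from a department they may edit to one they may not would keep the cached TRUE for the rest of the session, and the reverse would lock out a user who just gained access.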
Testing and Error Handling
When an authorization scheme fails for a page, APEX displays an error page. Customize this by setting the Authorization Error Message in the scheme definition. For a better user experience, consider redirecting unauthorized users to a friendly landing page rather than showing a raw error. Test your authorization schemes by impersonating different users through the APEX builder’s Run As feature.
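Schemes can also be exercised outside the builder. The following is an added example, not code from the original article: a SQLcl or SQL*Plus script, run as the application's parsing schema, that creates an APEX session for each test account with the documented apex_session.create_session API, evaluates both schemes defined above, and tears the session down. The application id 100, page 10, department 42 and the user names are placeholders.

```sql
-- Evaluate IS_MANAGER and CAN_EDIT_DEPARTMENT for several users.
-- Placeholders for this example: application 100, page 10, department 42,
-- test accounts ALICE and BOB. Requires SET SERVEROUTPUT ON in the client.
DECLARE
    TYPE t_users IS TABLE OF VARCHAR2(128);
    l_users t_users := t_users('ALICE', 'BOB');   -- constructed test accounts

    FUNCTION yn(p_ok BOOLEAN) RETURN VARCHAR2 IS
    BEGIN
        RETURN CASE WHEN p_ok THEN 'Y' ELSE 'N' END;
    END;
BEGIN
    FOR i IN 1 .. l_users.COUNT LOOP
        -- A fresh session per user so :APP_USER and the scheme cache
        -- belong to that user only.
        apex_session.create_session(
            p_app_id   => 100,
            p_page_id  => 10,
            p_username => l_users(i));

        -- Supply the page context CAN_EDIT_DEPARTMENT reads.
        apex_util.set_session_state('P10_DEPT_ID', '42');

        dbms_output.put_line(
            l_users(i)
            || ' IS_MANAGER=' || yn(apex_authorization.is_authorized('IS_MANAGER'))
            || ' CAN_EDIT_DEPARTMENT='
            || yn(apex_authorization.is_authorized('CAN_EDIT_DEPARTMENT')));

        apex_session.delete_session;
    END LOOP;
END;
/
```

Running this after every change to a scheme, or to the tables it reads, gives a repeatable record of who is authorized for what, which is easier to review than clicking through pages as each user.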