Corralling APEX Applications in a Corporate Environment

Scott Chaplow, HCL Technologies


Introduction

Scott Chaplow, Systems Architect, HCL Technologies

Level 4, ACC Building, 18 London St, Hamilton 3204, New Zealand

+64 7 858 7129+64 27 233 [email protected]@fonterra.com


HCL Overview

HCL Technologies, HCL Infosystems

Highlights: Total Revenues $6.3 B; Clients 500+; Employees 93,000; Countries 31

Diversified and De-Risked Portfolio

Geo Mix (chart): US, Europe, Asia Pacific (13.8%); the other two shares shown are 59.5% and 26.7%

Vertical Mix: 12.1% Telecom; 25.5% Financial Services; 26.7% Manufacturing; 6.9% Retail & CPG; 5.0% MPE; 6.3% Life Sciences; 8.9% E&U; 6.9% Others

Service Line Mix: 7.6% BPO; 22.2% Infrastructure Services; 19.0% Engineering Services; 21.4% Enterprise Apps; 29.9% Custom Apps


Fonterra APEX

[Timeline chart, 2006 to 2013, of Fonterra APEX applications. Applications shown: Payroll Reporting, DARSy, Conv Cost, FTS Config, Manu Capacity, RX7, Ozone, Portal Requests, FSRPM, ES, PCA, SNO, Compliance System, Operational Excellence, Cost of Quality, eBudget, PWMR, IS Report Data Load, BIPP, FAM Data, INJMAN, eProject, RUCS, Activity Mapping, WEBREM, A3, WEBDOCS, RFM / GSR Business Proc, ASMR, FSKAT, Customer Visit Tool, ProFin, Rework, MFU Starter Culture, Upload Sheet, OPT1, Value Portal, MOMPA, RP, Bioscience Starter Culture, WMLOG, Request Tracker, PMR Perform Reporting, Training Portal, APEX Portal.]

Fonterra APEX Environments

[Diagram: the applications from the previous slide grouped by hosting environment. Labels also include e-HR, Perform, WEBFORMS, MAX, Edit My Details, e-HR Admin and WEBLEAVE.]

Application Examples

Developed over eight years by more than 30 developers

At least twelve APEX themes in use

Examples…


The Problem

Variation

Twelve different themes

Duplication of effort

User access maintenance

Other functions

Lack of internal application security

No Authorization Schemes (security through obscurity)

Page Access Protection not enabled (URL tampering)

Report columns not escaping special characters (XSS)

Inappropriate use of &ITEM. syntax (SQL injection)


The Journey

[Timeline, 2010 to 2013. Milestones shown:]

Shared security schema

User Security Tables & Functions

Authentication

Parameters

Lookup Lists

Import Template (base)

Import Template (pages)

Auditing

Jobs

Standard Admin Pages

Configuration Export / Import

Dropdown Menu

Single sign-on

Shared Pages

Security Assurance

HR Data

[Categories: Authentication, Access, Administration]

The Vision

Oracle APEX Database

HR Data: Email Address, User Name, Preferred Name, Last Name, Person ID, Manager ID, Position, Cost Centre, Termination Date, Location, Contact Details, Organisation, Hire Date

Shared Area: security, data, code

Security Application

Shared Pages


The Result – A3

Three areas of focus

Authentication

Access

Administration

Three Applications

A3 (Security Data) Application

Shared Application

APEX Portal


A3 Structure

A3 Application (A3A)

Shared Pages (A30)

User-selected Application’s Data

Shared Area (A3)


A3 Features


Authentication

Checks if there’s an outage

Refreshes user’s automatically assigned roles

Checks the user has access to the application

Randomly selects authentication host from list

Authenticates username and password


Access – Security Structure

Users

Actions

Roles

Security Codes

Pages


Security Structure

Range of Functionality

Range of Data


Access – Security Structure

Users

Actions

Roles

Security Codes

Pages


Application Security Functions


Page Security Functions


Administration – Security Structure

List, Parameter, Audit, Import Template, Jobs

Users

Actions

Roles

Security Codes

Pages


Other Features

Standard Theme

Messages

Logging

Configuration Export and Import

Dropdown Menu

Single Sign-on

Shared Pages

APEX Portal

Security Assurance

Standard Theme

Comply with Fonterra branding guidelines

Test all templates

Create guide on how each template should be used

Remove any extra templates


Messages

Information and Outage messages

Use standard APEX notification variables

apex_application.g_notification (outage)

apex_application.g_print_success_message (information)


Logging

Standard functions for writing to log table

Debug message only generated if debugging switched on in APEX or a3_log_pkg.gv_debug is TRUE

Procedure / Function

v_group_id := a3_log_group( 'Group' );

a3_log_info( 'Information', v_group_id );

a3_log_debug( 'Debug', v_group_id );

a3_log_error( 'Error', v_group_id );

a3_log_warning( 'Warning', v_group_id );


Configuration Export & Import

Configuration Export, by

Object type or specific object

Grouping of objects by change date

Entire application

Configuration Import


Dropdown Menu

Started as a bit of “bling” for the applications

Integrated nicely with shared security

Integral for seamlessly adding shared pages


Dropdown Menu Technical

Started with a Plugin from http://www.apex-plugin.com/

Moved PL/SQL to shared schema

Moved images, CSS and JavaScript files to shared directory

Included menu HTML as JavaScript file with document.write('');

Added page footer to shift last menu items left


Single Sign-on Overview

Uses Session Initialization and Authentication Function

Triggered via the APEX request item

f?p=App:Page:Session:Request:Debug:ClearCache:Items:Values:PrinterFriendly

A3-REDIRECT~Database~App~Page~Request~ClearCache~Items~Values

f?p=App:Page:Session:Request:Debug:ClearCache:Items:Values:PrinterFriendly

APEX Login

wwv_flow.accept ?p_flow_id=2001 &p_flow_step_id=101 &p_arg_names=Username-Item-ID &p_t01=username &p_arg_names=Password-Item-ID &p_t02=password

Authentication: Authenticate to Active Directory

Post Authentication: Redirect to Home Page

f?p=2001:1:95563177109636::NO::::

Single Sign-on (new session)

f?p=2001:1:95563177109636::NO::::

A3-REDIRECT~MAX~120~4000~~~~

f?p=2001:1:955631877109636:A3-REDIRECT~MAX~120~4000~~~~:NO::::&cs=384D

Initialise Session (VPD)

Generate A3 Redirect Key

Redirect to login process on target application

wwv_flow.accept ?p_flow_id=120 &p_flow_step_id=101 &p_request=A3-REDIRECT-LOGIN &p_arg_names=Username-Item-ID &p_t01=username &p_arg_names=Password-Item-ID &p_t02=A3-Redirect-key

Authentication: Authenticate to Active Directory / A3 Redirect Key

Post Authentication: Redirect to Target URL

f?p=120:4000:863177109636::NO::::

Single Sign-on (existing session)

f?p=120:4000:863177109636::NO::::

A3-REDIRECT~MAX~2001~1~~~~

f?p=120:4000:863177109636:A3-REDIRECT~MAX~2001~1~~~~:NO::::&cs=591X

Initialise Session (VPD)

Found Session ID 95563177109636 for App 2001 in Session Group

Redirect to target page in application reusing session

f?p=2001:1:95563177109636::NO::::


Shared Pages

Original plan was to include a set of administration pages in the standard application template

Foundations

Consistent theme

Consistent variable naming

Shared security framework

Drop-down menu

Captures session state prior to accessing shared page

Shared application adopts security and session state of calling application


APEX Portal

Home page for users listing the applications they have access to

Centralized reporting

Place for users to request further access


Security Assurance

Report checks application is set up correctly

Checks compliance to the security standards

Authorization Scheme for entire application

Page Access Protection on

Report fields restrict HTML characters

&ITEM. Syntax not used in SQL queries

Checks page relationships
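
The four standards checks listed above can be expressed as one query over Oracle's APEX dictionary views. This is an added example, not the A3 assurance report, and it reads the APEX_APPLICATION% views rather than the WWV_FLOW_% base tables. The bind :TARGET_APP_ID is a hypothetical placeholder, and the 'Unrestricted' and 'Standard Report Column' literals are assumed to be the values those views report in the APEX 4.x release the deck describes.

```sql
-- Added example, not A3's own report. TARGET_APP_ID is a hypothetical bind
-- placeholder for the application being audited. The ampersand is written
-- as chr(38) so SQL*Plus / SQLcl do not treat it as a substitution variable.
select 'No application-wide authorization scheme' as finding,
       a.application_id,
       cast(null as number) as page_id,
       cast(a.application_name as varchar2(400)) as detail
  from apex_applications a
 where a.application_id = :TARGET_APP_ID
   and a.authorization_scheme is null
union all
-- Pages whose URL arguments are accepted without a checksum.
select 'Page Access Protection is Unrestricted',
       p.application_id,
       p.page_id,
       cast(p.page_name as varchar2(400))
  from apex_application_pages p
 where p.application_id = :TARGET_APP_ID
   and p.page_access_protection = 'Unrestricted'
union all
-- Classic report columns emitted as raw HTML (value as decoded in APEX 4.x).
select 'Report column does not escape special characters',
       c.application_id,
       c.page_id,
       cast(c.region_name || ' / ' || c.column_alias as varchar2(400))
  from apex_application_page_rpt_cols c
 where c.application_id = :TARGET_APP_ID
   and c.display_as = 'Standard Report Column'
union all
-- Region source that looks like SQL and embeds a substitution string
-- (ampersand, name, dot) instead of a bind variable such as :P1_ID.
-- Built-in substitutions like APP_ID are flagged too and need manual review.
select 'Substitution string used in region SQL',
       r.application_id,
       r.page_id,
       cast(r.region_name as varchar2(400))
  from apex_application_page_regions r
 where r.application_id = :TARGET_APP_ID
   and regexp_like(r.region_source, 'select', 'i')
   and regexp_like(r.region_source, chr(38) || '[A-Za-z0-9_$#]+\.')
 order by 2, 3, 1;
```

An empty result means the application passes these four checks; interactive report columns live in a separate view and are not covered here.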


APEX Base Tables

Workspaces WWV_FLOW_COMPANIES

Workspace Schemas WWV_FLOW_COMPANY_SCHEMAS

Workspace Users WWV_FLOW_FND_USER

Applications WWV_FLOWS

Application Processes WWV_FLOW_PROCESSING

Application Items WWV_FLOW_ITEMS

Authentication Schemes WWV_FLOW_CUSTOM_AUTH_SETUPS

Authorization Schemes WWV_FLOW_SECURITY_SCHEMES

Parent Tabs WWV_FLOW_TOPLEVEL_TABS

Standard Tabs WWV_FLOW_TABS

Pages WWV_FLOW_STEPS

Page Regions WWV_FLOW_PAGE_PLUGS

Page Region Columns WWV_FLOW_REGION_REPORT_COLUMN

Interactive Reports WWV_FLOW_WORKSHEETS

Interactive Report Columns WWV_FLOW_WORKSHEET_COLUMNS

Page Buttons WWV_FLOW_STEP_BUTTONS

Page Items WWV_FLOW_STEP_ITEMS

Page Processes WWV_FLOW_STEP_PROCESSING

Page Branches WWV_FLOW_STEP_BRANCHES

APEX Activity Log WWV_FLOW_ACTIVITY_LOG

Tables available in the APEX_040000 schema (version 4.0)

Don’t alter these tables, or you’ll void your support


Final Words


Caveats

Applications are no longer stand-alone

Not using all standard features

References to base APEX tables


Benefits

Application administration and support is easier

Application development is streamlined

Application security is assured

Application quality is improved

User access is controlled and auditable

User experience is consistent

Custom applications become trusted


Questions


www.hcl.com

Thanks