Role-based access control (RBAC) in VBCS applications operates at two levels: the UI layer (what users see and can interact with) and the data layer (what they’re actually permitted to read and write). Both matter, and they’re not the same thing.
The critical distinction
Client-side role checks control UX — not security.
Hiding a button or a section based on a user’s roles prevents accidental access and keeps the interface clean. It does not prevent a technically capable user from calling the underlying REST endpoint directly. Security must be enforced at the API/integration layer.
This is not a VBCS limitation — it’s true of every client-rendered application framework. Design with this in mind.
Accessing user roles in VBCS
VBCS exposes the current user’s authenticated roles via $application.user.roles. This is a string array populated from the user’s Oracle IDCS or OCI IAM roles.
Conditional visibility:
[[ $application.user.roles.includes('FINANCE_MANAGER') ]]
Conditional in an action chain (If action):
Condition: $application.user.roles.includes('FINANCE_MANAGER')
True path: show approval panel
False path: show read-only view
Page-level and flow-level access
Use VBCS’s Page Entry Guard (beforeEnter lifecycle event) to redirect unauthorised users before a page renders:
// In beforeEnter action chain
if (!$application.user.roles.includes('REQUIRED_ROLE')) {
// Navigate to access denied page
}
This prevents page rendering and provides a clean “access denied” experience rather than a page that loads and then hides everything.
Role hierarchy design
Define role constants in an app-level JavaScript module rather than scattering role strings through your action chains and expressions. When a role name changes in IDCS, you change it in one place:
export const Roles = {
FINANCE_APPROVER: 'FusionORA_FINANCE_APPROVER_CUSTOM',
READ_ONLY: 'FusionORA_READ_ONLY_USER',
};
Testing RBAC
Test every role permutation with actual test users assigned those roles — not by toggling variables in the designer. Role behaviour is one of the most common sources of production bugs that pass internal testing because testing was done with admin accounts.