I had one interesting task: to enable application end-users to manage users (to create new users from the app). Of course, I'm talking about APEX users and authentication.
Sounds simple, but is it?! I've done this 10 years ago...no problem...
To make it work I've used apex_util.create_user API:
As noted in a comment above, you need to add Workspace Admin privilege to the user you create so that this user can create other users. Sounds good...but you have one big problem. This user can login to the APEX Builder (of course, you can disable APEX builder access on test/production environments, but who does that in reality 😉).
The thing that worked before (I think last in APEX 5.1) was that you could create a new user that is locked by default:
You can't login to the APEX builder, but unfortunately, you can't login to the app neither.
So I came to a new solution, and it's a simple one.
By default I add new end-users to predefined User Group (don't forget to create user group before):
After that, on the APEX workspace instance level (Manage Instance > Security > Development Environment Authentication Schemes > APEX Accounts), I've added Post-Authentication procedure that doesn't allow users from that group (in my case APP_END_USERS) to login to the APEX Builder: