Oracle XS_ACL
Version 21c

General Information
Library Note Morgan's Library Page Header
Which has the higher priority in your organization: Deploying a new database or securing the ones you already have? Looking for a website, and resources, dedicated solely to securing Oracle databases? Check out DBSecWorx.
Purpose Real Application Security Access Control Lists
AUTHID CURRENT_USER
Constants
Name Data Type Value
 Parent ACL Types
EXTENDED PLS_INTEGER 1
CONSTRAINED PLS_INTEGER 2
 Principal's Types
PTYPE_XS PLS_INTEGER 1
PTYPE_DB PLS_INTEGER 2
PTYPE_DN PLS_INTEGER 3
PTYPE_EXTERNAL PLS_INTEGER 4
 Parameter Value Types
TYPE_NUMBER PLS_INTEGER 1
TYPE_VARCHAR PLS_INTEGER 2
Data Types TYPE SYS.XS$ACE_LIST

TYPE SYS.XS$ACE_TYPE
Dependencies
DBA_XS_ACES DBMS_UTILITY XS_ADMIN_INT
DBMS_ASSERT XS$ACE_LIST XS_ADMIN_UTIL
DBMS_NETWORK_ACL_ADMIN XS$ACE_TYPE XS_SECURITY_CLASS_INT
DBMS_SFW_ACL_ADMIN XS_ACL_INT  
Documented No
Exceptions
Error Code Reason
ORA-46152 XS Security - invalid ACE specified
ORA-46215 XS entity by the name <string> did not exist.
First Available 11.2
Security Model Owned by SYS with EXECUTE granted to PUBLIC and DBSFWUSER
Source {ORACLE_HOME}/rdbms/admin/xsacl.sql
Subprograms
ADD_ACL_PARAMETER GRANT_PRIVILEGE SET_DESCRIPTION
APPEND_ACES REMOVE_ACES SET_PARENT_ACL
CREATE_ACL REMOVE_ACL_PARAMETERS SET_SECURITY_CLASS
DELETE_ACL REVOKE_PRIVILEGE  
 
ADD_ACL_PARAMETER
Add a numeric parameter value

Overload 1		 xs_acl.add_acl_parameter(
acl       IN VARCHAR2,
policy    IN VARCHAR2,
parameter IN VARCHAR2,
value     IN NUMBER);
TBD
Add a string parameter value

Overload 2		 xs_acl.add_acl_parameter(
acl       IN VARCHAR2,
policy    IN VARCHAR2,
parameter IN VARCHAR2,
value     IN VARCHAR2);
exec xs_acl.add_acl_parameter('DBSECWORXACL','XPOLICY','GEO', 'EMEA');
 
APPEND_ACES
Append one ACE to the ACL

Overload 1		 xs_acl.append_aces(
acl IN VARCHAR2,
ace IN XS$ACE_TYPE);
DECLARE
 atype xs$ace_type;
BEGIN
  atype := xs$ace_type(privilege_list=>xs$name_list('"SELECT"'),
                       granted=>TRUE,
                       principal_name=>'DBA',
                       principal_type=>xs_acl.ptype_db);
  xs_acl_append_aces('DBSECWORXACL', atype);
END;
/
Append ACEs to the ACL

Overload 2		 xs_acl.append_aces(
acl      IN VARCHAR2,
ace_list IN XS$ACE_LIST);
TBD
 
CREATE_ACL
Create ACL API xs_acl.create_acl(
name         IN VARCHAR2,
ace_list     IN XS$ACE_LIST,
sec_class    IN VARCHAR2    := NULL,
parent       IN VARCHAR2    := NULL,
inherit_mode IN PLS_INTEGER := NULL,
description  IN VARCHAR2    := NULL);
col acl format a45
col owner format a20
col privilege format a20
col security_class format a20

SELECT acl, owner, privilege, security_class
FROM dba_xs_aces
ORDER BY 1;

DECLARE
 alist xs$ace_list;
BEGIN
  alist := xs$ace_list(
             xs$ace_type(privilege_list=>xs$name_list('"SELECT"','VIEW_SENSITIVE_INFO'),
                         granted=>TRUE,
                         principal_name=>'CSR'),
             xs$ace_type(privilege_list=>xs$name_list('UPDATE_INFO'),
                         granted=>TRUE,
                         principal_name=>'MGR'));
  xs_acl.create_acl('DBSECWORXACL', alist, 'SECPRIVS', description=>'Data Access');
END;
/

SELECT acl, owner, privilege, security_class
FROM dba_xs_aces
WHERE acl = 'DBSECWORXACL';

ACL           OWNER  PRIVILEGE            SECURITY_CLASS
------------- ------ -------------------- ---------------
DBSECWORXACL  SYS    SELECT               SECPRIVS
DBSECWORXACL  SYS    VIEW_SENSITIVE_INFO  SECPRIVS
DBSECWORXACL  SYS    UPDATE_INFO          SECPRIVS
 
DELETE_ACL
Delete an ACL xs_acl.delete_acl(
acl           IN VARCHAR2,
delete_option IN PLS_INTEGER := XS_ADMIN_UTIL.DEFAULT_OPTION);
exec xs_acl.delete_acl('DBSECWORXACL');
 
GRANT_PRIVILEGE (new 21c)
Grant a privilege xs_acl.grant_privilege(
acl            IN VARCHAR2,
privilege      IN VARCHAR2,
principal      IN VARCHAR2,
principal_type IN BINARY_INTEGER);
TBD
 
REMOVE_ACES
Remove all ACEs from the ACL xs_acl.remove_aces(acl IN VARCHAR2);
exec xs_acl.remove_aces('UWACL');
 
REMOVE_ACL_PARAMETERS
Remove all parameters
Overload 1		 xs_acl.remove_acl_parameters(acl IN VARCHAR2);
exec xs_acl.remove_acl_parameters('UWACL');
Remove a single parameter
Overload 2		 xs_acl.remove_acl_parameters(
acl       IN VARCHAR2,
parameter IN VARCHAR2);
exec xs_acl.remove_acl_parameters('UWACL', 'GEO');
Remove a parameter associate with a policy

Overload 3		 xs_acl.remove_acl_parameters(
acl       IN VARCHAR2,
policy    IN VARCHAR2,
parameter IN VARCHAR2);
exec xs_acl.remove_acl_parameters('DBSECWORXACL', 'XPOLICY', 'GEO');
 
REVOKE_PRIVILEGE (new 21c)
Revoke a granted privilege xs_acl.revoke_privilege(
acl            IN VARCHAR2,
privilege      IN VARCHAR2,
principal      IN VARCHAR2,
principal_type IN BINARY_INTEGER);
TBD
 
SET_DESCRIPTION
Set an ACL description xs_acl.set_description(
acl         IN VARCHAR2,
description IN VARCHAR2);
exec xs_acl.set_description('UWACL', 'UW Secure ACL');
 
SET_PARENT_ACL
Sets the parent ACL xs_acl.set_parent_acl(
acl          IN VARCHAR2,
parent       IN VARCHAR2,
inherit_mode IN PLS_INTEGER);
TBD
 
SET_SECURITY_CLASS
Sets the security class xs_acl.set_security_class(
acl       IN VARCHAR2,
sec_class IN VARCHAR2);
TBD

Related Topics
Built-in Functions
Built-in Packages
DBMS_NETWORK_ACL_ADMIN
DBMS_SFW_ACL_ADMIN
XS_ACL_INT
XS_ADMIN_INT
XS_ADMIN_UTIL
XS_ADMIN_UTIL_INT
XS_DATA_SECURITY
XS_DATA_SECURITY_INT
XS_DATA_SECURITY_UTIL
XS_DATA_SECURITY_UTIL_INT
XS_DIAG
XS_DIAG_INT
XS_MTCACHE_INT
XS_NAMESPACE
XS_NAMESPACE_INT
XS_PRINCIPAL
XS_PRINCIPAL_INT
XS_ROLESET
XS_ROLESET_INT
XS_SECURITY_CLASS
XS_SECURITY_CLASS_INT
What's New In 19c
What's New In 20c-21c

Morgan's Library Page Footer
This site is maintained by Dan Morgan. Last Updated: This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2021 Daniel A. Morgan All Rights Reserved
  DBSecWorx