Oracle XS_ACL
Version 21c

General Information
Purpose Real Application Security Access Control Lists
AUTHID CURRENT_USER
Constants
Name Data Type Value
 Parent ACL Types
EXTENDED PLS_INTEGER 1
CONSTRAINED PLS_INTEGER 2
 Principal's Types
PTYPE_XS PLS_INTEGER 1
PTYPE_DB PLS_INTEGER 2
PTYPE_DN PLS_INTEGER 3
PTYPE_EXTERNAL PLS_INTEGER 4
 Parameter Value Types
TYPE_NUMBER PLS_INTEGER 1
TYPE_VARCHAR PLS_INTEGER 2
Data Types TYPE SYS.XS$ACE_LIST

TYPE SYS.XS$ACE_TYPE
Dependencies
DBA_XS_ACES DBMS_UTILITY XS_ADMIN_INT
DBMS_ASSERT XS$ACE_LIST XS_ADMIN_UTIL
DBMS_NETWORK_ACL_ADMIN XS$ACE_TYPE XS_SECURITY_CLASS_INT
DBMS_SFW_ACL_ADMIN XS_ACL_INT  
Documented No
Exceptions
Error Code Reason
ORA-46152 XS Security - invalid ACE specified
ORA-46215 XS entity by the name <string> did not exist.
First Available 11.2
Security Model Owned by SYS with EXECUTE granted to PUBLIC and DBSFWUSER. Note that the package is AUTHID CURRENT_USER (invoker's rights), so the PUBLIC execute grant does not by itself let any user create or alter ACLs: each subprogram runs with the caller's own privileges, and the caller must hold the appropriate Real Application Security administrative privilege (e.g. ADMIN_ANY_SEC_POLICY) or otherwise have rights over the target ACL — verify the exact requirement against the RAS documentation for your release.
Source {ORACLE_HOME}/rdbms/admin/xsacl.sql
Subprograms
 
ADD_ACL_PARAMETER
Add a numeric parameter value

Overload 1
xs_acl.add_acl_parameter(
acl       IN VARCHAR2,
policy    IN VARCHAR2,
parameter IN VARCHAR2,
value     IN NUMBER);
TBD
Add a string parameter value

Overload 2
xs_acl.add_acl_parameter(
acl       IN VARCHAR2,
policy    IN VARCHAR2,
parameter IN VARCHAR2,
value     IN VARCHAR2);
exec xs_acl.add_acl_parameter('DBSECWORXACL','XPOLICY','GEO', 'EMEA');
 
APPEND_ACES
Append one ACE to the ACL

Overload 1
xs_acl.append_aces(
acl IN VARCHAR2,
ace IN XS$ACE_TYPE);
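-- Append a single ACE to the existing ACL DBSECWORXACL (overload 1).
-- The ACE grants the "SELECT" privilege (double-quoted name, presumably because
-- SELECT is a reserved word) to the principal named DBA, declared as a database
-- principal via principal_type => xs_acl.ptype_db (constant value 2).
-- NOTE(review): this grants to whatever DBA resolves to at the database level;
-- confirm the privilege is defined in the ACL's security class before relying on it.
DECLARE
 atype xs$ace_type;
BEGIN
  atype := xs$ace_type(privilege_list=>xs$name_list('"SELECT"'),
                       granted=>TRUE,
                       principal_name=>'DBA',
                       principal_type=>xs_acl.ptype_db);
  -- Fixed: the original called xs_acl_append_aces (underscore), which is not a
  -- subprogram of this package; the package-qualified name is xs_acl.append_aces.
  xs_acl.append_aces('DBSECWORXACL', atype);
END;
/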
Append ACEs to the ACL

Overload 2
xs_acl.append_aces(
acl      IN VARCHAR2,
ace_list IN XS$ACE_LIST);
TBD
 
CREATE_ACL
Create ACL API xs_acl.create_acl(
name         IN VARCHAR2,
ace_list     IN XS$ACE_LIST,
sec_class    IN VARCHAR2    := NULL,
parent       IN VARCHAR2    := NULL,
inherit_mode IN PLS_INTEGER := NULL,
description  IN VARCHAR2    := NULL);
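-- List every ACE currently defined, one row per (ACL, privilege).
-- The col lines are SQL*Plus display directives, not part of the query.
col acl format a45
col owner format a20
col privilege format a20
col security_class format a20

-- Sort by the named column rather than the positional ORDER BY 1,
-- so the ordering survives any change to the select list.
SELECT acl, owner, privilege, security_class
FROM dba_xs_aces
ORDER BY acl;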

-- Create ACL DBSECWORXACL bound to security class SECPRIVS with two ACEs:
--   CSR is granted "SELECT" and VIEW_SENSITIVE_INFO; MGR is granted UPDATE_INFO.
-- Neither ACE specifies principal_type, so the type's default applies
-- (the default is defined in XS$ACE_TYPE, not shown on this page).
DECLARE
 csr_ace xs$ace_type;
 mgr_ace xs$ace_type;
 aces    xs$ace_list;
BEGIN
  csr_ace := xs$ace_type(privilege_list=>xs$name_list('"SELECT"','VIEW_SENSITIVE_INFO'),
                         granted=>TRUE,
                         principal_name=>'CSR');
  mgr_ace := xs$ace_type(privilege_list=>xs$name_list('UPDATE_INFO'),
                         granted=>TRUE,
                         principal_name=>'MGR');
  aces := xs$ace_list(csr_ace, mgr_ace);
  xs_acl.create_acl('DBSECWORXACL', aces, 'SECPRIVS', description=>'Data Access');
END;
/

-- Confirm the ACEs that now exist for the ACL just created.
SELECT a.acl,
       a.owner,
       a.privilege,
       a.security_class
FROM   dba_xs_aces a
WHERE  a.acl = 'DBSECWORXACL';

ACL           OWNER  PRIVILEGE            SECURITY_CLASS
------------- ------ -------------------- ---------------
DBSECWORXACL  SYS    SELECT               SECPRIVS
DBSECWORXACL  SYS    VIEW_SENSITIVE_INFO  SECPRIVS
DBSECWORXACL  SYS    UPDATE_INFO          SECPRIVS
 
DELETE_ACL
Delete an ACL xs_acl.delete_acl(
acl           IN VARCHAR2,
delete_option IN PLS_INTEGER := XS_ADMIN_UTIL.DEFAULT_OPTION);
exec xs_acl.delete_acl('DBSECWORXACL');
 
GRANT_PRIVILEGE (new 21c)
Grant a privilege xs_acl.grant_privilege(
acl            IN VARCHAR2,
privilege      IN VARCHAR2,
principal      IN VARCHAR2,
principal_type IN BINARY_INTEGER);
TBD
 
REMOVE_ACES
Remove all ACEs from the ACL xs_acl.remove_aces(acl IN VARCHAR2);
exec xs_acl.remove_aces('UWACL');
 
REMOVE_ACL_PARAMETERS
Remove all parameters
Overload 1
xs_acl.remove_acl_parameters(acl IN VARCHAR2);
exec xs_acl.remove_acl_parameters('UWACL');
Remove a single parameter
Overload 2
xs_acl.remove_acl_parameters(
acl       IN VARCHAR2,
parameter IN VARCHAR2);
exec xs_acl.remove_acl_parameters('UWACL', 'GEO');
Remove a parameter associated with a policy

Overload 3
xs_acl.remove_acl_parameters(
acl       IN VARCHAR2,
policy    IN VARCHAR2,
parameter IN VARCHAR2);
exec xs_acl.remove_acl_parameters('DBSECWORXACL', 'XPOLICY', 'GEO');
 
REVOKE_PRIVILEGE (new 21c)
Revoke a granted privilege xs_acl.revoke_privilege(
acl            IN VARCHAR2,
privilege      IN VARCHAR2,
principal      IN VARCHAR2,
principal_type IN BINARY_INTEGER);
TBD
 
SET_DESCRIPTION
Set an ACL description xs_acl.set_description(
acl         IN VARCHAR2,
description IN VARCHAR2);
exec xs_acl.set_description('UWACL', 'UW Secure ACL');
 
SET_PARENT_ACL
Sets the parent ACL xs_acl.set_parent_acl(
acl          IN VARCHAR2,
parent       IN VARCHAR2,
inherit_mode IN PLS_INTEGER);
TBD
 
SET_SECURITY_CLASS
Sets the security class xs_acl.set_security_class(
acl       IN VARCHAR2,
sec_class IN VARCHAR2);
TBD

Related Topics
Built-in Functions
Built-in Packages
Database Security
DBMS_NETWORK_ACL_ADMIN
DBMS_SFW_ACL_ADMIN
XS_ACL_INT
XS_ADMIN_INT
XS_ADMIN_UTIL
XS_ADMIN_UTIL_INT
XS_DATA_SECURITY
XS_DATA_SECURITY_INT
XS_DATA_SECURITY_UTIL
XS_DATA_SECURITY_UTIL_INT
XS_DIAG
XS_DIAG_INT
XS_MTCACHE_INT
XS_NAMESPACE
XS_NAMESPACE_INT
XS_PRINCIPAL
XS_PRINCIPAL_INT
XS_ROLESET
XS_ROLESET_INT
XS_SECURITY_CLASS
XS_SECURITY_CLASS_INT
What's New In 21c
What's New In 23c
