This chapter describes the PL/SQL packages that are available with Oracle Database Real Application Security.
Table 11-1 lists these packages. Detailed information on each package follows this table.
Table 11-1 Oracle Database Real Application Security PL/SQL Packages
| PL/SQL Package | Description |
|---|---|
|
Includes subprograms to manage an application session. |
|
|
Includes subprograms to create, manage, and delete Access Control Lists (ACLs) and to add and remove parameter values. |
|
|
Includes helper subprograms. |
|
|
Includes subprograms to create, manage, and delete data security policies, associated data realm constraints, column constraints, and ACL parameters. |
|
|
Includes subprograms to schedule automatic refreshment for static ACL to a user table and change the ACL refreshment mode to on-commit or on-demand refresh. |
|
|
Includes subprograms to diagnose potential problems in Real Application Security objects and report identified inconsistencies. |
|
|
Includes subprograms to create, manage, and delete namespace templates and attributes. |
|
|
Includes subprograms to create, manage, and delete application users and roles. |
|
|
Includes subprograms to create, manage, and delete security classes and their privileges. Also includes subprograms for managing security class inheritance. |
The DBMS_XS_SESSIONS package manages an application session.
The DBMS_XS_SESSIONS package is created in the SYS schema. The privilege to execute the package is granted to PUBLIC. The executing user must have the appropriate privilege for the particular operation.
The following constants define operation codes passed into namespace event handling functions:
attribute_first_read_operation CONSTANT PLS_INTEGER := 1; modify_attribute_operation CONSTANT PLS_INTEGER := 2;
The following constants represent bit values that identify events of interest for a particular attribute in a namespace that has an event handling function:
attribute_first_read_event CONSTANT PLS_INTEGER := 1; modify_attribute_event CONSTANT PLS_INTEGER := 2;
The following constants define return codes that can be returned by a namespace event handling function:
event_handling_succeeded CONSTANT PLS_INTEGER := 0; event_handling_failed CONSTANT PLS_INTEGER := 1;
The following constants are used as input into the ADD_GLOBAL_CALLBACK, DELETE_GLOBAL_CALLBACK, and ENABLE_GLOBAL_CALLBACK procedures:
create_session_event CONSTANT PLS_INTEGER := 1; attach_session_event CONSTANT PLS_INTEGER := 2; guest_to_user_event CONSTANT PLS_INTEGER := 3; proxy_to_user_event CONSTANT PLS_INTEGER := 4; revert_to_user_event CONSTANT PLS_INTEGER := 5; enable_role_event CONSTANT PLS_INTEGER := 6; disable_role_event CONSTANT PLS_INTEGER := 7; enable_dynamic_role_event CONSTANT PLS_INTEGER := 8; disable_dynamic_role_event CONSTANT PLS_INTEGER := 9; detach_session_event CONSTANT PLS_INTEGER := 10; terminate_session_event CONSTANT PLS_INTEGER := 11; direct_login_event CONSTANT PLS_INTEGER := 12; direct_logoff_event CONSTANT PLS_INTEGER := 13;
The following object types, constructor functions, synonyms, and GRANT statements are defined for this package.
CREATE OR REPLACE TYPE DBMS_XS_NSATTR AS OBJECT (
--- Member variables
namespace varchar2(130),
attribute varchar2(4000),
attribute_value varchar2(4000),
--- Constructor for DBMS_XS_NSATTR type
--- Only namespace name is mandatory
CONSTRUCTOR FUNCTION DBMS_XS_NSATTR(
namespace IN VARCHAR2,
attribute IN VARCHAR2 DEFAULT NULL,
attribute_value IN VARCHAR2 DEFAULT NULL)
RETURN SELF AS RESULT);
CREATE OR REPLACE PUBLIC SYNONYM DBMS_XS_NSATTR FOR SYS.DBMS_XS_NSATTR;
CREATE OR REPLACE TYPE DBMS_XS_NSATTRLIST AS VARRAY(1000) OF DBMS_XS_NSATTR;
CREATE OR REPLACE PUBLIC SYNONYM DBMS_XS_NSATTRLIST FOR SYS.DBMS_XS_NSATTRLIST;
GRANT EXECUTE ON DBMS_XS_NSATTR TO PUBLIC;
GRANT EXECUTE ON DBMS_XS_NSATTRLIST TO PUBLIC;
CREATE OR REPLACE PUBLIC SYNONYM DBMS_XS_SESSIONS FOR SYS.DBMS_XS_SESSIONS;
GRANT EXECUTE ON DBMS_XS_SESSIONS TO PUBLIC;
Table 11-2 Summary of DBMS_XS_SESSIONS Subprograms
| Subprogram | Description |
|---|---|
|
Creates a new application session for the specified application user name. |
|
|
Attaches the current traditional database session to the application session identified by the session ID. |
|
|
Assigns a named user to the currently attached anonymous Real Application Security session. |
|
|
Switches the application user in the currently attached session. |
|
|
Creates a new application namespace in the currently attached application session. |
|
|
Creates a new custom attribute for the specified application namespace in the currently attached application session. |
|
|
Sets a new value for the specified attribute in the namespace in the currently attached application session. |
|
|
Gets the value of an attribute in the namespace in the currently attached application session. |
|
|
Resets an application namespace attribute to its original value in the specified namespace in the currently attached application session. |
|
|
Deletes the specified attribute from the specified namespace in the currently attached application session. |
|
|
Deletes the specified namespace and its attributes from the currently attached application session. |
|
|
Enables a real application role in the currently attached application session. |
|
|
Disables a real application role from the currently attached application session. |
|
|
Sets a new cookie value with the specified session ID. |
|
|
Updates the last authentication time for the session identified by specified session ID. |
|
|
Sets an inactivity timeout value, in minutes, for the specified session. |
|
|
Saves or persists the changes performed in the currently attached session. |
|
|
Detaches the current traditional database session from the application session to which it is attached. |
|
|
Destroys or terminates the session specified by the session ID. |
|
|
Registers an existing event handler with the database. |
|
|
Enables or disables the global callback for the session event specified by the |
|
|
Deletes an existing global callback association. |
The CREATE_SESSION procedure creates a new application session for the specified user name. It returns a session identifier that you can use to reference the session in future calls.
The session can be created with a regular application user or an external application user. The session can be created in trusted mode or secure mode. In trusted mode, data security checks are bypassed; in secure mode, they are enforced.
The combination of regular session in trusted mode is not supported. Other combinations, regular session in secure mode, external session in trusted mode, or external session in secure mode are supported.
The namespaces parameter is a list of triplet namespaces to be created, the attribute to be created, and the attribute value to be set. This is an optional parameter. The default value is NULL. The XS$GLOBAL_VAR and XS$SESSION namespaces and their attributes are always available to the session.
This function does not attach the current traditional session to the newly created application session. Use the ATTACH_SESSION Procedure to perform this task.
The user executing the procedure must have the CREATE_SESSION application privilege for the application user specified by the username parameter. You can also specify a list of namespaces to be created when the session is created. If you specify namespaces during creation of the session, the caller is required to be granted application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or be granted the ADMIN_NAMESPACE system privilege.
CREATE_SESSION ( username IN VARCHAR2, sessionid OUT NOCOPY RAW, is_external IN BOOLEAN DEFAULT FALSE, is_trusted IN BOOLEAN DEFAULT FALSE, namespaces IN DBMS_XS_NSATTRLIST DEFAULT NULL, cookie IN VARCHAR2 DEFAULT NULL);
| Parameter | Description |
|---|---|
username |
The name of a regular application user or an external application user for which to create the application session.
To find a listing of the user names and application roles for the current session, query the DBA_XS_USERS data dictionary view. To find all application users and roles, query the DBA_XS_PRINCIPALS data dictionary view as follows: Users: SELECT NAME FROM DBA_XS_USERS; Roles: SELECT NAME FROM DBA_XS_ROLES; SELECT NAME FROM DBA_XS_DYNAMIC_ROLES; |
sessionid |
Session ID of the newly created application session. You can get the session ID by using one of the following methods:
|
is_external |
Specifies whether the session is to be created as an external principal session. This is an optional parameter. The default value is FALSE, indicating that a regular session is to be created. A NULL value is taken to mean FALSE. |
is_trusted |
Specifies if the session is to be created in trusted mode or secure mode. In trusted mode, data security checks are bypassed; in secure mode, they are enforced. This is an optional parameter. The default value is FALSE, indicating secure mode. A NULL value is taken to mean FALSE. |
namespaces |
The list of name, attribute, and attribute value triplet. If the namespace is not accessible to the session or no such namespace template exists, an error is thrown. |
cookie |
Specifies the server cookie to be set for the session. This is an optional parameter. The default value is NULL. The maximum allowed length of the cookie is 1024 bytes. |
DECLARE
nsList DBMS_XS_NSATTRLIST;
sessionid RAW(16);
BEGIN
nsList := DBMS_XS_NSATTRLIST(DBMS_XS_NSATTR('ns1'),DBMS_XS_NSATTR('ns2'));
SYS.DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid, FALSE, FALSE, nsList);
END;
The ATTACH_SESSION procedure attaches the current traditional database session to the application session identified by the session ID (session_id). The attached session enables the roles granted (directly or indirectly) to the application user with which the session was created and the session scope dynamic application roles that were enabled until the last detach of this session. If you execute ATTACH_SESSION with a list of dynamic application roles using the optional parameter enable_dynamic_roles, the provided dynamic application roles are enabled for the session. To disable a list of dynamic roles, specify the list using the optional parameter disable_dynamic_roles.
You can specify a list of triplet values (namespace, attribute, attribute value) during the attach operation. The namespaces and attributes are then created and attribute values set. This is in addition to any namespaces and attributes that were present in the session.
To execute this procedure, the traditional session user must have the ATTACH_SESSION application privilege. If you specify namespaces, then the user is required to be granted application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or ADMIN_NAMESPACE system privilege.
A self password change is allowed using the SQL*Plus PASSWORD command if invoked from an explicitly attached session (a session attached using the ATTACH_SESSION procedure or the attachSession() method in Java), provided that session has the ALTER_USER privilege and the user name is provided with the PASSWORD command.
ATTACH_SESSION ( sessionid IN RAW, enable_dynamic_roles IN XS$NAME_LIST DEFAULT NULL, disable_dynamic_roles IN XS$NAME_LIST DEFAULT NULL, external_roles IN XS$NAME_LIST DEFAULT NULL, authentication_time IN TIMESTAMP WITH TIME ZONE DEFAULT NULL, namespaces IN DBMS_XS_NSATTRLIST DEFAULT NULL);
| Parameter | Description |
|---|---|
sessionid |
Session ID of the application session. You can get the session ID by using one of the following methods:
|
enable_dynamic_roles |
A list of dynamic roles to be granted to be enabled in the application session. This is an optional parameter. If any of the dynamic roles specified does not exist, the attach session fails. If the session is an external principal session, a list of external roles can be specified for enabling. These roles will remain enabled until detach and will not be enabled in the next attach by default.
To find a listing of the application roles for the current session, query the DBA_XS_SESSION_ROLES data dictionary view. To find a listing of all dynamic application roles, query the DBA_XS_PRINCIPALS data dictionary view as follows: SELECT NAME, TYPE FROM DBA_XS_PRINCIPALS; |
disable_dynamic_roles |
A list of dynamic roles to be disabled from the session. This is an optional parameter. |
external_roles |
A list of external roles if the session is an external principal session. This is an optional parameter. These external roles remain enabled until a detach operation and are not enabled again in the next attach by default. |
authentication_time |
The updated authentication time for the session. This is an optional parameter. The time must be specified in the following format:
|
namespaces |
The list of name, attribute, and attribute value triplet. If the namespace is not accessible to the session or no such namespace template exists, an error is thrown. |
DECLARE
nsList DBMS_XS_NSATTRLIST;
sessionid RAW(16);
BEGIN
nsList := DBMS_XS_NSATTRLIST(DBMS_XS_NSATTR('ns1'),DBMS_XS_NSATTR('ns2'));
SYS.DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
SYS.DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid, NULL, NULL, NULL, NULL, nsList);
END;
The ASSIGN_USER procedure assigns a named application user to the currently attached anonymous application session.
Roles enabled in the current session are retained after this operation. The optional parameters enable_dynamic_roles and disable_dynamic_roles specify the additional lists of dynamic roles to be enabled or disabled. If the assigned user is external, you can specify a list of external roles to be enabled.
You can specify a list of triplet values (namespace, attribute, attribute value) during the assign operation. The namespaces and attributes are then created in the session and attribute values set. This is in addition to any namespaces and attributes that were already present in the session.
To execute this procedure, the dispatcher or connection user must have the ASSIGN_USER application privilege. If you specify namespaces, then the user is required to be granted application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or ADMIN_NAMESPACE system privilege.
DBMS_XS_SESSIONS.ASSIGN_USER ( username IN VARCHAR2, is_external IN BOOLEAN DEFAULT FALSE, enable_dynamic_roles IN XS$NAME_LIST DEFAULT NULL, disable_dynamic_roles IN XS$NAME_LIST DEFAULT NULL, external_roles IN XS$NAME_LIST DEFAULT NULL, authentication_time IN TIMESTAMP WITH TIME ZONE DEFAULT NULL, namespaces IN DBMS_XS_NSATTRLIST DEFAULT NULL);
| Parameter | Description |
|---|---|
username |
The name of the real application user.
To find a listing of existing application users, query the DBA_XS_PRINCIPALS data dictionary view as follows: SELECT NAME FROM DBA_XS_PRINCIPALS; |
is_external |
Specifies whether the named application user is an external user. This is an optional parameter. The default value is FALSE, indicating that a regular application user is assigned. A NULL value is taken to mean FALSE. |
enable_dynamic_roles |
A list of dynamic roles to be enabled in an application session. This is an optional parameter.
To find a listing of the application roles for the current session, query the V$XS_SESSION_ROLES data dictionary view. To find a listing of all dynamic application roles, query the DBA_XS_DYNAMIC_ROLES data dictionary view as follows: SELECT NAME FROM DBA_XS_DYNAMIC_ROLES; |
disable_dynamic_roles |
A list of dynamic roles to be disabled from the session. This is an optional parameter. |
external_roles |
A list of external roles if the application user is an external application user. This is an optional parameter. |
authentication_time |
The updated authentication time for the session. This is an optional parameter. The time must be specified in the following format:
|
namespaces |
The list of name, attribute, and attribute value triplet. If the namespace is not accessible to the session or no such namespace template exists, an error is thrown. |
DECLARE
nsList DBMS_XS_NSATTRLIST;
sessionid RAW(16);
BEGIN
nsList := DBMS_XS_NSATTRLIST(DBMS_XS_NSATTR('ns1'),DB);
SYS.DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
SYS.DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
SYS.DBMS_XS_SESSIONS.ASSIGN_USER(username => 'lwuser2',
namespaces => nsList);
END;
The SWITCH_USER procedure switches the application user in the currently attached session. The current application user must be a proxy user for the target application user before performing the switch operation by using the XS_PRINCIPAL.ADD_PROXY_USER PL/SQL API to acquire the proxy of another application user privilege. The list of filtering application roles of the target user gets enabled in the session.
You can retain current application namespaces of the session or discard them. You can also specify a list of namespaces to be created and attribute values to be set after the switch. If you specify namespaces, then the user is required to be granted application privileges MODIFY_NAMESPACE or MODIFY_ATTRIBUTE on the namespaces, or ADMIN_NAMESPACE system privilege.
SWITCH_USER ( username IN VARCHAR2, keep_state IN BOOLEAN DEFAULT FALSE, namespaces IN DBMS_XS_NSATTRLIST DEFAULT NULL);
| Parameter | Description |
|---|---|
username |
User name of the user whose security context you want to switch to.
To find a listing of existing application users, query the DBA_XS_USERS data dictionary view as follows: SELECT NAME FROM DBA_XS_USERS; |
keep_state |
Controls whether application namespaces are retained.
Possible values are:
|
namespaces |
The list of name, attribute, and attribute value triplet. If the namespace is not accessible to the session or no such namespace template exists, an error is thrown. |
DECLARE
nsList := DBMS_XS_NSATTRLIST(DBMS_XS_NSATTR('ns1'),DBMS_XS_NSATTR('ns2'));
sessionid RAW(16);
BEGIN
SYS.DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
SYS.DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid);
SYS.DBMS_XS_SESSIONS.SWITCH_USER(username => 'lwuser2',
keep_state => TRUE,
namespaces => nsList);
END;
The CREATE_NAMESPACE procedure creates a new namespace in the currently attached application session. The namespace template corresponding to the namespace must exist in the system, else this operation throws an error. After this operation, the namespace along with its attributes as they are created in the template are available to the session.
The calling user must have the MODIFY_NAMESPACE application privilege.
CREATE_NAMESPACE( namespace IN VARCHAR2);
| Parameter | Description |
|---|---|
namespace |
The name of the namespace to create. There must be an existing namespace template document with this name. The maximum size of the case sensitive character string is 128 characters.
To find a listing of existing namespaces for the current session, once attached, query the You can query the |
BEGIN
SYS.DBMS_XS_SESSIONS.CREATE_NAMESPACE('J_NS1');
END;
The CREATE_ATTRIBUTE procedure creates a new custom attribute in the specified namespace in the currently attached application session. If the namespace is not already available in the session or no such namespace templates exist, an error is thrown.
The calling user is required to be granted the MODIFY_ATTRIBUTE application privilege.
PROCEDURE create_attribute( namespace IN VARCHAR2, attribute IN VARCHAR2, value IN VARCHAR2 DEFAULT NULL, eventreg IN PLS_INTEGER DEFAULT NULL);
| Parameter | Description |
|---|---|
namespace |
The namespace in which the attribute gets created. If the namespace does not exist in the session, an error is thrown. The maximum size of the case sensitive character string is 128 characters. |
attribute |
The name of the attribute to be created. The maximum size of the case sensitive character string is 4000 characters. |
value |
The default value for the attribute. The maximum size of the case sensitive character string is 4000 characters. |
eventreg |
The event for which the handler is executed for the attribute. This is an optional parameter. This parameter can take the following values:
If the attribute is registered for first read event, then the handler is executed if the attribute is uninitialized, before returning the value. If the update event is registered, the handler gets called whenever the attribute is modified. Events can be registered only if the namespace has an event handler, else an error is thrown. |
BEGIN
SYS.DBMS_XS_SESSIONS.CREATE_ATTRIBUTE('NS1','NS1CUSTOM','NS1CUSTOMDEFAULT');
END;
-- Example with firstRead event set
BEGIN
SYS.DBMS_XS_SESSIONS.create_Attribute('ns1','attr4',NULL,
DBMS_XS_SESSIONS.attribute_first_read_event);
END;
The SET_ATTRIBUTE procedure sets a new value for the specified attribute in the namespace associated with the currently attached session. The handler function is called if the update event is set for the attribute. If the namespace does not exist or is deleted, an error is thrown. If there is no template corresponding to the namespace that exists, an error is thrown.
The calling user is required to be granted the MODIFY_ATTRIBUTE application privilege.
SET_ATTRIBUTE ( namespace IN VARCHAR2, attribute IN VARCHAR2, value IN VARCHAR2);
| Parameter | Description |
|---|---|
namespace |
Name of the namespace associated with the attribute. The maximum size of the case sensitive character string is 128 characters.
To find a listing of existing namespaces for the current session, once attached, query the You can query the |
attribute |
Name of an existing attribute in an existing namespace.
To find a listing of existing namespace attributes, query the V$XS_SESSION_NS_ATTRIBUTES data dictionary view. |
value |
New value for the attribute. The maximum size of the case sensitive character string is 4000 characters.
To find an listing of existing values associated with the attribute, query the V$XS_SESSION_NS_ATTRIBUTES data dictionary view. |
BEGIN
SYS.DBMS_XS_SESSIONS.SET_ATTRIBUTE('J_NS','JohnNSAttr1','John bio');
END;
The GET_ATTRIBUTE procedure gets the value of the specified attribute in the namespace in the currently attached session. If no template corresponding to the namespace exists, an error is thrown. If the specified attribute does not exist, it returns empty string.
If the attribute value is NULL, the firstRead event is set, and it is the first time that the attribute value is being fetched, then the handler function for the attribute is called.
The calling user is not required to be granted any privileges.
GET_ATTRIBUTE ( namespace IN VARCHAR2, attribute IN VARCHAR2, value OUT NOCOPY VARCHAR2);
| Parameter | Description |
|---|---|
namespace |
The namespace of the attribute to retrieve. The maximum size of the case sensitive character string is 128 characters.
To find a listing of existing namespaces for the current session, once attached, query the |
attribute |
The name of the attribute to retrieve. The maximum size of the case sensitive character string is 4000 characters. To find a listing of available attributes, query the V$XS_SESSION_NS_ATTRIBUTES data dictionary view. |
value |
The value of the attribute to retrieve.
To find a listing of available attribute values, query the V$XS_SESSION_NS_ATTRIBUTES data dictionary view. |
BEGIN
SYS.DBMS_XS_SESSIONS.GET_ATTRIBUTE('J_NS1','JohnNS1Attr1',attrVal);
END;
The RESET_ATTRIBUTE procedure resets the value of an attribute to its default value (if present) or to NULL in the namespace in the current attached session. If the attribute has a default value specified, then the value is reset to the default value. If the attribute was created without a default value and marked for the attribute_first_read_event, then the value is set to NULL and the attribute is marked as uninitialized. If the attribute was created without a default value and not marked for the attribute_first_read_event, then the value is set to NULL.
The calling user is required to be granted the MODIFY_ATTRIBUTE application privilege.
PROCEDURE reset_attribute( namespace IN VARCHAR2, attribute IN VARCHAR2);
| Parameter | Description |
|---|---|
namespace |
The name of the namespace containing the attribute. The maximum size of the case sensitive character string is 128 characters. |
attribute |
The name of the attribute to be reset. The maximum size of the case sensitive character string is 4000 characters. |
BEGIN
SYS.DBMS_XS_SESSIONS.RESET_ATTRIBUTE('ns2','attr1');
END;
The DELETE_ATTRIBUTE procedure deletes the specified attribute and its associated value from the specified namespace in the currently attached session. Only custom attributes can be deleted. Template attributes cannot be deleted. If the specified attribute does not exist, an error is thrown.
The calling application is required to be granted the MODIFY_ATTRIBUTE application privilege.
DELETE_ATTRIBUTE ( namespace IN VARCHAR2, attribute IN VARCHAR2);
| Parameter | Description |
|---|---|
namespace |
The namespace associated with the attribute to delete. The maximum size of the case sensitive character string is 128 characters.
To find a listing of existing namespaces for the current session, once attached, query the You can query the |
attribute |
The attribute to delete.
To find a listing of existing namespaces for the current session, once attached, query the |
BEGIN
SYS.DBMS_XS_SESSIONS.DELETE_ATTRIBUTE('JohnNS1','JohnNS1Attr1');
END;
The DELETE_NAMESPACE procedure deletes a namespace and its attributes from the currently attached application session.
The calling user must have the MODIFY_NAMESPACE application privilege.
DELETE_NAMESPACE ( namespace IN VARCHAR2);
| Parameter | Description |
|---|---|
namespace |
The name of the namespace to delete. The maximum size of the case sensitive character string is 128 characters.
To find a listing of existing namespaces for the current session, once attached, query the You can query the |
BEGIN
SYS.DBMS_XS_SESSIONS.DELETE_NAMESPACE('JohnNS1');
END;
The ENABLE_ROLE procedure enables a real application role in the currently attached application session. If the role is already enabled, then ENABLE_ROLE procedure performs no action. This procedure can only enable a regular application role directly granted to the current application user. You cannot enable dynamic application roles.
This operation does not require the calling user to have any additional privilege.
ENABLE_ROLE ( role IN VARCHAR2);
| Parameter | Description |
|---|---|
role |
The name of the role to enable. The maximum size of the case sensitive character string is 128 characters.
To find a listing of the application roles for the current session, query the V$XS_SESSION_ROLES data dictionary view. To find all application roles, query the DBA_XS_SESSION_ROLES data dictionary view as follows: SELECT ROLE_NAME FROM V$XS_SESSION_ROLES; SELECT SESSIONID, ROLE FROM DBA_XS_SESSION_ROLES; |
BEGIN
SYS.DBMS_XS_SESSIONS.ENABLE_ROLE('auth2_role');
END;
The DISABLE_ROLE procedure disables a real application role from the specified application session. If the role is already disabled or not enabled in the currently attached application session, then DISABLE_ROLE performs no action. You cannot disable dynamic application roles. You can only disable a regular application role, which is directly granted to the application user with which the session is created.
This operation does not require the calling user to have any additional privilege.
DISABLE_ROLE ( role IN VARCHAR2);
| Parameter | Description |
|---|---|
role |
The name of the role to disable. The maximum size of the case sensitive character string is 128 characters.
To find a listing of the application roles for the current session, query the V$XS_SESSION_ROLES data dictionary view. To find all application roles, query the DBA_XS_SESSION_ROLES data dictionary view as follows: SELECT ROLE_NAME FROM V$XS_SESSION_ROLES; SELECT SESSIONID, ROLE FROM DBA_XS_SESSION_ROLES; |
BEGIN
SYS.DBMS_XS_SESSIONS.DISABLE_ROLE('auth1_role');
END;
The SET_SESSION_COOKIE procedure sets a new cookie value with the specified session ID. If the specified session does not exist or the cookie name is not unique among all the user application sessions, then an error is thrown.
To execute this procedure, the user is required to be granted the MODIFY_SESSION application privilege.
SET_SESSION_COOKIE ( cookie IN VARCHAR2, sessionid IN RAW DEFAULT NULL);
| Parameter | Description |
|---|---|
cookie |
A name for the new cookie. The maximum allowed length for the cookie is 1024 characters. Cookie names must be unique.
To find a listing of existing cookies for the current session, query |
sessionid |
Session ID of the application session. The default value is NULL. You can get the session ID by using one of the following methods:
If you do not specify a session ID or enter |
DECLARE
sessionid RAW(16);
BEGIN
SYS.DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
SYS.DBMS_XS_SESSIONS.SET_SESSION_COOKIE('cookie1', sessionid);
END;
The REAUTH_SESSION procedure updates the last authentication time for the specified session ID as the current time. Applications must call this procedure when it has reauthenticated an application user.
Use the REAUTH_SESSION procedure to enable a role that has timed out because of a lack of recent authentication in the application or middle-tier server. You can also call the reauthSession Java method.
To execute this function, the user is required to be granted the MODIFY_SESSION application privilege.
REAUTH_SESSION ( sessionid IN RAW DEFAULT NULL);
| Parameter | Description |
|---|---|
sessionid |
Session ID of the application session. This parameter is optional. The default value is NULL. You can get the session ID by using one of the following methods:
If you do not specify a session ID or enter |
DECLARE sessionid RAW(16); BEGIN SYS.DBMS_XS_SESSIONS.REAUTH_SESSION(sessionid); END;
The SET_INACTIVITY_TIMEOUT procedure sets an inactivity time-out value, in minutes, for the current attached session. The inactivity time-out value represents the maximum period of inactivity allowed before Oracle Database terminates the application session and the resource is reclaimed. Trying to set a negative value for the time parameter throws an error. If an invalid session ID is specified or the session does not exist, an error is thrown.
Another way to set the time-out value is to use the setInactivityTimeout Java method. You can set a default global time-out value in the xmlconfig.xml configuration file. Oracle recommends 240 (4 hours).
An application session cannot time-out due to inactivity while a traditional session is attached. The last access time is updated each time a traditional session attaches to the application session.
To execute this procedure, the calling user is required to be granted the MODIFY_SESSION application privilege.
SET_INACTIVITY_TIMEOUT ( time IN NUMBER, sessionid IN RAW DEFAULT NULL);
| Parameter | Description |
|---|---|
time |
Inactivity time-out value in minutes. Oracle recommends setting the time parameter to 240 (4 hours). A zero (0) value means the value is infinite and that the session never expires due to inactivity. |
sessionid |
Session ID of the application session. The default value is NULL. You can get the session ID by using one of the following methods:
If you do not specify a session ID or enter |
DECLARE
sessionid RAW(16);
BEGIN
SYS.DBMS_XS_SESSIONS.CREATE_SESSION('lwuser1', sessionid);
SYS.DBMS_XS_SESSIONS.SET_INACTIVITY_TIMEOUT (300, sessionid);
END;
/
The SAVE_SESSION procedure saves all changes performed in the currently attached session and remains attached to the session as it was before saving changes.
The calling user requires no privileges to perform this operation.
SAVE_SESSION;
None.
BEGIN SYS.DBMS_XS_SESSIONS.SAVE_SESSION; END;
The DETACH_SESSION procedure detaches the current traditional database session from the application session to which it is attached. The database sessions goes back to the context it was in prior to attaching to the application session. Any user can execute this procedure as the operation does not require any privileges to execute.
DETACH_SESSION (abort IN BOOLEAN DEFAULT FALSE);
| Parameter | Description |
|---|---|
abort |
If specified as TRUE, it rolls back the changes performed in the current session. If specified as FALSE, the default value, all changes performed in the session are persisted. If a NULL value is specified for this parameter, it is treated as FALSE. |
BEGIN SYS.DBMS_XS_SESSIONS.DETACH_SESSION; END;
The DESTROY_SESSION procedure destroys the specified session. This procedure also implicitly detaches all traditional sessions from the application session. After the session is destroyed no further attaches can be made to the session. This operation cannot destroy sessions created through direct logon of the application user.
To execute this procedure, the user must have the TERMINATE_SESSION application privilege.
DESTROY_SESSION ( sessionid IN RAW, force IN BOOLEAN DEFAULT FALSE);
| Parameter | Description |
|---|---|
sessionid |
Session ID of the application session. You can get the session ID by using one of the following methods:
If you do not specify a session ID or enter |
force |
If set to FALSE, this operation throws an error, in case the specified session is currently attached. If set to TRUE, the currently attached application session can be destroyed. This is an optional parameter. |
DECLARE
sessionid RAW(16);
BEGIN
SYS.DBMS_XS_SESSIONS.CREATE_SESSION('lwtSession1', sessionid);
SYS.DBMS_XS_SESSIONS.DESTROY_SESSION (sessionid);
END;
The ADD_GLOBAL_CALLBACK procedure registers an existing PL/SQL procedure as the event handler with the session operation specified by the event_type parameter. You can add more than one event handler for the same session operation for execution when the associated event occurs. Adding the global callback procedure automatically enables the callback procedure for execution. If more than one callback is added for the same session event, they are executed in according to their registration sequence, that is, the callback procedure that was registered first, is executed first. This procedure throws an error if an invalid event type is specified or the callback procedure does not exist.
Successful execution of this procedure requires the CALLBACK application privilege. This role can be obtained through PROVISIONER database role.
ADD_GLOBAL_CALLBACK( event_type IN PLS_INTEGER, callback_schema IN VARCHAR2, callback_package IN VARCHAR2, callback_procedure IN VARCHAR2);
| Parameter | Description |
|---|---|
event_type |
Select from the following event types:
|
callback_schema |
Enter the name of the schema in which the callback procedure was created. |
callback_package |
Enter the name of the package in which the callback procedure was created. If callback procedure is standalone, NULL should be passed as callback_package parameter. This parameter is optional only if the callback procedure is in a package. |
callback_procedure |
Enter the name of the procedure that defines the global callback. |
BEGIN SYS.DBMS_XS_SESSIONS.ADD_GLOBAL_CALLBACK ( DBMS_XS_SESSIONS.CREATE_SESSION_EVENT, 'APPS1_SCHEMA','APPS2_PKG','CREATE_SESSION_CB'); END;
The ENABLE_GLOBAL_CALLBACK procedure enables or disables the global callback procedure for execution. If a callback procedure associated with this event is not specified, all callback procedures associated with this global callback are enabled or disabled. If an invalid event type is specified or invalid callback procedure is specified, an error is thrown.
ENABLE_GLOBAL_CALLBACK( event_type IN PLS_INTEGER, enable IN BOOLEAN DEFAULT TRUE, callback_schema IN VARCHAR2 DEFAULT NULL, callback_package IN VARCHAR2 DEFAULT NULL, callback_procedure IN VARCHAR2 DEFAULT NULL);
| Parameter | Description |
|---|---|
event_type |
Select from the following event types:
|
enable |
Specifies whether the global callback is to be enabled or disabled. The default value is TRUE, meaning enable. |
callback_schema |
Enter the name of the schema in which the global callback was created. |
callback_package |
Enter the name of the package in which the global callback was created. |
callback_procedure |
Enter the name of the procedure that defines the global callback. |
BEGIN SYS.DBMS_XS_SESSIONS.ENABLE_GLOBAL_CALLBACK ( DBMS_XS_SESSIONS.CREATE_SESSION_EVENT, TRUE, 'APPS1_SCHEMA','APPS2_PKG','CREATE_SESSION_CB'); END;
The DELETE_GLOBAL_CALLBACK procedure removes the global callback from registration. (It does not delete the global callback itself.) If a callback procedure is not specified, all callback procedures associated with this global callback are deleted. If an invalid event type is specified, an error is thrown.
DELETE_GLOBAL_CALLBACK( event_type IN PLS_INTEGER, callback_schema IN VARCHAR2 DEFAULT NULL, callback_package IN VARCHAR2 DEFAULT NULL, callback_procedure IN VARCHAR2 DEFAULT NULL);
| Parameter | Description |
|---|---|
event_type |
Select from the following event types:
|
callback_schema |
Enter the name of the schema in which the global callback was created. |
callback_package |
Enter the name of the package in which the global callback was created. |
callback_procedure |
Enter the name of the procedure that defines the global callback. |
BEGIN SYS.DBMS_XS_SESSIONS.DELETE_GLOBAL_CALLBACK ( DBMS_XS_SESSIONS.CREATE_SESSION_EVENT, 'APPS1_SCHEMA','APPS2_PKG','CREATE_SESSION_CB'); END;
The XS_ACL package creates procedures to create and manage Access Control Lists (ACLs).
The XS_ACL package is created under the SYS schema.
The DBA role is granted the ADMIN_ANY_SEC_POLICY privilege, which allows it to administer schema objects like ACLs, security classes, and security policies across all schemas.
Users can administer schema objects in their own schema if they have been granted the RESOURCE role for the schema. The RESOURCE role and the XS_RESOURCE application role include the ADMIN_SEC_POLICY privilege, required to administer schema objects in the schema.
The following object types, constructor functions, synonyms, and GRANT statements are defined for this package.
-- Type definition for ACE
CREATE OR REPLACE TYPE XS$ACE_TYPE AS OBJECT (
-- Member Variables
privilege_list XS$NAME_LIST,
is_grant_ace NUMBER,
is_invert_principal NUMBER,
principal_name VARCHAR2(130),
principal_type NUMBER,
start_date TIMESTAMP WITH TIME ZONE,
end_date TIMESTAMP WITH TIME ZONE,
CONSTRUCTOR FUNCTION XS$ACE_TYPE (
privilege_list IN XS$NAME_LIST,
granted IN BOOLEAN := TRUE,
inverted IN BOOLEAN := FALSE,
principal_name IN VARCHAR2,
principal_type IN PLS_INTEGER := 1,
start_date IN TIMESTAMP WITH TIME ZONE := NULL,
end_date IN TIMESTAMP WITH TIME ZONE := NULL)
RETURN SELF AS RESULT,
MEMBER PROCEDURE set_privileges(privilege_list IN XS$NAME_LIST),
MEMBER FUNCTION get_privileges RETURN XS$NAME_LIST,
MEMBER PROCEDURE set_grant(granted IN BOOLEAN),
MEMBER FUNCTION is_granted RETURN BOOLEAN,
MEMBER PROCEDURE set_inverted_principal(inverted IN BOOLEAN),
MEMBER FUNCTION is_inverted_principal RETURN BOOLEAN,
MEMBER PROCEDURE set_principal(principal_name IN VARCHAR2),
MEMBER FUNCTION get_principal RETURN VARCHAR2,
MEMBER PROCEDURE set_principal_type (principal_type IN PLS_INTEGER),
MEMBER FUNCTION get_principal_type RETURN PLS_INTEGER,
MEMBER PROCEDURE set_start_date(start_date IN TIMESTAMP WITH TIME ZONE),
MEMBER FUNCTION get_start_date RETURN TIMESTAMP WITH TIME ZONE,
MEMBER PROCEDURE set_end_date(end_date IN TIMESTAMP WITH TIME ZONE),
MEMBER FUNCTION get_end_date RETURN TIMESTAMP WITH TIME ZONE
);
CREATE OR REPLACE TYPE XS$ACE_LIST AS VARRAY(1000) OF XS$ACE_TYPE;
The following constants define the parent ACL type:
EXTENDED CONSTANT PLS_INTEGER := 1; CONSTRAINED CONSTANT PLS_INTEGER := 2;
The following constants define the principal's type:
PTYPE_XS CONSTANT PLS_INTEGER := 1; PTYPE_DB CONSTANT PLS_INTEGER := 2; PTYPE_DN CONSTANT PLS_INTEGER := 3; PTYPE_EXTERNAL CONSTANT PLS_INTEGER := 4;
The following constants define the parameter's value type:
TYPE_NUMBER CONSTANT PLS_INTEGER := 1; TYPE_VARCHAR CONSTANT PLS_INTEGER := 2;
Table 11-3 Summary of XS_ACL Subprograms
| Subprogram | Description |
|---|---|
|
Creates an Access Control List (ACL). |
|
|
Adds one or more Access Control Entries (ACEs) to an existing ACL. |
|
|
Removes all ACEs from an ACL. |
|
|
Sets or modifies the security class for an ACL. |
|
|
Sets or modifies the parent ACL for an ACL. |
|
|
Adds an ACL parameter value for a data security policy. |
|
|
Removes ACL parameters and values for an ACL. |
|
|
Sets a description string for an ACL. |
|
|
Deletes the specified ACL. |
The CREATE_ACL procedure creates a new Access Control List (ACL).
XS_ACL.CREATE_ACL ( name IN VARCHAR2, ace_list IN XS$ACE_LIST, sec_class IN VARCHAR2 := NULL, parent IN VARCHAR2 := NULL, inherit_mode IN PLS_INTEGER := NULL, description IN VARCHAR2 := NULL);
| Parameter | Description |
|---|---|
name |
The name of the ACL to be created.
The name is schema qualified, for example, |
ace_list |
The list of Access Control Entries (ACEs) in the ACL. |
sec_class |
The name of the security class that specifies the scope or type of the ACL. If no security class is specified, then the DML class is used as the default security class.
The name is schema qualified, for example, |
parent |
The parent ACL name, if any.
The name is schema qualified, for example, |
inherit_mode |
The inheritance mode if a parent ACL is specified. The allowed values are: EXTENDED or CONSTRAINED. |
description |
An optional description for the ACL. |
The following example creates an ACL called HRACL. This ACL includes ACEs contained in ace_list. The privileges used in ace_list are part of the HRPRIVS security class.
DECLARE
ace_list XS$ACE_LIST;
BEGIN
ace_list := XS$ACE_LIST(
XS$ACE_TYPE(privilege_list=>XS$NAME_LIST('"SELECT"','VIEW_SENSITIVE_INFO'),
granted=>true,
principal_name=>'HRREP'),
XS$ACE_TYPE(privilege_list=>XS$NAME_LIST('UPDATE_INFO'),
granted=>true,
principal_name=>'HRMGR'));
SYS.XS_ACL.CREATE_ACL(name=>'HRACL',
ace_list=>ace_list,
sec_class=>'HRPRIVS',
description=>'HR Representative Access');
END;
The APPEND_ACES procedure adds one or more ACE to an existing ACL.
XS_ACL.APPEND_ACES ( acl IN VARCHAR2, ace IN XS$ACE_TYPE); XS.ACL.APPEND_ACES ( acl IN VARCHAR2, ace_list IN XS$ACE_LIST);
| Parameter | Description |
|---|---|
acl |
The name of the ACL to which the ACE is to be added.
The name is schema qualified, for example, |
ace |
The ACE to be added to the ACL. |
ace_list |
The list of ACEs to be added to the ACL. |
The following example adds an ACE to the HRACL ACL. The ACE grants the SELECT privilege to the DB_HR database user.
DECLARE
ace_entry XS$ACE_TYPE;
BEGIN
ace_entry := XS$ACE_TYPE(privilege_list=>XS$NAME_LIST('"SELECT"'),
granted=>true,
principal_name=>'DB_HR',
principal_type=>XS_ACL.PTYPE_DB);
SYS.XS_ACL.APPEND_ACES('HRACL',ace_entry);
END;
The REMOVE_ACES procedure removes all ACEs from an ACL.
XS_ACL.REMOVE_ACES ( acl IN VARCHAR2);
| Parameter | Description |
|---|---|
acl |
The name of the ACL from which the ACEs are to be removed.
The name is schema qualified, for example, |
The following example removes all ACEs from the ACL called HRACL:
BEGIN
SYS.XS_ACL.REMOVE_ACES('HRACL');
END;
The SET_SECURITY_CLASS procedure sets or modifies the security class for an ACL.
XS_ACL.SET_SECURITY_CLASS ( acl IN VARCHAR2, sec_class IN VARCHAR2);
| Parameter | Description |
|---|---|
acl |
The name of the ACL for which the security class is to be set.
The name is schema qualified, for example, |
sec_class |
The name of the security class that defines the ACL scope or type.
The name is schema qualified, for example, |
The following example associates the HRPRIVS security class with the HRACL ACL:
BEGIN
SYS.XS_ACL.SET_SECURITY_CLASS('HRACL','HRPRIVS');
END;
The SET_PARENT_ACL sets or modifies the parent ACL for an ACL.
XS_ACL.SET_PARENT_ACL( acl IN VARCHAR2, parent IN VARCHAR2, inherit_mode IN PLS_INTEGER);
| Parameter | Description |
|---|---|
acl |
The name of the ACL whose parent needs to be set.
The name is schema qualified, for example, |
parent |
The name of the parent ACL.
The name is schema qualified, for example, |
inherit_mode |
The inheritance mode. This can be one of the following values:
|
The following example sets the AllDepACL ACL as the parent ACL for the HRACL ACL. The inheritance type is set to EXTENDED.
BEGIN
SYS.XS_ACL.SET_PARENT_ACL('HRACL','AllDepACL',XS_ACL.EXTENDED);
END;
The ADD_ACL_PARAMETER adds an ACL parameter value for a data security policy.
XS_ACL.ADD_ACL_PARAMETER ( acl IN VARCHAR2, policy IN VARCHAR2, parameter IN VARCHAR2, value IN NUMBER); XS_ACL.ADD_ACL_PARAMETER ( acl IN VARCHAR2, policy IN VARCHAR2, parameter IN VARCHAR2, value IN VARCHAR2);
| Parameter | Description |
|---|---|
acl |
The name of the ACL to which the parameter is to be added.
The name is schema qualified, for example, |
policy |
The name of the data security policy for which the ACL parameter has been created.
The name is schema qualified, for example, |
parameter |
The name of the ACL parameter as defined by the data security policy. |
value |
The value of the ACL parameter to be used. |
The following example adds the REGION parameter for ACL1. The name of the data security policy for which the ACL parameter is created is TEST_DS. The value of the REGION parameter is WEST.
BEGIN
SYS.XS_ACL.ADD_ACL_PARAMETER('ACL1','TEST_DS','REGION', 'WEST');
END;
The REMOVE_ACL_PARAMETERS removes the specified ACL parameter for an ACL. If no parameter name is specified, then all ACL parameters for the ACL are removed.
XS_ACL.REMOVE_ACL_PARAMETERS ( acl IN VARCHAR2, parameter IN VARCHAR2); XS_ACL.REMOVE_ACL_PARAMETERS ( acl IN VARCHAR2);
| Parameter | Description |
|---|---|
acl |
The name of the ACL from which the parameter(s) are to be removed.
The name is schema qualified, for example, |
parameter |
The name of the parameter that needs to be removed from the ACL. |
The following example removes the REGION parameter from the ACL1 ACL:
BEGIN
SYS.XS_ACL.REMOVE_ACL_PARAMETERS('ACL1', 'REGION');
END;
The following example removes all ACL parameters for ACL1.
BEGIN
SYS.XS_ACL.REMOVE_ACL_PARAMETERS('ACL1');
END;
The SET_DESCRIPTION procedure sets a description string for an ACL.
XS_ACL.SET_DESCRIPTION ( acl IN VARCHAR2, description IN VARCHAR2);
| Parameter | Description |
|---|---|
acl |
The name of the ACL for which the description is to be set.
The name is schema qualified, for example, |
description |
A string description for the ACL. |
The following example sets a description for the HRACL ACL:
BEGIN
SYS.XS_ACL.SET_DESCRIPTION('HRACL','Grants privileges to HR representatives and
managers.');
END;
The DELETE_ACL procedure deletes the specified ACL.
XS_ACL.DELETE_ACL ( acl IN VARCHAR2, delete_option IN PLS_INTEGER := XS_ADMIN_UTIL.DEFAULT_OPTION);
| Parameter | Description |
|---|---|
acl |
The name of the ACL to be deleted.
The name is schema qualified, for example, |
delete_option |
The delete option to use. To the data security policy, the behavior of the following options is the same:
|
The following example deletes the HRACL ACL using the default delete option:
BEGIN
SYS.XS_ACL.DELETE_ACL('HRACL');
END;
The XS_ADMIN_UTIL package contains helper subprograms to be used by other packages.
The XS_ADMIN_UTIL package is created in the SYS schema. The caller has invoker's rights on this package. The SYS privilege is required to grant or revoke a Real Application Security system privilege to or from a user or role.
The following object types, constructor functions, synonyms, and GRANT statements are defined for this package.
CREATE OR REPLACE TYPE XS$LIST IS VARRAY(1000) OF VARCHAR2(4000); CREATE OR REPLACE TYPE XS$NAME_LIST IS VARRAY(1000) OF VARCHAR2(261);
The following constants define the delete options:
DEFAULT_OPTION CONSTANT PLS_INTEGER := 1; CASCADE_OPTION CONSTANT PLS_INTEGER := 2; ALLOW_INCONSISTENCIES_OPTION CONSTANT PLS_INTEGER := 3;
The following constants define the principal's type:
PTYPE_XS CONSTANT PLS_INTEGER := 1; PTYPE_DB CONSTANT PLS_INTEGER := 2; PTYPE_DN CONSTANT PLS_INTEGER := 3; PTYPE_EXTERNAL CONSTANT PLS_INTEGER := 4;
Table 11-4 Summary of XS_ADMIN_UTIL Subprograms
| Subprogram | Brief Description |
|---|---|
|
Grant a Real Application Security system privilege to a user or role. |
|
|
Revoke a Real Application Security system privilege from a user or role. |
The GRANT_SYSTEM_PRIVILEGE procedure is used to grant a Real Application Security system privilege to a user or role. Only the user with SYS privilege can perform this operation.
XS_ADMIN_UTIL.GRANT_SYSTEM_PRIVILEGE ( priv_name IN VARCHAR2, user_name IN VARCHAR2, user_type IN PLS_INTEGER := XS_ADMIN_UTIL.PTYPE_DB);
| Parameter | Description |
|---|---|
priv_name |
Specifies the name of the Real Application Security system privilege to be granted. |
user_name |
Specifies the name of the user or role to which the Real Application Security system privilege is to be granted. |
user_type |
The type of user. By default the database user. |
SYS.XS_ADMIN_UTIL.GRANT_SYSTEM_PRIVILEGE('CREATE_USER', 'user1', XS_ADMIN_UTIL.PTYPE_DB);
The REVOKE_SYSTEM_PRIVILEGE is used to revoke a Real Application Security system privilege from a user or role. Only the user with SYS privilege can perform this operation.
XS_ADMIN_UTIL.REVOKE_SYSTEM_PRIVILEGE ( priv_name IN VARCHAR2, user_name IN VARCHAR2, user_type IN PLS_INTEGER := XS_ADMIN_UTIL.PTYPE_DB);
| Parameter | Description |
|---|---|
priv_name |
Specifies the name of the Real Application Security system privilege to be revoked. |
user_name |
Specifies the name of the user or role from which the Real Application Security system privilege is to be revoked. |
user_type |
The type of user. By default the database user. |
SYS.XS_ADMIN_UTIL.REVOKE_SYSTEM_PRIVILEGE('DROP_USER','user1', XS_ADMIN_UTIL.PTYPE_DB);
The XS_DATA_SECURITY package includes procedures to create, manage, and delete data security policies, associated data realm constraints, column constraints, and ACL parameters.
The following object types, constructor functions, synonyms, and GRANT statements are defined for this package.
-- Create a type for key
CREATE OR REPLACE TYPE XS$KEY_TYPE AS OBJECT (
primary_key VARCHAR2(130),
foreign_key VARCHAR2(4000),
-- Foreign key type; 1 = col name, 2 = col value
foreign_key_type NUMBER,
-- Constructor function
CONSTRUCTOR FUNCTION XS$KEY_TYPE
(primary_key IN VARCHAR2,
foreign_key IN VARCHAR2,
foreign_key_type IN NUMBER)
RETURN SELF AS RESULT,
MEMBER FUNCTION GET_PRIMARY_KEY RETURN VARCHAR2,
MEMBER FUNCTION GET_FOREIGN_KEY RETURN VARCHAR2,
MEMBER FUNCTION GET_FOREIGN_KEY_TYPE RETURN NUMBER,
);
CREATE OR REPLACE TYPE XS$KEY_LIST AS VARRAY(1000) OF XS$KEY_TYPE;
CREATE OR REPLACE TYPE XS$REALM_CONSTRAINT_TYPE AS OBJECT (
-- Member variables
realm_type NUMBER,
-- Member evaluation rule
realm VARCHAR2(4000),
-- acl list of instance set
acl_list XS$NAME_LIST,
-- isStatic variable for instance set. Stored as INTEGER. No boolean datatype
-- for objects. False is stored as 0 and TRUE is stored as 1
is_static INTEGER,
-- Indicate if the realm is parameterized.
parameterized INTEGER,
-- parent schema name for inherited from
parent_schema VARCHAR2(130),
-- parent object name for inherited from
parent_object VARCHAR2(130),
-- keys for inherited from
key_list XS$KEY_LIST,
-- when condition for inherited from
when_condition VARCHAR2(4000),
-- Constructor function - row_level realm
CONSTRUCTOR FUNCTION XS$REALM_CONSTRAINT_TYPE
(realm IN VARCHAR2,
acl_list IN XS$NAME_LIST,
is_static IN BOOLEAN := FALSE)
RETURN SELF AS RESULT,
-- Constructor function - parameterized row_level realm
CONSTRUCTOR FUNCTION XS$REALM_CONSTRAINT_TYPE
(realm IN VARCHAR2,
is_static IN BOOLEAN := FALSE)
RETURN SELF AS RESULT,
-- Constructor function - master realm
CONSTRUCTOR FUNCTION XS$REALM_CONSTRAINT_TYPE
(parent_schema IN VARCHAR2,
parent_object IN VARCHAR2,
key_list IN XS$KEY_LIST,
when_condition IN VARCHAR2:= NULL)
RETURN SELF AS RESULT,
-- Accessor functions
MEMBER FUNCTION GET_TYPE RETURN NUMBER,
MEMBER FUNCTION GET_REALM RETURN VARCHAR2,
MEMBER FUNCTION GET_ACLS RETURN XS$NAME_LIST,
MEMBER FUNCTION IS_DYNAMIC_REALM RETURN BOOLEAN,
MEMBER FUNCTION IS_STATIC_REALM RETURN BOOLEAN,
MEMBER FUNCTION IS_PARAMETERIZED_REALM RETURN BOOLEAN,
MEMBER FUNCTION GET_KEYS RETURN XS$KEY_LIST,
MEMBER FUNCTION GET_PARENT_SCHEMA RETURN VARCHAR2,
MEMBER FUNCTION GET_PARENT_OBJECT RETURN VARCHAR2,
MEMBER FUNCTION GET_WHEN_CONDITION RETURN VARCHAR2,
MEMBER PROCEDURE SET_REALM(realm IN VARCHAR2),
MEMBER PROCEDURE ADD_ACLS(acl IN VARCHAR2),
MEMBER PROCEDURE ADD_ACLS(acl_list IN XS$NAME_LIST),
MEMBER PROCEDURE SET_ACLS(acl_list IN XS$NAME_LIST),
MEMBER PROCEDURE SET_DYNAMIC,
MEMBER PROCEDURE SET_STATIC,
MEMBER PROCEDURE ADD_KEYS(key IN XS$KEY_TYPE),
MEMBER PROCEDURE ADD_KEYS(key_list IN XS$KEY_LIST),
MEMBER PROCEDURE SET_KEYS(key_list IN XS$KEY_LIST),
MEMBER PROCEDURE SET_PARENT_SCHEMA(parent_schema IN VARCHAR2),
MEMBER PROCEDURE SET_PARENT_OBJECT(parent_object IN VARCHAR2),
MEMBER PROCEDURE SET_WHEN_CONDITION(when_condition IN VARCHAR2)
);
-- Create a list of realm constraint type
CREATE OR REPLACE TYPE XS$REALM_CONSTRAINT_LIST AS VARRAY(1000)
OF XS$REALM_CONSTRAINT_TYPE;
-- Create a type for column(attribute) security
CREATE OR REPLACE TYPE XS$COLUMN_CONSTRAINT_TYPE AS OBJECT (
-- column list
column_list XS$LIST,
-- privilege for column security
privilege VARCHAR2(261),
-- Constructor function
CONSTRUCTOR FUNCTION XS$COLUMN_CONSTRAINT_TYPE
(column_list IN XS$LIST,
privilege IN VARCHAR2)
return SELF AS RESULT,
MEMBER FUNCTION GET_COLUMNS RETURN XS$LIST,
MEMBER FUNCTION GET_PRIVILEGE RETURN VARCHAR2,
MEMBER PROCEDURE ADD_COLUMNS(column IN VARCHAR2),
MEMBER PROCEDURE ADD_COLUMNS(column_list IN XS$LIST),
MEMBER PROCEDURE SET_COLUMNS(column_list IN XS$LIST),
MEMBER PROCEDURE SET_PRIVILEGE(privilege IN VARCHAR2)
);
-- Create a list of column constraint for column security
CREATE OR REPLACE TYPE XS$COLUMN_CONSTRAINT_LIST
IS VARRAY(1000) of XS$COLUMN_CONSTRAINT_TYPE;
The XS_DATA_SECURITY package is created under the SYS schema. The DBA role is granted the ADMIN_ANY_SEC_POLICY, which allows it to administer schema objects like ACLs, security classes, and security policies across all schemas. In addition, users granted the ADMIN_ANY_SEC_POLICY can call the following procedures: ENABLE_OBJECT_POLICY, DISABLE_OBJECT_POLICY, APPLY_OBJECT_POLICY, and REMOVE_OBJECT_POLICY.
Users can administer schema objects in their own schema if they have been granted the RESOURCE role for the schema. The RESOURCE role and the XS_RESOURCE application role include the ADMIN_SEC_POLICY privilege, required to administer schema objects in the schema.
Table 11-5 Summary of XS_DATA_SECURITY Subprograms
| Subprogram | Brief Description |
|---|---|
|
Creates a new data security policy. |
|
|
Adds one or more data realm constraints to an existing data security policy. |
|
|
Removes all data realm constraints for the specified data security policy. |
|
|
Adds one or more column constraint to the specified data security policy. |
|
|
Removes all column constraints from a data security policy. |
|
|
Creates an ACL parameter for the specified data security policy. |
|
|
Deletes an ACL parameter from the specified data security policy. |
|
|
Sets a description string for the specified data security policy. |
|
|
Deletes a data security policy. |
Table 11-6 Summary of XS_DATA_SECURITY Subprograms for Managing Data Security Policies on Tables or Views
| Subprogram | Brief Description |
|---|---|
|
Enables the data security policy for the specified table or view. |
|
|
Disables the data security policy for the specified table or view. |
|
|
Removes or drops the data security from the specified table or view without deleting it. |
|
|
Enables or reenables the data security policy for the specified table or view. |
The CREATE_POLICY procedure creates a new data security policy.
XS_DATA_SECURITY.CREATE_POLICY ( name IN VARCHAR2, realm_constraint_list IN XS$REALM_CONSTRAINT_LIST, column_constraint_list IN XS$COLUMN_CONSTRAINT_LIST := NULL, description IN VARCHAR2 :=NULL) ;
| Parameter | Description |
|---|---|
name |
The name for the data security policy to be created.
The name is schema qualified, for example, |
realm_constraint_list |
The list of data realm constraints, which determine the rows to be protected by the data security policy. |
column_constraint_list |
This is optional. The list of attributes and the privileges protecting them. |
description |
An optional description for the data security policy. |
The following example creates a data security policy called USER1.EMPLOYEES_DS. It uses a data realm constraint to protect data related to department numbers 60 and 100. In addition, access to the SALARY column (attribute) is restricted using an column constraint.
DECLARE
realm_cons XS$REALM_CONSTRAINT_LIST;
column_cons XS$COLUMN_CONSTRAINT_LIST;
BEGIN
realm_cons :=
XS$REALM_CONSTRAINT_LIST(
XS$REALM_CONSTRAINT_TYPE(realm=> 'DEPARTMENT_ID in (60, 100)',
acl_list=> XS$NAME_LIST('HRACL')));
column_cons :=
XS$COLUMN_CONSTRAINT_LIST(
XS$COLUMN_CONSTRAINT_TYPE(column_list=> XS$LIST('SALARY'),
privilege=> 'VIEW_SENSITIVE_INFO'));
SYS.XS_DATA_SECURITY.CREATE_POLICY(
name=>'USER1.EMPLOYEES_DS',
realm_constraint_list=>realm_cons,
column_constraint_list=>column_cons);
END;
The APPEND_REALM_CONSTRAINTS procedure adds one or more data realm constraints to an existing data security policy.
XS_DATA_SECURITY.APPEND_REALM_CONSTRAINTS ( policy IN VARCHAR2, realm_constraint IN XS$REALM_CONSTRAINT_TYPE); XS_DATA_SECURITY.APPEND_REALM_CONSTRAINTS ( policy IN VARCHAR2, realm_constraint_list IN XS$REALM_CONSTRAINT_LIST);
| Parameter | Description |
|---|---|
policy |
The name of the data security policy to which the data realm constraints are to be added.
The name is schema qualified, for example, |
realm_constraint |
The data realm constraint to be added to the data security policy. |
realm_constraint_list |
The list of data realm constraints to be added to the data security policy. |
The following example appends a new data realm constraint to the EMPLOYEES_DS data security policy.
DECLARE
realm_cons XS$REALM_CONSTRAINT_TYPE;
BEGIN
realm_cons :=
XS$REALM_CONSTRAINT_TYPE(realm=> 'DEPARTMENT_ID in (40, 50)',
acl_list=> XS$NAME_LIST('HRACL'));
SYS.XS_DATA_SECURITY.APPEND_REALM_CONSTRAINTS(
policy=>'EMPLOYEES_DS',
realm_constraint=>realm_cons);
END;
The REMOVE_REALM_CONSTRAINTS procedure removes all data realm constraints from a data security policy.
XS_DATA_SECURITY.REMOVE_REALM_CONSTRAINTS ( policy IN VARCHAR2);
| Parameter | Description |
|---|---|
policy |
The name of the data security policy from which the data realm constraints are to be removed.
The name is schema qualified, for example, |
The following example removes all data realm constraints from the EMPLOYEES_DS data security policy.
BEGIN
SYS.XS_DATA_SECURITY.REMOVE_REALM_CONSTRAINTS('EMPLOYEES_DS');
END;
The ADD_COLUMN_CONSTRAINTS procedure adds one or more column constraint to a data security policy.
XS_DATA_SECURITY.ADD_COLUMN_CONSTRAINTS ( policy IN VARCHAR2, column_constraint IN XS$COLUMN_CONSTRAINT_TYPE); XS_DATA_SECURITY.ADD_COLUMN_CONSTRAINTS ( policy IN VARCHAR2, column_constraint_list IN XS$COLUMN_CONSTRAINT_LIST);
| Parameter | Description |
|---|---|
policy |
The name of the data security policy to which the attribute constraints are to be added.
The name is schema qualified, for example, |
column_constraint |
The column constraint to be added. |
column_constraint_list |
The list of column constraints to be added. |
The following example adds a column constraint on the COMMISSION_PCT column in the EMPLOYEES_DS data security policy:
DECLARE
column_cons XS$COLUMN_CONSTRAINT_TYPE;
BEGIN
column_cons :=
XS$COLUMN_CONSTRAINT_TYPE(column_list=> XS$LIST('COMMISSION_PCT'),
privilege=> 'VIEW_SENSITIVE_INFO');
SYS.XS_DATA_SECURITY.ADD_COLUMN_CONSTRAINTS(
policy=>'EMPLOYEES_DS',
column_constraint=>column_cons);
END;
The REMOVE_COLUMN_CONSTRAINTS procedure removes all column constraints from a data security policy.
XS_DATA_SECURITY.REMOVE_COLUMN_CONSTRAINTS ( policy IN VARCHAR2,);
| Parameter | Description |
|---|---|
policy |
The name of the data security policy for which the column constraints are to be removed.
The name is schema qualified, for example, |
The following example removes all column constraints from the EMPLOYEES_DS data security policy:
BEGIN
SYS.XS_DATA_SECURITY.REMOVE_COLUMN_CONSTRAINTS('EMPLOYEES_DS');
END;
The CREATE_ACL_PARAMETER procedure creates an ACL parameter for a data security policy.
XS_DATA_SECURITY.CREATE_ACL_PARAMETER ( policy IN VARCHAR2, parameter IN VARCHAR2, param_type IN NUMBER);
| Parameter | Description |
|---|---|
policy |
The name of the data security policy for which the ACL parameter needs to be created.
The name is schema qualified, for example, |
parameter |
The name of the ACL parameter to be created. |
param_type |
The data type of the parameter. This can be 1 (NUMBER) or 2 (VARCHAR). |
The following examples creates an ACL parameter, called DEPT_POLICY, for the EMPLOYEES_DS data security policy:
BEGIN
SYS.XS_DATA_SECURITY.CREATE_ACL_PARAMETER('EMPLOYEES_DS','DEPT_POLICY',1);
END;
The DELETE_ACL_PARAMETER procedure deletes an ACL parameter for a data security policy.
XS_DATA_SECURITY.DELETE_ACL_PARAMETER ( policy IN VARCHAR2, parameter IN VARCHAR2, delete_option IN PLS_INTEGER := XS_ADMIN_UTIL.DEFAULT_OPTION);
| Parameter | Description |
|---|---|
policy |
The name of the data security policy for which the ACL parameter is to be deleted.
The name is schema qualified, for example, |
parameter |
The name of the ACL parameter to be deleted. |
delete_option |
The delete option to use. The following options are available:
|
The following example deletes the DEPT_POLICY ACL parameter from the EMPLOYEES_DS data security policy, using the default option.
BEGIN
SYS.XS_DATA_SECURITY.DELETE_ACL_PARAMETER('EMPLOYEES_DS','DEPT_POLICY',
XS_ADMIN_UTIL.DEFAULT_OPTION);
END;
The SET_DESCRPTION procedure sets a description string for the specified data security policy.
XS_DATA_SECURITY.SET_DESCRIPTION ( policy IN VARCHAR2, description IN VARCHAR2);
| Parameter | Description |
|---|---|
policy |
The name of the data security policy for which the description is to be set.
The name is schema qualified, for example, |
description |
A description string for the specified data security policy. |
The following example sets a description string for the EMPLOYEES_DS data security policy:
BEGIN
SYS.XS_DATA_SECURITY.SET_DESCRIPTION('EMPLOYEES_DS',
'Data Security Policy for HR.EMPLOYEES');
END;
The DELETE_POLICY procedure deletes a data security policy.
XS_DATA_SECURITY.DELETE_POLICY( policy IN VARCHAR2, delete_option IN PLS_INTEGER := XS_ADMIN_UTIL.DEFAULT_OPTION);
| Parameter | Description |
|---|---|
policy |
The name of the data security policy to be deleted.
The name is schema qualified, for example, |
delete_option |
The delete option to use. To the security policy, the behavior of the following options is the same:
|
The following example deletes the EMPLOYEES_DS data security policy using the default option.
BEGIN
SYS.XS_DATA_SECURITY.DELETE_POLICY('EMPLOYEES_DS',
XS_ADMIN_UTIL.DEFAULT_OPTION);
END;
The ENABLE_OBJECT_POLICY procedure enables the data security policy for the specified table or view. ENABLE_OBJECT_POLICY enables the ACL-based row level security policy for the table or view.
You may want to enable data security policies after you perform an import or export on the tables that it affects, or for debugging purposes.
To find the status of the data security policies for tables or views available for the current user, query the DBA_XS_APPLIED_POLICIES data dictionary view.
XS_DATA_SECURITY.ENABLE_OBJECT_POLICY ( policy IN VARCHAR2, schema IN VARCHAR2, object IN VARCHAR2);
| Parameter | Description |
|---|---|
policy |
The name of the data security policy to be enabled.
The name is schema qualified, for example, |
schema |
The name of the schema that contains the table or view to enable. |
object |
The name of the table or view to enable the data security policy. |
The following example enables XDS for the products table in the sales schema.
BEGIN SYS.XS_DATA_SECURITY.ENABLE_OBJECT_POLICY(policy =>'CUST_DS', schema=>'sales', object=>'products'); END;
The DISABLE_OBJECT_POLICY procedure disables the data security policy for the specified table or view. DISABLE_OBJECT_POLICY disables the ACL-based row level security policy for the table or view.
You may want to disable Real Application Security if you are performing an import or export on the tables that it affects, or for debugging purposes.
To find the status of the data security policies for tables or views available for the current user, query the DBA_XS_APPLIED_POLICIES data dictionary view.
XS_DATA_SECURITY.DISABLE_OBJECT_POLICY ( policy IN VARCHAR2, schema IN VARCHAR2, object IN VARCHAR2);
| Parameter | Description |
|---|---|
policy |
The name of the data security policy to be disabled.
The name is schema qualified, for example, |
schema |
The name of the schema that contains the table or view to disable. |
object |
The name of the table or view to disable a data security policy. |
The following example disables XDS for the products table in the sales schema.
BEGIN SYS.XS_DATA_SECURITY.DISABLE_OBJECT_POLICY(policy =>'CUST_DS', schema=>'sales', object=>'products'); END;
The REMOVE_OBJECT_POLICY procedure drops the data security policy from the specified table or view without deleting it. REMOVE_OBJECT_POLICY drops the ACL Materialized View built by ENABLE_XDS on a static data realm constraint.
To find the status of the data security policies for tables or views available for the current user, query the DBA_XS_APPLIED_POLICIES data dictionary view.
XS_DATA_SECURITY.REMOVE_OBJECT_POLICY ( policy IN VARCHAR2, schema IN VARCHAR2, object IN VARCHAR2);
| Parameter | Description |
|---|---|
policy |
The name of the data security policy to be dropped.
The name is schema qualified, for example, |
schema |
The name of the schema that contains the table or view from which to remove the data security policy. |
object |
The name of the table or view from which to remove the data security. policy |
The following example drops the CUST_DS data security policy from the products table in the sales schema.
BEGIN SYS.XS_DATA_SECURITY.REMOVE_OBJECT_POLICY(policy=>'CUST_DS', schema=>'sales', object=>'products'); END;
The APPLY_OBJECT_POLICY procedure enables or reenables the data security policy for the specified database table or view.
To find the status of the data security policies for tables or views available for the current user, query the DBA_XS_APPLIED_POLICIES data dictionary view.
XS_DATA_SECURITY.APPLY_OBJECT_POLICY ( policy IN VARCHAR2, schema IN VARCHAR2, object IN VARCHAR2, row_acl IN BOOLEAN DEFAULT FALSE, owner_bypass IN BOOLEAN DEFAULT FALSE, statement_types IN VARCHAR2 DEFAULT NULL, aclmv IN VARCHAR2 DEFAULT NULL );
| Parameter | Description |
|---|---|
policy |
Name of the data security policy to be enabled.
The name is schema qualified, for example, |
schema |
The name of the schema that contains the relational table or view to enable or re-enable. |
object |
The name of the relational table or view to enable or re-enable for the data security policy. |
row_acl |
The default is FALSE. When set to TRUE, creates the hidden column SYS_ACLOD. |
owner_bypass |
The owner of the object can bypass the data security policy. The default is FALSE. |
statement_types |
The types can be: SELECT, INSERT, UPDATE, DELETE, and INDEX.
Note that if your application security requires that you must update table rows and also restrict read access to certain columns in the same table, you must use two |
aclmv |
Specifies a user-provided MV name that maintains static ACL information. The MV has two columns: TABLEROWID and ACLIDLIST. The default value for aclmv is NULL. |
The following example enables the DEPT_POLICY data security policy for the EMP table in the HR schema.
BEGIN
sys.xs_data_security.apply_object_policy(
policy => 'HR.EMPLOYEES_DS',
schema => 'HR',
object => 'EMPLOYEES',
statement_types => 'SELECT',
owner_bypass => true);
END;
The XS_DATA_SECURITY_UTIL package is a utility package that schedules automatic refreshment for static ACL to a user table and changes the ACL refreshment mode to on-commit or on-demand refresh.
The XS_DATA_SECURITY_UTIL package is created in the SYS schema. You need EXECUTE privileges on the package to be able to run the programs contained in this package.
The following are valid values for ACLMV refresh modes:
ACLMV_ON_DEMAND CONSTANT VARCHAR2(9) := 'ON DEMAND'; ACLMV_ON_COMMIT CONSTANT VARCHAR2(9) := 'ON COMMIT';
The following are types of refresh on static ACLMV:
XS_ON_COMMIT_MV CONSTANT BINARY_INTEGER := 0; XS_ON_DEMAND_MV CONSTANT BINARY_INTEGER := 1; XS_SCHEDULED_MV CONSTANT BINARY_INTEGER := 2;
The following are types of static ACLMV:
XS_SYSTEM_GENERATED_MV CONSTANT BINARY_INTEGER := 0; XS_USER_SPECIFIED_MV CONSTANT BINARY_INTEGER := 1;
Table 11-7 Summary of XS_DATA_SECURITY_UTIL Subprograms
| Subprogram | Brief Description |
|---|---|
|
Schedules automatic refreshment for static ACL to a user table |
|
|
Changes the ACL refreshment mode to on-commit or on-demand refresh. |
The SCHEDULE_STATIC_ACL_REFRESH procedure is used to invoke or schedule automatic refresh for static ACL to a user table. It can start the refresh immediately if NULL value is passed into the start_date and repeat_interval parameters.
To find the status of all latest static ACL refresh jobs done for tables or views available for the current user, query the ALL_XDS_LATEST_ACL_REFSTAT, DBA_XDS_LATEST_ACL_REFSTAT, and USER_XDS_LATEST_ACL_REFSTAT data dictionary views. All static ACL refresh job status history can be found in ALL_XDS_ACL_REFSTAT, DBA_XDS_ACL_REFSTAT, and USER_XDS_ACL_REFSTAT data dictionary views.
XS_DATA_SECURITY_UTIL.SCHEDULE_STATIC_ACL_REFRESH ( schema_name IN VARCHAR2 DEFAULT NULL, table_name IN VARCHAR2, start_date IN TIMESTAMP WITH TIME ZONE DEFAULT NULL, repeat_interval IN VARCHAR2 DEFAULT NULL, comments IN VARCHAR2 DEFAULT NULL );
| Parameter | Description |
|---|---|
schema_name |
Specifies the name for the schema to which the table belongs. |
table_name |
The table name which is used with above schema name to uniquely identify a table for the static ACL refreshment. |
start_date |
This attribute specifies the first date on which this refresh is scheduled to run. If the function is called repeatedly, then the latest given start_date and repeat_interval is used to schedule the job. Each execution result of ACL refresh done by immediate call, on-commit, or refresh job is added into XDS_ACL_REFSTAT.
If |
repeat_interval |
This attribute specifies how often the refresh should repeat. You can specify the repeat interval by using DBMS_SCHEDULER package calendaring syntax or using PL/SQL expressions. See Oracle Database PL/SQL Packages and Types Reference for more information about using calendering syntax.
The expression specified is evaluated to determine the next time the refresh should run. If The |
Comments |
This attribute specifies a comment about the job. By default, this attribute is NULL |
SYS.XS_DATA_SECURITY_UTIL.SCHEDULE_STATIC_ACL_REFRESH('aclmvuser', 'sales', SYSTIMESTAMP, 'freq=hourly; interval=2');
The ALTER_STATIC_ACL_REFRESH procedure is used to change the ACL refresh mode to on-commit or on-demand refresh.
XS_DATA_SECURITY_UTIL.ALTER_STATIC_ACL_REFRESH ( schema_name IN VARCHAR2 DEFAULT NULL, table_name IN VARCHAR2, refresh_mode IN VARCHAR2);
| Parameter | Description |
|---|---|
schema_name |
Specifies the name for the schema that the table belongs to. |
table_name |
The table name, which is used with the schema name to uniquely identify a table for altering the static ACL refreshment mode. |
refresh_mode |
ON COMMIT or ON DEMAND |
SYS.XS_DATA_SECURITY_UTIL.ALTER_STATIC_ACL_REFRESH('aclmvuser','sales', refresh_mode=>'ON COMMIT');
The XS_DIAG package includes subprograms to diagnose potential problems in data security for principals, security classes, acls, data security policies, namespaces, and all objects in the work space. All subprograms return TRUE if the object is valid; otherwise, each returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies you specify with the error_limit parameter is reached. Users can query this validation table to determine the identified inconsistencies for information that includes the message code, the description about the error, the path leading to the invalid object, and any other helpful information that might assist you in identifying the nature of the inconsistency.
The XS_DIAG package is created in the SYS schema. The caller has invoker's rights on this package and needs to have ADMIN_ANY_SEC_POLICY system privilege to run the XS_DIAG package. EXECUTE permission on the XS_DIAG package is granted to PUBLIC. SELECT permission on the XS$VALIDATION_TABLE validation table is granted to PUBLIC.
Table 11-8 Summary of XS_DIAG Subprograms
| Subprogram | Description |
|---|---|
|
Validates the principal. |
|
|
Validates the security class. |
|
|
Validates the ACL. |
|
|
Validates the data security policy or validates the data security policy against a specific table. |
|
|
Validates the namespace template. |
|
|
Validates an entire workspace. |
The VALIDATE_PRINCIPAL function validates the principal. This function returns TRUE if the object is valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
validate_principal(name IN VARCHAR2,
error_limit IN PLS_INTEGER := 1)
RETURN BOOLEAN;
| Parameter | Description |
|---|---|
name |
The name of the object to be validated. |
error_limit |
The maximum number of inconsistencies that may be stored in the validation table. |
Validate the principal, user user1, then query the validation table in case there are inconsistencies.
begin
if sys.xs_diag.validate_principal('user1', 100) then
dbms_output.put_line('The user is valid.');
else
dbms_output.put_line('The user is invalid.');
end if;
end;
/
select * from xs$validation_table;
Validate the principal, role role1, then query the validation table in case there are inconsistencies.
begin
if sys.xs_diag.validate_principal('role1', 100) then
dbms_output.put_line('The role is valid.');
else
dbms_output.put_line('The role is invalid.');
end if;
end;
/
select * from xs$validation_table;
The VALIDATE_SECURITY_CLASS function validates the security class. This function returns TRUE if the object is valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
validate_security_class(name IN VARCHAR2,
error_limit IN PLS_INTEGER := 1)
RETURN BOOLEAN;
| Parameter | Description |
|---|---|
name |
The name of the object to be validated. |
error_limit |
The maximum number of inconsistencies that may be stored in the validation table. |
Validate the security class, sec1, then query the validation table in case there are inconsistencies.
begin
if sys.xs_diag.validate_security_class('sec1', 100) then
dbms_output.put_line('The security class is valid.');
else
dbms_output.put_line('The security class is invalid.');
end if;
end;
/
select * from xs$validation_table;
The VALIDATE_ACL function validates the ACL. This function returns TRUE if the object is valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
validate_acl(name IN VARCHAR2,
error_limit IN PLS_INTEGER := 1)
RETURN BOOLEAN;
| Parameter | Description |
|---|---|
name |
The name of the object to be validated. |
error_limit |
The maximum number of inconsistencies that may be stored in the validation table. |
Validate the ACL, acl1, then query the validation table in case there are inconsistencies.
begin
if sys.xs_diag.validate_acl('acl1', 100) then
dbms_output.put_line('The ACL is valid.');
else
dbms_output.put_line('The ACL is invalid.');
end if;
end;
/
select * from xs$validation_table;
The VALIDATE_DATA_SECURITY function validates the data security. This function returns TRUE if the object is valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
This function has three styles of policy validation.
When policy is not NULL and table_name is NULL, the function validates the policy against all the tables to which the policy is applied. Note that when table_name is NULL, table_owner is ignored even if it is not NULL.
When both policy and table_name are not NULL, the function validates the policy against the specific table. If table_owner is not provided, the current schema is used.
When policy is NULL and table_name is not NULL, the function validates all policies applied to the table against the table. If table_owner is not provided, the current schema is used.
validate_data_security(policy IN VARCHAR2 :=NULL,
table_owner IN VARCHAR2 :=NULL,
table_name IN VARCHAR2 :=NULL,
error_limit IN PLS_INTEGER := 1)
RETURN BOOLEAN;
| Parameter | Description |
|---|---|
policy |
The name of the object to be validated. |
table_owner |
The name of the schema of the table or view. |
table_name |
The name of the table or view. |
error_limit |
The maximum number of inconsistencies that may be stored in the validation table. |
Validate a policy, policy1 on all the applied tables, then query the validation table in case there are inconsistencies.
begin
if sys.xs_diag.validate_data_security(policy => 'policy1',
error_limit => 100) then
dbms_output.put_line('The policy is valid on all the applied tables.');
else
dbms_output.put_line('The policy is invalid on some of the applied tables.');
end if;
end;
/
select * from xs$validation_table;
Validate a policy, policy1 on a given table, then query the validation table in case there are inconsistencies.
begin
if sys.xs_diag.validate_data_security(policy => 'policy1',
table_owner => 'HR',
table_name => 'EMPLOYEES',
error_limit => 100) then
dbms_output.put_line('The policy is valid on the table.');
else
dbms_output.put_line('The policy is invalid on the table.');
end if;
end;
/
select * from xs$validation_table;
Validate all the policies applied to a given table, then query the validation table in case there are inconsistencies.
begin
if sys.xs_diag.validate_data_security(table_owner => 'HR',
table_name => 'EMPLOYEES',
error_limit => 100) then
dbms_output.put_line('All the applied policies on the table are valid.');
else
dbms_output.put_line('Some applied policies on the table are invalid');
end if;
end;
/
select * from xs$validation_table;
The VALIDATE_NAMESPACE_TEMPLATE function validates the namespace. This function returns TRUE if the object is valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
validate_namespace_template(name IN VARCHAR2,
error_limit IN PLS_INTEGER := 1)
RETURN BOOLEAN;
| Parameter | Description |
|---|---|
name |
The name of the object to be validated. |
error_limit |
The maximum number of inconsistencies that may be stored in the validation table. |
Validate the namespace, ns1, then query the validation table in case there are inconsistencies.
begin
if sys.xs_diag.validate_namespace_template('ns1', 100) then
dbms_output.put_line('The namespace template is valid.');
else
dbms_output.put_line('The namespace template is invalid.');
end if;
end;
/
select * from xs$validation_table;
The VALIDATE_WORKSPACE function validates all the artifacts, in other words, it validates all objects that exist in the work space by using this one function. This function returns TRUE if all the objects are valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
validate_workspace(error_limit IN PLS_INTEGER := 1) RETURN BOOLEAN;
| Parameter | Description |
|---|---|
error_limit |
The maximum number of inconsistencies that may be stored in the validation table. |
Validate all the objects in the workspace, then query the validation table in case there are inconsistencies.
begin
if sys.xs_diag.validate_workspace(100) then
dbms_output.put_line('The objects are valid.');
else
dbms_output.put_line('The objects are invalid.');
end if;
end;
/
select * from xs$validation_table;
The XS_NAMESPACE package includes subprograms to create, manage, and delete namespace templates and attributes.
The XS_NAMESPACE package is created under the SYS schema. The DBA role is granted the ADMIN_ANY_SEC_POLICY, which allows it to administer namespace templates and attributes.
The following object types, constructor functions, synonyms, and GRANT statements are defined for this package.
-- Type definition for namespace template attribute
CREATE OR REPLACE TYPE XS$NS_ATTRIBUTE AS OBJECT (
-- Member Variables
-- Name of the namespace template attribute
-- Must be unique within a namespace template
-- Cannot be null
name VARCHAR2(4000),
-- Default value assigned to the attribute
default_value VARCHAR2(4000),
-- Trigger events associated with the attribute
-- Allowed values are :
-- 0 : NO_EVENT
-- 1 : FIRST_READ_EVENT
-- 2 : UPDATE_EVENT
-- 3 : FIRST_READ_PLUS_UPDATE_EVENT
attribute_events NUMBER,
-- Constructor function
CONSTRUCTOR FUNCTION XS$NS_ATTRIBUTE
(name IN VARCHAR2,
default_value IN VARCHAR2 := NULL,
attribute_events IN NUMBER := 0)
RETURN SELF AS RESULT,
-- Return the name of the attribute
MEMBER FUNCTION GET_NAME RETURN VARCHAR2,
-- Return the default value of the attribute
MEMBER FUNCTION GET_DEFAULT_VALUE RETURN VARCHAR2,
-- Return the trigger events associated with attribute
MEMBER FUNCTION GET_ATTRIBUTE_EVENTS RETURN NUMBER,
-- Mutator procedures
-- Set the default value for the attribute
MEMBER PROCEDURE SET_DEFAULT_VALUE(default_value IN VARCHAR2),
-- Associate trigger events to the attribute
MEMBER PROCEDURE SET_ATTRIBUTE_EVENTS(attribute_events IN NUMBER)
);
CREATE OR REPLACE TYPE XS$NS_ATTRIBUTE_LIST AS VARRAY(1000) OF XS$NS_ATTRIBUTE;
The following are attribute event constants:
NO_EVENT CONSTANT PLS_INTEGER := 0; FIRSTREAD_EVENT CONSTANT PLS_INTEGER := 1; UPDATE_EVENT CONSTANT PLS_INTEGER := 2; FIRSTREAD_PLUS_UPDATE_EVENT CONSTANT PLS_INTEGER := 3;
Table 11-9 Summary of XS_NAMESPACE Subprograms
| Subprogram | Description |
|---|---|
|
Creates a new namespace template. |
|
|
Adds one or more attributes to an existing namespace template. |
|
|
Removes one or more attributes from a namespace template. |
|
|
Assigns a handler function for the specified namespace template. |
|
|
Sets a description string for the specified namespace template. |
|
|
Deletes the specified namespace template. |
The CREATE_TEMPLATE procedure creates a new namespace template.
XS_NAMESPACE.CREATE_TEMPLATE ( name IN VARCHAR2, attr_list IN XS$NS_ATTRIBUTE_LIST := NULL, schema IN VARCHAR2 := NULL, package IN VARCHAR2 := NULL, function IN VARCHAR2 := NULL, acl IN VARCHAR2 := 'SYS.NS_UNRESTRICTED_ACL' description IN VARCHAR2 := NULL);
| Parameter | Description |
|---|---|
name |
The name of the namespace template to be created. |
attr_list |
The attributes contained in the namespace template together with their default values and associated attribute events, such as UPDATE_EVENT. |
schema |
The schema that contains the handler function for the namespace template. |
package |
The package that contains the handler function for the namespace template. |
function |
The handler function for the namespace template. The handler function is called when an attribute event occurs. |
acl |
The name of the ACL for this namespace template. If no ACL is provided, the default is the predefined ACL SYS.NS_UNRESTRICTED_ACL, which allows unrestricted attribute operations by the application user. |
description |
An optional description string for the namespace template. |
The following example creates a namespace template called POAttrs. The namespace template contains a list of attributes defined by attrlist. The handler function for the namespace template is called Populate_Order_Func. This handler function is part of the Orders_Pckg package, which is contained in the SCOTT schema. The namespace template has NS_UNRESTRICTED_ACL set on the template, which allows unrestricted operation on namespaces created from the template.
DECLARE
attrlist XS$NS_ATTRIBUTE_LIST;
BEGIN
attrlist := XS$NS_ATTRIBUTE_LIST();
attrlist.extend(2);
attrlist(1) := XS$NS_ATTRIBUTE('desc', 'general');
attrlist(2) := XS$NS_ATTRIBUTE(name=>'item_no',
attribute_events=>XS_NAMESPACE.FIRSTREAD_EVENT);
SYS.XS_NAMESPACE.CREATE_TEMPLATE('POAttrs', attrlist, 'SCOTT',
'Orders_Pckg','Populate_Order_Func',
'SYS.NS_UNRESTRICTED_ACL',
'Purchase Order Attributes');
END;
The ADD_ATTRIBUTES procedure adds one or more attributes to an existing namespace template.
XS_NAMESPACE.ADD_ATTRIBUTES ( template IN VARCHAR2, attribute IN VARCHAR2, default_value IN VARCHAR2 := NULL, attribute_events IN PLS_INTEGER := XS_NAMESPACE.NO_EVENT); XS_NAMESPACE.ADD_ATTRIBUTES ( template IN VARCHAR2, attr_list IN XS$NS_ATTRIBUTE_LIST);
| Parameter | Description |
|---|---|
template |
The name of the namespace templates to which the attribute(s) is/are to be added. |
attribute |
The name of the attribute to be added. |
attr_list |
The list of attributes to be added. |
default_value |
The default value of the attribute. |
attribute_events |
The attribute event associated with the attribute, such as update event. |
The following example adds an attribute called item_type to the POAttrs namespace. It also specifies a default value and attribute event for the new attribute that is added.
BEGIN
SYS.XS_NAMESPACE.ADD_ATTRIBUTES(template=>'POAttrs',attribute=>'item_type',
default_value=>'generic',
attribute_events=>XS_NAMESPACE.update_event);
END;
The REMOVE_ATTRIBUTES procedure removes one or more attributes from a namespace template. If no attribute names are specified, then all attributes are removed from the namespace template.
XS_NAMESPACE.REMOVE_ATTRIBUTES ( template IN VARCHAR2, attribute IN VARCHAR2); XS_NAMESPACE.REMOVE_ATTRIBUTES ( template IN VARCHAR2, attr_list IN XS$LIST); XS_NAMESPACE.REMOVE_ATTRIBUTES ( template IN VARCHAR2);
| Parameter | Description |
|---|---|
template |
The name of the namespace template from which the attribute(s) is/are to be removed. |
attribute |
The name of the attribute to be removed. |
attr_list |
The list of attribute names to be removed. |
The following example removes the item_type attribute from the POAttrs namespace.
BEGIN
SYS.XS_NAMESPACE.REMOVE_ATTRIBUTES('POAttrs','item_type');
END;
The following example removes all attributes from the POAttrs namespace template.
BEGIN
SYS.XS_NAMESPACE.REMOVE_ATTRIBUTES('POAttrs');
END;
The SET_HANDLER procedure assigns a handler function for the specified namespace template.
XS_NAMESPACE.SET_HANDLER ( template IN VARCHAR2, schema IN VARCHAR2, package IN VARCHAR2, function IN VARCHAR2);
| Parameter | Description |
|---|---|
template |
The name of the namespace template for which the handler function is to be set. |
schema |
The schema containing the handler package and function. |
package |
The name of the package that contains the handler function. |
function |
The name of the handler function for the namespace template. |
The following example sets a handler function, called Populate_Order_Func, for the POAttrs namespace template.
BEGIN
SYS.XS_NAMESPACE.SET_HANDLER('POAttrs','SCOTT',
'Orders_Pckg','Populate_Order_Func');
END;
The SET_DESCRIPTION procedure sets a description string for the specified namespace template.
XS_NAMESPACE.SET_DESCRIPTION ( template IN VARCHAR2, description IN VARCHAR2);
| Parameter | Description |
|---|---|
template |
The name of the namespace template whose description is to be set. |
description |
A description string for the specified namespace template. |
The following example sets a description string for the POAttrs namespace template.
BEGIN
SYS.XS_NAMESPACE.SET_DESCRIPTION('POAttrs','Purchase Order Attributes');
END;
The DELETE_TEMPLATE procedure deletes the specified namespace template.
XS_NAMESPACE.DELETE_TEMPLATE( template IN VARCHAR2, delete_option IN PLS_INTEGER := XS_ADMIN_UTIL.DEFAULT_OPTION);
| Parameter | Description |
|---|---|
template |
The name of the namespace template to be deleted. |
delete_option |
The delete option to use. To the namespace template, the behavior of the following options is the same:
|
The following example deletes the POAttrs namespace template using the default delete option.
BEGIN
SYS.XS_NAMESPACE.DELETE_TEMPLATE('POAttrs',XS_ADMIN_UTIL.DEFAULT_OPTION);
END;
The XS_PRINCIPAL package contains procedures used to create, manage, and delete application principals. These application principals include application users, regular application roles, and dynamic application roles.
The XS_PRINCIPAL package is created under the SYS schema.
The privileges required to create, modify, or drop application users and roles are governed by the same system privileges required to create, modify, or drop database users and roles.
The following object types, constructor functions, synonyms, and GRANT statements are defined for this package.
-- Type definition for roles granted to the principals
CREATE OR REPLACE TYPE XS$ROLE_GRANT_TYPE AS OBJECT (
-- Member Variables
-- Constants defined in other packages cannot be recognized in a type.
-- e.g. XS_ADMIN_UTIL.XSNAME_MAXLEN
-- name VARCHAR2(XS_ADMIN_UTIL.XSNAME_MAXLEN),
name VARCHAR2(130),
-- Start date of the effective date
start_date TIMESTAMP WITH TIME ZONE,
-- End date of the effective date
end_date TIMESTAMP WITH TIME ZONE,
CONSTRUCTOR FUNCTION XS$ROLE_GRANT_TYPE (
name IN VARCHAR2,
start_date IN TIMESTAMP WITH TIME ZONE:= NULL,
end_date IN TIMESTAMP WITH TIME ZONE:= NULL)
RETURN SELF AS RESULT,
MEMBER FUNCTION get_role_name RETURN VARCHAR2,
MEMBER PROCEDURE set_start_date(start_date IN TIMESTAMP WITH TIME ZONE),
MEMBER FUNCTION get_start_date RETURN TIMESTAMP WITH TIME ZONE,
MEMBER PROCEDURE set_end_date(end_date IN TIMESTAMP WITH TIME ZONE),
MEMBER FUNCTION get_end_date RETURN TIMESTAMP WITH TIME ZONE
);
CREATE OR REPLACE TYPE XS$ROLE_GRANT_LIST AS VARRAY(1000) OF XS$ROLE_GRANT_TYPE;
The following constants define the user's status:
ACTIVE CONSTANT PLS_INTEGER := 1; INACTIVE CONSTANT PLS_INTEGER := 2; UNLOCKED CONSTANT PLS_INTEGER := 3; EXPIRED CONSTANT PLS_INTEGER := 4; LOCKED CONSTANT PLS_INTEGER := 5;
The following constants define dynamic role scope:
SESSION_SCOPE CONSTANT PLS_INTEGER := 0; REQUEST_SCOPE CONSTANT PLS_INTEGER := 1;
The following constants define the verifier type:
XS_SHA512 CONSTANT PLS_INTEGER := 2 ; XS_SALTED_SHA1 CONSTANT PLS_INTEGER := 1 ;
Table 11-10 Summary of XS_PRINCIPAL Subprograms
| Subprogram | Description |
|---|---|
|
Creates an application user. |
|
|
Creates an application role. |
|
|
Creates a dynamic application role. |
|
|
Grants one or more application roles to an application principal. |
|
|
Revokes one or more roles from an application principal. |
|
|
Adds a proxy user for a target application user. |
|
|
Removes specified proxy user or all proxy users for a target application user. |
|
|
Add a proxy application user to a database user. |
|
|
Remove a proxy application user from a database user. |
|
|
Sets or modifies the effective dates for an application user or role. |
|
|
Sets or modifies the duration, in minutes, for a dynamic application role. |
|
|
Sets or modifies the scope of a dynamic application role, such as |
|
|
Enables or disables an application role. |
|
|
Enables or disables all directly granted roles for the specified user. |
|
|
Sets the database schema for an application user. |
|
|
Sets the GUID for an external user or role. |
|
|
Sets the application user's profile. This is a set of resource limits and password parameters that restrict database usage and database instance resources for a Real Application Security application user. |
|
|
Sets or modifies the status of an application user account, such as |
|
|
Sets or modifies the password for an application user account. |
|
|
Sets or modifies the verifier for an application user account. |
|
|
Sets the description string for an application user or role. |
|
|
Drops an application user or role. |
The CREATE_USER procedure creates a new application user. You need the CREATE USER system privilege to create an application user.
You can use the DBA_XS_USERS data dictionary view to get a list of all application users.
CREATE_USER ( name IN VARCHAR2, schema IN VARCHAR2 := NULL, status IN PLS_INTEGER := ACTIVE, start_date IN TIMESTAMP WITH TIME ZONE := NULL, end_date IN TIMESTAMP WITH TIME ZONE := NULL, guid IN RAW := NULL, external_source IN VARCHAR2 := NULL, description IN VARCHAR2 := NULL);
| Parameter | Description |
|---|---|
name |
The name of the application user to be created. |
status |
The status of the user on creation. This can be one of the following values:
The default value is The values |
schema |
The database schema to be associated with the user. This is optional. |
start_date |
The date from which the user account becomes effective. This is optional. |
end_date |
The date on which the user account becomes ineffective. This is optional.
If an |
guid |
GUID of the user. This is valid for external users only. |
external_source |
Name of the system that is the source for this user. This is optional. |
description |
A description for the user account. This is optional. |
The following example creates a user:
BEGIN
XS_PRINCIPAL.CREATE_USER('TEST1');
END;
The following example creates a user, and also specifies a schema and start date for the user:
DECLARE
st_date TIMESTAMP WITH TIME ZONE;
BEGIN
st_date := TO_TIMESTAMP_TZ('2010-06-18 11:00:00 -5:00','YYYY-MM-DD HH:MI:SS
TZH:TZM');
SYS.XS_PRINCIPAL.CREATE_USER(name=>'u2',
schema=>'scott',
start_date=>st_date);
END;
The CREATE_ROLE procedure creates a new application role. You need the CREATE ROLE system privilege to create a regular application role.
You can use the DBA_XS_ROLES data dictionary view to get the list of application roles together with their attributes, like start date and end date
CREATE_ROLE ( name IN VARCHAR2, enabled IN BOOLEAN := FALSE, start_date IN TIMESTAMP WITH TIME ZONE := NULL, end_date IN TIMESTAMP WITH TIME ZONE := NULL, guid IN RAW := NULL, external_source IN VARCHAR2 := NULL, description IN VARCHAR2 := NULL);
| Parameter | Description |
|---|---|
name |
The name of the application role to be created. |
enabled |
Specifies whether the role is enabled on creation. The default value is FALSE, which means that the role is disabled on creation. |
start_date |
The date from which the role becomes effective. This is optional. |
end_date |
The date on which the role becomes ineffective. This is optional.
If an |
guid |
GUID of the role. This is applicable for external roles only. |
external_source |
The name of the system that is the source for this role. This is optional. |
description |
An optional description for the role. |
The following example creates an application role, called hrmgr:
BEGIN
SYS.XS_PRINCIPAL.CREATE_ROLE('hrmgr');
END;
The following example creates an application role called hrrep. It also enables the role, and assigns the current date as start date for the role.
DECLARE
st_date TIMESTAMP WITH TIME ZONE;
BEGIN
st_date := SYSTIMESTAMP;
SYS.XS_PRINCIPAL.CREATE_ROLE(name=>'hrrep',
enabled=>true,
start_date=>st_date);
END;
The CREATE_DYNAMIC_ROLE procedure creates a new dynamic application role. Dynamic application roles can be dynamically enabled or disabled by an application, based on the criteria defined by the application. You need the CREATE ROLE system privilege to create an dynamic application role.
You can use the DBA_XS_DYNAMIC_ROLES data dictionary view to get a list of all dynamic application roles together with their attributes, like duration.
CREATE_DYNAMIC_ROLE ( name IN VARCHAR2, duration IN PLS_INTEGER := NULL, scope IN PLS_INTEGER := XS_PRINCIPAL.SESSION_SCOPE, description IN VARCHAR2 := NULL);
| Parameter | Description |
|---|---|
name |
The name of the dynamic application role to be created. |
duration |
The duration (in minutes) of the dynamic application role. This is an optional attribute. |
scope |
The scope attribute of the dynamic application role. The possible values are SESSION_SCOPE and REQUEST_SCOPE. The default value is XS_PRINCIPAL.SESSION_SCOPE. |
description |
An optional description for the dynamic application role. |
The following example creates a dynamic application role, called sslrole:
BEGIN
SYS.XS_PRINCIPAL.CREATE_DYNAMIC_ROLE('sslrole');
END;
The following example creates a dynamic application role called reprole. It also specifies a duration of 100 minutes for the role, and chooses the request scope for the role.
BEGIN
SYS.XS_PRINCIPAL.CREATE_DYNAMIC_ROLE(name=>'reprole',
duration=>100,
scope=>XS_PRINCIPAL.REQUEST_SCOPE);
END;
The GRANT_ROLES procedure grants one or more application roles to an application principal. You need the GRANT ANY ROLE system privilege to grant application roles.
You can use the DBA_XS_ROLE_GRANTS data dictionary view to get the list of all role grants together with their details, like start date and end date.
GRANT_ROLES ( grantee IN VARCHAR2, role IN VARCHAR2, start_date IN TIMESTAMP WITH TIME ZONE:= NULL, end_date IN TIMESTAMP WITH TIME ZONE:= NULL,); GRANT_ROLES ( grantee IN VARCHAR2, role_list IN XS$ROLE_GRANT_LIST);
| Parameter | Description |
|---|---|
grantee |
The name of the principal to which the role is granted. |
role |
The name of the role to be granted. |
role_list |
The list of roles to be granted. |
start_date |
The date on which the grant takes effect. This is an optional parameter. |
end_date |
The date until which the grant is in effect. This is an optional parameter. |
The following example grants the HRREP role to user SMAVRIS with a start date and an end date specified:
DECLARE
st_date TIMESTAMP WITH TIME ZONE;
end_date TIMESTAMP WITH TIME ZONE;
BEGIN
st_date := TO_TIMESTAMP_TZ('2010-06-18 11:00:00 -5:00','YYYY-MM-DD HH:MI:SS
TZH:TZM');
end_date := TO_TIMESTAMP_Tz('2011-06-18 11:00:00 -5:00','YYYY-MM-DD HH:MI:SS
TZH:TZM');
SYS.XS_PRINCIPAL.GRANT_ROLES('SMAVRIS', 'HRREP', st_date, end_date);
END;
The following example grants the HRREP and HRMGR roles to user SMAVRIS:
DECLARE
rg_list XS$ROLE_GRANT_LIST;
BEGIN
rg_list := XS$ROLE_GRANT_LIST(XS$ROLE_GRANT_TYPE('HRREP'),
XS$ROLE_GRANT_TYPE('HRMGR'));
SYS.XS_PRINCIPAL.GRANT_ROLES('SMAVRIS', rg_list);
END;
The REVOKE_ROLES procedure revokes the specified role(s) from the specified grantee. If no roles are specified, then all application roles are revoked from the grantee.You need the GRANT ANY ROLE system privilege to grant or revoke roles.
You can use the DBA_XS_ROLE_GRANTS data dictionary view to get the list of all role grants together with their details, like start date and end date.
REVOKE_ROLES ( grantee IN VARCHAR2, role IN VARCHAR2); REVOKE_ROLES ( grantee IN VARCHAR2, role_list IN XS$NAME_LIST); REVOKE_ROLES ( grantee IN VARCHAR2);
| Parameter | Description |
|---|---|
grantee |
The application principal from whom the role(s) are to be revoked. |
role |
The name of the application role that is to be revoked. |
role_list |
The list of role names that are to be revoked. |
The following example revokes the HRREP role from user SMAVRIS:
BEGIN
SYS.XS_PRINCIPAL.REVOKE_ROLES('SMAVRIS','HRREP');
END;
The following example revokes the HRREP and HRMGR roles from user SMAVRIS:
DECLARE
role_list XS$NAME_LIST;
BEGIN
role_list := XS$NAME_LIST('HRREP','HRMGR');
SYS.XS_PRINCIPAL.REVOKE_ROLES('SMAVRIS', role_list);
END;
The following example revokes all granted roles from user SMAVRIS:
BEGIN
SYS.XS_PRINCIPAL.REVOKE_ROLES('SMAVRIS');
END;
The ADD_PROXY_USER adds a target user for the specified application user. This allows the application user to proxy as the target user. There are two signatures for this procedure. The first signature allows you to specify a subset of roles of the target user using the target_roles parameter that are to be assigned to the proxy user. For the second signature there is no target_roles parameter, so all roles of the target user are assigned to the proxy user.
You need the ALTER USER system privilege to add or remove a proxy user.
ADD_PROXY_USER ( target_user IN VARCHAR2, proxy_user IN VARCHAR2, target_roles IN XS$NAME_LIST); ADD_PROXY_USER ( target_user IN VARCHAR2, proxy_user IN VARCHAR2);
| Parameter | Description |
|---|---|
target_user |
The name of the target application user that can be proxied to. |
proxy_user |
The name of the proxy application user. |
target_roles |
A list of target user roles that can be proxied by the proxy user. This parameter is mandatory. If you pass an explicit NULL value, then this would be a case of configuring the proxy user without any role of the target user; otherwise, the proxy_user parameter uses the value you specify for the target_roles parameter. |
The following example enables user DJONES to proxy as target user SMAVRIS. The target roles granted to DJONES are HRREP and HRMGR.
DECLARE
pxy_roles XS$NAME_LIST;
BEGIN
pxy_roles := XS$NAME_LIST('HRREP','HRMGR');
SYS.XS_PRINCIPAL.ADD_PROXY_USER('SMAVRIS','DJONES', pxy_roles);
END;
The following example passes an explicit NULL value for the target role; in other words, it assigns no roles of the target user 'SMAVRIS' to the proxy user 'DJONES'.
BEGIN
SYS.XS_PRINCIPAL.ADD_PROXY_USER('SMAVRIS','DJONES', NULL);
END;
The following example assigns all roles of target user 'SMAVRIS' to proxy user 'DJONES'.
BEGIN
SYS.XS_PRINCIPAL.ADD_PROXY_USER('SMAVRIS','DJONES');
END;
The REMOVE_PROXY_USERS procedure disassociates one or all proxy users for a target application user. The associated proxy roles are automatically removed for the proxy users.
You need the ALTER USER system privilege to add or remove a proxy user.
REMOVE_PROXY_USERS ( target_user IN VARCHAR2); REMOVE_PROXY_USERS ( target_user IN VARCHAR2, proxy_user IN VARCHAR2);
| Parameter | Description |
|---|---|
target_user |
The target application user whose proxies are to be disassociated. |
proxy_user |
The proxy application user that needs to be disassociated from the target user. |
The following example removes all proxy users for target user SMAVRIS:
BEGIN
SYS.XS_PRINCIPAL.REMOVE_PROXY_USERS('SMAVRIS');
END;
The following example disassociates the proxy user DJONES from the target user SMAVRIS:
BEGIN
SYS.XS_PRINCIPAL.REMOVE_PROXY_USERS('SMAVRIS','DJONES');
END;
The ADD_PROXY_TO_DBUSER adds the specified target proxy application user to the specified database user. The application user must be a direct logon user. This allows the application user to proxy as the target database user. By default, all roles assigned to the target user can be used by the proxy user. Similar to Oracle Database, the default roles of the target database users would be enabled after connection. Other roles assigned to the target database user can be set by using the SET ROLE statement.
You need the ALTER USER system privilege to add a proxy user to a database user.
ADD_PROXY_TO_DBUSER ( database_user IN VARCHAR2, proxy_user IN VARCHAR2, is_external IN BOOLEAN := FALSE);
| Parameter | Description |
|---|---|
database_user |
The name of the target database user that can be proxied to. |
proxy_user |
The name of the proxy application user. |
is_external |
The parameter to indicate whether the user is an external user or a regular Real Application Security application user. |
The following example enables application user DJONES to proxy as target database user SMAVRIS.
BEGIN
SYS.XS_PRINCIPAL.ADD_PROXY_TO_DBUSER('SMAVRIS','DJONES', TRUE);
END;
The REMOVE_PROXY_FROM_DBUSER procedure disassociates a proxy application user from a database user. The associated proxy roles are automatically removed from the application user.
You need the ALTER USER system privilege to remove a proxy user from a database user.
REMOVE_PROXY_FROM_DBUSER ( database_user IN VARCHAR2, proxy_user IN VARCHAR2);
| Parameter | Description |
|---|---|
database_user |
The target database user whose proxies are to be disassociated. |
proxy_user |
The proxy application user that needs to be disassociated from the target database user. |
The following example disassociates the proxy user DJONES from the target database user SMAVRIS:
BEGIN
SYS.XS_PRINCIPAL.REMOVE_PROXY_FROM_DBUSER('SMAVRIS','DJONES');
END;
The SET_EFFECTIVE_DATES procedure sets or modifies the effective dates for an application user or role. If the start_date and end_date values are specified as NULL by default, then the application user is not currently effective, so the session for the particular application user cannot be created.
You need the ALTER USER system privilege to run this procedure for an application user. You need the ALTER ANY ROLE system privilege to run this procedure for an application role.
SET_EFFECTIVE_DATES ( principal IN VARCHAR2, start_date IN TIMESTAMP WITH TIME ZONE:= NULL, end_date IN TIMESTAMP WITH TIME ZONE:= NULL);
| Parameter | Description |
|---|---|
principal |
The name of the application user or role for which effective dates are to be set. |
start_date |
The start date of the effective dates period. |
end_date |
The end date of the effective dates period. |
The following example sets the effective dates for user DJONES.
DECLARE
st_date TIMESTAMP WITH TIME ZONE;
end_date TIMESTAMP WITH TIME ZONE;
BEGIN
st_date := TO_TIMESTAMP_TZ('2010-06-18 11:00:00 -5:00','YYYY-MM-DD HH:MI:SS
TZH:TZM');
end_date := TO_TIMESTAMP_Tz('2011-06-18 11:00:00 -5:00','YYYY-MM-DD HH:MI:SS
TZH:TZM');
SYS.XS_PRINCIPAL.SET_EFFECTIVE_DATES(principal=>'DJONES',
start_date=>st_date,end_date=>end_date);
END;
The SET_DYNAMIC_ROLE_DURATION procedure sets or modifies the duration for a dynamic application role. The duration is specified in minutes.
You need the ALTER ANY ROLE system privilege to modify a role.
SET_DYNAMIC_ROLE_DURATION ( role IN VARCHAR2, duration IN PLS_INTEGER);
| Parameter | Description |
|---|---|
role |
The name of the dynamic application role. |
duration |
The duration of the dynamic application role in minutes. This cannot be a negative value. |
The following example sets the duration of the reprole dynamic application role to 60 minutes.
BEGIN
SYS.XS_PRINCIPAL.SET_DYNAMIC_ROLE_DURATION('reprole',60);
END;
The SET_DYNAMIC_ROLE_SCOPE procedure sets or modifies the scope of a dynamic application role. The session (SESSION_SCOPE) or request (REQUEST_SCOPE) scopes can be chosen.
You need the ALTER ANY ROLE system privilege to modify a role.
SET_DYNAMIC_ROLE_SCOPE ( role IN VARCHAR2, scope IN PLS_INTEGER);
| Parameter | Description |
|---|---|
role |
The name of the dynamic application role. |
scope |
The scope of the dynamic application role to be set. The allowed values are XS_PRINCIPAL.REQUEST_SCOPE and XS_PRINCIPAL.SESSION_SCOPE. |
The following example sets the scope of the reprole dynamic application role to request scope:
BEGIN
SYS.XS_PRINCIPAL.SET_DYNAMIC_ROLE_SCOPE('reprole',XS_PRINCIPAL.REQUEST_SCOPE);
END;
The ENABLE_BY_DEFAULT procedure enables or disables a regular application role.
If enabled, then the application role is automatically enabled for the principal to which it is granted. If disabled, then the privileges associated with the application role are not enabled even if the application role is granted to a principal.
You need the ALTER ANY ROLE system privilege to modify an application role.
ENABLE_BY_DEFAULT ( role IN VARCHAR2, enabled IN BOOLEAN := TRUE);
| Parameter | Description |
|---|---|
role |
The name of the regular application role. |
enabled |
The enabled attribute of the application role. Setting this to TRUE marks the application role as being enabled by default. The default value is TRUE. |
The following example sets the enabled attribute for the HRREP application role to TRUE:
BEGIN
SYS.XS_PRINCIPAL.ENABLE_BY_DEFAULT('HRREP',TRUE);
END;
The ENABLE_ROLES_BY_DEFAULT procedure enables or disables all application roles that have been directly granted to an application user.
You need the ALTER USER system privilege to run this procedure for an application user.
ENABLE_ROLES_BY_DEFAULT ( user IN VARCHAR2, enabled IN BOOLEAN := TRUE);
| Parameter | Description |
|---|---|
user |
The name of the application user. |
enabled |
The enabled attribute for all application roles that have been directly granted to the application user.
Setting the enabled attribute to Setting the enabled attribute to |
The following example enables all directly granted roles for application user SMAVRIS:
BEGIN
SYS.XS_PRINCIPAL.ENABLE_ROLES_BY_DEFAULT('SMAVRIS',TRUE);
END;
The SET_USER_SCHEMA procedure sets the database schema for an application user.
You need the ALTER USER system privilege to run this procedure for an application user.
SET_USER_SCHEMA ( user IN VARCHAR2, schema IN VARCHAR2);
| Parameter | Description |
|---|---|
user |
The name of the application user. |
schema |
The name of the database schema to be associated with the user. Setting this to NULL removes any schema association. |
The following example associates the HR schema with user DJONES.
BEGIN
SYS.XS_PRINCIPAL.SET_USER_SCHEMA('DJONES','HR');
END;
The SET_GUID procedure sets the GUID for a principal. The principal must be an external user or role, and the current GUID must be NULL.
You need the ALTER USER system privilege to run this procedure for an application user. You need the ALTER ANY ROLE system privilege to run this procedure for an application role.
Note:
Theexternal_source attribute for the user must have been set for SET_GUID to work.SET_GUID ( principal IN VARCHAR2, guid IN RAW);
| Parameter | Description |
|---|---|
principal |
The name of the external user or role. |
guid |
The GUID for the external user or role. |
The following example sets a GUID for user Alex:
BEGIN
SYS.XS_PRINCIPAL.SET_GUID('ALEX','7b6cb3a98f8a4e20ac31a37419cc7fa3');
END;
The SET_PROFILE procedure sets the application user's profile. The profile is a set of resource limits and password parameters that restrict database usage and database instance resources for a Real Application Security application user. Both the application user and the profile must be existing entities.
The user executing this procedure must have the ALTER_USER privilege.
If a profile that is assigned to an application user is dropped using the cascade option, then the default profile would automatically become activated for that user.
SET_PROFILE ( user IN VARCHAR2, profile IN VARCHAR2);
| Parameter | Description |
|---|---|
user |
The name of the Real Application Security application user. This must be an existing application user. |
profile |
The name of the profile. |
The following example creates a profile named prof and then sets the profile named prof to an application user named xsuser.
CREATE PROFILE prof LIMIT PASSWORD_REUSE_TIME 1/1440 PASSWORD_REUSE_MAX 3 PASSWORD_VERIFY_FUNCTION Verify_Pass;
BEGIN
SYS.XS_PRINCIPAL.SET_PROFILE('xsuser','prof');
END;
The SET_USER_STATUS procedure sets or modifies the status of an application user account.
You need the ALTER_USER privilege to run this procedure for an application user.
SET_USER_STATUS ( user IN VARCHAR2, status IN PLS_INTEGER);
| Parameter | Description |
|---|---|
user |
The name of the user account whose status needs to be set or updated. |
status |
The new status of the Real Application Security user account. The status values can be divided into several classes:
If you try to pass any other value for the parameter |
The following example sets the user status to LOCKED for user DJONES.
BEGIN
SYS.XS_PRINCIPAL.SET_USER_STATUS('DJONES',XS_PRINCIPAL.LOCKED);
END;
The SET_PASSWORD procedure sets or modifies the password for an application user account. When you use the SET_PASSWORD procedure, it creates a verifier for you based on the password and the type parameter and then inserts the verifier and the value of the type parameter into the dictionary table.
A direct login Real Application Security user can change his or her own password by providing its value using the oldpass parameter. If value of the old password is incorrect, then the failed login count is incremented with each attempt, returning an ORA-28008: invalid old password error. The new password is not set until the old supplied password is correct.
You need the ALTER_USER privilege to run this procedure for an application user or if you are changing the password of other Real Application Security users.
Native Real Application Security users synchronized from external ID stores are not allowed to change their own password. These users must change their password in the originating ID store.
The SET_PASSWORD operation and the SQL*Plus PASSWORD command are both blocked on the logical standby database.
SET_PASSWORD ( user IN VARCHAR2, password IN VARCHAR2, type IN PLS_INTEGER := XS_SHA512, opassword IN VARCHAR2 :=NULL);
| Parameter | Description |
|---|---|
user |
The name of the application user account for which the password is to be set. |
password |
The password to be set. |
type |
The verifier type to be used for the password. The default value is XS_SHA512. The verifier type must be one of the following types:
|
opassword |
The old password. This parameter is required if the Real Application Security user is changing his or her own password. If not provided, then the user must have the required privilege to change his or her own password. |
The following example sets a password for application user SMAVRIS. It also specifies the XS_SHA512 verifier type for the password.
BEGIN
SYS.XS_PRINCIPAL.SET_PASSWORD('SMAVRIS','2Hrd2Guess',XS_PRINCIPAL.XS_SHA512);
END;
The SET_VERIFIER procedure sets or modifies the verifier for an application user account. When you use the SET_VERIFIER procedure, the procedure directly inserts the verifier and the value of the type parameter into the dictionary table. This enables administrators to migrate users into Real Application Security with knowledge of the verifier and not the password.
You need the ALTER_USER privilege to run this procedure for an application user.
The SET_VERIFIER operation and the SQL*Plus PASSWORD command are both blocked on the logical standby database.
set_verifier ( user IN VARCHAR2, verifier IN VARCHAR2, type IN PLS_INTEGER := XS_SHA512);
| Parameter | Description |
|---|---|
user |
The name of the application user for whom the verifier is set. |
verifier |
A character string to be used as the verifier. |
type |
The verifier type to be used. This can be one of the following:
|
The following example sets a verifier for the user SMAVRIS.
BEGIN
SYS.XS_PRINCIPAL.SET_VERIFIER('SMAVRIS','6DFF060084ECE67F',XS_PRINCIPAL.XS_SHA512);
END;
The SET_DESCRIPTION procedure is used to set the description for an application principal.
You need the ALTER USER system privilege to run this procedure for an application user. You need the ALTER ANY ROLE system privilege to run this procedure for an application role.
SET_DESCRIPTION ( principal IN VARCHAR2, description IN VARCHAR2);
| Parameter | Description |
|---|---|
principal |
The name of the principal for which the description is set. |
description |
A descriptive string about the principal. |
The following example sets a description for the application role HRREP:
BEGIN
SYS.XS_PRINCIPAL.SET_DESCRIPTION('HRREP','HR Representative role');
END;
The DELETE_PRINCIPAL procedure drops an application user or application role.
You need the DROP USER system privilege to run this procedure for an application user. You need the DROP ANY ROLE system privilege to run this procedure for an application role.
delete_principal ( principal IN VARCHAR2, delete_option IN PLS_INTEGER:=XS_ADMIN_UTIL.DEFAULT_OPTION);
| Parameter | Description |
|---|---|
principal |
The name of the application user or application role that is to be deleted. |
delete_option |
The delete option to use. The following options are available:
|
The following example deletes the user SMAVRIS using the DEFAULT_OPTION:
BEGIN
SYS.XS_PRINCIPAL.DELETE_PRINCIPAL('SMAVRIS');
END;
The XS_SECURITY_CLASS package includes procedures to create, manage, and delete security classes and their privileges. The package also includes procedures for managing security class inheritance.
The XS_SECURITY_CLASS package is created under the SYS schema. The DBA role is granted the ADMIN_ANY_SEC_POLICY, which allows it to administer schema objects like ACLs, security classes, and security policies across all schemas.
Users can administer schema objects in their own schema if they have been granted the RESOURCE role for the schema. The RESOURCE role and the XS_RESOURCE application role include the ADMIN_SEC_POLICY privilege, required to administer schema objects in the schema.
Table 11-11 Summary of XS_SECURITY_CLASS Subprograms
| Subprogram | Description |
|---|---|
|
Creates a new security class. |
|
|
Adds one or more parent security classes for the specified security class. |
|
|
Removes one or more parent security classes for the specified security class. |
|
|
Adds one or more privileges to the specified security class. |
|
|
Removes one or more privileges for the specified security class. |
|
|
Adds one or more implied privileges for the specified aggregate privilege. |
|
|
Removes one or more implied privileges from an aggregate privilege. |
|
|
Sets a description string for the specified security class. |
|
|
Deletes the specified security class. |
The CREATE_SECURITY_CLASS creates a new security class.
XS_SECURITY_CLASS.CREATE_SECURITY_CLASS ( name IN VARCHAR2, priv_list IN XS$PRIVILEGE_LIST, parent_list IN XS$NAME_LIST := NULL, description IN VARCHAR2 := NULL);
| Parameter | Description |
|---|---|
name |
The name of the security class to be created.
The name is schema qualified, for example, |
priv_list |
The list of privileges to include in the security class. |
parent_list |
The list of parent security classes from which the security class is inherited. This is optional. |
description |
An optional description for the security class. |
The following example creates a security class called HRPRIVS. The security class includes a set of privileges defined in priv_list. The security class uses the DML class as its parent security class.
DECLARE
pr_list XS$PRIVILEGE_LIST;
BEGIN
pr_list :=XS$PRIVILEGE_LIST(
XS$PRIVILEGE(name=>'VIEW_SENSITIVE_INFO'),
XS$PRIVILEGE(name=>'UPDATE_INFO',
implied_priv_list=>XS$NAME_LIST
('"UPDATE"', '"DELETE"', '"INSERT"')));
SYS.XS_SECURITY_CLASS.CREATE_SECURITY_CLASS(
name=>'HRPRIVS',
priv_list=>pr_list,
parent_list=>XS$NAME_LIST('DML'));
END;
The ADD_PARENTS procedure adds one or more parent security classes for the specified security class.
XS_SECURITY_CLASS.ADD_PARENTS ( sec_class IN VARCHAR2, parent IN VARCHAR2); XS_SECURITY_CLASS.ADD_PARENTS ( sec_class IN VARCHAR2, parent_list IN XS$NAME_LIST);
| Parameter | Description |
|---|---|
sec_class |
The name of the security class for which parent classes are to be added.
The name is schema qualified, for example, |
parent |
The name of the parent security class to be added. |
parent_list |
The list of parent classes to be added. |
The following example adds the parent security class GENPRIVS to the HRPRIVS security class.
BEGIN
SYS.XS_SECURITY_CLASS.ADD_PARENTS('HRPRIVS','GENPRIVS');
END;
The REMOVE_PARENTS procedure removes one or more parent classes for the specified security class.
XS_SECURITY_CLASS.REMOVE_PARENTS ( sec_class IN VARCHAR2); XS_SECURITY_CLASS.REMOVE_PARENTS ( sec_class IN VARCHAR2, parent IN VARCHAR2); XS_SECURITY_CLASS.REMOVE_PARENTS ( sec_class IN VARCHAR2, parent_list IN XS$NAME_LIST);
| Parameter | Description |
|---|---|
sec_class |
The name of the security class whose parent classes are to be removed.
The name is schema qualified, for example, |
parent |
The parent security class that is to be removed. |
parent_list |
The list of parent security classes that are to be removed. |
The following example removes the parent security class GENPRIVS from the HRPRIVS security class.
BEGIN
SYS.XS_SECURITY_CLASS.REMOVE_PARENTS('HRPRIVS','GENPRIVS');
END;
The ADD_PRIVILEGES procedure adds one or more privileges to a security class.
XS_SECURITY_CLASS.ADD_PRIVILEGES ( sec_class IN VARCHAR2, priv IN VARCHAR2, implied_priv_list IN XS$NAME_LIST := NULL, description IN VARCHAR2 := NULL); XS_SECURITY_CLASS.ADD_PRIVILEGES ( sec_class IN VARCHAR2, priv_list IN XS$PRIVILEGE_LIST);
| Parameter | Description |
|---|---|
sec_class |
The name of the security class to which the privileges are to be added.
The name is schema qualified, for example, |
priv |
The name of the privilege to be added. |
priv_list |
The list of privileges to be added. |
implied_priv_list |
An optional list of implied privileges to be added. |
description |
An optional description of the privilege being added. |
The following example adds an aggregate privilege called UPDATE_INFO to the HRPRIVS security class. The aggregate privilege contains the implied privileges, UPDATE, DELETE, and INSERT.
BEGIN
SYS.XS_SECURITY_CLASS.ADD_PRIVILEGES(sec_class=>'HRPRIVS',priv=>'UPDATE_INFO',
implied_priv_list=>XS$NAME_LIST('"UPDATE"',
'"DELETE"', '"INSERT"'));
END;
The REMOVE_PRIVILEGES procedure removes one or more privileges from the specified security class. If no privilege name or list is specified, then all privileges are removed from the specified security class.
XS_SECURITY_CLASS.REMOVE_PRIVILEGES ( sec_class IN VARCHAR2, priv IN VARCHAR2); XS_SECURITY_CLASS.REMOVE_PRIVILEGES ( sec_class IN VARCHAR2, priv_list IN XS$NAME_LIST); XS_SECURITY_CLASS.REMOVE_PRIVILEGES ( sec_class IN VARCHAR2);
| Parameter | Description |
|---|---|
sec_class |
The name of the security class for which the privileges are to be removed.
The name is schema qualified, for example, |
priv |
The name of the privilege to be removed. |
priv_list |
The list of privileges to be removed. |
The following example removes the UPDATE_INFO privilege from the HRPRIVS security class.
BEGIN
SYS.XS_SECURITY_CLASS.REMOVE_PRIVILEGES('HRPRIVS','UPDATE_INFO');
END;
The following example removes all privileges from the HRPRIVS security class.
BEGIN
SYS.XS_SECURITY_CLASS.REMOVE_PRIVILEGES('HRPRIVS');
END;
The ADD_IMPLIED_PRIVILEGES procedure adds one or more implied privileges to an aggregate privilege.
XS_SECURITY_CLASS.ADD_IMPLIED_PRIVILEGES ( sec_class IN VARCHAR2, priv IN VARCHAR2, implied_priv IN VARCHAR2); XS_SECURITY_CLASS.ADD_IMPLIED_PRIVILEGES ( sec_class IN VARCHAR2, priv IN VARCHAR2, implied_priv_list IN XS$NAME_LIST);
| Parameter | Description |
|---|---|
sec_class |
The name of the security class to which the privileges are to be added.
The name is schema qualified, for example, |
priv |
Name of the aggregate privilege for which the implied privileges are to be added. |
implied_priv |
The implied privilege to be added. |
implied_priv_list |
A list of implied privileges to be added for the aggregate privilege. |
The following example adds a list of implied privileges for the aggregate privilege UPDATE_INFO to the HRPRIVS security class:
BEGIN
SYS.XS_SECURITY_CLASS.ADD_IMPLIED_PRIVILEGES(sec_class=>'HRPRIVS', priv=>'UPDATE_INFO', implied_priv_list=>XS$NAME_LIST('"UPDATE"', '"DELETE"', '"INSERT"'));
END;
The REMOVE_IMPLIED_PRIVILEGES procedure removes the specified implied privileges from an aggregate privilege. If no implied privileges are specified, then all implied privileges are removed from the aggregate privilege.
XS_SECURITY_CLASS.REMOVE_IMPLIED_PRIVILEGES ( sec_class IN VARCHAR2, priv IN VARCHAR2, implied_priv IN VARCHAR2); XS_SECURITY_CLASS.REMOVE_IMPLIED_PRIVILEGES ( sec_class IN VARCHAR2, priv IN VARCHAR2, implied_priv_list IN XS$NAME_LIST); XS_SECURITY_CLASS.REMOVE_IMPLIED_PRIVILEGES ( sec_class IN VARCHAR2, priv IN VARCHAR2);
| Parameter | Description |
|---|---|
sec_class |
The name of the security class for which the privileges are to be removed.
The name is schema qualified, for example, |
priv |
The name of the aggregate privilege from which the implied privileges are to be removed. |
implied_priv |
The implied privilege to be removed from the aggregate privilege. |
implied_priv_list |
The list of implied privileges to be removed from the aggregate privilege. |
The following example removes the implicit privilege DELETE from the aggregate privilege UPDATE_INFO from the HRPRIVS security class:
BEGIN
SYS.XS_SECURITY_CLASS.REMOVE_IMPLIED_PRIVILEGES('HRPRIVS','UPDATE_INFO','"DELETE"');
END;
The following example removes all implicit privileges from the aggregate privilege UPDATE_INFO from the HRPRIVS security class.
BEGIN
SYS.XS_SECURITY_CLASS.REMOVE_IMPLIED_PRIVILEGES('HRPRIVS','UPDATE_INFO');
END;
The SET_DESCRIPTION procedure sets a description string for the specified security class.
XS_SECURITY_CLASS.SET_DESCRIPTION ( sec_class IN VARCHAR2, description IN VARCHAR2);
| Parameter | Description |
|---|---|
sec_class |
The name of the security class for which the description is to be set.
The name is schema qualified, for example, |
description |
A description string for the specified security class. |
The following example sets a description string for the HRPRIVS security class:
BEGIN
SYS.XS_SECURITY_CLASS.SET_DESCRIPTION(
'HRPRIVS','Contains privileges required to manage HR data');
END;
The DELETE_SECURITY_CLASS procedure deletes the specified security class.
XS_SECURITY_CLASS.DELETE_SECURITY_CLASS ( sec_class IN VARCHAR2, delete_option IN NUMBER:=XS_ADMIN_UTIL.DEFAULT_OPTION);
| Parameter | Description |
|---|---|
sec_class |
The name of the security class to be deleted.
The name is schema qualified, for example, |
delete_option |
The delete option to use. The following options are available:
|
The following example deletes the HRPRIVS security class using the default option:
BEGIN
SYS.XS_SECURITY_CLASS.DELETE_SECURITY_CLASS('HRPRIVS',XS_ADMIN_UTIL.DEFAULT_OPTION);
END;