The DBMS_NETWORK_ACL_ADMIN
package provides the interface to administer the network Access Control List (ACL).
See Also:
For more information, see "Managing Fine-grained Access to External Network Services" in Oracle Database Security GuideThe chapter contains the following topics:
Grant the connect and resolve privileges for host www.us.oracle.com to SCOTT.
BEGIN DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(acl => 'www.xml', description => 'WWW ACL', principal => 'SCOTT', is_grant => true, privilege => 'connect'); DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(acl => 'www.xml', principal => 'SCOTT', is_grant => true, privilege => 'resolve'); DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(acl => 'www.xml', host => 'www.us.oracle.com'); END; / COMMIT;
Grant the resolve privilege for www.us.oracle.com to ADAMS. Since an ACL for www.us.oracle.com exists already, just add the privilege for ADAMS.
BEGIN DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(acl => 'www.xml', principal => 'ADAMS', is_grant => true, privilege => 'resolve'); END; / COMMIT;
Assign the ACL www.xml to www-proxy.us.oracle.com so that SCOTT and ADAMS can access www-proxy.us.oracle.com also.
BEGIN DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(acl => 'www.xml', host => 'www-proxy.us.oracle.com'); END; / COMMIT;
Unassign the ACL from www.us.oracle.com so that no access to www.us.oracle.com is allowed.
BEGIN DBMS_NETWORK_ACL_ADMIN.UNASSIGN_ACL(host => 'www.us.oracle.com'); END; / COMMIT;
The DOMAINS Function in the DBMS_NETWORK_ACL_UTLILITY package returns all the domains to which a host belongs. It can be used in conjunction with the CHECK_PRIVILEGE_ACLID Function in this package to determine the privilege assignments affecting a user's permission to access a network host. The function DOMAIN_LEVEL Function in the DBMS_NETWORK_ACL_UTILITY package returns the level of each domain and can be used to order the ACL assignments by their precedence.
For example, for SCOTT's permission to connect to www.us.oracle.com:
SELECT host, lower_port, upper_port, acl, DECODE( DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE_ACLID(aclid, 'SCOTT', 'connect'), 1, 'GRANTED', 0, 'DENIED', NULL) privilege FROM dba_network_acls WHERE host IN (SELECT * FROM TABLE(DBMS_NETWORK_ACL_UTILITY.DOMAINS('www.us.oracle.com'))) ORDER BY DBMS_NETWORK_ACL_UTILITY.DOMAIN_LEVEL(host) desc, lower_port, upper_port; HOST LOWER_PORT UPPER_PORT ACL PRIVILEGE -------------------- ---------- ---------- -------------------- --------- www.us.oracle.com 80 80 /sys/acls/www.xml GRANTED www.us.oracle.com 3000 3999 /sys/acls/www.xml GRANTED www.us.oracle.com /sys/acls/www.xml GRANTED *.oracle.com /sys/acls/all.xml * /sys/acls/all.xml
For example, for SCOTT's permission to do domain name resolution for www.us.oracle.com:
SELECT host, acl, DECODE( DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE_ACLID(aclid, 'SCOTT', 'resolve'), 1, 'GRANTED', 0, 'DENIED', NULL) privilege FROM dba_network_acls WHERE host IN (SELECT * FROM TABLE(DBMS_NETWORK_ACL_UTILITY.DOMAINS('www.us.oracle.com'))) and lower_port IS NULL AND upper_port IS NULL ORDER BY DBMS_NETWORK_ACL_UTILITY.DOMAIN_LEVEL(host) desc; HOST ACL PRIVILEGE -------------------- -------------------- --------- www.us.oracle.com /sys/acls/www.xml GRANTED *.oracle.com /sys/acls/all.xml * /sys/acls/all.xml
Note that the 'resolve
' privilege takes effect only in ACLs assigned without any port range (when lower_port
and upper_port
are NULL
). For this reason, the example does not include lower_port
and upper_port
columns in the query.
Table 94-1 DBMS_NETWORK_ACL_ADMIN Package Subprograms
Subprogram | Description |
---|---|
Adds a privilege to grant or deny the network access to the user in an access control list (ACL) |
|
Assigns an access control list (ACL) to a network host, and optionally specific to a TCP port range |
|
Assigns an access control list (ACL) to a wallet |
|
Checks if a privilege is granted to or denied from the user in an access control list (ACL) |
|
Checks if a privilege is granted to or denied from the user in an ACL by specifying the object ID of the access control list |
|
Creates an access control list (ACL) with an initial privilege setting |
|
Deletes a privilege in an access control list (ACL) |
|
Drops an access control list (ACL) |
|
Unassigns the access control list (ACL) currently assigned to a network host |
|
Unassigns the access control list (ACL) currently assigned to a wallet |
This procedure adds a privilege to grant or deny the network access to the user. The access control entry (ACE) is created if it does not exist.
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE ( acl IN VARCHAR2, principal IN VARCHAR2, is_grant IN BOOLEAN, privilege IN VARCHAR2, position IN PLS_INTEGER DEFAULT NULL, start_date IN TIMESTAMP WITH TIMESTAMP DEFAULT NULL, end_date IN TIMESTAMP WITH TIMESTAMP DEFAULT NULL );
Table 94-2 ADD_PRIVILEGE Function Parameters
Parameter | Description |
---|---|
|
Name of the ACL. Relative path will be relative to "/sys/acls" |
|
Principal (database user or role) to whom the privilege is granted or denied. Case sensitive. |
|
Privilege is granted or denied. |
|
Network privilege to be granted or denied |
|
Position (1-based) of the ACE. If a non- |
|
Start date of the access control entry (ACE). When specified, the ACE will be valid only on and after the specified date. The |
|
End date of the access control entry (ACE). When specified, the ACE expires after the specified date. The |
To remove the permission, use the DELETE_PRIVILEGE Procedure.
This procedure assigns an access control list (ACL) to a host computer, domain, or IP subnet, and if specified, the TCP port range.
DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL ( acl IN VARCHAR2, host IN VARCHAR2, lower_port IN PLS_INTEGER DEFAULT NULL, upper_port IN PLS_INTEGER DEFAULT NULL);
Table 94-3 ASSIGN_ACL Function Parameters
Parameter | Description |
---|---|
|
Name of the ACL. Relative path will be relative to " |
|
Host to which the ACL is to be assigned. The host can be the name or the IP address of the host. A wildcard can be used to specify a domain or a IP subnet. The host or domain name is case-insensitive. |
|
Lower bound of a TCP port range if not |
|
Upper bound of a TCP port range. If |
Only one ACL can be assigned to any host computer, domain, or IP subnet, and if specified, the TCP port range. When you assign a new access control list to a network target, Oracle Database unassigns the previous access control list that was assigned to the same target. However, Oracle Database does not drop the access control list. You can drop the access control list by using the DROP_ACL Procedure. To remove an access control list assignment, use the UNASSIGN_ACL Procedure.
The ACL assigned to a domain takes a lower precedence than the other ACLs assigned sub-domains, which take a lower precedence than the ACLs assigned to the individual hosts. So for a given host, for example, "www.us.oracle.com", the following domains are listed in decreasing precedences:
- www.us.oracle.com
- *.us.oracle.com
- *.oracle.com
- *.com
- *
In the same way, the ACL assigned to an subnet takes a lower precedence than the other ACLs assigned smaller subnets, which take a lower precedence than the ACLs assigned to the individual IP addresses. So for a given IP address, for example, "192.168.0.100", the following subnets are listed in decreasing precedences:
- 192.168.0.100
- 192.168.0.*
- 192.168.*
- 192.*
- *
The port range is applicable only to the "connect" privilege assignments in the ACL. The "resolve" privilege assignments in an ACL have effects only when the ACL is assigned to a host without a port range.
For the "connect" privilege assignments, an ACL assigned to the host without a port range takes a lower precedence than other ACLs assigned to the same host with a port range.
When specifying a TCP port range, both lower_port
and upper_port
must not be NULL
and upper_port
must be greater than or equal to lower_port
. The port range must not overlap with any other port ranges for the same host assigned already.
To remove the assignment, use UNASSIGN_ACL Procedure.
This procedure assigns an access control list (ACL) to a wallet.
To remove the assignment, use the UNASSIGN_WALLET_ACL Procedure.
BEGIN DBMS_NETWORK_ACL_ADMIN.CREATE_ACL( acl => 'wallet-acl.xml', description => 'Wallet ACL', principal => 'SCOTT', is_grant => TRUE, privilege => 'use-client-certificates'); DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE( acl => 'wallet-acl.xml', principal => 'SCOTT', is_grant => TRUE, privilege => 'use-passwords'); DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL( acl => 'wallet-acl.xml', wallet_path => 'file:/oracle/wallets/test_wallet'); END;
This function checks if a privilege is granted to or denied from the user in an ACL.
DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE ( acl IN VARCHAR2, user IN VARCHAR2, privilege IN VARCHAR2) RETURN NUMBER;
Table 94-5 CHECK_PRIVILEGE Function Parameters
Parameter | Description |
---|---|
|
Name of the ACL. Relative path will be relative to "/sys/acls". |
|
User to check against. If the user is |
|
Network privilege to check |
Returns 1 when the privilege is granted; 0 when the privilege is denied; NULL
when the privilege is neither granted or denied.
This function checks if a privilege is granted to or denied from the user in an ACL by specifying the object ID of the access control list.
DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE_ACLID ( aclid IN RAW, user IN VARCHAR2 DEFAULT NULL) privilege IN VARCHAR2, RETURN NUMBER;
This procedure creates an access control list (ACL) with an initial privilege setting. An ACL must have at least one privilege setting. The ACL has no access control effect unless it is assigned to the network target.
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL ( acl IN VARCHAR2, description IN VARCHAR2, principal IN VARCHAR2, is_grant IN BOOLEAN, privilege IN VARCHAR2, start_date IN TIMESTAMP WITH TIMEZONE DEFAULT NULL, end_date IN TIMESTAMP WITH TIMEZONE DEFAULT NULL );
Table 94-7 CREATE_ACL Procedure Parameters
Parameter | Description |
---|---|
|
Name of the ACL. Relative path will be relative to "/sys/acls". |
|
Description attribute in the ACL |
|
Principal (database user or role) to whom the privilege is granted or denied. Case sensitive. |
|
Privilege is granted or not (denied) |
|
Network privilege to be granted or denied - |
|
Start date of the access control entry (ACE). When specified, the ACE is valid only on and after the specified date. |
|
End date of the access control entry (ACE). When specified, the ACE expires after the specified date. The |
To drop the access control list, use the DROP_ACL Procedure.
This procedure deletes a privilege in an access control list.
DBMS_NETWORK_ACL_ADMIN.DELETE_PRIVILEGE ( acl IN VARCHAR2, principal IN VARCHAR2, is_grant IN BOOLEAN DEFAULT NULL, privilege IN VARCHAR2 DEFAULT NULL);
Table 94-8 DELETE_PRIVILEGE Function Parameters
Parameter | Description |
---|---|
|
Name of the ACL. Relative path will be relative to "/sys/acls". |
|
Principal (database user or role) for whom all the ACE will be deleted |
|
Privilege is granted or not (denied). If a |
|
Network privilege to be deleted. If a |
This procedure unassigns the access control list (ACL) currently assigned to a network host.
DBMS_NETWORK_ACL_ADMIN.UNASSIGN_ACL ( acl IN VARCHAR2 DEFAULT NULL, host IN VARCHAR2 DEFAULT NULL, lower_port IN PLS_INTEGER DEFAULT NULL, upper_port IN PLS_INTEGER DEFAULT NULL);
Table 94-10 UNASSIGN_ACL Function Parameters
Parameter | Description |
---|---|
|
Name of the ACL. Relative path will be relative to "/sys/acls". If ACL is |
|
Host from which the ACL is to be removed. The host can be the name or the IP address of the host. A wildcard can be used to specify a domain or a IP subnet. The host or domain name is case-insensitive. If host is |
|
Lower bound of a TCP port range if not |
|
Upper bound of a TCP port range. If |
This procedure unassigns the access control list (ACL) currently assigned to a wallet.
UTL_HTTP.UNASSIGN_WALLET_ACL ( acl IN VARCHAR2 DEFAULT NULL, wallet_path IN VARCHAR2 DEFAULT NULL);
Table 94-11 UNASSIGN_WALLET_ACL Procedure Parameters
Parameter | Description |
---|---|
|
Name of the ACL. Relative path will be relative to |
|
Directory path of the wallet to which the ACL is assigned. The path is case-sensitive and of the format |