How to setup ACL on 12c and later (Doc ID 2357072.1)

 In this Document

Goal
Solution


APPLIES TO:

Oracle Database - Enterprise Edition - Version 12.1.0.1 and later
Oracle Database Cloud Schema Service - Version N/A and later
Oracle Database Exadata Cloud Machine - Version N/A and later
Oracle Cloud Infrastructure - Database Service - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Information in this document applies to any platform.

GOAL

In 12c and later, DBMS_NETWORK_ACL_ADMIN.CREATE_ACL and DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL are not recommended.

This document explains how to setup ACL on 12c and later.

SOLUTION

Before 12c, user can setup ACL by following steps.

ex)

SQL> exec DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(acl=> 'ACL_TEST.xml', description=> 'test', principal=> 'TUSER1',is_grant=> true, privilege =>'connect');

PL/SQL procedure successfully completed.

SQL> exec DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(acl=> 'ACL_TEST.xml',principal => 'TUSER1',is_grant=> TRUE,privilege => 'connect');

PL/SQL procedure successfully completed.

--Before assigning ACL, DBA_NETWORK_ACLS does not show created ACL information yet.
SQL> select acl from DBA_NETWORK_ACLS;

ACL
--------------------------------------------------------------------------------
NETWORK_ACL_5C2F97A6F353789CE0537390BC0A9D78

SQL> exec DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(acl => 'ACL_TEST99.xml', host => 'testhost.jp.oracle.com');

PL/SQL procedure successfully completed.

SQL> select acl from DBA_NETWORK_ACLS;

ACL
--------------------------------------------------------------------------------
/sys/acls/ACL_TEST99.xml
NETWORK_ACL_5C2F97A6F353789CE0537390BC0A9D78

 

In 12c and later, user can setup by using DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE instead of aboves.

ex)

SQL> exec DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(host => 'testhost.jp.oracle.com', ace => xs$ace_type(privilege_list => xs$name_list('connect'), principal_name => 'TUSER1',principal_type => xs_acl.ptype_db));

PL/SQL procedure successfully completed.

 

[For 12.1]
https://docs.oracle.com/database/121/DBSEG/fine_grained_access.htm#DBSEG99982
Database Security Guide 12.1
6 Managing Fine-Grained Access in PL/SQL Packages and Types
About Fine-Grained Access Control to External Network Services

https://docs.oracle.com/database/121/ARPLS/d_networkacl_adm.htm#ARPLS148
Database PL/SQL Packages and Types Reference 12.1
101 DBMS_NETWORK_ACL_ADMIN

[For 12.2]
https://docs.oracle.com/en/database/oracle/oracle-database/12.2/dbseg/managing-fine-grained-access-in-pl-sql-packages-and-types.html#GUID-3A9008A8-A38B-4BBA-B520-8724A518EE54
Database Security Guide 12.2
6 Managing Fine-Grained Access in PL/SQL Packages and Types
About Fine-Grained Access Control to External Network Services

https://docs.oracle.com/en/database/oracle/oracle-database/12.2/arpls/DBMS_NETWORK_ACL_ADMIN.html#GUID-254AE700-B355-4EBC-84B2-8EE32011E692
PL/SQL Packages and Types Reference 12.2
107 DBMS_NETWORK_ACL_ADMIN

Comments

Post a Comment

Popular posts from this blog

How To Purge Optimizer Statistics Advisor Old Records From 12.2 Onwards (Doc ID 2660128.1)

  In this Document Goal Solution References APPLIES TO: Oracle Database - Enterprise Edition - Version 12.2.0.1 and later Oracle Cloud Infrastructure - Database Service - Version N/A and later Information in this document applies to any platform. GOAL Goal of this document is to provide the method to purge the old records of Optimizer Statistics Advisor Task namely AUTO_STATS_ADVISOR_TASK that consumes huge SYSAUX space. Huge no.of old records retained in WRI$_ADV_OBJECTS for AUTO_STATS_ADVISOR_TASK or INDIVIDUAL_STATS_ADVISOR_TASK incurs heavy SYSAUX space. AUTO_STATS_ADVISOR_TASK is meant for Automatic Statistics Advisor task while INDIVIDUAL_STATS_ADVISOR_TASK is for Manual Statistics Advisor task.  DBA_ADVISOR_PARAMETERS displays all advisor task parameters and their current values in the database. There is a parameter name called EXECUTION_DAYS_TO_EXPIRE. This parameter is set in no.of days. Executions older than the value(no.of days) set would be purged automaticall...
Read more

Oracle session snapper

-- use dbms_session.sleep instead of dbms_lock on oracle 18c or higher -- last column  is sid  -- scipt_name   stat_to_collect   secods_of_snap  how_many_snap   sessions_to_snap -- @snapper all 100 1 lgdr@* -- @snapper all 100 1 sqlid@* -- @snapper all 190 1 all -- @snapper all 190 1 584 -- @snapper all 30 3 584 -- @snapper all 5 1 869 -- @snapper all 30 1 584 -- @snapper ash 5 1 144 -- @snapper ash=sql_id+event+wait_class+blocking_session+p2+p3 5 1 144 -- @snapper ash 5 1 156 -- @snapper ash 190  1 all -- @snapper ash 5 1 all -- @snapper ash=sid+event+wait_class 5 1 all -- @snapper ash=sid+event+wait_class,ash1=plsql_object_id+plsql_subprogram_id+sql_id 5 1 all -- @snapper ash=sid+event+wait_class,ash1=plsql_object_id+plsql_subprogram_id+sql_id,ash2=program+module+action 5 1 all -- @snapper ash=event+wait_class,stats,gather=ts,tinclude=CPU,sinclude=parse 5 1 all -- @snapper ash=sid+event+wait_class,ash1=sid+sqlid+module,stats,gather...
Read more

Oracle Materialized View In-Depth and Materialized View refresh issues in 19c

   We    had  situation demanding  tuning of  MV  refresh and  options  like  TUNE_MVIEW  and Atomic_Refresh was explored . Hence  Documenting materialized view sample commands  and views in this  blog .     After migration if we are  facing slowness  in  Materialized View refresh , we can explore to re-create  Materialized View   Since  main topic for this blog   was MV issues  in 19c ,  posting that topic   first in line below  We also   have Real-Time Materialized Views  to explore .  To Note :  1) We can  create Mv  on ON PREBUILT TABLE  2) We can create Index on Mv  3) We can  gather stats on mv  just like other table .  4) Mv can be REFRESH_MODE ON COMMIT / REFRESH ON DEMAND. 5) Mv  REFRESH_METHOD can be  Complete / FAST or FORCE . A FORCE attempts a FAST...
Read more