4.1 DIRECTORY Objects
A BFILE
locator is initialized by using the function BFILENAME(DIRECTORY, FILENAME)
. This section describes how to initialize the DIRECTORY
Object.
A DIRECTORY
object specifies a logical alias name for a physical directory on the database server file system under which the file to be accessed is located. You can access a file in the server file system only if you have the required access privilege on the DIRECTORY
object. You can also use Oracle Enterprise Manager Cloud Control to manage the DIRECTORY
objects.
The DIRECTORY
object provides the flexibility to manage the locations of
the files, instead of forcing you to hard-code the absolute path names of physical files
in your applications.
A DIRECTORY
object name is used in conjunction with the BFILENAME
function, in SQL and PL/SQL, or the OCILobFileSetName()
function in OCI, for initializing a BFILE
locator.
See Also:
-
CREATE
DIRECTORY
in Oracle Database SQL Language Reference -
See Oracle Database Administrator's Guide for the description of Oracle Enterprise Manager Cloud Control
4.1.1 DIRECTORY Name Specification
You must have CREATE ANY DIRECTORY
system privilege to create directories.
The naming convention for DIRECTORY
objects is the same as that for
tables and indexes. That is, normal identifiers are interpreted in uppercase, but
delimited identifiers are interpreted as is. For example, the following statement:
CREATE OR REPLACE DIRECTORY scott_dir AS '/usr/home/scott';
creates or redefines a DIRECTORY
object whose name is 'SCOTT_DIR
' (in uppercase). But if a delimited identifier is used for the DIRECTORY
name, as shown in the following statement
CREATE DIRECTORY "Mary_Dir" AS '/usr/home/mary';
then the DIRECTORY
directory object name is 'Mary_Dir
'. Use 'SCOTT_DIR
' and 'Mary_Dir
' when calling BFILENAME
. For example:
BFILENAME('SCOTT_DIR', 'afile') BFILENAME('Mary_Dir', 'afile')
WARNING:
The database does not verify that the directory and path name you specify actually exist. You must ensure to specify a valid directory name in your operating system. If your operating system uses case-sensitive path names, then be sure that you specify the directory name in the correct format. There is no requirement to specify a terminating slash (for example, /tmp/
is not necessary, simply use /tmp
).
Directory specifications cannot contain ".." anywhere in the path (for
example: ../../abc/def
or abc/../def
or
abc/def/hij..
On Windows Platform
On Windows platforms the directory names are case-insensitive. Therefore the following two statements refer to the same directory:
CREATE DIRECTORY "big_cap_dir" AS "g:\data\source"; CREATE DIRECTORY "small_cap_dir" AS "G:\DATA\SOURCE";
4.1.2 Security on Directory Objects
This section describes the security on DIRECTORY
objects.
The DIRECTORY
object model has two distinct levels of security:
- SQL DDL:
CREATE
orDROP
aDIRECTORY
object - SQL DML:
READ
system and object privileges onDIRECTORY
objects
DBA Privileges: CREATE /
DROP DIRECTORY
The DIRECTORY
object is a system owned object.
Oracle Database supports the following system privileges, which are granted only to
DBA:
-
CREATE
ANY
DIRECTORY
: For creating or altering theDIRECTORY
object creation -
DROP
ANY
DIRECTORY
: For deleting theDIRECTORY
object
WARNING:
BecauseCREATE
ANY
DIRECTORY
and DROP
ANY
DIRECTORY
privileges potentially expose the server file system to all database users, the DBA should be prudent in granting these privileges to normal database users to prevent security breach.
See Also:
Oracle Database SQL Language Reference for information about system owned objects,CREATE DIRECTORY
and DROP DIRECTORY
USER Privileges: READ Permission on the Directory
READ
permission on the DIRECTORY
object enables you to read files located under that directory. The creator of the
DIRECTORY
object automatically earns the READ
privilege.
If you have been granted the READ
permission with GRANT
option, then you may in turn grant this privilege to other users or roles and then add them to your privilege domains.
Note:
TheREAD
permission is defined only on the DIRECTORY
object, not on individual files. Hence there is no way to assign different privileges to files in the same directory.
The physical directory that it represents may or may not have the corresponding operating system privileges (read in this case) for the Oracle Server process.
It is the responsibility of the DBA to ensure the following:
- That the physical directory exists
- Read permission for the Oracle Server process is enabled on the file, the directory, and the path leading to it
- The directory remains available, and read permission remains enabled, for the entire duration of file access by database users
The privilege just implies that as far as the Oracle Server is concerned,
you may read from files in the directory. These privileges are checked and enforced
by the PL/SQL DBMS_LOB
package and OCI APIs at the time of the
actual file operations.
See Also:
- Guidelines for DIRECTORY Usage
- Oracle Database SQL Language Reference for information about the
GRANT, REVOKE
andAUDIT
system and object privileges that provide security forBFILE
s.
Catalog Views on DIRECTORY Objects
Catalog views are provided for DIRECTORY
objects to enable users to view object names and corresponding paths and privileges. Following are the supported views:
ALL_DIRECTORIES
(OWNER
,DIRECTORY_NAME
,DIRECTORY_PATH
)This view describes all directories accessible to the user.
DBA_DIRECTORIES
(OWNER
,DIRECTORY_NAME
,DIRECTORY_PATH
)This view describes all directories specified for the entire database.