121 DBMS_NETWORK_ACL_ADMIN
The DBMS_NETWORK_ACL_ADMIN package provides the interface to administer the network Access Control List (ACL).
See Also:
For more information, see "Managing Fine-grained Access to External Network Services" in Oracle Database Security Guide
121.1 DBMS_NETWORK_ACL_ADMIN Overview
The DBMS_NETWORK_ACL_ADMIN package provides the interface to administer the network access control lists (ACL).
ACLs are used to control access by users to external network services and resources from the database through PL/SQL network utility packages including UTL_TCP, UTL_HTTP, UTL_SMTP and UTL_INADDR.
121.2 DBMS_NETWORK_ACL_ADMIN Deprecated Subprograms
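Oracle recommends that you do not use deprecated subprograms in new applications. Support for deprecated features is for backward compatibility only.
The following subprograms are deprecated with release Oracle Database 12c:
- ADD_PRIVILEGE Procedure
- ASSIGN_ACL Procedure
- ASSIGN_WALLET_ACL Procedure
- CHECK_PRIVILEGE Function
- CHECK_PRIVILEGE_ACLID Function
- CREATE_ACL Procedure
- DELETE_PRIVILEGE Procedure
- DROP_ACL Procedure
- UNASSIGN_ACL Procedure
- UNASSIGN_WALLET_ACL Procedure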
121.3 DBMS_NETWORK_ACL_ADMIN Security Model
The EXECUTE privilege on the DBMS_NETWORK_ACL_ADMIN package is granted to the DBA role and to the EXECUTE_CATALOG_ROLE by default.
121.4 DBMS_NETWORK_ACL_ADMIN Constants
The DBMS_NETWORK_ACL_ADMIN package defines constants to use when specifying parameter values.
These are shown in the following table.
Table 121-1 DBMS_NETWORK_ACL_ADMIN Constants
| Constant | Type | Value | Description |
|---|---|---|---|
| | | | IP address mask: |
| | | ' | IP subnet mask: |
| | | '[ | Hostname mask: |
| | | ''\*(\.[^\.\:\/\*]+)*' | Domain mask: |
121.5 DBMS_NETWORK_ACL_ADMIN Exceptions
The following table lists the exceptions raised by the DBMS_NETWORK_ACL_ADMIN package.
Table 121-2 DBMS_NETWORK_ACL_ADMIN Exceptions
| Exception | Error Code | Description |
|---|---|---|
| | | ACE already exists |
| | | Empty ACL |
| | | ACL not found |
| | | ACL already exists |
| | | Invalid ACL path |
| | | Invalid host |
| | | Invalid privilege |
| | | Invalid wallet path |
| | | Bad argument |
| | | Unresolved principal |
| | | Privilege not granted |
121.6 DBMS_NETWORK_ACL_ADMIN Examples
Example 1
Grant the connect and resolve privileges for host www.us.example.com to SCOTT.
```sql
BEGIN
  -- Append one ACE granting both privileges to database user SCOTT
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host => 'www.us.example.com',
    ace  => xs$ace_type(privilege_list => xs$name_list('connect', 'resolve'),
                        principal_name => 'scott',
                        principal_type => xs_acl.ptype_db));
END;
```
Example 2
Revoke the resolve privilege for host www.us.example.com from SCOTT.
```sql
BEGIN
  -- Remove only the resolve privilege; connect stays in place
  DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE(
    host => 'www.us.example.com',
    ace  => xs$ace_type(privilege_list => xs$name_list('resolve'),
                        principal_name => 'scott',
                        principal_type => xs_acl.ptype_db));
END;
```
Example 3
Grant the use_client_certificates and use_passwords privileges for wallet file:/example/wallets/hr_wallet to SCOTT.
```sql
BEGIN
  -- Allow SCOTT to use the certificates and passwords stored in the wallet
  DBMS_NETWORK_ACL_ADMIN.APPEND_WALLET_ACE(
    wallet_path => 'file:/example/wallets/hr_wallet',
    ace         => xs$ace_type(privilege_list => xs$name_list('use_client_certificates', 'use_passwords'),
                               principal_name => 'scott',
                               principal_type => xs_acl.ptype_db));
END;
```
Example 4
Revoke the use_passwords privilege for wallet file:/example/wallets/hr_wallet from SCOTT.
```sql
BEGIN
  -- Remove only use_passwords; use_client_certificates stays in place
  DBMS_NETWORK_ACL_ADMIN.REMOVE_WALLET_ACE(
    wallet_path => 'file:/example/wallets/hr_wallet',
    ace         => xs$ace_type(privilege_list => xs$name_list('use_passwords'),
                               principal_name => 'scott',
                               principal_type => xs_acl.ptype_db));
END;
```
Example 5
The CONTAINS_HOST function in the DBMS_NETWORK_ACL_UTILITY package determines if a host is contained in a domain. It can be used in conjunction with the DBA_HOST_ACES view to determine the users and their privilege assignments to access a network host. For example, for access to www.us.example.com:
```sql
SELECT HOST, LOWER_PORT, UPPER_PORT, ACE_ORDER, PRINCIPAL, PRINCIPAL_TYPE,
       GRANT_TYPE, INVERTED_PRINCIPAL, PRIVILEGE, START_DATE, END_DATE
  FROM (SELECT ACES.*,
               DBMS_NETWORK_ACL_UTILITY.CONTAINS_HOST('www.us.example.com', HOST) PRECEDENCE
          FROM DBA_HOST_ACES ACES)
 WHERE PRECEDENCE IS NOT NULL
 ORDER BY PRECEDENCE DESC,
          LOWER_PORT NULLS LAST,
          UPPER_PORT NULLS LAST,
          ACE_ORDER;
```
```
HOST               LOWER_PORT UPPER_PORT ACE_ORDER PRINCIPAL PRINCIPAL_TYPE   GRANT_TYPE INVERTED_PRINCIPAL PRIVILEGE  START_DATE END_DATE
------------------ ---------- ---------- --------- --------- ---------------- ---------- ------------------ ---------- ---------- --------
www.us.example.com         80         80         1 SCOTT     DATABASE USER    GRANT      NO                 HTTP
www.us.example.com         80         80         2 ADAMS     DATABASE USER    GRANT      NO                 HTTP
*                                                1 HQ_DBA    DATABASE USER    GRANT      NO                 CONNECT
*                                                1 HQ_DBA    DATABASE USER    GRANT      NO                 RESOLVE
```
Example 6
For example, for HQ_DBA's own permission to access www.us.example.com:
```sql
SELECT HOST, LOWER_PORT, UPPER_PORT, PRIVILEGE, STATUS
  FROM (SELECT ACES.*,
               DBMS_NETWORK_ACL_UTILITY.CONTAINS_HOST('www.us.example.com', HOST) PRECEDENCE
          FROM USER_HOST_ACES ACES)
 WHERE PRECEDENCE IS NOT NULL
 ORDER BY PRECEDENCE DESC,
          LOWER_PORT NULLS LAST,
          UPPER_PORT NULLS LAST;
```
```
HOST               LOWER_PORT UPPER_PORT PRIVILEGE STATUS
------------------ ---------- ---------- --------- -------
*                                        CONNECT   GRANTED
*                                        RESOLVE   GRANTED
```
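An added review query (not part of the Oracle documentation) that uses the DBA_HOST_ACES columns shown in Example 5 to list grants wider than one named host on one port range. The finding labels, and the choice of what counts as too wide, are assumptions of this example.

```sql
-- Added example: flag network ACEs that are broader than a single named
-- host on an explicit port range. Column names are those returned by the
-- Example 5 query; the "finding" labels are this example's own.
SELECT principal,
       host,
       lower_port,
       upper_port,
       privilege,
       CASE
         WHEN host = '*'
           THEN 'any host'
         WHEN host LIKE '*.%' OR host LIKE '%.*'
           THEN 'wildcard domain or IP subnet'
         WHEN UPPER(privilege) = 'CONNECT' AND lower_port IS NULL
           THEN 'connect without a port range'
       END AS finding,
       start_date,
       end_date
  FROM dba_host_aces
 WHERE grant_type = 'GRANT'
   AND (   host = '*'                        -- matches every host
        OR host LIKE '*.%'                   -- domain wildcard, e.g. *.example.com
        OR host LIKE '%.*'                   -- subnet wildcard, e.g. 192.168.*
        OR (UPPER(privilege) = 'CONNECT' AND lower_port IS NULL))
 ORDER BY CASE
            WHEN host = '*' THEN 1
            WHEN host LIKE '*.%' OR host LIKE '%.*' THEN 2
            ELSE 3
          END,
          principal,
          host,
          lower_port NULLS LAST;
```

Against the sample rows in Example 5, this returns the two HQ_DBA entries on host * and omits the SCOTT and ADAMS entries, which are limited to www.us.example.com on port 80.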
121.7 Summary of DBMS_NETWORK_ACL_ADMIN Subprograms
This table lists and briefly describes the DBMS_NETWORK_ACL_ADMIN package subprograms.
Table 121-3 DBMS_NETWORK_ACL_ADMIN Package Subprograms
Subprogram | Description |
---|---|
ADD_PRIVILEGE Procedure | [DEPRECATED] Adds a privilege to grant or deny the network access to the user in an access control list (ACL) |
APPEND_HOST_ACE Procedure | Appends an access control entry (ACE) to the access control list (ACL) of a network host. |
APPEND_HOST_ACL Procedure | Appends access control entries (ACE) of an access control list (ACL) to the ACL of a network host |
APPEND_WALLET_ACE Procedure | Appends an access control entry (ACE) to the access control list (ACL) of a wallet |
APPEND_WALLET_ACL Procedure | Appends access control entries (ACE) of an access control list (ACL) to the ACL of a wallet |
ASSIGN_ACL Procedure | [DEPRECATED] Assigns an access control list (ACL) to a host computer, domain, or IP subnet, and if specified, the TCP port range. |
ASSIGN_WALLET_ACL Procedure | [DEPRECATED] Assigns an access control list (ACL) to a wallet |
CHECK_PRIVILEGE Function | [DEPRECATED] Checks if a privilege is granted to or denied from the user in an access control list (ACL) |
CHECK_PRIVILEGE_ACLID Function | [DEPRECATED] Checks if a privilege is granted to or denied from the user in an ACL by specifying the object ID of the access control list |
CREATE_ACL Procedure | [DEPRECATED] Creates an access control list (ACL) with an initial privilege setting |
DELETE_PRIVILEGE Procedure | [DEPRECATED] Deletes a privilege in an access control list (ACL) |
DROP_ACL Procedure | [DEPRECATED] Drops an access control list (ACL) |
REMOVE_HOST_ACE Procedure | Removes privileges from access control entries (ACE) in the access control list (ACL) of a network host matching the given ACE |
REMOVE_WALLET_ACE Procedure | Removes privileges from access control entries (ACE) in the access control list (ACL) of a wallet matching the given ACE |
SET_HOST_ACL Procedure | Sets the access control list (ACL) of a network host which controls access to the host from the database |
SET_WALLET_ACL Procedure | Sets the access control list (ACL) of a wallet which controls access to the wallet from the database |
UNASSIGN_ACL Procedure | [DEPRECATED] Unassigns the access control list (ACL) currently assigned to a network host |
UNASSIGN_WALLET_ACL Procedure | [DEPRECATED] Unassigns the access control list (ACL) currently assigned to a wallet |
121.7.1 ADD_PRIVILEGE Procedure
This procedure adds a privilege to grant or deny the network access to the user. The access control entry (ACE) is created if it does not exist.
Note:
This procedure is deprecated in Oracle Database 12c. While the procedure remains available in the package for reasons of backward compatibility, Oracle recommends using the APPEND_HOST_ACE Procedure and the APPEND_WALLET_ACE Procedure.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE (
   acl         IN VARCHAR2,
   principal   IN VARCHAR2,
   is_grant    IN BOOLEAN,
   privilege   IN VARCHAR2,
   position    IN PLS_INTEGER DEFAULT NULL,
   start_date  IN TIMESTAMP WITH TIME ZONE DEFAULT NULL,
   end_date    IN TIMESTAMP WITH TIME ZONE DEFAULT NULL);
```
Parameters
Table 121-4 ADD_PRIVILEGE Function Parameters
Parameter | Description |
---|---|
acl | Name of the ACL. Relative path will be relative to "/sys/acls" |
principal | Principal (database user or role) to whom the privilege is granted or denied. Case sensitive. |
is_grant | Privilege is granted or denied. |
privilege | Network privilege to be granted or denied |
position | Position (1-based) of the ACE. If a non- |
start_date | Start date of the access control entry (ACE). When specified, the ACE will be valid only on and after the specified date. The |
end_date | End date of the access control entry (ACE). When specified, the ACE expires after the specified date. The |
Usage Notes
To remove the permission, use the DELETE_PRIVILEGE Procedure.
Examples
```sql
BEGIN
  -- Grant the connect privilege to ST_USERS in an existing ACL
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl       => 'us-example-com-permissions.xml',
    principal => 'ST_USERS',
    is_grant  => TRUE,
    privilege => 'connect');
END;
```
121.7.2 APPEND_HOST_ACE Procedure
This procedure appends an access control entry (ACE) to the access control list (ACL) of a network host. The ACL controls access to the given host from the database and the ACE specifies the privileges granted to or denied from the specified principal.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE (
   host        IN VARCHAR2,
   lower_port  IN PLS_INTEGER DEFAULT NULL,
   upper_port  IN PLS_INTEGER DEFAULT NULL,
   ace         IN XS$ACE_TYPE);
```
Parameters
Table 121-5 APPEND_HOST_ACE Function Parameters
Parameter | Description |
---|---|
host | The host, which can be the name or the IP address of the host. You can use a wildcard to specify a domain or an IP subnet. The host or domain name is case-insensitive. |
lower_port | Lower bound of an optional TCP port range |
upper_port | Upper bound of an optional TCP port range. If |
ace | The ACE |
Usage Notes
- Duplicate privileges in the matching ACE in the host ACL will be skipped.
- To remove the ACE, use the REMOVE_HOST_ACE Procedure.
- A host's ACL takes precedence over its domains' ACLs. For a given host, say www.us.example.com, the following domains are listed in decreasing precedence:
  - www.us.example.com
  - *.us.example.com
  - *.example.com
  - *.com
  - *
- An IP address' ACL takes precedence over its subnets' ACLs. For a given IP address, say 192.168.0.100, the following subnets are listed in decreasing precedence:
  - 192.168.0.100
  - 192.168.0.*
  - 192.168.*
  - 192.*
  - *
- An ACE with a "resolve" privilege can be appended only to a host's ACL without a port range.
- When ACEs with "connect" privileges are appended to a host's ACLs with and without a port range, the one appended to the host with a port range takes precedence.
- When specifying a TCP port range of a host, it cannot overlap with other existing port ranges of the host.
- If the ACL is shared with another host or wallet, a copy of the ACL will be made before the ACL is modified.
See Also:
Oracle Database Real Application Security Administrator's and Developer's Guide for more information about the XS$ACE_TYPE object type
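A port-scoped grant that follows the usage notes above, given as an added example rather than Oracle's own: connect is limited to one TCP port, and resolve is appended separately because it is only accepted on the host's ACL without a port range. The host api.us.example.com and the user APP_HTTP are hypothetical names.

```sql
-- Added example; api.us.example.com and APP_HTTP are hypothetical names.
BEGIN
  -- "connect" restricted to TCP 443. An ACE on a port range takes
  -- precedence over a "connect" ACE on the same host without one.
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => 'api.us.example.com',
    lower_port => 443,
    upper_port => 443,
    ace        => xs$ace_type(privilege_list => xs$name_list('connect'),
                              principal_name => 'APP_HTTP',
                              principal_type => xs_acl.ptype_db));

  -- "resolve" can only be appended to the host's ACL without a port range.
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host => 'api.us.example.com',
    ace  => xs$ace_type(privilege_list => xs$name_list('resolve'),
                        principal_name => 'APP_HTTP',
                        principal_type => xs_acl.ptype_db));
END;
/

-- Confirm exactly what the principal now holds.
SELECT host, lower_port, upper_port, privilege, grant_type
  FROM dba_host_aces
 WHERE UPPER(principal) = 'APP_HTTP'
 ORDER BY host, lower_port NULLS LAST;

-- Withdraw the access when it is no longer needed, and drop each ACL
-- if removing the ACE leaves it empty.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE(
    host             => 'api.us.example.com',
    lower_port       => 443,
    upper_port       => 443,
    ace              => xs$ace_type(privilege_list => xs$name_list('connect'),
                                    principal_name => 'APP_HTTP',
                                    principal_type => xs_acl.ptype_db),
    remove_empty_acl => TRUE);

  DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE(
    host             => 'api.us.example.com',
    ace              => xs$ace_type(privilege_list => xs$name_list('resolve'),
                                    principal_name => 'APP_HTTP',
                                    principal_type => xs_acl.ptype_db),
    remove_empty_acl => TRUE);
END;
/
```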
121.7.3 APPEND_HOST_ACL Procedure
This procedure appends access control entries (ACE) of an access control list (ACL) to the ACL of a network host.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACL (
   host        IN VARCHAR2,
   lower_port  IN PLS_INTEGER DEFAULT NULL,
   upper_port  IN PLS_INTEGER DEFAULT NULL,
   acl         IN VARCHAR2);
```
Parameters
Table 121-6 APPEND_HOST_ACL Function Parameters
Parameter | Description |
---|---|
host | The host, which can be the name or the IP address of the host. You can use a wildcard to specify a domain or an IP subnet. The host or domain name is case-insensitive. |
lower_port | Lower bound of an optional TCP port range |
upper_port | Upper bound of an optional TCP port range. If |
acl | The ACL from which to append |
Usage Notes
- Duplicate privileges in the matching ACE in the host ACL will be skipped.
- To remove the ACE, use the REMOVE_HOST_ACE Procedure.
- A host's ACL takes precedence over its domains' ACLs. For a given host, say www.us.example.com, the following domains are listed in decreasing precedence:
  - www.us.example.com
  - *.us.example.com
  - *.example.com
  - *.com
  - *
- An IP address' ACL takes precedence over its subnets' ACLs. For a given IP address, say 192.168.0.100, the following subnets are listed in decreasing precedence:
  - 192.168.0.100
  - 192.168.0.*
  - 192.168.*
  - 192.*
  - *
- An ACE with a "resolve" privilege can be appended only to a host's ACL without a port range.
- When ACEs with "connect" privileges are appended to a host's ACLs with and without a port range, the one appended to the host with a port range takes precedence.
- When specifying a TCP port range of a host, it cannot overlap with other existing port ranges of the host.
- If the ACL is shared with another host or wallet, a copy of the ACL will be made before the ACL is modified.
121.7.4 APPEND_WALLET_ACE Procedure
This procedure appends an access control entry (ACE) to the access control list (ACL) of a wallet. The ACL controls access to the given wallet from the database and the ACE specifies the privileges granted to or denied from the specified principal.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.APPEND_WALLET_ACE (
   wallet_path  IN VARCHAR2,
   ace          IN XS$ACE_TYPE);
```
Parameters
Table 121-7 APPEND_WALLET_ACE Function Parameters
Parameter | Description |
---|---|
wallet_path | Directory path of the wallet. The path is case-sensitive of the format |
ace | The ACE |
Usage Notes
- Duplicate privileges in the matching ACE in the host ACL will be skipped.
- To remove the ACE, use the REMOVE_WALLET_ACE Procedure.
- If the ACL is shared with another host or wallet, a copy of the ACL is made before the ACL is modified.
See Also:
Oracle Database Real Application Security Administrator's and Developer's Guide for more information about the XS$ACE_TYPE object type
121.7.5 APPEND_WALLET_ACL Procedure
This procedure appends access control entries (ACE) of an access control list (ACL) to the ACL of a wallet.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.APPEND_WALLET_ACL (
   wallet_path  IN VARCHAR2,
   acl          IN VARCHAR2);
```
Parameters
Table 121-8 APPEND_WALLET_ACL Function Parameters
Parameter | Description |
---|---|
wallet_path | Directory path of the wallet. The path is case-sensitive of the format |
acl | The ACL from which to append |
Usage Notes
- Duplicate privileges in the matching ACE in the host ACL will be skipped.
- To remove the ACE, use REMOVE_WALLET_ACE.
- If the ACL is shared with another host or wallet, a copy of the ACL is made before the ACL is modified.
121.7.6 ASSIGN_ACL Procedure
This procedure assigns an access control list (ACL) to a host computer, domain, or IP subnet, and if specified, the TCP port range.
Note:
This procedure is deprecated in Oracle Database 12c. While the procedure remains available in the package for reasons of backward compatibility, Oracle recommends using the APPEND_HOST_ACE Procedure and the APPEND_WALLET_ACE Procedure.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
   acl         IN VARCHAR2,
   host        IN VARCHAR2,
   lower_port  IN PLS_INTEGER DEFAULT NULL,
   upper_port  IN PLS_INTEGER DEFAULT NULL);
```
Parameters
Table 121-9 ASSIGN_ACL Function Parameters
Parameter | Description |
---|---|
acl | Name of the ACL. Relative path will be relative to " |
host | Host to which the ACL is to be assigned. The host can be the name or the IP address of the host. A wildcard can be used to specify a domain or an IP subnet. The host or domain name is case-insensitive. |
lower_port | Lower bound of a TCP port range if not |
upper_port | Upper bound of a TCP port range. If |
Usage Notes
- Only one ACL can be assigned to any host computer, domain, or IP subnet, and if specified, the TCP port range. When you assign a new access control list to a network target, Oracle Database unassigns the previous access control list that was assigned to the same target. However, Oracle Database does not drop the access control list. You can drop the access control list by using the DROP_ACL Procedure. To remove an access control list assignment, use the UNASSIGN_ACL Procedure.
- The ACL assigned to a domain takes a lower precedence than the other ACLs assigned to sub-domains, which take a lower precedence than the ACLs assigned to the individual hosts. So for a given host, for example, "www.us.example.com", the following domains are listed in decreasing precedence:
  - www.us.example.com
  - *.us.example.com
  - *.example.com
  - *.com
  - *

  In the same way, the ACL assigned to a subnet takes a lower precedence than the other ACLs assigned to smaller subnets, which take a lower precedence than the ACLs assigned to the individual IP addresses. So for a given IP address, for example, "192.168.0.100", the following subnets are listed in decreasing precedence:
  - 192.168.0.100
  - 192.168.0.*
  - 192.168.*
  - 192.*
  - *
- The port range is applicable only to the "connect" privilege assignments in the ACL. The "resolve" privilege assignments in an ACL have effects only when the ACL is assigned to a host without a port range.
  For the "connect" privilege assignments, an ACL assigned to the host without a port range takes a lower precedence than other ACLs assigned to the same host with a port range.
- When specifying a TCP port range, both lower_port and upper_port must not be NULL and upper_port must be greater than or equal to lower_port. The port range must not overlap with any other port ranges for the same host assigned already.
- To remove the assignment, use UNASSIGN_ACL Procedure.
Examples
```sql
BEGIN
  -- Assign the ACL to every host under us.example.com, starting at port 80
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'us-example-com-permissions.xml',
    host       => '*.us.example.com',
    lower_port => 80);
END;
```
121.7.7 ASSIGN_WALLET_ACL Procedure
This procedure assigns an access control list (ACL) to a wallet.
Note:
This procedure is deprecated in Oracle Database 12c. While the procedure remains available in the package for reasons of backward compatibility, Oracle recommends using the APPEND_HOST_ACE Procedure and the APPEND_WALLET_ACE Procedure.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL (
   acl          IN VARCHAR2,
   wallet_path  IN VARCHAR2);
```
Parameters
Table 121-10 ASSIGN_WALLET_ACL Procedure Parameters
Parameter | Description |
---|---|
acl | Name of the ACL. Relative path will be relative to |
wallet_path | Directory path of the wallet to which the ACL is to be assigned. The path is case-sensitive and of the format |
Usage Notes
To remove the assignment, use the UNASSIGN_WALLET_ACL Procedure.
Examples
```sql
BEGIN
  -- Create the ACL with an initial privilege for SCOTT
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'wallet-acl.xml',
    description => 'Wallet ACL',
    principal   => 'SCOTT',
    is_grant    => TRUE,
    privilege   => 'use-client-certificates');

  -- Add a second privilege to the same ACL
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl       => 'wallet-acl.xml',
    principal => 'SCOTT',
    is_grant  => TRUE,
    privilege => 'use-passwords');

  -- Assign the ACL to the wallet
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL(
    acl         => 'wallet-acl.xml',
    wallet_path => 'file:/example/wallets/test_wallet');
END;
```
121.7.8 CHECK_PRIVILEGE Function
This function checks if a privilege is granted to or denied from the user in an ACL.
Note:
This procedure is deprecated in Oracle Database 12c. The procedure remains available in the package only for reasons of backward compatibility.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE (
   acl        IN VARCHAR2,
   user       IN VARCHAR2,
   privilege  IN VARCHAR2)
 RETURN NUMBER;
```
Parameters
Table 121-11 CHECK_PRIVILEGE Function Parameters
Parameter | Description |
---|---|
acl | Name of the ACL. Relative path will be relative to "/sys/acls". |
user | User to check against. If the user is |
privilege | Network privilege to check |
Return Values
Returns 1 when the privilege is granted; 0 when the privilege is denied; NULL when the privilege is neither granted nor denied.
Examples
```sql
SELECT DECODE(
         DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(
           'us-example-com-permissions.xml', 'SCOTT', 'resolve'),
         1, 'GRANTED', 0, 'DENIED', NULL) PRIVILEGE
  FROM DUAL;
```
121.7.9 CHECK_PRIVILEGE_ACLID Function
This function checks if a privilege is granted to or denied from the user in an ACL by specifying the object ID of the access control list.
Note:
This procedure is deprecated in Oracle Database 12c. The procedure remains available in the package only for reasons of backward compatibility.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE_ACLID (
   aclid      IN RAW,
   user       IN VARCHAR2 DEFAULT NULL,
   privilege  IN VARCHAR2)
 RETURN NUMBER;
```
Parameters
Table 121-12 CHECK_PRIVILEGE_ACLID Function Parameters
Parameter | Description |
---|---|
aclid | Object ID of the ACL |
user | User to check against. If the user is |
privilege | Network privilege to check |
Return Values
Returns 1 when the privilege is granted; 0 when the privilege is denied; NULL when the privilege is neither granted nor denied.
121.7.10 CREATE_ACL Procedure
This deprecated procedure creates an access control list (ACL) with an initial privilege setting. An ACL must have at least one privilege setting. The ACL has no access control effect unless it is assigned to the network target.
Note:
This procedure is deprecated in Oracle Database 12c. While the procedure remains available in the package for reasons of backward compatibility, Oracle recommends using the APPEND_HOST_ACE Procedure and the APPEND_WALLET_ACE Procedure.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
   acl          IN VARCHAR2,
   description  IN VARCHAR2,
   principal    IN VARCHAR2,
   is_grant     IN BOOLEAN,
   privilege    IN VARCHAR2,
   start_date   IN TIMESTAMP WITH TIME ZONE DEFAULT NULL,
   end_date     IN TIMESTAMP WITH TIME ZONE DEFAULT NULL);
```
Parameters
Table 121-13 CREATE_ACL Procedure Parameters
Parameter | Description |
---|---|
acl | Name of the ACL. Relative path will be relative to "/sys/acls". |
description | Description attribute in the ACL |
principal | Principal (database user or role) to whom the privilege is granted or denied. Case sensitive. |
is_grant | Privilege is granted or not (denied) |
privilege | Network privilege to be granted or denied - |
start_date | Start date of the access control entry (ACE). When specified, the ACE is valid only on and after the specified date. |
end_date | End date of the access control entry (ACE). When specified, the ACE expires after the specified date. The |
Usage Notes
To drop the access control list, use the DROP_ACL Procedure.
Examples
```sql
BEGIN
  -- Create an ACL that grants SCOTT the connect privilege
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'us-example-com-permissions.xml',
    description => 'Network permissions for *.us.example.com',
    principal   => 'SCOTT',
    is_grant    => TRUE,
    privilege   => 'connect');
END;
```
121.7.11 DELETE_PRIVILEGE Procedure
This deprecated procedure deletes a privilege in an access control list.
Note:
This procedure is deprecated in Oracle Database 12c. While the procedure remains available in the package for reasons of backward compatibility, Oracle recommends using the REMOVE_HOST_ACE Procedure and the REMOVE_WALLET_ACE Procedure.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.DELETE_PRIVILEGE (
   acl        IN VARCHAR2,
   principal  IN VARCHAR2,
   is_grant   IN BOOLEAN DEFAULT NULL,
   privilege  IN VARCHAR2 DEFAULT NULL);
```
Parameters
Table 121-14 DELETE_PRIVILEGE Function Parameters
Parameter | Description |
---|---|
acl | Name of the ACL. Relative path will be relative to "/sys/acls". |
principal | Principal (database user or role) for whom all the ACE will be deleted |
is_grant | Privilege is granted or not (denied). If a |
privilege | Network privilege to be deleted. If a |
Examples
```sql
BEGIN
  -- Delete every ACE for ST_USERS from the ACL
  DBMS_NETWORK_ACL_ADMIN.DELETE_PRIVILEGE(
    acl       => 'us-example-com-permissions.xml',
    principal => 'ST_USERS');
END;
```
121.7.12 DROP_ACL Procedure
This deprecated procedure drops an access control list (ACL).
Note:
This procedure is deprecated in Oracle Database 12c. The procedure remains available in the package only for reasons of backward compatibility.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.DROP_ACL (
   acl  IN VARCHAR2);
```
Parameters
Table 121-15 DROP_ACL Procedure Parameters
Parameter | Description |
---|---|
acl | Name of the ACL. Relative path will be relative to "/sys/acls". |
Examples
```sql
BEGIN
  DBMS_NETWORK_ACL_ADMIN.DROP_ACL(
    acl => 'us-example-com-permissions.xml');
END;
```
121.7.13 REMOVE_HOST_ACE Procedure
This procedure removes privileges from access control entries (ACE) in the access control list (ACL) of a network host matching the given ACE.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE (
   host              IN VARCHAR2,
   lower_port        IN PLS_INTEGER DEFAULT NULL,
   upper_port        IN PLS_INTEGER DEFAULT NULL,
   ace               IN XS$ACE_TYPE,
   remove_empty_acl  IN BOOLEAN DEFAULT FALSE);
```
Parameters
Table 121-16 REMOVE_HOST_ACE Function Parameters
Parameter | Description |
---|---|
host | The host, which can be the name or the IP address of the host. You can use a wildcard to specify a domain or an IP subnet. The host or domain name is case-insensitive. |
lower_port | Lower bound of an optional TCP port range |
upper_port | Upper bound of an optional TCP port range. If |
ace | The ACE |
remove_empty_acl | Whether to remove the ACL when it becomes empty when the ACE is removed |
Usage Notes
If the ACL is shared with another host or wallet, a copy of the ACL is made before the ACL is modified.
121.7.14 REMOVE_WALLET_ACE Procedure
This procedure removes privileges from access control entries (ACE) in the access control list (ACL) of a wallet matching the given ACE.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.REMOVE_WALLET_ACE (
   wallet_path       IN VARCHAR2,
   ace               IN XS$ACE_TYPE,
   remove_empty_acl  IN BOOLEAN DEFAULT FALSE);
```
Parameters
Table 121-17 REMOVE_WALLET_ACE Function Parameters
Parameter | Description |
---|---|
wallet_path | Directory path of the wallet. The path is case-sensitive of the format |
ace | The ACE |
remove_empty_acl | Whether to remove the ACL when it becomes empty when the ACE is removed |
Usage Notes
If the ACL is shared with another host or wallet, a copy of the ACL is made before the ACL is modified.
121.7.15 SET_HOST_ACL Procedure
This procedure sets the access control list (ACL) of a network host which controls access to the host from the database.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.SET_HOST_ACL (
   host        IN VARCHAR2,
   lower_port  IN PLS_INTEGER DEFAULT NULL,
   upper_port  IN PLS_INTEGER DEFAULT NULL,
   acl         IN VARCHAR2);
```
Parameters
Table 121-18 SET_HOST_ACL Function Parameters
Parameter | Description |
---|---|
host | The host, which can be the name or the IP address of the host. You can use a wildcard to specify a domain or an IP subnet. The host or domain name is case-insensitive. |
lower_port | Lower bound of an optional TCP port range |
upper_port | Upper bound of an optional TCP port range. If |
acl | The ACL. |
Usage Notes
A host's ACL is created and set on-demand when an access control entry (ACE) is appended to the host's ACL. Users are discouraged from setting a host's ACL manually.
121.7.16 SET_WALLET_ACL Procedure
This procedure sets the access control list (ACL) of a wallet which controls access to the wallet from the database.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.SET_WALLET_ACL (
   wallet_path  IN VARCHAR2,
   acl          IN VARCHAR2);
```
Parameters
Table 121-19 SET_WALLET_ACL Function Parameters
Parameter | Description |
---|---|
wallet_path | Directory path of the wallet. The path is case-sensitive of the format |
acl | The ACL. |
Usage Notes
A wallet's ACL is created and set on-demand when an access control entry (ACE) is appended to the wallet's ACL. Users are discouraged from setting a wallet's ACL manually.
121.7.17 UNASSIGN_ACL Procedure
This deprecated procedure unassigns the access control list (ACL) currently assigned to a network host.
Note:
This procedure is deprecated in Oracle Database 12c. While the procedure remains available in the package for reasons of backward compatibility, Oracle recommends using the REMOVE_HOST_ACE Procedure and the REMOVE_WALLET_ACE Procedure.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.UNASSIGN_ACL (
   acl         IN VARCHAR2 DEFAULT NULL,
   host        IN VARCHAR2 DEFAULT NULL,
   lower_port  IN PLS_INTEGER DEFAULT NULL,
   upper_port  IN PLS_INTEGER DEFAULT NULL);
```
Parameters
Table 121-20 UNASSIGN_ACL Function Parameters
Parameter | Description |
---|---|
acl | Name of the ACL. Relative path will be relative to "/sys/acls". If ACL is |
host | Host from which the ACL is to be removed. The host can be the name or the IP address of the host. A wildcard can be used to specify a domain or an IP subnet. The host or domain name is case-insensitive. If host is |
lower_port | Lower bound of a TCP port range if not |
upper_port | Upper bound of a TCP port range. If |
Examples
```sql
BEGIN
  -- Remove the ACL assignment for *.us.example.com on port 80
  DBMS_NETWORK_ACL_ADMIN.UNASSIGN_ACL(
    host       => '*.us.example.com',
    lower_port => 80);
END;
```
121.7.18 UNASSIGN_WALLET_ACL Procedure
This deprecated procedure unassigns the access control list (ACL) currently assigned to a wallet.
Note:
This procedure is deprecated in Oracle Database 12c. While the procedure remains available in the package for reasons of backward compatibility, Oracle recommends using the REMOVE_HOST_ACE Procedure and the REMOVE_WALLET_ACE Procedure.
Syntax
```sql
DBMS_NETWORK_ACL_ADMIN.UNASSIGN_WALLET_ACL (
   acl          IN VARCHAR2 DEFAULT NULL,
   wallet_path  IN VARCHAR2 DEFAULT NULL);
```
Parameters
Table 121-21 UNASSIGN_WALLET_ACL Procedure Parameters
Parameter | Description |
---|---|
acl | Name of the ACL. Relative path will be relative to |
wallet_path | Directory path of the wallet to which the ACL is assigned. The path is case-sensitive and of the format |
Examples
```sql
BEGIN
  -- Remove the ACL assignment from the wallet
  DBMS_NETWORK_ACL_ADMIN.UNASSIGN_WALLET_ACL(
    acl         => 'wallet-acl.xml',
    wallet_path => 'file:/example/wallets/test_wallet');
END;
```