11.6 XS_DIAG Package
The XS_DIAG package includes subprograms to diagnose potential problems in data security for principals, security classes, ACLs, data security policies, namespaces, and all objects in the workspace. All subprograms return TRUE if the object is valid; otherwise, each returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies you specify with the error_limit parameter is reached. Users can query this validation table to see, for each identified inconsistency, the message code, the description of the error, the path leading to the invalid object, and any other information that might help identify the nature of the inconsistency.
11.6.1 Security Model
The XS_DIAG package is created in the SYS schema. It runs with the caller's (invoker's) rights, and the caller needs the ADMIN_ANY_SEC_POLICY system privilege to run it. EXECUTE permission on the XS_DIAG package is granted to PUBLIC. SELECT permission on the XS$VALIDATION_TABLE validation table is granted to PUBLIC.
11.6.2 Summary of XS_DIAG Subprograms
Table 11-8 Summary of XS_DIAG Subprograms
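Subprogram | Description |
---|---|
VALIDATE_PRINCIPAL Function | Validates the principal. |
VALIDATE_SECURITY_CLASS Function | Validates the security class. |
VALIDATE_ACL Function | Validates the ACL. |
VALIDATE_DATA_SECURITY Function | Validates the data security policy or validates the data security policy against a specific table. |
VALIDATE_NAMESPACE_TEMPLATE Function | Validates the namespace template. |
VALIDATE_WORKSPACE Function | Validates an entire workspace. |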
This section describes the following XS_DIAG subprograms:
11.6.2.1 VALIDATE_PRINCIPAL Function
The VALIDATE_PRINCIPAL function validates the principal. This function returns TRUE if the object is valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
Syntax
```sql
validate_principal(name        IN VARCHAR2,
                   error_limit IN PLS_INTEGER := 1)
RETURN BOOLEAN;
```
Parameters
Parameter | Description |
---|---|
name | The name of the object to be validated. |
error_limit | The maximum number of inconsistencies that may be stored in the validation table. |
Examples
Validate the principal, user user1, then query the validation table in case there are inconsistencies.
```sql
begin
  if sys.xs_diag.validate_principal('user1', 100) then
    dbms_output.put_line('The user is valid.');
  else
    dbms_output.put_line('The user is invalid.');
  end if;
end;
/
select * from xs$validation_table;
```
Validate the principal, role role1, then query the validation table in case there are inconsistencies.
```sql
begin
  if sys.xs_diag.validate_principal('role1', 100) then
    dbms_output.put_line('The role is valid.');
  else
    dbms_output.put_line('The role is invalid.');
  end if;
end;
/
select * from xs$validation_table;
```
11.6.2.2 VALIDATE_SECURITY_CLASS Function
The VALIDATE_SECURITY_CLASS function validates the security class. This function returns TRUE if the object is valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
Syntax
```sql
validate_security_class(name        IN VARCHAR2,
                        error_limit IN PLS_INTEGER := 1)
RETURN BOOLEAN;
```
Parameters
Parameter | Description |
---|---|
name | The name of the object to be validated. |
error_limit | The maximum number of inconsistencies that may be stored in the validation table. |
Examples
Validate the security class, sec1, then query the validation table in case there are inconsistencies.
```sql
begin
  if sys.xs_diag.validate_security_class('sec1', 100) then
    dbms_output.put_line('The security class is valid.');
  else
    dbms_output.put_line('The security class is invalid.');
  end if;
end;
/
select * from xs$validation_table;
```
11.6.2.3 VALIDATE_ACL Function
The VALIDATE_ACL function validates the ACL. This function returns TRUE if the object is valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
Syntax
```sql
validate_acl(name        IN VARCHAR2,
             error_limit IN PLS_INTEGER := 1)
RETURN BOOLEAN;
```
Parameters
Parameter | Description |
---|---|
name | The name of the object to be validated. |
error_limit | The maximum number of inconsistencies that may be stored in the validation table. |
Examples
Validate the ACL, acl1, then query the validation table in case there are inconsistencies.
```sql
begin
  if sys.xs_diag.validate_acl('acl1', 100) then
    dbms_output.put_line('The ACL is valid.');
  else
    dbms_output.put_line('The ACL is invalid.');
  end if;
end;
/
select * from xs$validation_table;
```
11.6.2.4 VALIDATE_DATA_SECURITY Function
The VALIDATE_DATA_SECURITY function validates the data security policy. This function returns TRUE if the object is valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
This function has three styles of policy validation.
- When policy is not NULL and table_name is NULL, the function validates the policy against all the tables to which the policy is applied. Note that when table_name is NULL, table_owner is ignored even if it is not NULL.
- When both policy and table_name are not NULL, the function validates the policy against the specific table. If table_owner is not provided, the current schema is used.
- When policy is NULL and table_name is not NULL, the function validates all policies applied to the table against the table. If table_owner is not provided, the current schema is used.
Syntax
```sql
validate_data_security(policy      IN VARCHAR2    := NULL,
                       table_owner IN VARCHAR2    := NULL,
                       table_name  IN VARCHAR2    := NULL,
                       error_limit IN PLS_INTEGER := 1)
RETURN BOOLEAN;
```
Parameters
Parameter | Description |
---|---|
policy | The name of the object to be validated. |
table_owner | The name of the schema of the table or view. |
table_name | The name of the table or view. |
error_limit | The maximum number of inconsistencies that may be stored in the validation table. |
Examples
Validate a policy, policy1, on all the applied tables, then query the validation table in case there are inconsistencies.
```sql
begin
  if sys.xs_diag.validate_data_security(policy      => 'policy1',
                                        error_limit => 100) then
    dbms_output.put_line('The policy is valid on all the applied tables.');
  else
    dbms_output.put_line('The policy is invalid on some of the applied tables.');
  end if;
end;
/
select * from xs$validation_table;
```
Validate a policy, policy1, on a given table, then query the validation table in case there are inconsistencies.
```sql
begin
  if sys.xs_diag.validate_data_security(policy      => 'policy1',
                                        table_owner => 'HR',
                                        table_name  => 'EMPLOYEES',
                                        error_limit => 100) then
    dbms_output.put_line('The policy is valid on the table.');
  else
    dbms_output.put_line('The policy is invalid on the table.');
  end if;
end;
/
select * from xs$validation_table;
```
Validate all the policies applied to a given table, then query the validation table in case there are inconsistencies.
```sql
begin
  if sys.xs_diag.validate_data_security(table_owner => 'HR',
                                        table_name  => 'EMPLOYEES',
                                        error_limit => 100) then
    dbms_output.put_line('All the applied policies on the table are valid.');
  else
    dbms_output.put_line('Some applied policies on the table are invalid');
  end if;
end;
/
select * from xs$validation_table;
```
11.6.2.5 VALIDATE_NAMESPACE_TEMPLATE Function
The VALIDATE_NAMESPACE_TEMPLATE function validates the namespace template. This function returns TRUE if the object is valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
Syntax
```sql
validate_namespace_template(name        IN VARCHAR2,
                            error_limit IN PLS_INTEGER := 1)
RETURN BOOLEAN;
```
Parameters
Parameter | Description |
---|---|
name | The name of the object to be validated. |
error_limit | The maximum number of inconsistencies that may be stored in the validation table. |
Examples
Validate the namespace, ns1, then query the validation table in case there are inconsistencies.
```sql
begin
  if sys.xs_diag.validate_namespace_template('ns1', 100) then
    dbms_output.put_line('The namespace template is valid.');
  else
    dbms_output.put_line('The namespace template is invalid.');
  end if;
end;
/
select * from xs$validation_table;
```
11.6.2.6 VALIDATE_WORKSPACE Function
The VALIDATE_WORKSPACE function validates all the artifacts; in other words, this one function validates all objects that exist in the workspace. This function returns TRUE if all the objects are valid; otherwise, it returns FALSE. For each identified inconsistency, a row is inserted into the XS$VALIDATION_TABLE validation table until the maximum number of inconsistencies that can be stored is reached. Users must query this validation table to find out what caused the validation failure.
Syntax
```sql
validate_workspace(error_limit IN PLS_INTEGER := 1)
RETURN BOOLEAN;
```
Parameters
Parameter | Description |
---|---|
error_limit | The maximum number of inconsistencies that may be stored in the validation table. |
Examples
Validate all the objects in the workspace, then query the validation table in case there are inconsistencies.
```sql
begin
  if sys.xs_diag.validate_workspace(100) then
    dbms_output.put_line('The objects are valid.');
  else
    dbms_output.put_line('The objects are invalid.');
  end if;
end;
/
select * from xs$validation_table;
```
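The following SQL*Plus script is an added example, not part of the original documentation: it uses VALIDATE_WORKSPACE as a pass/fail gate for a scheduled or post-deployment job and flags when error_limit may have cut the findings short. The limit of 100, the bind variable name failed and the exit-status convention are assumptions, as is the premise that the validation table holds only rows written by this call.

```sql
-- Added example (not Oracle's code): fail a job when the Real Application
-- Security workspace does not validate. Run in SQL*Plus as a user that
-- holds the ADMIN_ANY_SEC_POLICY system privilege.
set serveroutput on
variable failed number

declare
  -- Assumed cap. With the default error_limit of 1, a FALSE result
  -- leaves at most one row to inspect.
  c_limit constant pls_integer := 100;
  n_rows  pls_integer;
begin
  if sys.xs_diag.validate_workspace(error_limit => c_limit) then
    dbms_output.put_line('Workspace is valid.');
    :failed := 0;
  else
    :failed := 1;
    -- Assumption: the table holds only rows written by the call above.
    select count(*) into n_rows from xs$validation_table;
    dbms_output.put_line('Workspace is invalid: ' || n_rows ||
                         ' inconsistencies recorded.');
    if n_rows >= c_limit then
      -- Rows stop being inserted once the limit is reached.
      dbms_output.put_line('error_limit reached; the list may be ' ||
                           'incomplete. Raise the limit and re-run.');
    end if;
  end if;
end;
/

-- Write the findings to the job log before exiting.
select * from xs$validation_table;

-- A non-zero exit status lets the calling job detect the failure.
exit :failed
```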