Oracle DBMS_SFW_ACL_ADMIN
Version 19.3

General Information
Library Note Morgan's Library Page Header
Which has the higher priority in your organization: Deploying a new database or securing the ones you already have? Looking for a website, and resources, dedicated solely to securing Oracle databases? Check out DBSecWorx.
Purpose This package provides the APIs to administer service Access Control List (ACL) that are used to control access to DB services by external Virtual Machines (VMs) or host networks.

There are two types of ACL: Exadirect and IP. Exadirect ACL is used to grant access to VMs; where as, IP ACL is used to grant access to host networks.
  • Exadirect APIs are prefixed by 'ed_'.
  • IP APIs are prefixed by 'ip_'.
  • APIs w/o prefix are generic.
AUTHID DEFINER
Constants
Name Data Type Value
DOMAIN_MASK -- Hostname mask: *.???.???...???
VARCHAR2(80)
 '\*(\.[^\.\:\/\*]+)*'
HOSTNAME_MASK -- Hostname mask: ???.???.???...???
VARCHAR2(80)
'[^\.\:\/\*]+(\.[^\.\:\/\*]+)*'
IP_ADDR_MASK -- IP address mask: xxx.xxx.xxx.xxx
VARCHAR2(80)
'([[:digit:]]+\.){3}[[:digit:]]+'
IP_SUBNET_MASK -- IP submet mask: xxx.xxx...*
VARCHAR2(80)
'([[:digit:]]+\.){0,3}\*'
Data Types -- Used in batch operation.
TYPE table_type IS TABLE OF VARCHAR(300) INDEX BY BINARY_INTEGER;
Dependencies
ACL$_OBJ DUAL XS$ACE_LIST
CDB_SERVICE$ EXADIRECT_ACL XS$ACE_TYPE
DBA_XS_ACES IP_ACL XS$NAME_LIST
DBA_XS_ACLS PLITBLM XS_ACL
DBA_XS_OBJECTS V_$DATABASE XS_ADMIN_UTIL
DBMS_ASSERT V_$PARAMETER XS_SECURITY_CLASS
DBMS_STANDARD V_$PDBS  
Documented Yes
Exceptions
Error Code Reason
ORA-20001 exadirect_sgid_in_used
ORA-20002 exadirect_dup_svc_and_uuid
ORA-20003 exadirect_null_service
ORA-20004 exadirect_null_uuid
ORA-20005 exadirect_unknown
ORA-20006 exadirect_bad_sgid
ORA-20007 exadirect_ids_mismatch
ORA-20008 exadirect_insufficient_priv
ORA-20009 ip_host_exists
ORA-20010 ip_invalid_host
ORA-20011 ip_no_host
ORA-20012 container_not_root
ORA-20013 not_exadata
First Available 12.2.0.1
Security Model Owned by DBSFWUSER with no privileges granted
Source {ORACLE_HOME}/rdbms/admin/dbms acl srv.sql
Subprograms
 
COMMIT_ACL
Commit changes to the DB ACL table and propagate them to all access control points in the DB cluster. Exadirect ACL updates are only propagated if DB ACL control is enabled. dbms_sfw_acl_admin.commit_acl;
exec dbsfwuser.dbms_sfw_acl_admin.commit_acl;
 
ED_ADD_ACE
Add a new Exadirect ACL entry dbms_sfw_acl_admin.ed_add_ace(
p_service_name IN VARCHAR2,
p_vm_uuid      IN VARCHAR2,
p_vm_sgid      IN VARCHAR2);
TBD
 
ED_ADD_PDB_ACE
Add a new Exadirect ACL entry for each of the service in the specified PDB dbms_sfw_acl_admin.ed_add_pdb_ace(
p_pdb_name IN VARCHAR2,
p_vm_uuid  IN VARCHAR2,
p_vm_sgid  IN VARCHAR2);
TBD
 
ED_BREMOVE_COMMIT_BY_UUIDS
Batch remove and commit. This is normally called when stopping a VM. dbms_sfw_acl_admin.ed_bremove_commit_by_uuids(p_vm_uuids IN table_type);
TBD
 
ED_BUPDATE_COMMIT
Batch update and commit. This is normally called when starting the VM dbms_sfw_acl_admin.ed_bupdate_commit(
p_vm_uuids    IN table_type,
p_vm_sgids    IN table_type,
p_vm_services IN table_type);
TBD
 
ED_ENABLE_ACL
Enable DB ACL control, load and propagate the initial ACLs to all access control points in the DB cluster. By default, DB ACL control is disabled and all access to secure network interfaces are denied. dbms_sfw_acl_admin.ed_enable_acl;
exec dbsfwuser.dbms_sfw_acl_admin.ed_enable_acl;
BEGIN dbsfwuser.dbms_sfw_acl_admin.ed_enable_acl; END;
*
ERROR at line 1:
ORA-20013: Must be running on EXADATA
ORA-06512: at "DBSFWUSER.DBMS_SFW_ACL_ADMIN", line 342
ORA-06512: at line 1
 
ED_GET_ACES_BY_SGID
Get all service Exadirect ACL entries for the specified VM SGID dbms_sfw_acl_admin.ed_get_aces_by_sgid(
p_vm_sgid  IN VARCHAR2,
p_services OUT SYS_REFCURSOR);
TBD
 
ED_GET_ACES_BY_SVC
Get all VM UUIDs for the specified service. This call will be used by mgmt Stack to cleanup stalled service after the service has been removed by DBA. This call will be used in conjunction with remove_acl_svc_by_uuid. dbms_sfw_acl_admin.ed_get_aces_by_svc(
p_service_name IN  VARCHAR2,
p_vm_uuids     OUT SYS_REFCURSOR);
TBD
 
ED_GET_ACES_BY_UUID
Get all service Exadirect ACL entries for the specified VM UUID dbms_sfw_acl_admin.ed_get_aces_by_uuid(
p_vm_uuid  IN  VARCHAR2,
p_services OUT SYS_REFCURSOR);
TBD
 
ED_GET_ACES_BY_UUID_SGID
Get all service Exadirect ACL entries for the specified VM SGID and UUID dbms_sfw_acl_admin.ed_get_aces_by_uuid_sgid(
p_vm_uuid  IN  VARCHAR2,
p_vm_sgid  IN  VARCHAR2,
p_services OUT SYS_REFCURSOR);
TBD
 
ED_IS_ACL_ENABLED
 Return the state of ACL control on the database dbms_sfw_acl_admin.ed_is_acl_enabled RETURN BOOLEAN;
BEGIN
  IF dbsfwuser.dbms_sfw_acl_admin.ed_is_acl_enabled THEN
    dbms_output.put_line('ACL is enabled');
  ELSE
    dbms_output.put_line('ACL is not enabled');
  END IF;
END;
/
 
ED_REMOVE_ACES_BY_SGID
Remove all service Exadirect ACL entries for the specified VM SGID dbms_sfw_acl_admin.ed_remove_aces_by_sgid(p_vm_sgid IN VARCHAR2);
TBD
 
ED_REMOVE_ACES_BY_UUID
Remove all service Exadirect ACL entries for the specified VM UUID dbms_sfw_acl_admin.ed_remove_aces_by_uuid(p_vm_uuid IN VARCHAR2);
TBD
 
ED_REMOVE_ACE_BY_SGID
Remove all service Exadirect ACL entries for the specified VM SGID dbms_sfw_acl_admin.ed_remove_ace_by_sgid(
p_service_name IN VARCHAR2,
p_vm_sgid      IN VARCHAR2);
TBD
 
ED_REMOVE_ACE_BY_UUID
Remove an Exadirect ACL entry for the specified service name and VM UUID dbms_sfw_acl_admin.ed_remove_ace_by_uuid(
p_service_name IN VARCHAR2,
p_vm_uuid      IN VARCHAR2);
TBD
 
ED_REMOVE_ACL
Remove Exadirect ACL for the specified service name dbms_sfw_acl_admin.ed_remove_acl(p_service_name IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ed_remove_acl('pdbprod');
 
ED_REMOVE_PDB_ACE_BY_SGID
Remove an Exadirect ACL entry for each of the service in the specified PDB dbms_sfw_acl_admin.ed_remove_pdb_ace_by_sgid(
p_pdb_name IN VARCHAR2,
p_vm_sgid  IN VARCHAR2);
TBD
 
ED_REMOVE_PDB_ACE_BY_UUID
Remove an Exadirect ACL entry for each of the service in the specified PDB dbms_sfw_acl_admin.ed_remove_pdb_ace_by_uuid(
p_pdb_name IN VARCHAR2,
p_vm_uuid  IN VARCHAR2);
TBD
 
ED_REMOVE_PDB_ACL
Remove the Exadirect ACL for each of the service in the specified PDB dbms_sfw_acl_admin.ed_remove_pdb_acl(p_pdb_name IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ed_remove_pdb_acl('pdbprod');
 
ED_UPDATE_ACE
Update an Exadirect ACL entry dbms_sfw_acl_admin.ed_update_ace(
p_service_name IN VARCHAR2,
p_vm_uuid      IN VARCHAR2,
p_vm_sgid      IN VARCHAR2);
TBD
 
ED_UPDATE_PDB_ACE
Update an Exadirect ACL entry for each of the service in the specified PDB dbms_sfw_acl_admin.ed_update_pdb_ace(
p_pdb_name IN VARCHAR2,
p_vm_uuid  IN VARCHAR2,
p_vm_sgid  IN VARCHAR2);
TBD
 
GET_CDB_SVCS
Return all services for the CDB, excluding GLOBAL and INTERNAL services dbms_sfw_acl_admin.get_cdb_svcs(p_services OUT SYS_REFCURSOR);
DECLARE
 rc SYS_REFCURSOR;
BEGIN
  dbsfwuser.dbms_sfw_acl_admin.get_cdb_svcs(rc);
END;
/
 
IP_ADD_ACE
Add a new IP ACL entry dbms_sfw_acl_admin.ip_add_ace(
p_service_name IN VARCHAR2,
p_host         IN VARCHAR2); -- can be a hostname, dotted-decimal IPv4 or hexadecimal IPv6 address.
                             -- wildcard "*" for IPv4 and CIDR format allowed.
exec dbsfwuser.dbms_sfw_acl_admin.ip_add_ace('pdbprod', '192.168.42.15');
 
IP_ADD_PDB_ACE
Add a new IP ACL entry for each of the service in the specified PDB dbms_sfw_acl_admin.ip_add_pdb_ace(
p_pdb_name IN VARCHAR2,
p_host     IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ip_add_pdb_ace('ORCL', '127.0.0.1');
 
IP_GET_ACL
Get all IP ACL entries for the specified service name dbms_sfw_acl_admin.ip_get_acl(
p_service_name IN  VARCHAR2,
p_hosts        OUT SYS_REFCURSOR);
DECLARE
 rc SYS_REFCURSOR;
BEGIN
  dbsfwuser.dbms_sfw_acl_admin.ip_get_acl('PDBDEV' rc)
END;
/
 
IP_GET_ACL_SVCS_BY_HOST
Get all service names for a specified host dbms_sfw_acl_admin.ip_get_acl_svcs_by_host(
p_host      IN  VARCHAR2,
p_services  OUT SYS_REFCURSOR);
DECLARE
 rc SYS_REFCURSOR;
BEGIN
  dbsfwuser.dbms_sfw_acl_admin.ip_get_acl_svcs_by_host('127.0.0.1', rc);
END;
/
 
IP_REMOVE_ACE
Remove an IP ACL entry for the specified service name and host dbms_sfw_acl_admin.ip_remove_ace(
p_service_name IN VARCHAR2,
p_host         IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_ace('PDBDEV', '127.0.0.1');
 
IP_REMOVE_ACL
Remove all IP ACL entries for the specified service name dbms_sfw_acl_admin.ip_remove_acl(p_service_name IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_acl('PDBDEV');
 
IP_REMOVE_PDB_ACE
Remove an IP ACL entry for each of the service in the specified PDB dbms_sfw_acl_admin.ip_remove_pdb_ace(
p_pdb_name IN VARCHAR2,
p_host     IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_pdb_ace('PDBDEV', '127.0.0.1');
 
IP_REMOVE_PDB_ACL
Remove the IP ACL for each of the service in the specified PDB dbms_sfw_acl_admin.ip_remove_pdb_acl(p_pdb_name IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_pdb_acl('PDBDEV');

Related Topics
Built-in Functions
Built-in Packages
DBMS_NETWORK_ACL_ADMIN
DBMS_NETWORK_ACL_UTIL
Ref Cursors
Security
What's New In 18c
What's New In 19c

Morgan's Library Page Footer
This site is maintained by Dan Morgan. Last Updated: This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2019 Daniel A. Morgan All Rights Reserved
  DBSecWorx