Security Advisory
This package serves as a policy administration interface for Real Application Security (RAS): it schedules automatic refresh of the static ACL for a user table and changes the ACL refresh mode to on-commit or on-demand.
Oracle has, very responsibly, granted no EXECUTE permission on this package, so there are no obvious default weaknesses. That said, the fact that this package is part of RAS means that care must be taken to document and audit access to it and use of it.
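As an added example (not from this page or from Oracle), the checks a DBA can run to confirm the "no privileges granted" model stated above and to audit use of the package. It assumes unified auditing (12c or later) and that the policy name xs_ds_util_exec_pol is free.

```sql
-- Added example: verify that SYS.XS_DATA_SECURITY_UTIL has no grants and
-- audit every call to it. Assumes unified auditing (12c+); the policy name
-- xs_ds_util_exec_pol is an assumed name, not an Oracle default.

-- 1. Direct object grants on the package: expect no rows.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'XS_DATA_SECURITY_UTIL';

-- 2. EXECUTE ANY PROCEDURE reaches SYS-owned packages only when
--    O7_DICTIONARY_ACCESSIBILITY is TRUE; confirm it is FALSE and review
--    who holds the system privilege anyway.
SELECT name, value
FROM   v$parameter
WHERE  name = 'o7_dictionary_accessibility';

SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'EXECUTE ANY PROCEDURE';

-- 3. Record every EXECUTE against the package, successful or not.
CREATE AUDIT POLICY xs_ds_util_exec_pol
  ACTIONS EXECUTE ON sys.xs_data_security_util;
AUDIT POLICY xs_ds_util_exec_pol;

-- 4. Review what the policy captured; return_code <> 0 marks failed calls.
SELECT event_timestamp, dbusername, os_username, userhost,
       action_name, object_name, return_code, sql_text
FROM   unified_audit_trail
WHERE  UPPER(unified_audit_policies) LIKE '%XS_DS_UTIL_EXEC_POL%'
ORDER  BY event_timestamp DESC;
```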

Recommended Security Rules
NEVER
- Grant access to this package to any user for any reason
WITH GREAT CARE
- Review audit logs for package use or attempts to use this package
CAUTIONS

How Oracle Works
Oracle has released an option named Real Application Security (RAS) that contains a lot of moving pieces, of which this package is one.
We are currently working on a single comprehensive monograph to explain RAS from the standpoint of what it offers, the pieces required to make it work, and the risks associated either with its use or with how Oracle has implemented it, if any are found.

XS_DATA_SECURITY_UTIL Package Information

AUTHID
CURRENT_USER

Data Types
TYPE objnametype IS TABLE OF VARCHAR2(130)
INDEX BY BINARY_INTEGER;

TYPE objnumtype IS TABLE OF NUMBER
INDEX BY BINARY_INTEGER;
Dependencies
ACLMV$
ACLMV$_REFLOG
ACLMVREFSTAT$
ALL_MVIEWS
DBMS_ASSERT
DBMS_MVIEW
DBMS_OUTPUT
DBMS_SCHEDULER
DBMS_SNAP_INTERNAL
DBMS_SQL
DBMS_SYSTEM
DBMS_SYS_SQL
DBMS_XDS_LIB
OBJ$
PLITBLM
SNAP$
USER$
XS_ADMIN_UTIL
XS_DATA_SECURITY_UTIL_INT

Documented
Partially: check the online TYPES AND PACKAGES reference and the REAL APPLICATION SECURITY ADMINISTRATOR'S AND DEVELOPER'S GUIDE to determine which objects in this package are supported.
As of this writing only 2 of the 5 subprograms are documented.
Exceptions
Error Code   Reason
46025        No static rule specified in applied policy

First Available
12cR1

Security Model
Owned by SYS with no privileges granted

Source
{ORACLE_HOME}/rdbms/admin/xsds.sql

Subprograms

ALTER_STATIC_ACL_REFRESH
Alters the refresh mode of the ACLMV for a table, removing any refresh schedule for that ACLMV (see SCHEDULE_STATIC_ACL_REFRESH)
xs_data_security_util.alter_static_acl_refresh(
schema_name  IN VARCHAR2 := NULL,
table_name   IN VARCHAR2,
refresh_mode IN VARCHAR2); -- refresh mode for the internal ACLMV: 'ON DEMAND' and 'ON COMMIT' are the only legal values
PRAGMA SUPPLEMENTAL_LOG_DATA(alter_static_acl_refresh, AUTO_WITH_COMMIT);

exec xs_data_security_util.alter_static_acl_refresh('UWCLASS', 'SERVERS', xs_data_security_util.aclmv_on_commit);

PURGE_ACL_REFRESH_HISTORY
Purges the ACL refresh history for the table's ACL MV
xs_data_security_util.purge_acl_refresh_history(
object_schema IN VARCHAR2 := NULL,
object_name   IN VARCHAR2,
purge_date    IN DATE := NULL);
PRAGMA SUPPLEMENTAL_LOG_DATA(purge_acl_refresh_history, AUTO_WITH_COMMIT);

exec xs_data_security_util.purge_acl_refresh_history('UWCLASS', 'SERVERS', SYSDATE);

SELECT *
FROM sys.aclmvrefstat$;

SCHEDULE_STATIC_ACL_REFRESH
Schedules automatic refresh of an ACL MV, changing the refresh mode to "ON DEMAND"
xs_data_security_util.schedule_static_acl_refresh(
schema_name     IN VARCHAR2 := NULL,
table_name      IN VARCHAR2,
start_date      IN TIMESTAMP WITH TIME ZONE := NULL,
repeat_interval IN VARCHAR2 := NULL,
comments        IN VARCHAR2 := NULL);
-- Bug 22545933: Enable log based replication for the procedure
PRAGMA SUPPLEMENTAL_LOG_DATA(schedule_static_acl_refresh, AUTO_WITH_COMMIT);

exec xs_data_security_util.schedule_static_acl_refresh('UWCLASS', 'SERVERS', SYSTIMESTAMP+1, 'freq=hourly; interval=4', 'Refresh On Demand');

SET_TRACE_LEVEL
Sets the debugging trace level
xs_data_security_util.set_trace_level(
schema_name IN VARCHAR2,
table_name  IN VARCHAR2,
level       IN NUMBER);

exec xs_data_security_util.set_trace_level('UWCLASS', 'SERVERS', 8);

SELECT *
FROM sys.aclmv$_reflog;

XS$REFRESH_STATIC_ACL
Scheduler callback procedure to refresh an ACL MV
xs_data_security_util.xs$refresh_static_acl(
schema_name IN VARCHAR2,
table_name  IN VARCHAR2,
mview_name  IN VARCHAR2,
job_name    IN VARCHAR2);

exec xs_data_security_util.xs$refresh_static_acl('SEC_MGR', 'SECTAB', 'SEC_TAB_MV', 'SECJOB');

Related Queries
Status of the most recent ACL refresh jobs
desc dba_xds_latest_acl_refstat

History of ACL refresh job status
desc dba_xds_refstat