Introduction:
An ACL, as the name infers, is basically a list of who can access what and with which privileges.
-
- Who denote for Principal of an ACL/User/Role or Public.
- What denote for Host/Port ranges.
- Which denote for Connect or Resolve or both Connect and Resolve.
So, connect allows to connect to a host and send/receive data , where as resolve allows to look up hostnames / ip addresses with UTL_INADDR package.
New Network ACL’s are expansion of the acl facilities of the XDB subsystem. 11g introduced a new security measure called Access Control Lists (ACL) and all network access is blocked by default.
ACL’s in Oracle databases:
Database Versions |
11g |
12c |
18c |
19c |
Definition | ACL’s are first introduced in 11g , To have Fine-Grained access control for the packages UTL_SMTP, UTL_TCP, UTL_MAIL, UTL_HTTP and UTL_INADDR to access external network resources by the users. |
Network ACL’s are known as Real Application Security ACLs in 12c and existing ACLs are migrated from XML DB ACLs and renamed during upgrade. | Real Application Security encompasses access control lists (ACLs) and supports grants, denials, and various conflict resolution methods. |
Real Application Security encompasses access control lists (ACLs) and supports grants, denials, and various conflict resolution methods. |
Deprecated subprograms | There are no deprecated features for this release |
Deprecated sub-programs ADD_PRIVILEGE Procedure |
There are no deprecated features for this release | There are no deprecated features for this release |
Syntax for operations on ACL:
Create ACL |
Assign ACL |
Unassign ACL |
BEGIN DBMS_NETWORK_ACL_ADMIN.create_acl ( acl => ‘test.xml’, description => ‘test’, principal => ‘APPS’, is_grant => TRUE, privilege => ‘connect’, start_date => SYSTIMESTAMP, end_date => NULL); commit; end; / |
BEGIN DBMS_NETWORK_ACL_ADMIN.assign_acl ( acl => ‘test.xml’, host => ‘test.myblog.com’, lower_port => 80, upper_port => 80); end; / |
begin dbms_network_acl_admin.unassign_acl( acl => ‘test.xml’, host => ‘test.myblog.com’, lower_port => 80, upper_port => 80 ); end; / |
Add privilege |
Drop ACL |
Delete privilege |
||||
BEGIN DBMS_NETWORK_ACL_ADMIN.add_privilege ( acl => ‘test.xml’, principal => ‘APPS’, is_grant => FALSE, privilege => ‘resolve’, position => NULL, start_date => NULL, end_date => NULL); COMMIT; END; / |
begin DBMS_NETWORK_ACL_ADMIN.drop_acl (acl => ‘test.xml’); COMMIT; END; / |
begin dbms_network_acl_admin.delete_privilege(‘test.xml’, ‘APPS’, NULL, ‘connect’); end; / |
||||
|
||||||
How to migrate ACL’s | 1.Check for existing Network ACLs before the upgrade. 2.Preserve existing network ACLs and privileges (DBA_NETWORK_ACLS and DBA_NETWORK_ACL_PRIVILEGES) in an intermediate staging table. 3.Preserving the existing privileges in a table enables you to restore them if the automatic migration fails, or if you want to roll back an upgrade. |
|||||
Note:
From 11.1.0.7 , We can regenerate the ACL Creation Script Based on the Contents Of DBA_NETWORK_ACLS (Doc ID 1634275.1)