An explanation of the Oracle ACL (Access Control List)

Source: Internet
Author: User

Oracle 11g brought many security improvements. For network permission control it introduced a new concept, the ACL (Access Control List), which provides fine-grained permission control. Before ACLs, packages such as UTL_MAIL and UTL_SMTP could be used to connect to external hosts, and by default these packages were all granted to PUBLIC, which left them open to malicious tools that exploit these PL/SQL packages. Oracle introduced the ACL to solve this problem.

Before going into ACLs in detail, let us define a few concepts. The ACL is not an Oracle invention: ACLs are used for rights management in many places, including operating systems. In general, permission management comes down to one question: who may do what on which object? This maps directly onto the ACL model: a principal has certain privileges on a certain object. The "who" is the principal, the "which object" is the object, and the "what" is the privilege. With this fine-grained control we can define which users have which permissions on a remote host. ACLs are managed mainly through the built-in package DBMS_NETWORK_ACL_ADMIN.

First, we create an ACL.

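BEGIN
  dbms_network_acl_admin.create_acl(
    acl         => 'test.xml',
    description => 'Just a test for ACL',
    principal   => 'COOLMA',    -- case-sensitive; unquoted user names are stored in uppercase
    is_grant    => TRUE,
    privilege   => 'connect');  -- case-sensitive; must be lowercase
END;
/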


This creates the ACL and grants the connect privilege to the user COOLMA. Next, add a second privilege:


BEGIN
  dbms_network_acl_admin.add_privilege(
    acl       => 'test.xml',
    principal => 'COOLMA',
    is_grant  => TRUE,
    privilege => 'resolve');  -- case-sensitive; must be lowercase
END;
/


This adds the resolve privilege for the user COOLMA to the existing ACL.

BEGIN
  dbms_network_acl_admin.assign_acl(
    acl  => 'test.xml',
    host => 'www.baidu.com');
  COMMIT;  -- ACL changes are transactional and take effect only after commit
END;
/



This assigns the host www.baidu.com to our ACL.

Now the user COOLMA can connect to and resolve the host www.baidu.com. You can verify this through the DBA_NETWORK_ACLS data dictionary view.

column host format a30
column acl format a30
set linesize 2000
select * from dba_network_acls;

------------------------------ ---------- ---------- ------------------------------ --------------------------------
www.baidu.com                                        /sys/acls/test.xml             fe6427f3aee81311e0436d01a8c07a8b
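DBA_NETWORK_ACLS shows only which host maps to which ACL; the principals and privileges are in DBA_NETWORK_ACL_PRIVILEGES. The following audit query is an added example, not part of the original article. It assumes the Oracle 11g dictionary views and a session that may read the DBA_* views, and the "review" column and its labels are illustrative.

```sql
-- Added example: list every network ACL grant with the host it applies to,
-- and mark grants that are broader than a single user on a single host.
column host      format a30
column acl       format a30
column principal format a20
column privilege format a10
column review    format a45

select a.host,
       a.lower_port,
       a.upper_port,
       a.acl,
       p.principal,
       p.privilege,
       p.is_grant,
       case
         when p.is_grant = 'true' and p.principal = 'PUBLIC'
           then 'granted to PUBLIC: every account can use it'
         when p.is_grant = 'true' and a.host = '*'
           then 'wildcard host: any destination'
         when p.is_grant = 'true' and a.host like '*.%'
           then 'wildcard domain'
         when p.is_grant = 'true' and p.privilege = 'connect'
              and a.lower_port is null
           then 'connect with no port range: all ports'
       end as review
  from dba_network_acls a
  join dba_network_acl_privileges p on p.aclid = a.aclid
 order by a.host, p.principal, p.privilege;

-- Effective result for one user in the ACL created above:
-- 1 = granted, 0 = denied, NULL = the ACL says nothing about this user.
select dbms_network_acl_admin.check_privilege('test.xml', 'COOLMA', 'connect') as connect_ok,
       dbms_network_acl_admin.check_privilege('test.xml', 'COOLMA', 'resolve') as resolve_ok
  from dual;
```

For the ACL built in this article, the first query returns two rows for www.baidu.com (connect and resolve for COOLMA); the connect row is marked because no port range was given to assign_acl.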



To give another user access, add that user to the ACL in the same way as COOLMA.

The ACLs described above apply only to the UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP and UTL_INADDR packages, the DBMS_LDAP package, and the HTTPURITYPE type. I hope this article will help you.
