5.1 DIRECTORY Objects
A BFILE locator is initialized by using the function BFILENAME(DIRECTORY, FILENAME). This section describes how to initialize the DIRECTORY Object.
A DIRECTORY object specifies a logical alias name for a physical directory on the database server file system under which the file to be accessed is located. You can access a file in the server file system only if you have the required access privilege on the DIRECTORY object. You can also use Oracle Enterprise Manager Cloud Control to manage the DIRECTORY objects.
The DIRECTORY object provides the flexibility to manage the locations of
the files, instead of forcing you to hard-code the absolute path names of physical files
in your applications.
A DIRECTORY object name is used in conjunction with the BFILENAME function, in SQL and PL/SQL, or the OCILobFileSetName() function in OCI, for initializing a BFILE locator.
- DIRECTORY Name Specification
You must haveCREATE ANY DIRECTORYsystem privilege to create directories. - Security on Directory Objects
This section describes the security onDIRECTORYobjects.
See Also:
-
CREATEDIRECTORYin Oracle AI Database SQL Language Reference -
See Oracle AI Database Administrator's Guide for the description of Oracle Enterprise Manager Cloud Control
Parent topic: BFILEs
5.1.1 DIRECTORY Name Specification
You must have CREATE ANY DIRECTORY system privilege to create directories.
The naming convention for DIRECTORY objects is the same as that for
tables and indexes. That is, normal identifiers are interpreted in uppercase, but
delimited identifiers are interpreted as is. For example, the following statement:
CREATE OR REPLACE DIRECTORY scott_dir AS '/usr/home/scott';
creates or redefines a DIRECTORY object whose name is 'SCOTT_DIR' (in uppercase). But if a delimited identifier is used for the DIRECTORY name, as shown in the following statement
CREATE DIRECTORY "Mary_Dir" AS '/usr/home/mary';
then the DIRECTORYdirectory object name is 'Mary_Dir'. Use 'SCOTT_DIR' and 'Mary_Dir' when calling BFILENAME. For example:
BFILENAME('SCOTT_DIR', 'afile')
BFILENAME('Mary_Dir', 'afile')
WARNING:
The database does not verify that the directory and path name you specify actually exist. You must ensure to specify a valid directory name in your operating system. If your operating system uses case-sensitive path names, then be sure that you specify the directory name in the correct format. There is no requirement to specify a terminating slash (for example, /tmp/ is not necessary, simply use /tmp).
Directory specifications cannot contain ".." anywhere in the path (for
example: ../../abc/def or abc/../def or
abc/def/hij..
On Windows Platform
On Windows platforms the directory names are case-insensitive. Therefore the following two statements refer to the same directory:
CREATE DIRECTORY "big_cap_dir" AS "g:\data\source"; CREATE DIRECTORY "small_cap_dir" AS "G:\DATA\SOURCE";
Parent topic: DIRECTORY Objects
5.1.2 Security on Directory Objects
This section describes the security on DIRECTORY objects.
The DIRECTORY object model has two distinct levels of security:
- SQL DDL:
CREATEorDROPaDIRECTORYobject - SQL DML:
READsystem and object privileges onDIRECTORYobjects
DBA Privileges: CREATE /
DROP DIRECTORY
The DIRECTORY object is a system owned object.
Oracle AI Database supports the following system
privileges, which are granted only to DBA:
-
CREATEANYDIRECTORY: For creating or altering theDIRECTORYobject creation -
DROPANYDIRECTORY: For deleting theDIRECTORYobject
WARNING:
BecauseCREATE ANY DIRECTORY and DROP ANY DIRECTORY privileges potentially expose the server file system to all database users, the DBA should be prudent in granting these privileges to normal database users to prevent security breach.
See Also:
Oracle AI Database SQL Language Reference for information about system owned objects,CREATE DIRECTORY and
DROP DIRECTORY
USER Privileges: READ Permission on the Directory
READ permission on the DIRECTORY
object enables you to read files located under that directory. The creator of the
DIRECTORY object automatically earns the READ
privilege.
If you have been granted the READ permission with GRANT option, then you may in turn grant this privilege to other users or roles and then add them to your privilege domains.
Note:
TheREAD permission is defined only on the DIRECTORY object, not on individual files. Hence there is no way to assign different privileges to files in the same directory.
The physical directory that it represents may or may not have the corresponding operating system privileges (read in this case) for the Oracle Server process.
It is the responsibility of the DBA to ensure the following:
- That the physical directory exists
- Read permission for the Oracle Server process is enabled on the file, the directory, and the path leading to it
- The directory remains available, and read permission remains enabled, for the entire duration of file access by database users
The privilege just implies that as far as the Oracle Server is concerned,
you may read from files in the directory. These privileges are checked and enforced
by the PL/SQL DBMS_LOB package and OCI APIs at the time of the
actual file operations.
See Also:
- Guidelines for DIRECTORY Usage
- Oracle AI Database SQL
Language Reference for information about the
GRANT, REVOKEandAUDITsystem and object privileges that provide security forBFILEs.
Catalog Views on DIRECTORY Objects
Catalog views are provided for DIRECTORY objects to enable users to view object names and corresponding paths and privileges. Following are the supported views:
ALL_DIRECTORIES(OWNER,DIRECTORY_NAME,DIRECTORY_PATH)This view describes all directories accessible to the user.
DBA_DIRECTORIES(OWNER,DIRECTORY_NAME,DIRECTORY_PATH)This view describes all directories specified for the entire database.
Parent topic: DIRECTORY Objects