1. Database Installation Guide
  2. Setup and Configuration of the Database Server
  3. Fine-Grained Access to Network Services in Oracle Database

1.7 Fine-Grained Access to Network Services in Oracle Database

Oracle allows access to external network services using several PL/SQL APIs (UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP and UTL_INADDR), all of which are implemented using the TCP protocol.

An Access Control Entry can be limited to specific PL/SQL APIs (UTL_TCP, UTL_INADDR, UTL_HTTP, UTL_SMTP, and UTL_MAIL).

In a multitenant environment, Access Control Entries (ACEs) can be created at the CDB or PDB level. For the examples in this article, all the host ACLs and host ACEs will be created at the PDB level. The following code creates two test users in a PDB.

Append an Access Control List (ACE)

Host ACL are never created directly. Instead, they are implicitly created when we append a host Access Control Entry (ACE) using the DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE procedure. If we append a new ACE to a host that has no existing host ACL, a new host ACL is implicitly created. If the host already has an ACL, the new host ACE will be appended to the existing host ACL.

Login to SQL*Plus as the SYS user.

Figure 1-23 Command prompt window 22


Description of Figure 1-23 follows
Description of "Figure 1-23 Command prompt window 22"

Append a second host to the existing ACL

Figure 1-24 Command prompt window 23


Description of Figure 1-24 follows
Description of "Figure 1-24 Command prompt window 23"

Parameter Definitions

The parameters used in the procedures and functions above.

Table 1-10 Parameters and Description

Parameters Description
host Any valid host name or IP address. Wildcards are allowed.
lower_port Specific port number, or lower part of a range of ports.
upper_port Upper part of a range of ports. If NULL, it defaults to the lower_port value.
ace The access control entry, defined using the XS$ACE_TYPE type.

The XS$ACE_TYPE type has the following definition.

Figure 1-25 Command prompt window 24


Description of Figure 1-25 follows
Description of "Figure 1-25 Command prompt window 24"

Table 1-11 Parameters and Description

Parameters Description
privilege_list The list of privileges available to the ACE.
princi­pal_name The database user the ACE applies to.
principal_­type You will always use XS_ACL.PTYPE_DB for these network ACEs as they apply to users and roles.

The privilege_list specifies one or more privileges in a comma separated list. The available privileges are shown below.

Table 1-12 Parameters and Description

Parameters Description
http Access restricted to the UTL_HTTP package and the HttpUriType type.
http_proxy Needed in conjunction with http if HTTP access is via a proxy.
smtp Access restricted to the UTL_SMTP and UTL_MAIL packages.
resolve Access restricted to the UTL_INADDR packages.
connect Opens access to the UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, and DBMS_LDAP packages and the HttpUriType type.
jdwp Enables Java Debug Wire Protocol debugging operations.

Parent topic: Setup and Configuration of the Database Server