Oracle | RAS: Real Application Security

Oracle Real Application Security (RAS) Version 12.1

General Information

Library Note

Morgan's Library Page Header

ACE Director Alum Daniel Morgan, founder of Morgan's Library, is scheduling complimentary technical Workshops on Database Security for the first 30 Oracle Database customers located anywhere in North America, EMEA, LATAM, or APAC that send an email to asra_us@oracle.com. Request a Workshop for your organization today.

Purpose

Dependencies

DBA_ACL_NAME_MAP	DBA_XDS_ACL_REFRESH	DBMS_XS_PRINCIPALS
DBA_HOST_ACLS\|	DBA_XDS_ACL_REFSTAT	DBMS_XS_SESSIONS
DBA_NETWORK_ACLS	DBA_XDS_LATEST_ACL_REFSTAT	XS$ACE_TYPE
DBA_NETWORK_ACL_PRIVILEGES	DBA_XS_ACLS	DBMS_XS_SESSIONS_FFI
DBA_WALLET_ACLS	DBA_XS_ACL_PARAMETERS

RAS Functions

COLUMN_AUTH_INDICATOR	ORA_CHECK_PRIVILEGE	TO_ACLID
ORA_CHECK_ACL	ORA_GET_ACLIDS	XS_SYS_CONTEXT

RAS Packages

DBMS_XS_SESSIONS	XS_DATA_SECURITY	XS_NAMESPACE
XS_ACL	XS_DATA_SECURITY_UTIL	XS_PRINCIPAL
XS_ADMIN_UTIL	XS_DIAG	XS_SECURITY_CLASS

RAS Functions

COLUMN_AUTH_INDICATOR
Checks if the specified table column is authorized on a particular table row COLUMN_AUTH_INDICATOR(col) RETURN BOOLEAN;

TBD

ORA_CHECK_ACL

Checks if an application user has the queried application
privileges according to a list of ACLs ora_check_acl(XS_Operator IN HEX_NUMBER, arg2, arg3) RETURN BOOLEAN ORA_CHECK_ACL( acls IN RAW, (privileges IN VARCHAR(128))+) return NUMBER;

SELECT ora_check_acl(2147483661,  2147483653, NULL) FROM dual;

                           *

      ERROR at line 1:

      ORA-00932: inconsistent datatypes: expected BINARY got NUMBER

ORA_CHECK_PRIVILEGE

Checks if the specified system privileges have been granted to an application user

As can be seen in the demo at right I was unable to find a valid combination that would return a 1 ora_check_privilege( arg1 IN VARCHAR2, arg2 IN VARCHAR2) RETURN NUMBER;

SELECT ora_check_privilege('SYS', 'CREATE TABLE') FROM dual;

      

      SELECT ora_check_privilege('CREATE TABLE', 'SYS') FROM dual;

      

      SQL> SELECT ora_check_privilege('A', 'B', 'C', 'D','E','F','G','H')

        2  FROM dual;

      

      ORA_CHECK_PRIVILEGE('A','B','C','D','E','F','G','H')

      ----------------------------------------------------

                                                         0

ORA_GET_ACLIDS

Returns a list of ACL identifiers associated with an object instance of the
XDS-enabled tables for the current application user ORA_GET_ACLIDS ( table_alias IN VARCHAR2, privileges IN VARCHAR(128))+) RETURN RAW;

The example on page 10-4 of the docs is nonsense

TO_ACLID

Appears able to converts an unknown value, possibly an ACL name to an ACL_ID but, as in the demo at right, I can prove the function exits but not get it working properly to_aclid(<arg> IN VARCHAR2) RETURN VARCHAR2;

SELECT to_aclid(name)

      FROM xs$obj;

      FROM xs$obj

           *

      ERROR at line 2:

      ORA-46114: ACL name XSAUTHENTICATED not found.

      

      TO_ACLID(

      (acls IN VARCHAR(128))+)

      return NUMBER;

XS_SYS_CONTEXT (Introduced 11.1.0.6)

Retrieves the session attributes and the XS$GLOBAL_VAR namespace
attribute for the current application session

Known CONTEXT attributes:
CURRENT_XS_USER
SESSION_ID
SESSION_XS_USER_GUID xs_sys_context( namespace IN VARCHAR2 attribute IN VARCHAR2) RETURN VARCHAR2;

SQL> SELECT xs_sys_context('XS$SESSION','CURRENT_XS_USER')

        2  FROM dba_xs_users;

      

      XS_SYS_CONTEXT('XS$SESSION','CURRENT_XS_USER')

      -----------------------------------------------

      

      

      SQL> SELECT name

        2  FROM dba_xs_users

        3* WHERE name = xs_sys_context('XS$SESSION','CURRENT_XS_USER');

      

      no rows selected

From %$ORACLE_HOME/rdbms/admin SQL> DECLARE 2 sessID RAW(64); 3 BEGIN 4 dbms_xs_sessions.create_session('MORGAN', sessID, is_external=>TRUE); 5 dbms_output.put_line(sessID); 6* END; 7 / 1E72B33ED6E040AEAFB4896F81582932 SELECT xs_sys_context('XS$SESSION', 'SESSION_XS_USER_GUID') FROM dual; SELECT xs_sys_context('XS$SESSION', 'SESSION_ID') FROM dual;

Morgan's Library Page Footer

This site is maintained by Dan Morgan. Last Updated:

DBSecWorx