Oracle9i XML Database Developer's Guide - Oracle XML DB
Release 2 (9.2)

Part Number A96620-02
18 Oracle XML DB Resource Security

This chapter describes the access control list (ACL) based security mechanism for Oracle XML DB resources. It describes how to create ACLs, how to set and change ACLs on resources, and how ACL security interacts with other database security mechanisms.

This chapter contains the following sections:

Introducing Oracle XML DB Resource Security and ACLs

Oracle XML DB maintains object-level security for any resource in Oracle XML DB Repository hierarchy.


Note:

XML objects not stored in Oracle XML DB Repository do not have object-level access control.


Oracle XML DB uses an access control list (ACL) mechanism to restrict access to any Oracle XML DB resource or database object mapped to Oracle XML DB Repository.

The Oracle XML DB ACL security mechanism supports the WebDAV ACL specification. ACLs are a standard security mechanism used in Java, Windows NT, and other systems.

The Oracle XML DB ACL security mechanism is designed to handle large volumes of XML data stored in Oracle9i database. Privileges can be granted or denied to the principal dav:owner, which represents the owner of the document, whoever that owner is.

How the ACL-Based Security Mechanism Works

Before a user performs an operation or method on a resource, a check of privileges for the user on the resource takes place. The set of privileges checked depends on the operation or method performed. For example, to increase employee Scott's salary by 10 percent, READ and WRITE privileges are needed for the scott/salary.xml resource.

Access Control List Terminology

A few access control list (ACL) terms are described here:

Oracle XML DB ACL Features

Oracle XML DB supports the following ACL features:

ACL Interaction with Oracle XML DB Table/View Security

Users must have the appropriate privilege on the underlying table/view where the XML object is stored, as well as permissions through the ACL for that individual instance.


Note:

Some, but not all, objects in a particular table may be mapped to Oracle XML DB resources. In that case, only those objects mapped into the Oracle XML DB Repository hierarchy have ACL checking done, although they will all have table-level security.


LDAP Integration and User IDs

LDAP is integrated with Oracle XML DB to allow external users access to Oracle XML DB. External users can perform the same operations that a local database user can.

Oracle XML DB Resource API for ACLs (PL/SQL)

The PL/SQL API for ACL security allows the PL/SQL developer access to the security mechanisms, to check privileges given a particular ACL, and to list the set of privileges the current user has for a particular ACL and object.

See Also:

Oracle9i XML API Reference - XDK and Oracle XML DB

How Concurrency Issues Are Resolved with Oracle XML DB ACLs

Oracle XML DB ACLs are cached for very fast evaluation. When a transaction modifying an ACL is committed, the modified ACL is picked up after the time-out specified in the Oracle XML DB configuration file is up. The XPath for this configuration parameter is /xdbconfig/sysconfig/acl-max-age.

Access Control: User and Group Access

The principal can be either an individual user or a group. A group is also referred to as a collection. A user is granted access as a group principal if the user has been granted a database role.

Access privileges for each principal are stored in access control entries (ACEs) in the ACL.

Example 18-1 ACE Entries in an ACL for Controlling User and Group Access

The following example shows entries in an ACL:

<acl description="myacl"
      xmlns="http://xmlns.oracle.com/xdb/acl.xsd"
      xmlns:dav="DAV:"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl.xsd
                          http://xmlns.oracle.com/xdb/acl.xsd">
  <ace>
    <principal>OWNER</principal>
    <grant>true</grant>
    <privilege>
      <all/>
    </privilege>
  </ace>
</acl>

ACE Elements Specify Access Privileges for Principals

The preceding ACL grants all privileges to the owner of the document. Access to an Oracle XML DB resource is granted for each principal. Table 18-1 lists the access control entry (ACE) elements. Each ACE element specifies access privileges for a given principal using values set for the following elements.

Table 18-1 Access Control Entry (ACE) Elements

Element      Description
<principal>  Specifies the principal (user or group).
<grant>      A boolean value that specifies whether the principal has been granted access to the resource. A value of true specifies that the access is granted. A value of false specifies that access is denied.
<privilege>  Specifies the privileges granted to the principal.

Oracle XML DB Supported Privileges

Oracle XML DB provides a set of privileges to control access to Oracle XML DB resources. Access privileges in an ACE are stored in the privilege element. Privileges can be:

Atomic Privileges:

  read-properties
  read-contents
  update
  link (applies only to containers)
  unlink (applies only to containers)
  read-acl
  write-acl-ref
  update-acl
  link-to
  unlink-from
  resolve
  dav:lock
  dav:unlock

Aggregate Privileges:

  dav:read (read-properties, read-contents, resolve)
  dav:write (update, link, unlink, unlink-from)
  dav:read-acl (read-acl)
  dav:write-acl (write-acl-ref, update-acl)
  dav:all (dav:read, dav:write, dav:read-acl, dav:write-acl, dav:lock, dav:unlock)

When an ACL is stored in Oracle XML DB, the aggregate privileges retain their identity, that is, they are not decomposed into the corresponding leaf privileges. In WebDAV terms, these are non-abstract aggregate privileges, so they can be used in ACEs.

Atomic Privileges

Table 18-2 lists the atomic privileges supported by Oracle XML DB.

Table 18-2 Atomic Privileges

Privilege Name   Description                                                              Database Counterpart
read-properties  Read the properties of a resource                                        SELECT
read-contents    Read the contents of a resource                                          SELECT
update           Update the properties and contents of a resource                         UPDATE
link             For containers only. Allows resources to be bound to the container.      INSERT
unlink           For containers only. Allows resources to be unbound from the container.  DELETE
link-to          Allows resources to be linked                                            N/A
unlink-from      Allows resources to be unlinked                                          N/A
read-acl         Read the resource's ACL                                                  SELECT
write-acl-ref    Changes the resource's ID                                                UPDATE
update-acl       Change the contents of the resource's ACL                                UPDATE
resolve          For containers only. Allows the container to be traversed                SELECT
dav:lock         Lock a resource using WebDAV locks                                       UPDATE
dav:unlock       Unlock a resource locked using a WebDAV lock                             UPDATE


Note:

Privilege names are XML element names. Privileges with a dav: prefix are part of the WebDAV namespace. Other privileges are part of the Oracle XML DB ACL namespace: http://xmlns.oracle.com/xdb/acl.xsd


Since you can directly access the XMLType storage for ACLs, the XML structure is part of the client interface. Hence ACLs can be manipulated using XMLType APIs.

Aggregate Privileges

Table 18-3 lists the aggregate privileges defined by Oracle XML DB, along with the atomic privileges of which they are composed.

Table 18-3 Aggregate Privileges

Aggregate Privilege Name  Atomic Privileges
all                       All atomic privileges: dav:read, dav:write, dav:read-acl, dav:write-acl, dav:lock, dav:unlock
dav:all                   All atomic privileges except link-to
dav:read                  read-properties, read-contents, resolve
dav:write                 update, link, unlink, unlink-from
dav:read-acl              read-acl
dav:write-acl             write-acl-ref, update-acl

Table 18-4 shows the privileges required for some common operations on resources in Oracle XML DB Repository. The Privileges Required column assumes that you already have resolve privilege on container C and all its parent containers, up to the root of the hierarchy.

Table 18-4 Privileges Needed for Operations on Oracle XML DB Resources

Operation  Description                                    Privileges Required
CREATE     Create a new resource in container C           update and link on C
DELETE     Delete resource R from container C             update and unlink-from on R, update and unlink on C
UPDATE     Update the contents/properties of resource R   update on R
GET        An FTP/HTTP GET of resource R                  read-properties, read-contents on R
SET_ACL    Set the ACL of a resource R                    dav:write-acl on R
LIST       List the resources in container C              read-properties on C, read-properties on resources in C. Only those resources on which the user has read-properties privilege are listed.

ACL Evaluation Rules

To evaluate an ACL, the database collects the list of ACEs applying to the user logged into the current database session. The list of currently active roles for the given user is maintained as a part of the session and is used to match ACEs with the current user. To resolve conflicts between ACEs, the following rule is used: if a privilege is denied by any ACE, the privilege is denied for the entire ACL.

Entries in an ACL must observe the following rule:

Using Oracle XML DB ACLs

Every resource in the Oracle XML DB Repository hierarchy has an associated ACL. The ACL mechanism specifies a privilege-based access control for resources to principals. Whenever a resource is accessed, a security check is performed. The ACL determines which principals have which set of privileges to access the resource. An Oracle XML DB principal can be either of the following:

Each ACL has a list of ACEs. An ACE has the following elements:

Named ACLs also have a name attribute and an optional type restrictor, for example, http://xmlns.oracle.com/xdb/XDBDemo.xsd#PurchaseOrder, that specifies that the ACL may only be applied to instances of that XML element (and elements in a substitution group with that element). Note that a privilege that is neither granted nor denied to a user is assumed to be denied.

To evaluate an ACL, the database collects the list of ACEs applying to the user logged into the current database session. The list of currently active roles for the given user is maintained as a part of the session and is used to match ACEs along with the current user.

To check if a user has a certain privilege, you need to know the ID of the ACL and the owner of the object being secured. The Oracle XML DB hierarchy automatically associates an ACL ID and owner with an object that is mapped into its file system (they are stored in a table in the Oracle XML DB schema).
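As an added illustration of the evaluation rules above (example code written for this page, not code from the Oracle documentation or from DBMS_XDB), the following Python models how an ACL document in the Example 18-1 format is evaluated for a session user: ACEs are matched by user name, by active database role, or by OWNER when the user owns the resource; aggregate privileges are expanded per Table 18-3; a deny in any ACE wins; anything neither granted nor denied is denied; and the resulting set is checked against the requirements of Table 18-4. The ACL document, the users, and the role HR_CLERK are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"acl": "http://xmlns.oracle.com/xdb/acl.xsd", "dav": "DAV:"}

# Aggregate privileges (Table 18-3) expanded to the atomic privileges they contain.
AGGREGATES = {
    "dav:read": {"read-properties", "read-contents", "resolve"},
    "dav:write": {"update", "link", "unlink", "unlink-from"},
    "dav:read-acl": {"read-acl"},
    "dav:write-acl": {"write-acl-ref", "update-acl"},
}
AGGREGATES["dav:all"] = set().union(*AGGREGATES.values()) | {"dav:lock", "dav:unlock"}
AGGREGATES["all"] = AGGREGATES["dav:all"] | {"link-to"}

# Privileges an operation needs on the resource itself (Table 18-4; resolve on parents assumed).
REQUIRED = {"GET": {"read-properties", "read-contents"}, "UPDATE": {"update"},
            "CREATE": {"update", "link"}, "SET_ACL": AGGREGATES["dav:write-acl"]}

# Constructed sample ACL: owner gets all, role HR_CLERK may read and update, user SCOTT is denied update.
SAMPLE_ACL = """<acl xmlns="http://xmlns.oracle.com/xdb/acl.xsd" xmlns:dav="DAV:">
  <ace><principal>OWNER</principal><grant>true</grant><privilege><all/></privilege></ace>
  <ace><principal>HR_CLERK</principal><grant>true</grant>
       <privilege><dav:read/><update/></privilege></ace>
  <ace><principal>SCOTT</principal><grant>false</grant><privilege><update/></privilege></ace>
</acl>"""

def privilege_name(elem):
    """Turn ElementTree's {namespace}tag into the privilege name used in the tables."""
    ns, _, local = elem.tag[1:].partition("}")
    return "dav:" + local if ns == "DAV:" else local

def effective_privileges(acl_xml, user, roles, owner):
    """Atomic privileges `user` (holding database `roles`) has under the ACL: an ACE applies
    when its principal is the user, one of the roles, or OWNER while the user owns the
    resource; a deny in any ACE wins; anything not granted is denied."""
    granted, denied = set(), set()
    for ace in ET.fromstring(acl_xml).findall("acl:ace", NS):
        principal = ace.findtext("acl:principal", "", NS)
        applies = (user == owner) if principal == "OWNER" else (principal == user or principal in roles)
        if not applies:
            continue
        bucket = granted if ace.findtext("acl:grant", "false", NS) == "true" else denied
        privilege = ace.find("acl:privilege", NS)
        for p in (privilege if privilege is not None else ()):
            bucket |= AGGREGATES.get(privilege_name(p), {privilege_name(p)})
    return granted - denied

def can_perform(operation, acl_xml, user, roles, owner):
    """True when the user holds every privilege Table 18-4 requires for the operation."""
    return REQUIRED[operation] <= effective_privileges(acl_xml, user, roles, owner)
```

The SCOTT case shows why a deny ACE is the right tool for an exception: the grant he receives through HR_CLERK still applies, but the explicit deny removes update from the result, while read-only operations keep working.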

Updating the Default ACL on a Folder

Example 18-2 Updating the Default ACL on a Folder and the Owner of the Folder

This example creates two users: an Oracle XML DB administrator, xdbadmn (who holds the XDBADMIN role), and an Oracle XML DB user, xdbuser. The administrator creates the user's folder under '/'. The default ACL on this folder, inherited from the parent container, allows:

The owner of the folder is then changed to the user by updating the resource_view. You can also make the user's folder completely private by changing its ACL to another system ACL, such as all_owner_acl.xml.

connect system/manager

Rem Create an Oracle XML DB administrator user (has XDBADMIN role)
grant connect, resource, xdbadmin to xdbadmn identified by xdbadmn;

Rem Create Oracle XML DB user
grant connect, resource to xdbuser identified by xdbuser;

conn xdbadmn/xdbadmn

Rem create the user's folder
declare
retval boolean;
begin
retval := dbms_xdb.createfolder('/xdbuser');
end;
/

Rem update the OWNER of the user folder
update resource_view
set res = updatexml(res, '/Resource/Owner/text()', 'XDBUSER')
where any_path = '/xdbuser';

commit;

connect xdbuser/xdbuser

Rem XDBUSER has full permissions to operate on her folder
declare
retval boolean;
begin
retval := dbms_xdb.createfolder('/xdbuser/workdir');
end;
/

Rem All users can read /xdbuser folder at this time.
Rem change ACL to make folder completely private
call dbms_xdb.setacl('/xdbuser', '/sys/acls/all_owner_acl.xml');

ACL and Resource Management

The following subsections describe ACL and resource management in Oracle XML DB Repository.

See Also:

Chapter 21, "Managing Oracle XML DB Using Oracle Enterprise Manager"

How to Set Resource Property ACLs

Any Oracle XML DB resource has an ACL as a resource property. To set the ACL resource property, use any of the following methods:

Default Assignment of ACLs

When a resource is inserted into the Oracle XML DB hierarchy, and the resource does not specify an ACL, it shares the ACL of its parent container.

Retrieving ACLs for a Resource

The following DBMS_XDB API can be used to get the ACL for a given resource:

DBMS_XDB.getAclDocument(res_path IN VARCHAR2)

It returns an XMLType instance of <acl> element representing the ACL for the resource at res_path.

Changing Privileges on a Given Resource

The following DBMS_XDB API can be used to add an ACE to a resource's ACL:

DBMS_XDB.changePrivileges(res_path IN VARCHAR2, ace IN XMLType)

Restrictions for Operations on ACLs

All named ACLs are XML schema-based resources in the Oracle XML DB Repository hierarchy. Every method used for other resources in Oracle XML DB Repository hierarchy can also be used for ACLs. For example, FTP commands, PL/SQL DOM, and XMLType methods can operate on ACLs. However, because ACLs are part of the access control security scheme and Oracle XML DB Repository hierarchy, the following restrictions are enforced:

Using DBMS_XDB to Check Privileges

You can enforce Oracle XML DB access control using the following DBMS_XDB functions:

Row-Level Security for Access Control Security

ACL security in Oracle XML DB acts in conjunction with database security for XML objects. The user must have the appropriate rights on the underlying table/view where the XML object is stored as well as permissions in the ACL for that individual instance. When an object from a particular table is first stored in the Oracle XML DB hierarchy (and mapped to a resource), a row-level security (RLS) policy is added to that table that checks ACL-based permission only for those rows in the table that are mapped to a resource. RLS is enforced for XMLType tables or views that are part of the Oracle XML DB hierarchy.