DB version : 19c on RHEL 7.9
I am familiar with ACLs at OS (Linux) layer.
But, I have never worked with ACLs/ACEs in Oracle database layer.
So, I googled about ACL, ACEs, DBMS_NETWORK_ACL_ADMIN. I have 3 questions.
Question1. Are my below assumptions correct ?
An access control list (ACL) is a list of access control entries (ACEs).
An access control entry (ACE) is an XML element (ace) that is an entry in an access control list (ACL).
Well, definition-wise, ACLs enforce extra security by providing a fine-grained security mechanism which defines
- which users or roles
can perform
- which operations
- on which data.
Question2. Is an access control list (ACL) a list of access control entries to restrict the hosts that are allowed to connect to the Oracle database ?
Or
are ACLs used to control access by DB users to an external network services ?
Question3. On APPEND_HOST_ACE Procedure
19C documentation says the following about APPEND_HOST_ACE Procedure
"This procedure appends an access control entry (ACE) to the access control list (ACL) of a network host. The ACL controls access to the given host from the database and the ACE specifies the privileges granted to or denied from the specified principal."
https://docs.oracle.com/en/database/oracle/oracle-database/21/arpls/DBMS_NETWORK_ACL_ADMIN.html#GUID-2512526D-0B2A-44BF-890D-03B5BBCB8442
I came across the following command in a key script in my shop.
Does the below command add Access Control Entry (ACE) for WMSUSER01 user for some HTTP service running in bvmsprd214.domain.net server ?
Any idea why lower_port and upper_port arguments are NULL ?
BEGIN
DBMS_NETWORK_ACL_ADMIN.append_host_ace
( host => 'bvmsprd214.domain.net',
lower_port => NULL,
upper_port => NULL,
ace => xs$ace_type
(
privilege_list => xs$name_list('HTTP'),
principal_name => 'WMSUSER01',
principal_type => xs_acl.ptype_db
)
);
END;
/