11.07.2015 Views

Oracle Database 11g - Online Public Access Catalog



CHAPTER 5 ■ DATABASE SECURITY

■ Note: So far, all of the examples have been using a database user. You can also assign the principal to a database role. In this particular example, we will assign connect privileges to the DBA role:

    BEGIN
      -- Grant the 'connect' network privilege in dba.xml to the DBA role.
      DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE (
        acl        => 'dba.xml',
        principal  => 'DBA',
        is_grant   => TRUE,
        privilege  => 'connect',
        start_date => null,   -- null: no start restriction
        end_date   => null);  -- null: no expiry
    END;
    /

In the same manner, if you want to delete the ACL, Oracle provides the DROP_ACL procedure. In the following example, Oracle will delete the /sys/acls/dba.xml file from the XML DB repository:

    begin
      -- Remove the ACL file from the XML DB repository.
      dbms_network_acl_admin.drop_acl
        (ACL=>'dba.xml');
    end;
    /

    PL/SQL procedure successfully completed.

Query Your Access Control List

There are two new data dictionary views to query the access rights for users and authorized hosts: DBA_NETWORK_ACLS and DBA_NETWORK_ACL_PRIVILEGES. You can query the DBA_NETWORK_ACL_PRIVILEGES view to see the network privileges granted or denied for the access control list. Since a start_date and an end_date are permissible for network privileges, you can query this view to see when certain users have access.

First, look at the assigned network privileges listed for the dba.xml file:

    select host, lower_port, upper_port, acl
    from dba_network_acls
    where acl='/sys/acls/dba.xml'
    /

    HOST                 LOWER_PORT  UPPER_PORT  ACL
    -------------------- ----------- ----------- --------------------
    dbaexpert.com                 80         443 /sys/acls/dba.xml

You can see the lower and upper bounds of the open port range, and that network access to dbaexpert.com has been opened through this ACL. The next step would be to find out who
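
An audit query over the two dictionary views, DBA_NETWORK_ACLS and DBA_NETWORK_ACL_PRIVILEGES, added here as an example and not taken from the book: it lists every principal's network privilege next to the host and port range its ACL is assigned to, and reports whether the start_date/end_date window is in effect right now. The column aliases window_status and review_flag, and the labels they return, are choices made for this example.

```sql
-- Added example (not from the book): review network ACL grants.
-- Driven from the privileges view with an outer join, so an ACL that
-- has privileges but is not assigned to any host still shows up.
SELECT p.acl,
       p.principal,
       p.privilege,
       p.is_grant,                 -- 'true' = granted, 'false' = denied
       n.host,
       n.lower_port,
       n.upper_port,
       p.start_date,
       p.end_date,
       CASE
         WHEN p.start_date IS NOT NULL
              AND p.start_date > SYSTIMESTAMP THEN 'NOT YET ACTIVE'
         WHEN p.end_date IS NOT NULL
              AND p.end_date < SYSTIMESTAMP   THEN 'EXPIRED'
         ELSE 'ACTIVE'
       END AS window_status,       -- alias chosen for this example
       CASE
         WHEN n.host IS NULL         THEN 'ACL NOT ASSIGNED TO A HOST'
         WHEN n.host = '*'
              OR n.host LIKE '*.%'   THEN 'WILDCARD HOST'
         WHEN n.lower_port IS NULL   THEN 'ALL PORTS'
       END AS review_flag          -- alias chosen for this example
FROM   dba_network_acl_privileges p
LEFT   JOIN dba_network_acls n
       ON n.acl = p.acl
ORDER  BY p.acl, p.principal, p.privilege, n.host;
```

For the dba.xml ACL shown above, a row with review_flag empty and window_status ACTIVE means the DBA role can currently connect to dbaexpert.com on ports 80 through 443 and nothing broader.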
