Table of Contents

• List of Examples
• List of Figures
• List of Tables
• Title and Copyright Information
• Preface
  • Audience
  • Documentation Accessibility
  • Related Documents
  • Conventions
• Changes in This Release for Oracle Database Real Application Security Administrator's and Developer's Guide
  • Changes in Oracle Database 12c Release 2 (12.2.0.1)
    • New Features
    • Deprecated Features
• 1 Introducing Oracle Database Real Application Security
  • 1.1 What Is Oracle Database Real Application Security?
    • 1.1.1 Disadvantages of Traditional Security for Managing Application Users
    • 1.1.2 Advantages of Real Application Security
    • 1.1.3 Architecture of Real Application Security
  • 1.2 Data Security Concepts Used in Real Application Security
    • 1.2.1 About Data Security with Oracle Database Real Application Security
    • 1.2.2 Principals: Users and Roles
      • 1.2.2.1 Understanding the Difference Between Database Users and Application Users
      • 1.2.2.2 Understanding the Difference Between Database Roles and Application Roles
      • 1.2.2.3 Granting Database Privileges to Application Users and Application Roles
    • 1.2.3 Application Privileges
    • 1.2.4 Security Classes in Oracle Database Real Application Security
    • 1.2.5 Access Control Entry (ACE)
    • 1.2.6 Access Control List (ACL)
    • 1.2.7 Data Security Policy
  • 1.3 Application Session Concepts Used in Application Security
  • 1.4 Flow of Design and Development
  • 1.5 Scenario: Security Human Resources (HR) Demonstration of Employee Information
    • 1.5.1 Basic Security HR Demo Scenario: Description and Security Requirements
    • 1.5.2 Basic HR Scenario: Implementation Overview
  • 1.6 About Auditing in an Oracle Database Real Application Security Environment
  • 1.7 Support for Pluggable Databases
• 2 Configuring Application Users and Application Roles
  • 2.1 About Configuring Application Users
    • 2.1.1 About Application User Accounts
      • 2.1.1.1 General Procedures for Creating Application User Accounts
    • 2.1.2 Creating a Simple Application User Account
    • 2.1.3 About Creating a Direct Login Application User Account
      • 2.1.3.1 Creating Direct Login Application User Accounts
      • 2.1.3.2 Procedure for Creating the Direct Login Application User Account
      • 2.1.3.3 Setting a Password Verifier for Direct Application User Accounts
      • 2.1.3.4 Oracle Label Security Context Is Established in Direct Logon Session
    • 2.1.4 Resetting the Application User's Password with the SQL*Plus PASSWORD Command
    • 2.1.5 Configuring an Application User Switch
    • 2.1.6 Validating an Application User
  • 2.2 About Configuring Application Roles
    • 2.2.1 About Application Roles
    • 2.2.2 Regular and Dynamic Application Roles
      • 2.2.2.1 Regular Application Roles
      • 2.2.2.2 Dynamic Application Roles
    • 2.2.3 About Configuring an Application Role
      • 2.2.3.1 Creating a Regular Application Role
      • 2.2.3.2 Creating a Dynamic Application Role
      • 2.2.3.3 Validating an Application Role
    • 2.2.4 Predefined Regular Application Roles and Dynamic Application Roles
  • 2.3 Effective Dates for Application Users and Application Roles
  • 2.4 About Granting Application Privileges to Principals
    • 2.4.1 About Granting an Application Role to an Application User
      • 2.4.1.1 Creating a New Application User and Granting This User an Application Role
      • 2.4.1.2 Granting an Application Role to an Existing Application User
    • 2.4.2 Granting an Application Role to Another Application Role
    • 2.4.3 Granting a Database Role to an Application Role
• 3 Configuring Application Sessions
  • 3.1 About Application Sessions
    • 3.1.1 About Application Sessions in Real Application Security
    • 3.1.2 Advantages of Application Sessions
  • 3.2 About Creating and Maintaining Application Sessions
    • 3.2.1 Creating an Application Session
    • 3.2.2 Creating an Anonymous Application Session
    • 3.2.3 Attaching an Application Session to a Traditional Database Session
    • 3.2.4 Setting a Cookie for an Application Session
    • 3.2.5 Assigning an Application User to an Anonymous Application Session
    • 3.2.6 Switching a Current Application User to Another Application User in the Current Application Session
    • 3.2.7 About Creating a Global Callback Event Handler Procedure
    • 3.2.8 Configuring Global Callback Event Handlers for an Application Session
    • 3.2.9 Saving an Application Session
    • 3.2.10 Detaching an Application Session from a Traditional Database Session
    • 3.2.11 Destroying an Application Session
  • 3.3 About Manipulating the Application Session State
    • 3.3.1 About Using Namespace Templates to Create Namespaces
      • 3.3.1.1 Components of a Namespace Template
      • 3.3.1.2 About Namespace Views
      • 3.3.1.3 Creating a Namespace Template for an Application Session
    • 3.3.2 Initializing a Namespace in an Application Session
      • 3.3.2.1 Initializing a Namespace When the Session Is Created
      • 3.3.2.2 Initializing a Namespace When the Session Is Attached
      • 3.3.2.3 Initializing a Namespace When a Named Application User Is Assigned to an Anonymous Application Session
      • 3.3.2.4 Initializing a Namespace When the Application User Is Switched in an Application Session
      • 3.3.2.5 Initializing a Namespace Explicitly
    • 3.3.3 Setting Session Attributes in an Application Session
    • 3.3.4 Getting Session Attributes in an Application Session
    • 3.3.5 Creating Custom Attributes in an Application Session
    • 3.3.6 Deleting a Namespace in an Application Session
    • 3.3.7 Enabling Application Roles for a Session
    • 3.3.8 Disabling Application Roles for a Session
  • 3.4 About Administrative APIs for External Users and Roles
  • 3.5 About Real Application Security Session Privilege Scoping Through ACL
    • 3.5.1 Granting Session Privileges on a Principal Using an ACL
• 4 Configuring Application Privileges and Access Control Lists
  • 4.1 About Application Privileges
    • 4.1.1 Aggregate Privilege
      • 4.1.1.1 ALL Privilege
  • 4.2 About Configuring Security Classes
    • 4.2.1 About Security Classes
    • 4.2.2 Security Class Inheritance
    • 4.2.3 Security Class as Privilege Scope
    • 4.2.4 DML Security Class
    • 4.2.5 About Validating Security Classes
    • 4.2.6 Manipulating Security Classes
  • 4.3 About Configuring Access Control Lists
    • 4.3.1 About ACLs and ACEs
    • 4.3.2 Creating ACLs and ACEs
      • 4.3.2.1 Deny
      • 4.3.2.2 Invert
      • 4.3.2.3 ACE Start-Date and End-Date
    • 4.3.3 About Validating Access Control Lists
    • 4.3.4 Updating Access Control Lists
    • 4.3.5 About Checking ACLs for a Privilege
    • 4.3.6 About Using Multilevel Authentication
    • 4.3.7 Principal Types
    • 4.3.8 Access Resolution Results
    • 4.3.9 ACE Evaluation Order
    • 4.3.10 ACL Inheritance
      • 4.3.10.1 Extending ACL Inheritance
      • 4.3.10.2 Constraining ACL Inheritance
    • 4.3.11 About ACL Catalog Views
    • 4.3.12 About Security Class Catalog Views
  • 4.4 Data Security
    • 4.4.1 Data Realms
    • 4.4.2 Parameterized ACL
  • 4.5 ACL Binding
• 5 Configuring Data Security
  • 5.1 About Data Security
  • 5.2 About Validating the Data Security Policy
  • 5.3 Understanding the Structure of the Data Security Policy
  • 5.4 About Designing Data Realms
    • 5.4.1 About Understanding the Structure of a Data Realm
    • 5.4.2 About Using Static Data Realms
    • 5.4.3 Using Trace Files to Check for Policy Predicate Errors
  • 5.5 Applying Additional Application Privileges to a Column
  • 5.6 About Enabling Data Security Policy for a Database Table or View
    • 5.6.1 Enabling Real Application Security Using the APPLY_OBJECT_POLICY Procedure
      • 5.6.1.1 About Applying Multiple Policies for a Table or View
    • 5.6.2 About How the APPLY_OBJECT_POLICY Procedure Alters a Database Table
    • 5.6.3 About How ACLs on Table Data Are Evaluated
  • 5.7 About Creating Real Application Security Policies on Master-Detail Related Tables
    • 5.7.1 About Real Application Security Policies on Master-Detail Related Tables
    • 5.7.2 About Understanding the Structure of Master Detail Data Realms
    • 5.7.3 Example of Creating a Real Application Security Policy on Master-Detail Related Tables
  • 5.8 About Managing Application Privileges for Data Security Policies
    • 5.8.1 About Bypassing the Security Checks of a Real Application Security Policy
    • 5.8.2 Using the SQL*Plus SET SECUREDCOL Command
  • 5.9 Using BEQUEATH CURRENT_USER Views
    • 5.9.1 Using SQL Functions to Determine the Invoking Application User
  • 5.10 Real Application Security: Putting It All Together
    • 5.10.1 Basic HR Scenario: Implementation Tasks
      • 5.10.1.1 Connecting as User SYS to Create Real Application Security Users and Roles
      • 5.10.1.2 Creating Roles and Application Users
      • 5.10.1.3 Creating the Security Class and ACLS
      • 5.10.1.4 Creating the Data Security Policy
      • 5.10.1.5 Validating the Real Application Security Objects
      • 5.10.1.6 Disabling a Data Security Policy for a Table
    • 5.10.2 Running the Security HR Demo
  • 5.11 About Schema Level Real Application Security Policy Administration
    • 5.11.1 Setting Up and Enabling a Schema Level Data Security Policy
• 6 Using Real Application Security in Java Applications
  • 6.1 About Initializing the Middle Tier
    • 6.1.1 About Mid-Tier Configuration Mode
    • 6.1.2 Using the getSessionManager Method
    • 6.1.3 About Changing the Middle-Tier Cache Setting
      • 6.1.3.1 About Setting the Maximum Cache Idle Time
      • 6.1.3.2 About Setting the Maximum Cache Size
      • 6.1.3.3 About Getting the Maximum Cache Idle Time
      • 6.1.3.4 About Getting the Maximum Cache Size
      • 6.1.3.5 About Removing Entries from the Cache
        • 6.1.3.5.1 About Setting the WaterMark
        • 6.1.3.5.2 About Getting the High WaterMark
        • 6.1.3.5.3 About Getting the Low WaterMark
      • 6.1.3.6 About Clearing the Cache
  • 6.2 About Managing Real Application Security Sessions
    • 6.2.1 Creating a Real Application Security User Session
    • 6.2.2 Attaching an Application Session
    • 6.2.3 Assigning or Switching an Application User
    • 6.2.4 Enabling Real Application Security Application Roles
      • 6.2.4.1 Enabling a Real Application Security Application Role
      • 6.2.4.2 Disabling a Real Application Security Application Role
      • 6.2.4.3 Checking If a Real Application Security Application Role Is Enabled
    • 6.2.5 About Performing Namespace Operations as Session User
      • 6.2.5.1 Creating Namespaces
      • 6.2.5.2 Deleting Namespaces
      • 6.2.5.3 Implicitly Creating Namespaces
      • 6.2.5.4 About Using Namespace Attributes
        • 6.2.5.4.1 Creating a Session Namespace Attribute
        • 6.2.5.4.2 About Setting a Session Namespace Attribute
        • 6.2.5.4.3 Getting a Session Namespace Attribute
        • 6.2.5.4.4 Listing Attributes
        • 6.2.5.4.5 Resetting Attributes
        • 6.2.5.4.6 Deleting Attributes
    • 6.2.6 About Performing Namespace Operations as Session Manager
    • 6.2.7 About Performing Miscellaneous Session-Related Activities
      • 6.2.7.1 About Getting the Oracle Connection Associated with the Session
      • 6.2.7.2 About Getting the Application User ID for the Session
      • 6.2.7.3 Getting the Session ID for the Session
      • 6.2.7.4 About Getting a String Representation of the Session
      • 6.2.7.5 Getting the Session Cookie
      • 6.2.7.6 Setting Session Inactivity Timeout as Session Manager
      • 6.2.7.7 Setting the Session Cookie as Session Manager
    • 6.2.8 Detaching an Application Session
    • 6.2.9 Destroying A Real Application Security Application Session
  • 6.3 Authenticating Application Users Using Java APIs
  • 6.4 About Authorizing Application Users Using ACLs
    • 6.4.1 Constructing an ACL Identifier
    • 6.4.2 Using the checkAcl Method
    • 6.4.3 About Getting Data Privileges Associated with a Specific ACL
  • 6.5 Human Resources Administration Use Case: Implementation in Java
• 7 Oracle Fusion Middleware Integration with Real Application Security
  • 7.1 About External Users and External Roles
  • 7.2 Session APIs for External Users and Roles
    • 7.2.1 Namespace for External Users
    • 7.2.2 Creating a Session
    • 7.2.3 Attaching a Session
    • 7.2.4 Assigning a User to a Session
    • 7.2.5 Saving a Session and Aborting a Session
• 8 Application Session Service in Oracle Fusion Middleware
  • 8.1 About Real Application Security Concepts
  • 8.2 About Application Session Service in Oracle Fusion Middleware
  • 8.3 About the Application Session Filter
    • 8.3.1 About the Application Session Filter Operation
  • 8.4 About Deployment
  • 8.5 About Application Configuration of the Application Session Filter
  • 8.6 Domain Configuration: Setting Up an Application Session Service to Work with OPSS and Oracle Fusion Middleware
    • 8.6.1 Prerequisites
    • 8.6.2 Manual Configuration
    • 8.6.3 About Automatic Configuration
  • 8.7 About Application Session APIs
    • 8.7.1 About Application Session APIs
      • 8.7.1.1 About Attaching to an Application Session
      • 8.7.1.2 Detaching from an Application Session
      • 8.7.1.3 Destroying an Application Session
    • 8.7.2 About the Privilege Elevation API
      • 8.7.2.1 Enabling a Dynamic Role in the Application Session
    • 8.7.3 About Namespace APIs
      • 8.7.3.1 About Creating a Namespace
      • 8.7.3.2 About Deleting a Namespace
      • 8.7.3.3 About Setting the Namespace Attribute
      • 8.7.3.4 About Deleting a Namespace Attribute
      • 8.7.3.5 Getting a Namespace Attribute
    • 8.7.4 About the Check Privilege API
      • 8.7.4.1 Checking a Privilege on the ACLs
  • 8.8 Human Resources Demo Use Case: Implementation in Java
    • 8.8.1 Setting Up the HR Demo Application for External Principals (setup.sql)
    • 8.8.2 About the Application Session Filter Configuration File (web.xml)
    • 8.8.3 About the Sample Servlet Application (MyHR.java)
    • 8.8.4 About the Filter to Set Up the Application Namespace (MyFilter.java)
    • 8.8.5 About the HR Demo Use Case - User Roles
    • 8.8.6 About the HR Demo (1) - Logged in as Employee LPOPP
    • 8.8.7 About the HR Demo (2) - Logged in as HRMGR
    • 8.8.8 About the HR Demo (3) - Logged in as a Team Manager
• 9 Oracle Database Real Application Security Data Dictionary Views
  • 9.1 DBA_XS_OBJECTS
  • 9.2 DBA_XS_PRINCIPALS
  • 9.3 DBA_XS_EXTERNAL_PRINCIPALS
  • 9.4 DBA_XS_USERS
  • 9.5 USER_XS_USERS
  • 9.6 USER_XS_PASSWORD_LIMITS
  • 9.7 DBA_XS_ROLES
  • 9.8 DBA_XS_DYNAMIC_ROLES
  • 9.9 DBA_XS_PROXY_ROLES
  • 9.10 DBA_XS_ROLE_GRANTS
  • 9.11 DBA_XS_PRIVILEGES
  • 9.12 USER_XS_PRIVILEGES
  • 9.13 ALL_XS_PRIVILEGES
  • 9.14 DBA_XS_IMPLIED_PRIVILEGES
  • 9.15 USER_XS_IMPLIED_PRIVILEGES
  • 9.16 ALL_XS_IMPLIED_PRIVILEGES
  • 9.17 DBA_XS_PRIVILEGE_GRANTS
  • 9.18 DBA_XS_SECURITY_CLASSES
  • 9.19 USER_XS_SECURITY_CLASSES
  • 9.20 ALL_XS_SECURITY_CLASSES
  • 9.21 DBA_XS_SECURITY_CLASS_DEP
  • 9.22 USER_XS_SECURITY_CLASS_DEP
  • 9.23 ALL_XS_SECURITY_CLASS_DEP
  • 9.24 DBA_XS_ACLS
  • 9.25 USER_XS_ACLS
  • 9.26 ALL_XS_ACLS
  • 9.27 DBA_XS_ACES
  • 9.28 USER_XS_ACES
  • 9.29 ALL_XS_ACES
  • 9.30 DBA_XS_POLICIES
  • 9.31 USER_XS_POLICIES
  • 9.32 ALL_XS_POLICIES
  • 9.33 DBA_XS_REALM_CONSTRAINTS
  • 9.34 USER_XS_REALM_CONSTRAINTS
  • 9.35 ALL_XS_REALM_CONSTRAINTS
  • 9.36 DBA_XS_INHERITED_REALMS
  • 9.37 USER_XS_INHERITED_REALMS
  • 9.38 ALL_XS_INHERITED_REALMS
  • 9.39 DBA_XS_ACL_PARAMETERS
  • 9.40 USER_XS_ACL_PARAMETERS
  • 9.41 ALL_XS_ACL_PARAMETERS
  • 9.42 DBA_XS_COLUMN_CONSTRAINTS
  • 9.43 USER_XS_COLUMN_CONSTRAINTS
  • 9.44 ALL_XS_COLUMN_CONSTRAINTS
  • 9.45 DBA_XS_APPLIED_POLICIES
  • 9.46 ALL_XS_APPLIED_POLICIES
  • 9.47 DBA_XS_MODIFIED_POLICIES
  • 9.48 DBA_XS_SESSIONS
  • 9.49 DBA_XS_ACTIVE_SESSIONS
  • 9.50 DBA_XS_SESSION_ROLES
  • 9.51 DBA_XS_SESSION_NS_ATTRIBUTES
  • 9.52 DBA_XS_NS_TEMPLATES
  • 9.53 DBA_XS_NS_TEMPLATE_ATTRIBUTES
  • 9.54 ALL_XDS_ACL_REFRESH
  • 9.55 ALL_XDS_ACL_REFSTAT
  • 9.56 ALL_XDS_LATEST_ACL_REFSTAT
  • 9.57 DBA_XDS_ACL_REFRESH
  • 9.58 DBA_XDS_ACL_REFSTAT
  • 9.59 DBA_XDS_LATEST_ACL_REFSTAT
  • 9.60 USER_XDS_ACL_REFRESH
  • 9.61 USER_XDS_ACL_REFSTAT
  • 9.62 USER_XDS_LATEST_ACL_REFSTAT
  • 9.63 V$XS_SESSION_NS_ATTRIBUTES
  • 9.64 V$XS_SESSION_ROLES
• 10 Oracle Database Real Application Security SQL Functions
  • 10.1 COLUMN_AUTH_INDICATOR Function
  • 10.2 XS_SYS_CONTEXT Function
  • 10.3 ORA_CHECK_ACL Function
  • 10.4 ORA_GET_ACLIDS Function
  • 10.5 ORA_CHECK_PRIVILEGE Function
  • 10.6 TO_ACLID Function
• 11 Oracle Database Real Application Security PL/SQL Packages
  • 11.1 DBMS_XS_SESSIONS Package
    • 11.1.1 Security Model
    • 11.1.2 Constants
    • 11.1.3 Object Types, Constructor Functions, Synonyms, and Grants
    • 11.1.4 Summary of DBMS_XS_SESSIONS Subprograms
      • 11.1.4.1 CREATE_SESSION Procedure
      • 11.1.4.2 ATTACH_SESSION Procedure
      • 11.1.4.3 ASSIGN_USER Procedure
      • 11.1.4.4 SWITCH_USER Procedure
      • 11.1.4.5 CREATE_NAMESPACE Procedure
      • 11.1.4.6 CREATE_ATTRIBUTE Procedure
      • 11.1.4.7 SET_ATTRIBUTE Procedure
      • 11.1.4.8 GET_ATTRIBUTE Procedure
      • 11.1.4.9 RESET_ATTRIBUTE Procedure
      • 11.1.4.10 DELETE_ATTRIBUTE Procedure
      • 11.1.4.11 DELETE_NAMESPACE Procedure
      • 11.1.4.12 ENABLE_ROLE Procedure
      • 11.1.4.13 DISABLE_ROLE Procedure
      • 11.1.4.14 SET_SESSION_COOKIE Procedure
      • 11.1.4.15 REAUTH_SESSION Procedure
      • 11.1.4.16 SET_INACTIVITY_TIMEOUT Procedure
      • 11.1.4.17 SAVE_SESSION Procedure
      • 11.1.4.18 DETACH_SESSION Procedure
      • 11.1.4.19 DESTROY_SESSION Procedure
      • 11.1.4.20 ADD_GLOBAL_CALLBACK Procedure
      • 11.1.4.21 ENABLE_GLOBAL_CALLBACK Procedure
      • 11.1.4.22 DELETE_GLOBAL_CALLBACK Procedure
  • 11.2 XS_ACL Package
    • 11.2.1 Security Model for the XS_ACL Package
    • 11.2.2 Constants
    • 11.2.3 Object Types, Constructor Functions, Synonyms, and Grants
    • 11.2.4 Summary of XS_ACL Subprograms
      • 11.2.4.1 CREATE_ACL Procedure
      • 11.2.4.2 APPEND_ACES Procedure
      • 11.2.4.3 REMOVE_ACES Procedure
      • 11.2.4.4 SET_SECURITY_CLASS Procedure
      • 11.2.4.5 SET_PARENT_ACL Procedure
      • 11.2.4.6 ADD_ACL_PARAMETER Procedure
      • 11.2.4.7 REMOVE_ACL_PARAMETERS Procedure
      • 11.2.4.8 SET_DESCRIPTION Procedure
      • 11.2.4.9 DELETE_ACL Procedure
  • 11.3 XS_ADMIN_UTIL Package
    • 11.3.1 Security Model
    • 11.3.2 Constants
    • 11.3.3 Object Types, Constructor Functions, Synonyms, and Grants
    • 11.3.4 Summary of XS_ADMIN_UTIL Subprograms
      • 11.3.4.1 GRANT_SYSTEM_PRIVILEGE Procedure
      • 11.3.4.2 REVOKE_SYSTEM_PRIVILEGE Procedure
  • 11.4 XS_DATA_SECURITY Package
    • 11.4.1 Security Model for the XS_DATA_SECURITY Package
    • 11.4.2 Object Types, Constructor Functions, Synonyms, and Grants
    • 11.4.3 Summary of XS_DATA_SECURITY Subprograms
      • 11.4.3.1 CREATE_POLICY Procedure
      • 11.4.3.2 APPEND_REALM_CONSTRAINTS Procedure
      • 11.4.3.3 REMOVE_REALM_CONSTRAINTS Procedure
      • 11.4.3.4 ADD_COLUMN_CONSTRAINTS Procedure
      • 11.4.3.5 REMOVE_COLUMN_CONSTRAINTS Procedure
      • 11.4.3.6 CREATE_ACL_PARAMETER Procedure
      • 11.4.3.7 DELETE_ACL_PARAMETER Procedure
      • 11.4.3.8 SET_DESCRIPTION Procedure
      • 11.4.3.9 DELETE_POLICY Procedure
      • 11.4.3.10 ENABLE_OBJECT_POLICY Procedure
      • 11.4.3.11 DISABLE_OBJECT_POLICY Procedure
      • 11.4.3.12 REMOVE_OBJECT_POLICY Procedure
      • 11.4.3.13 APPLY_OBJECT_POLICY Procedure
  • 11.5 XS_DATA_SECURITY_UTIL Package
    • 11.5.1 Security Model
    • 11.5.2 Constants
    • 11.5.3 Summary of XS_DATA_SECURITY_UTIL Subprograms
      • 11.5.3.1 SCHEDULE_STATIC_ACL_REFRESH Procedure
      • 11.5.3.2 ALTER_STATIC_ACL_REFRESH Procedure
  • 11.6 XS_DIAG Package
    • 11.6.1 Security Model
    • 11.6.2 Summary of XS_DIAG Subprograms
      • 11.6.2.1 VALIDATE_PRINCIPAL Function
      • 11.6.2.2 VALIDATE_SECURITY_CLASS Function
      • 11.6.2.3 VALIDATE_ACL Function
      • 11.6.2.4 VALIDATE_DATA_SECURITY Function
      • 11.6.2.5 VALIDATE_NAMESPACE_TEMPLATE Function
      • 11.6.2.6 VALIDATE_WORKSPACE Function
  • 11.7 XS_NAMESPACE Package
    • 11.7.1 Security Model
    • 11.7.2 Constants
    • 11.7.3 Object Types, Constructor Functions, Synonyms, and Grants
    • 11.7.4 Summary of XS_NAMESPACE Subprograms
      • 11.7.4.1 CREATE_TEMPLATE Procedure
      • 11.7.4.2 ADD_ATTRIBUTES Procedure
      • 11.7.4.3 REMOVE_ATTRIBUTES Procedure
      • 11.7.4.4 SET_HANDLER Procedure
      • 11.7.4.5 SET_DESCRIPTION Procedure
      • 11.7.4.6 DELETE_TEMPLATE Procedure
  • 11.8 XS_PRINCIPAL Package
    • 11.8.1 Security Model
    • 11.8.2 Constants
    • 11.8.3 Object Types, Constructor Functions, Synonyms, and Grants
    • 11.8.4 Summary of XS_PRINCIPAL Subprograms
      • 11.8.4.1 CREATE_USER Procedure
      • 11.8.4.2 CREATE_ROLE Procedure
      • 11.8.4.3 CREATE_DYNAMIC_ROLE Procedure
      • 11.8.4.4 GRANT_ROLES Procedure
      • 11.8.4.5 REVOKE_ROLES Procedure
      • 11.8.4.6 ADD_PROXY_USER Procedure
      • 11.8.4.7 REMOVE_PROXY_USERS Procedure
      • 11.8.4.8 ADD_PROXY_TO_DBUSER
      • 11.8.4.9 REMOVE_PROXY_FROM_DBUSER Procedure
      • 11.8.4.10 SET_EFFECTIVE_DATES Procedure
      • 11.8.4.11 SET_DYNAMIC_ROLE_DURATION Procedure
      • 11.8.4.12 SET_DYNAMIC_ROLE_SCOPE Procedure
      • 11.8.4.13 ENABLE_BY_DEFAULT Procedure
      • 11.8.4.14 ENABLE_ROLES_BY_DEFAULT Procedure
      • 11.8.4.15 SET_USER_SCHEMA Procedure
      • 11.8.4.16 SET_GUID Procedure
      • 11.8.4.17 SET_ACL Procedure
      • 11.8.4.18 SET_PROFILE Procedure
      • 11.8.4.19 SET_USER_STATUS Procedure
      • 11.8.4.20 SET_PASSWORD Procedure
      • 11.8.4.21 SET_VERIFIER Procedure
      • 11.8.4.22 SET_DESCRIPTION Procedure
      • 11.8.4.23 DELETE_PRINCIPAL Procedure
  • 11.9 XS_SECURITY_CLASS Package
    • 11.9.1 Security Model for the XS_SECURITY_CLASS Package
    • 11.9.2 Summary of XS_SECURITY_CLASS Subprograms
      • 11.9.2.1 CREATE_SECURITY_CLASS Procedure
      • 11.9.2.2 ADD_PARENTS Procedure
      • 11.9.2.3 REMOVE_PARENTS Procedure
      • 11.9.2.4 ADD_PRIVILEGES Procedure
      • 11.9.2.5 REMOVE_PRIVILEGES Procedure
      • 11.9.2.6 ADD_IMPLIED_PRIVILEGES Procedure
      • 11.9.2.7 REMOVE_IMPLIED_PRIVILEGES Procedure
      • 11.9.2.8 SET_DESCRIPTION Procedure
      • 11.9.2.9 DELETE_SECURITY_CLASS Procedure
• 12 Real Application Security HR Demo
  • 12.1 Overview of the Security HR Demo
  • 12.2 What Each Script Does
  • 12.3 Setting Up the Security HR Demo Components
    • 12.3.1 About Creating Roles and Application Users
    • 12.3.2 About Creating the Security Class and ACLs
    • 12.3.3 About Creating the Data Security Policy
    • 12.3.4 About Validating the Real Application Security Objects
    • 12.3.5 About Setting Up the Mid-Tier Related Configuration
  • 12.4 Running the Security HR Demo Using Direct Logon
  • 12.5 Running the Security HR Demo Attached to a Real Application Security Session
  • 12.6 Running the Security HR Demo Cleanup Script
  • 12.7 Running the Security HR Demo in the Java Interface
  • 12.8 About Using RASADM to Run the Security HR Demo
    • 12.8.1 About Running the RASADM Application
    • 12.8.2 Design Phase
    • 12.8.3 Development Flow
    • 12.8.4 About Using RASADM to Create the HR Demo
      • 12.8.4.1 About Creating Application Roles
        • 12.8.4.1.1 Using RASADM to Create Application Roles
      • 12.8.4.2 About Creating Application Users
        • 12.8.4.2.1 Using RASADM to Create Application Users
      • 12.8.4.3 About Creating the Data Security Policy
        • 12.8.4.3.1 Entering Policy Information
        • 12.8.4.3.2 Creating the Column Authorization
        • 12.8.4.3.3 Creating the Data Realm Authorizations
        • 12.8.4.3.4 Applying the Policy
• A Predefined Objects in Real Application Security
  • A.1 Users
  • A.2 Roles
    • A.2.1 Regular Application Roles
    • A.2.2 Dynamic Application Roles
    • A.2.3 Database Roles
  • A.3 Namespaces
  • A.4 Security Classes
  • A.5 ACLs
• B Configuring OCI and JDBC Applications for Column Authorization
  • B.1 About Using OCI to Retrieve Column Authorization Indicators
    • B.1.1 Example of Obtaining the Return Code
    • B.1.2 About Using the Return Code and Indicator with Authorization Indicator
    • B.1.3 About the Warning for Unknown Authorization Indicator
    • B.1.4 Using OCI Describe for Column Security
  • B.2 About Using JDBC to Retrieve Column Authorization Indicators
    • B.2.1 About Checking Security Attributes for a Table Column
    • B.2.2 About Checking User Authorization for a Table Column
    • B.2.3 Example of Checking Security Attributes and User Authorization
• C Real Application Security HR Demo Files
  • C.1 How to Run the Security HR Demo
  • C.2 Scripts for the Security HR Demo
    • C.2.1 hrdemo_setup.sql
    • C.2.2 hrdemo.sql
    • C.2.3 hrdemo_session.sql
    • C.2.4 hrdemo.java
    • C.2.5 hrdemo_clean.sql
  • C.3 Generated Log Files for Each Script
    • C.3.1 hrdemo_setup.log
    • C.3.2 hrdemo.log
    • C.3.3 hrdemo_run_sess.log
    • C.3.4 hrdemo.log
    • C.3.5 hrdemo_clean.log
• D Troubleshooting Oracle Database Real Application Security
  • D.1 About Real Application Security Diagnostics
    • D.1.1 About Using Validation APIs
    • D.1.2 How to Check Which ACLs Are Associated with a Row for the Current User
    • D.1.3 How to Find If a Privilege Is Granted in an ACL to a User
    • D.1.4 About Exception State Dumps
    • D.1.5 About Event-Based Tracing
    • D.1.6 About In-Memory Tracing
    • D.1.7 About Statistics
  • D.2 About Event-Based Tracing of Real Application Security Components
    • D.2.1 About Application Sessions (XSSESSION) Event-Based Tracing
    • D.2.2 About Application Principals (XSPRINCIPAL) Event-Based Tracing
    • D.2.3 About Security Classes (XSSECCLASS) Event-Based Tracing
    • D.2.4 About ACL (XSACL) Event-Based Tracing
    • D.2.5 About Data Security (XSXDS and XSVPD) Event-Based Tracing
  • D.3 About Exception State Dump Information
  • D.4 About Session Statistics
  • D.5 Using Middle-Tier Tracing
• Glossary
• Index