19.1 Setting Up a SecureFiles Store

This section shows how to set up a SecureFiles Store.

• About Managing Permissions
  You must be a non-SYS database user for all operational access to the Content API and stores.
• Creating or Setting Permissions
  You must grant the DBFS_ROLE role to any user that needs to use the DBFS content API.
• Accessing SecureFiles Store
  You should never directly access tables that hold data for a SecureFiles Store file systems.
• Reinitializing SecureFiles Store File Systems
  You can truncate and re-initialize tables associated with an SecureFiles Store.
• Comparison of SecureFiles LOBs to BasicFiles LOBs
  SecureFiles LOBs are only available in Oracle Database 11g Release 1 and higher. They are not available in earlier releases.

19.1.1 About Managing Permissions

You must be a non-SYS database user for all operational access to the Content API and stores.

Do not use SYS or SYSTEM users or SYSDBA or SYSOPER system privileges. For better security and separation of duty, only allow specific trusted users to access DBFS Content API.

You must grant each user the DBFS_ROLE role. Otherwise, the user is not authorized to use the DBFS Content API. A user with suitable administrative privileges (or SYSDBA) can grant the role to additional users as needed.

The CREATEFILESYSTEM procedure auto-commits before and after its execution (like a DDL). The method CREATESTORE is a wrapper around CREATEFILESYSTEM.

See Also:

Oracle Database PL/SQL Packages and Types Reference for DBMS_DBFS_SFS syntax details

19.1.2 Creating or Setting Permissions

You must grant the DBFS_ROLE role to any user that needs to use the DBFS content API.

1. Create or determine DBFS Content API target users.

   This example uses this user and password: sfs_demo/password

   At minimum, this database user must have the CREATE SESSION, CREATE RESOURCE, and CREATE VIEW privileges.

2. Grant the DBFS_ROLE role to the user.

   CONNECT / as sysdba
   GRANT dbfs_role TO sfs_demo;
   

This sets up the DBFS Content API for any database user who has the DBFS_ROLE role.

19.1.3 Accessing SecureFiles Store

You should never directly access tables that hold data for a SecureFiles Store file systems.

This is the correct way to access the file systems.

• For procedural operations: Use the DBFS Content API (DBMS_DBFS_CONTENT methods).

• For SQL operations: Use the resource and property views (DBFS_CONTENT and DBFS_CONTENT_PROPERTIES).

19.1.4 Reinitializing SecureFiles Store File Systems

You can truncate and re-initialize tables associated with an SecureFiles Store.

• Use the procedure INITFS().

  The procedure executes like a DDL, auto-committing before and after its execution.

The following example uses file system FS1 and table SFS_DEMO.T1, which is associated with the SecureFiles Store store_name.

CONNECT sfs_demo;
Enter password: password
EXEC DBMS_DBFS_SFS.INITFS(store_name => 'FS1');

19.1.5 Comparison of SecureFiles LOBs to BasicFiles LOBs

SecureFiles LOBs are only available in Oracle Database 11g Release 1 and higher. They are not available in earlier releases.

You must use BasicFiles LOB storage for LOB storage in tablespaces that are not managed with Automatic Segment Space Management (ASSM).

Compatibility must be at least 11.1.0.0 to use SecureFiles LOBs.

Additionally, you need to specify the following in DBMS_DBFS_SFS.CREATEFILESYSTEM:

• To use SecureFiles LOBs (the default), specify use_bf => false.

• To use BasicFiles LOBs, specify use_bf => true.