4.1 DIRECTORY Objects

A BFILE locator is initialized by using the function BFILENAME(DIRECTORY, FILENAME). This section describes how to initialize the DIRECTORY Object.

A DIRECTORY object specifies a logical alias name for a physical directory on the database server file system under which the file to be accessed is located. You can access a file in the server file system only if you have the required access privilege on the DIRECTORY object. You can also use Oracle Enterprise Manager Cloud Control to manage the DIRECTORY objects.

The DIRECTORY object provides the flexibility to manage the locations of the files, instead of forcing you to hard-code the absolute path names of physical files in your applications.

A DIRECTORY object name is used in conjunction with the BFILENAME function, in SQL and PL/SQL, or the OCILobFileSetName() function in OCI, for initializing a BFILE locator.

See Also:

• CREATE DIRECTORY in Oracle Database SQL Language Reference

• See Oracle Database Administrator's Guide for the description of Oracle Enterprise Manager Cloud Control

4.1.1 DIRECTORY Name Specification

You must have CREATE ANY DIRECTORY system privilege to create directories.

The naming convention for DIRECTORY objects is the same as that for tables and indexes. That is, normal identifiers are interpreted in uppercase, but delimited identifiers are interpreted as is. For example, the following statement:

CREATE OR REPLACE DIRECTORY scott_dir AS '/usr/home/scott';

creates or redefines a DIRECTORY object whose name is 'SCOTT_DIR' (in uppercase). But if a delimited identifier is used for the DIRECTORY name, as shown in the following statement

CREATE DIRECTORY "Mary_Dir" AS '/usr/home/mary';

then the DIRECTORYdirectory object name is 'Mary_Dir'. Use 'SCOTT_DIR' and 'Mary_Dir' when calling BFILENAME. For example:

BFILENAME('SCOTT_DIR', 'afile')
BFILENAME('Mary_Dir', 'afile')

WARNING:

The database does not verify that the directory and path name you specify actually exist. You must ensure to specify a valid directory name in your operating system. If your operating system uses case-sensitive path names, then be sure that you specify the directory name in the correct format. There is no requirement to specify a terminating slash (for example, /tmp/ is not necessary, simply use /tmp).

Directory specifications cannot contain ".." anywhere in the path (for example: ../../abc/def or abc/../def or abc/def/hij..

On Windows Platform

On Windows platforms the directory names are case-insensitive. Therefore the following two statements refer to the same directory:

CREATE DIRECTORY "big_cap_dir" AS "g:\data\source";

CREATE DIRECTORY "small_cap_dir" AS "G:\DATA\SOURCE";

4.1.2 Security on Directory Objects

This section describes the security on DIRECTORY objects.

The DIRECTORY object model has two distinct levels of security:

• SQL DDL: CREATE or DROP a DIRECTORY object
• SQL DML: READ system and object privileges on DIRECTORY objects

DBA Privileges: CREATE / DROP DIRECTORY

The DIRECTORY object is a system owned object. Oracle Database supports the following system privileges, which are granted only to DBA:

• CREATE ANY DIRECTORY: For creating or altering the DIRECTORY object creation

• DROP ANY DIRECTORY: For deleting the DIRECTORY object

WARNING:

Because CREATE ANY DIRECTORY and DROP ANY DIRECTORY privileges potentially expose the server file system to all database users, the DBA should be prudent in granting these privileges to normal database users to prevent security breach.

See Also:

Oracle Database SQL Language Reference for information about system owned objects, CREATE DIRECTORY and DROP DIRECTORY

USER Privileges: READ Permission on the Directory

READ permission on the DIRECTORY object enables you to read files located under that directory. The creator of the DIRECTORY object automatically earns the READ privilege.

If you have been granted the READ permission with GRANT option, then you may in turn grant this privilege to other users or roles and then add them to your privilege domains.

Note:

The READ permission is defined only on the DIRECTORY object, not on individual files. Hence there is no way to assign different privileges to files in the same directory.

The physical directory that it represents may or may not have the corresponding operating system privileges (read in this case) for the Oracle Server process.

It is the responsibility of the DBA to ensure the following:

• That the physical directory exists
• Read permission for the Oracle Server process is enabled on the file, the directory, and the path leading to it
• The directory remains available, and read permission remains enabled, for the entire duration of file access by database users

The privilege just implies that as far as the Oracle Server is concerned, you may read from files in the directory. These privileges are checked and enforced by the PL/SQL DBMS_LOB package and OCI APIs at the time of the actual file operations.

See Also:

• Guidelines for DIRECTORY Usage
• Oracle Database SQL Language Reference for information about the GRANT, REVOKE and AUDIT system and object privileges that provide security for BFILEs.

Catalog Views on DIRECTORY Objects

Catalog views are provided for DIRECTORY objects to enable users to view object names and corresponding paths and privileges. Following are the supported views:

• ALL_DIRECTORIES (OWNER, DIRECTORY_NAME, DIRECTORY_PATH)

  This view describes all directories accessible to the user.

• DBA_DIRECTORIES(OWNER, DIRECTORY_NAME, DIRECTORY_PATH)

  This view describes all directories specified for the entire database.