25/25

Index

A  C  D  E  F  G  I  J  M  N  O  P  R  S  T  U  V  W  X 

---

A

access control entry (ACE)

about, 1.2.5

definition, 4.3.1

access control lists (ACL)

about, 1.2.6

directories

trace files, using to resolve predicate errors, 5.4.3

dynamic data realm constraints

about, 5.4.2

ACL evaluation order, 5.6.3

evaluation order, 5.6.3

static data realm constraints

ACL evaluation order, 5.6.3

static data realms

about, 5.4.2

user-managed

example, 5.6.2

ACE

definition, 4.3.1

evaluation order, 4.3.9

acl

troubleshooting, D.2.4

ACL

adding ACE, 4.3.4

binding, 4.5

changing security class, 4.3.4

constraining inheritance, 4.3.10.2

create, 4.3.2

extending inheritance, 4.3.10.1

identifiers

master-detail tables, retrieving ACL identifiers for, 10.4

inheritance, 4.3.10

constraining, 4.3.10.2, 4.3.10.2

extending, 4.3.10.1, 4.3.10.1

inheritance|ACL

changing parent ACL, 4.3.4

multilevel authentication, 4.3.6

removing ACL, 4.3.4

scope

definition, 4.2.3

ACLS

See access control lists

ACLs and ACEs

about, 4.3.1

creating, 4.3.2

aggregate privilege

about, 1.2.3

benefits, 1.2.3

definition, 4.1.1

ALL grant, 4.1.1.1

ALL privilege, 4.1.1.1

ALL_XDS_ACL_REFRESH view, 9.41

ALL_XDS_ACL_REFSTAT view, 9.42

ALL_XDS_LATEST_ACL_REFSTAT view, 9.43

anonymous user, 7.1

application integration

support for external users and roles, 7.1

application privileges

about, 1.2.3

granting to principles, 2.4

application roles

about, 1.2.2, 1.2.2, 1.2.2, 2.2.1

creating dynamic role, 2.2.2.2, 2.2.3.2

creating regular role, 2.2.2.1, 2.2.3.1

granting database role to an application role, 2.4.3

granting to another application role, 2.4.2

granting to existing application user, 2.4.1.2

granting to new application user, 2.4.1.1

using effective dates, 2.3

validating, 2.2.3.3

application sessions

about, 3.1

advantages, 3.1.2

attaching, 3.2.3

cookies, setting for, 3.2.4

creating, 3.1.1, 3.2.1, 11.1.4.1

creating anonymous application session, 3.2.2

database session

attaching to, 11.1.4.2

detaching from, 11.1.4.18

destroying, 11.1.4.19

event handling, 3.2.7

global callback events, using, 3.2.7

namespace

creating, 11.1.4.5

deleting, 11.1.4.11

namespaces

attribute values, getting, 11.1.4.8

attribute values, setting, 11.1.4.7

attributes, getting, 3.3.4

attributes, setting, 3.3.3

deleting, 3.3.6

roles

disabling for specified session, 11.1.4.13

enabling for specified session, 11.1.4.12

roles, disabling from session, 3.3.8

roles, enabling for session, 3.3.7

saving, 11.1.4.17

security context, setting, 11.1.4.4

session state, manipulating, 3.3

switch user, 11.1.4.4

troubleshooting, D.2.1

users, assigning to, 3.2.5

users, creating namespace templates, 3.3.1.3

users, custom attributes, 3.3.5

users, destroying, 3.2.10

users, detaching from, 3.2.9

users, initializing namespaces, 3.3.2.1, 3.3.2.2, 3.3.2.3, 3.3.2.4

users, initializing namespaces explicitly, 3.3.2.5

users, switching to, 3.2.6

application sessions in the database

architecture figure, 3.1.1

application user roles

application sessions, disabling from, 3.3.8

application sessions, enabling for, 3.3.7

disabling for specified session, 11.1.4.13

enabling for specified session, 11.1.4.12

application users

about, 1.2.2, 2.1.1

application sessions, assigning to, 3.2.5

application sessions, creating namespace templates, 3.3.1.3

application sessions, custom attributes, 3.3.5

application sessions, destroying, 3.2.10

application sessions, detaching from, 3.2.9

application sessions, initializing namespaces, 3.3.2.1, 3.3.2.2, 3.3.2.3, 3.3.2.4

application sessions, initializing namespaces explicitly, 3.3.2.5

application sessions, switching to, 3.2.6

compared with database user, 1.2.2.1

creating, 2.1.1.1

direct login users, 2.1.3.2

creating direct login user, 2.1.3.1

definition, 1.2.2

general procedure, 2.1.1.1

modifying, 2.1.1.1

validating, 2.1.6

application users and roles

troubleshooting, D.2.2

applying

additional application privileges

to a column, 5.5

assigning

an application user to an anonymous application session, 3.2.5

attaching

an application session, 3.2.3

auditing

DBA_XS_AUDIT_POLICY_OPTIONS view, 1.6

DBA_XS_AUDIT_TRAIL view, 1.6

DBA_XS_ENB_AUDIT_POLICIES view, 1.6

in an Oracle Database Real Application Security environment, 1.6

unified auditing, 1.6, 9, 9, 9

authentication

multilevel, 4.3.6, 4.3.6

strong, 4.3.6

weak, 4.3.6

---

C

CHECK_PRIVILEGE operator, 4.4.1

checking

ACLs for a privilege, 4.3.5, 4.3.5

checking security attribute

using getSecurityAttribute method

SecurityAttribute returns value ENABLED, B.2.1

SecurityAttribute returns value NONE, B.2.1

SecurityAttribute returns value UNKNOWN, B.2.1

checking user authorization indicator

using getAuthorizationIndicator method

AuthorizationIndicator returns value NONE, B.2.2

AuthorizationIndicator returns value UNAUTHORIZED, B.2.2

AuthorizationIndicator returns value UNKNOWN, B.2.2

column authorization

JDBCI interface, B.2

OCI interface, B.1

COLUMN_AUTH_INDICATOR function, 10.1

column-level security, 5.5

configuring

an application role, 2.2.3

application roles, 2.2

application user switch

proxying an application user, 2.1.5

application users, 2.1

global callback event handlers

for an application session, 3.2.7

constraining ACL inheritance

definition, 4.3.10.2

cookies

application sessions, setting for, 3.2.4

create views

using BEQUEATH clause, 5.9

creating

ACLs and ACEs, 4.3.2

anonymous application session, 3.2.2

application sessions, 3.2.1

application user accounts, 2.1.1.1

application users, 2.1.1.1

custom attributes

in application session, 3.3.5

direct login user, 2.1.3.1

dynamic application role, 2.2.2.2, 2.2.3.2

namespace templates, 3.3.1.3

namespaces

using namespace templates, 3.3.1

regular application role, 2.2.2.1, 2.2.3.1

security class, 4.2.2

simple application user account, 2.1.2

---

D

data realm constraints

affect on database tables, 5.6.2

membership methods, 5.4.1

membership rule (WHERE predicate)

about, 5.4.1

membership rules

session variables, guideline for, 5.4.1

parameterized

about, 5.4.1

types defined by WHERE predicates, 5.4.1

data realms

about, 5.1

definition, 4.4.1

structure, 5.4.1

See also dynamic data realms, static data realms

data security

about, 5.1

ACLs, 4.4

automatic refreshment for static ACL, 11.5.3.1

troubleshooting, D.2.5

with Oracle Database Real Application Security, 1.2.1

data security documents

example, 5.3

privileges

security checks, how handled, 5.8.1

privileges, column-level security, 5.5

data security policy

tables

enabling, 11.4.3.13

removing from, 11.4.3.12

data security privileges

alter refreshment for static ACL, 11.3.4.2, 11.5.3.2

automatic refreshment for static ACL, 11.3.4.1

database role

about, 1.2.2

database user

about, 1.2.2

compared with application user, 1.2.2.1

DataSecurity module, 4.4.1

DBA_XDS_ACL_REFRESH view, 9.44

DBA_XDS_ACL_REFSTAT view, 9.45

DBA_XDS_LATEST_ACL_REFSTAT view, 9.46

DBA_XS_ACES view, 4.3.1, 4.3.11, 9.21

DBA_XS_ACL_PARAMETERS view, 9.29

DBA_XS_ACLS view, 4.3.11, 9.19

DBA_XS_ACTIVE_SESSIONS view, 9.36

DBA_XS_APPLIED_POLICIES view, 9.33

DBA_XS_AUDIT_POLICY_OPTIONS view, 1.6, 9

DBA_XS_AUDIT_TRAIL view, 1.6, 9

DBA_XS_COLUMN_CONSTRAINTS view, 9.31

DBA_XS_DYNAMIC_ROLES view, 9.8

DBA_XS_ENB_AUDIT_POLICIES view, 1.6, 9

DBA_XS_EXTERNAL_PRINICIPALS view, 9.3

DBA_XS_IMPLIED_PRIVILEGES view, 9.13

DBA_XS_INHERITED_REALMS view, 9.27

DBA_XS_MODIFIED_POLICIES view, 9.34

DBA_XS_NS_TEMPLATE_ATTRIBUTES view, 9.40

DBA_XS_NS_TEMPLATES view, 9.39

DBA_XS_OBJECTS view, 9.1

DBA_XS_POLICIES view, 9.23

DBA_XS_PRINICIPALS view, 9.2

DBA_XS_PRIVILEGES view, 4.3.12, 9.11

DBA_XS_PROXY_ROLES view, 9.9

DBA_XS_REALM_CONSTRAINTS view, 9.25

DBA_XS_ROLE_GRANTS view, 9.10

DBA_XS_ROLES view, 9.7

DBA_XS_SECURITY_CLASS_DEP view, 4.3.12, 9.17

DBA_XS_SECURITY_CLASSES view, 4.3.12, 9.15

DBA_XS_SESSION_NS_ATTRIBUTES view, 9.38

DBA_XS_SESSION_ROLES view, 9.37

DBA_XS_SESSIONS view, 9.35

DBA_XS_USERS view, 9.4

DBMS_XS_SESSIONS PL/SQL package

about, 11.1, 11.1

ADD_GLOBAL_CALLBACK, 3.2.7, 11.1.4.20

ASSIGN_USER, 3.3.2.3, 11.1.4.3

ATTACH_SESSION, 3.3.2.2, 11.1.4.2

constants, 11.1.2

CREATE_ATTRIBUTE, 3.3.5, 11.1.4.6

CREATE_NAMESPACE, 3.3.2.5, 11.1.4.5

CREATE_SESSION, 3.3.2.1, 11.1.4.1

DELETE_ATTRIBUTE, 11.1.4.10

DELETE_GLOBAL_CALLBACK, 3.2.7, 11.1.4.22

DELETE_NAMESPACE, 3.3.6, 11.1.4.11

DESTROY_SESSION, 3.2.10, 11.1.4.19

DETACH_SESSION, 3.2.9, 11.1.4.18

DISABLE_ROLE, 3.3.8, 11.1.4.13

ENABLE_GLOBAL_CALLBACK, 3.2.7, 11.1.4.21

ENABLE_ROLE, 3.3.7, 11.1.4.12

GET_ATTRIBUTE, 3.3.4, 11.1.4.8

object types, constructor functions, 11.1.3

REAUTH_SESSION, 11.1.4.15

RESET_ATTRIBUTE, 11.1.4.9

SAVE_SESSION, 3.2.8, 11.1.4.17

security model, 11.1.1

SET_ATTRIBUTE, 3.3.3, 11.1.4.7

SET_INACTIVITY_TIMEOUT, 11.1.4.16

SET_SESSION_COOKIE, 11.1.4.14

SWITCH_USER, 2.1.5, 3.3.2.4, 11.1.4.4

default security class

definition, 4.2.3

defining a basic data security policy

implementation tasks, 5.10.1

disable a data security policy for a table, 5.10.1.6

use case, 5.10

deleting

namespaces

in application session, 3.3.6

destroying

application session, 3.2.10

detaching

application session

from a traditional database session, 3.2.9

determining

invoker’s rights use for nested program units

using BEQUEATH clause when creating views, 5.9

the invoking application user

using SQL functions, 5.9.1

direct application user accounts

setting password verifiers, 2.1.3.3

disabling

application roles

for an application session, 3.3.8

displaying secure column values

using SQL*Plus SET SECUREDCOL command, 5.8.2

dynamic application role, 2.2.2.2

dynamic application roles

predefined, 2.2.4

dynamic data realm constraints

about, 5.4.2

ACL evaluation order, 5.6.3

---

E

enabling

application roles

for application session, 3.3.7

event handlers

See also global callback events

event-based tracing

about, D.1.5

components, D.2

examples

JDBC

security attributes, checking, B.2.3

user authorization, checking, B.2.3

OCI return codes, B.1.1

Real Application Security policy on master-detail related tables, 5.7.3

exception dumps, D.3

exception state dumps, D.1.4

extending ACL inheritance

definition, 4.3.10.1

external roles, 7.1

external users, 7.1

namespaces for, 7.2.1

session modes, 7.1

secure mode, 7.1

trusted mode, 7.1

external users and external roles

abortSession method, 7.2.5

assignUser method, 7.2.4

attachSession method, 7.2.3

createSession method, 7.2.2

for application integration, 7.1

saveSession method, 7.2.5

session APIs for, 7.2

---

F

firewall, 4.3.6

authentication, 4.3.10.2

foreign_key

specifies foreign key of detail table, 5.7.2

---

G

getting

session attributes

in application session, 3.3.4

global callback events

about, 3.2.7

adding, 11.1.4.20

deleting, 11.1.4.22

enable or disable, 11.1.4.21

granting

application privileges to principles, 2.4

application role

to existing application user, 2.4.1.2

to new application role, 2.4.2

to new application user, 2.4.1.1

database role

to an application role, 2.4.3

---

I

inheritance

master-detail related tables, 5.7.1

inheritedFrom element, components, 5.7.2

initializing

namaspace

when session is attached, 3.3.2.2

namespace, 3.3.2.3

application user is switched in application session, 3.3.2.4

when session is created, 3.3.2.1

namespaces

explicitly, 3.3.2.5, 3.3.2.5

in-memory tracing, D.1.6

---

J

Java environment

aborting a session, 7.2.5

assigning a user to a session, 7.2.4

assigning or switching an application user, 6.2.3

attaching an application session, 7.2.3

external role behavior, 7.2.3

attachng an application session, 6.2.2

authenticating users using Java APIs, 6.3

authorizing application users using ACLs, 6.4

changing the middle-tier cache size, 6.1.3

clearing the cache, 6.1.3.6

getting the maximum cache idle time, 6.1.3.3

getting the maximum cache size, 6.1.3.4

removing entries from the cache, 6.1.3.5

removing entries from the cache, getting the high watermark for cache, 6.1.3.5.2

removing entries from the cache, getting the low watermark for cache, 6.1.3.5.3

removing entries from the cache, setting the watermark, 6.1.3.5.1

setting the maximum cache size, 6.1.3.2

setting the middle-tier cache idle time, 6.1.3.1

checking if application role is enabled, 6.2.4.3

constructing an ACL identifier, 6.4.1

creating a session namespace attribute, 6.2.5.4.1

creating a user session, 6.2.1

creating an application session, 7.2.2

creating namespaces, 6.2.5.1

deleting namespaces, 6.2.5.2

deleting session namespace attributes, 6.2.5.4.6

destroying an application session, 6.2.9

detaching an application session, 6.2.8

disabling application roles, 6.2.4.2

enabling and disabling application roles, 6.2.4

enabling application roles, 6.2.4.1

getting a session namespace attribute, 6.2.5.4.3

getting data privileges associated with a specific ACL, 6.4.3

getting the application user ID for the session, 6.2.7.2

getting the Oracle connection associated with the session, 6.2.7.1

getting the session cookie, 6.2.7.5

getting the session ID for the session, 6.2.7.3

getting the string representation of the session, 6.2.7.4

implicitly creating namespaces, 6.2.5.3

initializing the middle tier, 6.1

mid-tier configuration mode, 6.1.1

privileges for the session manager, 6.1.2

roles for the session manager, 6.1.2

using getSessionManager method, 6.1.2

listing session namespace attributes, 6.2.5.4.4

performing namespace operations as session manager, 6.2.6

performing namespace operations as session user, 6.2.5

resetting session namespace attributes, 6.2.5.4.5

saving a session, 7.2.5

setting a session namespace attribute, 6.2.5.4.2

setting session cookie as session manager, 6.2.7.7

setting session inactivity timeout as session manager, 6.2.7.6

using namespace attributes, 6.2.5.4

using the checkAcl method, 6.4.2

JDBC

column authorization, interface for, B.2

---

M

master detail data realm

foreign_key

specifies foreign key of detail table, 5.7.2

parentObjectName element

specifies name of master table, 5.7.2

parentSchemaName element

specifies name of schema containing master table, 5.7.2

primary_key

specifies primary key from master table, 5.7.2

when element

specifies a predicate for detail table, 5.7.2

master-detail tables

ACL

identifiers, retrieving, 10.4

inheritedFrom element, components, 5.7.2

Real Application Security policies

about, 5.7.1

creating for, 5.7.3

Materialized View, 5.4.2

membership rules in data realm constraints

session variables, guideline for, 5.4.1

membership rules (WHERE predicate) in data realm constraints

about, 5.4.1

modifying

application users, 2.1.1.1

multilevel authentication, 4.3.6

definition, 4.3.6

using, 4.3.6

---

N

namespaces

application sessions

attributes, getting, 3.3.4

attributes, setting, 3.3.3

creating, 11.1.4.5

deleting, 3.3.6, 11.1.4.11

attribute values

getting, 11.1.4.8

setting, 11.1.4.7

attributes

deleting, 11.1.4.10

---

O

OCI parameter handle attribute

OCI_ATTR_XDS_POLICY_STATUS, B.1.4

OCI_XDS_POLICY_ENABLED value, B.1.4

OCI_XDS_POLICY_NONE value, B.1.4

OCI_XDS_POLICY_UNKNOWN value, B.1.4

OCI return codes

ORA-24530

column value is unauthorized to the user, B.1.1

ORA-24531

column value authorization is unknown, B.1.1

ORA-24536

column authorization unknown, B.1.1

ORA_CHECK_ACL function, 10.3, D.1.3

ORA_CHECK_PRIVILEGE function, 10.5

ORA_GET_ACLIDS function, 10.4, D.1.2

See ORA_GET_ACLIDS function

ORA_INVOKING_USER function

returns name of current database user, 5.9.1

ORA_INVOKING_USERID function

returns ID of current database user, 5.9.1

ORA_INVOKING_XS_USER function

returns name of current Real Application Security application user, 5.9.1

ORA_INVOKING_XS_USER_GUID function

returns ID of current Real Application Security application user, 5.9.1

ORA-24530

column value is unauthorized to the user

OCI return code, B.1.1

ORA-24531

column value authorization is unknown

OCI return code, B.1.1

ORA-24536

column authorization unknown

OCI return code, B.1.1

ORA-28113: policy predicate has error message, 5.4.3

Oracle Call Interface (OCI)

column authorization, interface for, B.1

Oracle Database Real Application Security

about data security, 1.2.1

access control entry (ACE), 1.2.5

access control list (ACL), 1.2.6

advantages of, 1.1.2

aggregate privilege, 1.2.3

application privileges, 1.2.3

application session concepts, 1.3

architecture, 1.1.3

data security concepts, 1.2

data security policy, 1.2.7

flow of design and development, 1.4

principals

users and roles, 1.2.2

security classes, 1.2.4

security components of, 1.1.3

use case scenario example policy, 1.5

component requirements, 1.5.2

description and security requirements, 1.5.1

implementation overview, 1.5.2

what is, 1.1

Oracle Virtual Private Database (VPD)

extended for Real Application Security, 5.1

oracle.jdbc.OracleResultSetMetaData interface

getAuthorizationIndicator method

about, B.2.2

example, B.2.3

getSecurityAttribute method

about, B.2.1

example, B.2.3

---

P

parameterized ACL, 4.4.2

parameterized data realm constraints

about, 5.4.1

parentObjectName element

specifies name of master table, 5.7.2

parentSchemaName element

specifies name of schema containing master table, 5.7.2

password verifiers

direct application user accounts, 2.1.3.3

PL/SQL functions

COLUMN_AUTH_INDICATOR, 10.1

XS_SYS_CONTEXT, 10.2

PL/SQL packages

DBMS_XS_SESSIONS, 11.1

XS_DATA_SECURITY_UTIL, 11.5

predefined objects

ACLs

NS_UNRESTRICTED_ACL, A.5

SESSIONACL, A.5

SYSTEMACL, A.5

database roles

PROVISIONER, A.2.3

XS_CACHE_ADMIN, A.2.3

XS_NAMESPACE_ADMIN, A.2.3

XS_RESOURCE, A.2.3

XS_SESSION_ADMIN, A.2.3

dynamic application roles, 2.2.4

DBMS_AUTH, A.2.2

DBMS_PASSWD, A.2.2

EXTERNAL_DBMS_AUTH, A.2.2

MIDTIER_AUTH, A.2.2

XSAUTHENTICATED, A.2.2

XSSWITCH, A.2.2

namespaces

XS$GLOBAL_VAR, A.3

XS$SESSION, A.3

regular application roles

XSBYPASS, A.2.1

XSCACHEADMIN, A.2.1

XSDISPATCHER, A.2.1

XSNAMESPACEADMIN, A.2.1

XSPROVISIONER, A.2.1

XSPUBLIC, A.2.1

XSSESSIONADMIN, A.2.1

security classes

DML, A.4

NSTEMPLATE_SC, A.4

SESSION, A.4

SYSTEM, A.4

users

XSGUEST, A.1

primary_key

specifies primary key from master table, 5.7.2

principals

about, 1.2.2

privileges

about application, 1.2.3

check, 4.3.5, 4.3.5

constrain, 4.3.10.2

data security documents

columns, applying additional to, 5.5

security checks, how handled, 5.8.1

---

R

regular application role, 2.2.2.1

roles

dynamic

assigning to user, 11.1.4.3

removing from user, 11.1.4.3

See also application roles

---

S

scope, ACL

definition, 4.2.3

security class

about, 1.2.4

adding parent|security class

inheritance, 4.2.6

configuration, 4.2

create, 4.2.2

definition, 4.2.1

inheritance, 4.2.2

inheritance|security class

adding privileges, 4.2.6

deleting, 4.2.6

description string, 4.2.6

removing implied privileges, 4.2.6, 4.2.6

removing parent, 4.2.6

removing privileges, 4.2.6, 4.2.6, 4.2.6

manipulating, 4.2.6

troubleshooting, D.2.3

session

application, 3

IDs

authentication time, updating, 11.1.4.15

time-out values, setting, 11.1.4.16

statistics, D.4

See also application sessions

Session

createNamespace, 6.2.5.1

deleteNamespace, 6.2.5.2

disableRole, 6.2.4.2

enableRole, 6.2.4.1

getConnection, 6.2.7.1

getId, 6.2.7.3

getNamespace, 6.2.5.3

getPrivileges, 6.4.3

getSessionCookie, 6.2.7.5

getUserId, 6.2.7.2

isAnonymous, 6.2.7.2

isRoleEnabled, 6.2.4.3

setCookie, 6.2.7.7

setInactivityTimeout, 6.2.7.6

switchUser, 6.2.3

toString, 6.2.7.4

session service

application configuration of the session filter, 8.5

authorization (checkACL), 8.2

check privilege API, 8.7.4

deployment, 8.4

domain configuration, 8.6

automatic, 8.6.3

manual, 8.6.2

prerequisites, 8.6.1

namespace APIs, 8.7.3

namespace operations, 8.2

Oracle Platform Security Service (OPSS), 8

privilege elevation, 8.2

privilege elevation API, 8.7.2

Real Application Security servlet filter, 8.2

session APIs, 8.2, 8.7.1

session filter, 8.3

session filter operation, 8.3.1

supports JavaEE web application

using OPSS as application security provider, 8

SessionNamespace

createAttribute, 6.2.5.4.1

deleteAttribute, 6.2.5.4.6

getAttribute, 6.2.5.4.3

listAttributes, 6.2.5.4.4

resetAttribute, 6.2.5.4.5

setAttribute, 6.2.5.4.2

toString, 6.2.5.3

SET SECUREDCOL command

SQL*Plus

displaying secure column values, 5.8.2

setting

a cookie for an application session, 3.2.4

password verifiers, 2.1.3.3

session attributes

in application session, 3.3.3

SQL functions

ORA_CHECK_ACL, 10.3, D.1.3

ORA_CHECK_PRIVILEGE, 10.5

ORA_GET_ACLIDS, 10.4, D.1.2

ORA_INVOKING_USER

returns name of current datanase user, 5.9.1

ORA_INVOKING_USERID

returns ID of current database user, 5.9.1

ORA_INVOKING_XS_USER

returns name of current Real Application Security application user, 5.9.1

ORA_INVOKING_XS_USER_GUID

returns ID of current Real Application Security application user, 5.9.1

TO_ACLID, 10.6

SQL operators

CHECK_PRIVILEGE, 4.4.1

ORA_CHECK_ACL

checking ACLs for a privilege, 4.3.5

static data realms

about, 5.4.2

constraints

ACL evaluation order, 5.6.3

statistics in troubleshooting, D.1.7

switching

application users

in current application session, 3.2.6

SYS_ACLOID hidden column, 5.6.2

SYS_GET_ACLIDS function

See ORA_GET_ACLIDS function

system-constraining ACL

about, 4.3.6

definition, 4.3.6

---

T

tables

data security policy

enabling, 11.4.3.13

removing from, 11.4.3.12

master-detail tables, Real Application Security policies

about, 5.7.1

creating for, 5.7.3

time-out values

session

IDs, setting for, 11.1.4.16

TO_ACLID function, 10.6

trace files

acl, D.2.4

application roles, D.2.2

application sessions, D.2.1

application users, D.2.2

data security, D.2.5

policy predicate errors, 5.4.3

Real Application Security components, D.2

security classes, D.2.3

tracing

event and in-memory, D.1.6

traditional security model

manging application users

disadvantages of, 1.1.1

troubleshooting

acl, D.2.4

application principals, D.2.2

application sessions, D.2.1

data security, D.2.5

event-based tracing

about, D.1.5

components, D.2

exception dumps, D.3

exception state dumps, D.1.4

in-memory tracing, D.1.6

Real Application Security diagnostics, D.1

security classes, D.2.3

session statistics, D.4

statistics, D.1.7

using the ORA_CHECK_ACL function, D.1.3

using the ORA_GET_ACLIDS function, D.1.2

using validation APIs, D.1.1

---

U

use case scenario example policy

human resources administration of employee information, 1.5

component requirements, 1.5.2

description and security requirements, 1.5.1

implementation overview, 1.5.2

Java implementation, 6.5

authorizing with middle-tier API, 6.5

main method, 6.5

performing cleanup operations, 6.5

running a query on the database, 6.5

setting up connection, 6.5

setting up session, 6.5

user sessions

See also application sessions

USER_XDS_ACL_REFRESH view, 9.47

USER_XDS_ACL_REFSTAT view, 9.48

USER_XDS_LATEST_ACL_REFSTAT view, 9.49

USER_XS_ACES view, 9.22

USER_XS_ACL_PARAMETERS view, 9.30

USER_XS_ACLS view, 9.20

USER_XS_COLUMN_CONSTRAINTS view, 9.32

USER_XS_IMPLIED_PRIVILEGES view, 9.14

USER_XS_INHERITED_REALMS view, 9.28

USER_XS_PASSWORD_LIMITS view, 9.6

USER_XS_POLICIES view, 9.24

USER_XS_PRIVILEGES view, 9.12

USER_XS_REALM_CONSTRAINTS view, 9.26

USER_XS_SECURITY_CLASS_DEP view, 9.18

USER_XS_SECURITY_CLASSES view, 9.16

USER_XS_USERS view, 9.5

users

See also application users

using

constraining application privilege, 4.3.10.2

effective dates with application roles, 2.3

multilevel authentication, 4.3.6

ORA_CHECK_ACL SQL operator, 4.3.5

SQL functions

to determine the invoking application user, 5.9.1

XS_DIAG.VALIDATE_PRINCIPAL function, 2.1.6, 2.2.3.3

---

V

V$XS_SESSION_NS_ATTRIBUTES view, 9.50

V$XS_SESSION_ROLES view, 9.51

validating

ACLs, 4.3.3, 11.6.2.3

application roles, 2.2.3.3, 2.2.3.3

application users, 2.1.6, 2.1.6

data security policy, 5.2, 11.6.2.4

namespaces, 11.6.2.5

principals, 11.6.2.1

security classes, 4.2.5, 11.6.2.2

workspace objects, 11.6.2.6

views, 9

ALL_XDS_ACL_REFRESH, 9.41

ALL_XDS_ACL_REFSTAT, 9.42

ALL_XDS_LATEST_ACL_REFSTAT, 9.43

DBA_XDS_ACL_REFRESH, 9.44

DBA_XDS_ACL_REFSTAT, 9.45

DBA_XDS_LATEST_ACL_REFSTAT, 9.46

DBA_XS_ACES, 9.21

DBA_XS_ACL_PARAMETERS, 9.29

DBA_XS_ACLS, 9.19

DBA_XS_ACTIVE_SESSIONS, 9.36

DBA_XS_APPLIED_POLICIES, 9.33

DBA_XS_COLUMN_CONSTRAINTS, 9.31

DBA_XS_DYNAMIC_ROLES, 9.8

DBA_XS_EXTERNAL_PRINCIPALS, 9.3

DBA_XS_IMPLIED_PRIVILEGES, 9.13

DBA_XS_INHERITED_REALMS, 9.27

DBA_XS_MODIFIED_POLICIES, 9.34

DBA_XS_NS_TEMPLATE_ATTRIBUTES, 9.40

DBA_XS_NS_TEMPLATES, 9.39

DBA_XS_OBJECTS, 9.1

DBA_XS_POLICIES, 9.23

DBA_XS_PRINCIPALS, 9.2

DBA_XS_PRIVILEGES, 9.11

DBA_XS_PROXY_ROLES, 9.9

DBA_XS_REALM_CONSTRAINTS, 9.25

DBA_XS_ROLE_GRANTS, 9.10

DBA_XS_ROLES, 9.7

DBA_XS_SECURITY_CLASS_DEP, 9.17

DBA_XS_SECURITY_CLASSES, 9.15

DBA_XS_SESSION_NS_ATTRIBUTES, 9.38

DBA_XS_SESSION_ROLES, 9.37

DBA_XS_SESSIONS, 9.35

DBA_XS_USERS, 9.4

privileges in data security documents, 5.8.1

USER_XDS_ACL_REFRESH, 9.47

USER_XDS_ACL_REFSTAT, 9.48

USER_XDS_LATEST_ACL_REFSTAT, 9.49

USER_XS_ACES, 9.22

USER_XS_ACL_PARAMETERS, 9.30

USER_XS_ACLS, 9.20

USER_XS_COLUMN_CONSTRAINTS, 9.32

USER_XS_IMPLIED_PRIVILEGES, 9.14

USER_XS_INHERITED_REALMS, 9.28

USER_XS_PASSWORD_LIMITS, 9.6

USER_XS_POLICIES, 9.24

USER_XS_PRIVILEGES, 9.12

USER_XS_REALM_CONSTRAINTS, 9.26

USER_XS_SECURITY_CLASS_DEP, 9.18

USER_XS_SECURITY_CLASSES, 9.16

USER_XS_USERS, 9.5

V$XS_SESSION_NS_ATTRIBUTES, 9.50

V$XS_SESSION_ROLES, 9.51

---

W

when element

specifies a predicate for detail table, 5.7.2

---

X

XS_ACL PL/SQL package

about, 11.2

ADD_ACL_PARAMETER, 11.2.4.6

APPEND_ACES, 4.3.4, 11.2.4.2

constants, 11.2.3

CREATE_ACL, 11.2.4.1

DELETE_ACL, 11.2.4.9

object types, constructor functions, 11.2.2

REMOVE_ACES, 4.3.4, 11.2.4.3

REMOVE_ACL_PARAMETERS, 11.2.4.7

security model, 11.2.1

SET_DESCRIPTION, 11.2.4.8

SET_PARENT_ACL, 4.3.4, 4.3.10.1, 4.3.10.2, 11.2.4.5

SET_SECURITY_CLASS, 4.3.4, 11.2.4.4

XS_ADMIN_UTIL PL/SQL package

about, 11.3

constants, 11.3.3

GRANT_SYSTEM_PRIVILEGE, 11.3.4.1

object types, 11.3.2

REVOKE_SYSTEM_PRIVILEGE, 11.3.4.2

security model, 11.3.1

XS_DATA_SECURITY PL/SQL package

about, 11.4

ADD_COLUMN_CONSTRAINTS, 11.4.3.4

APPEND_REALM_CONSTRAINTS, 11.4.3.2

APPLY_OBJECT_POLICY, 5.6.2, 11.4.3.13

CREATE_ACL_PARAMETER, 11.4.3.6

CREATE_POLICY, 11.4.3.1

DELETE_ACL_PARAMETER, 11.4.3.7

DELETE_POLICY, 11.4.3.9

DISABLE_OBJECT_POLICY, 11.4.3.11

ENABLE_OBJECT_POLICY, 11.4.3.10

affect on database tables, 5.6.2

object types, constructor functions, 11.4.1

REMOVE_COLUMN_CONSTRAINTS, 11.4.3.5

REMOVE_OBJECT_POLICY, 11.4.3.12

REMOVE_REALM_CONSTRAINTS, 11.4.3.3

security model, 11.4.2

SET_DESCRIPTION, 11.4.3.8

XS_DATA_SECURITY_UTIL PL/SQL package

about, 11.5, 11.5

ALTER_STATIC_ACL_REFRESH, 11.5.3.2

constants, 11.5.2

SCHEDULE_STATIC_ACL_REFRESH, 11.5.3.1

security model, 11.5.1

XS_DIAG PL/SQL package

about, 11.6

security model, 11.6.1

VALIDATE_ACL, 4.3.3, 11.6.2.3

VALIDATE_DATA_SECURITY, 5.2, 11.6.2.4

VALIDATE_NAMESPACE_TEMPLATE, 11.6.2.5

VALIDATE_PRINCIPAL, 2.1.6, 2.2.3.3, 11.6.2.1

VALIDATE_SECURITY_CLASS, 4.2.5, 11.6.2.2

VALIDATE_WORKSPACE, 11.6.2.6

XS_NAMESPACE PL/SQL package

about, 11.7

ADD_ATTRIBUTES, 11.7.4.2

constants, 11.7.3

CREATE_TEMPLATE, 3.3.1.3, 11.7.4.1

DELETE_TEMPLATE, 11.7.4.6

object types, constructor functions, 11.7.2

REMOVE_ATTRIBUTES, 11.7.4.3

security model, 11.7.1

SET_DESCRIPTION, 11.7.4.5

SET_HANDLER, 11.7.4.4

XS_PRINCIPAL PL/SQL package

about, 11.8

ADD_PROXY_TO_DBUSER, 11.8.4.8

ADD_PROXY_USER, 2.1.5, 11.8.4.6

constants, 11.8.3

CREATE_DYNAMIC_ROLE, 2.2.3.2, 11.8.4.3

CREATE_ROLE, 2.2.3.1, 11.8.4.2

CREATE_USER, 2.1.3.2, 2.3, 11.8.4.1

DELETE_PRINCIPAL, 11.8.4.22

ENABLE_BY_DEFAULT, 11.8.4.13

ENABLE_ROLES_BY_DEFAULT, 11.8.4.14

GRANT_ROLES, 2.4.1.2, 2.4.2, 11.8.4.4

object types, constructor functions, 11.8.2

REMOVE_PROXY_FROM_DBUSER, 11.8.4.9

REMOVE_PROXY_USER, 11.8.4.7

REVOKE_ROLES, 11.8.4.5

security model, 11.8.1

SET_DESCRIPTION, 11.8.4.21

SET_DYNAMIC_ROLE_DURATION, 11.8.4.11

SET_DYNAMIC_ROLE_SCOPE, 11.8.4.12

SET_EFFECTIVE_DATES, 11.8.4.10

SET_GUID, 11.8.4.16

SET_PASSWORD, 2.1.3.2, 11.8.4.19

SET_PROFILE, 2.1.3.2, 11.8.4.17

SET_USER_SCHEMA, 11.8.4.15

SET_USER_STATUS, 11.8.4.18

SET_VERIFIER, 2.1.3.3, 11.8.4.20

XS_SECURITY_CLASS PL/SQL package

about, 11.9

ADD_IMPLIED_PRIVILEGES, 4.1.1, 4.2.6, 11.9.2.6

ADD_PARENTS, 4.2.6, 11.9.2.2

ADD_PRIVILEGES, 4.1.1, 4.2.6, 11.9.2.4

CREATE_SECURITY_CLASS, 11.9.2.1

DELETE_SECURITY_CLASS, 4.2.6, 11.9.2.9

REMOVE_IMPLIED_PRIVILEGES, 4.2.6, 4.2.6, 11.9.2.7

REMOVE_PARENTS, 4.2.6, 11.9.2.3

REMOVE_PRIVILEGES, 4.2.6, 4.2.6, 11.9.2.5

security model, 11.9.1

SET_DESCRIPTION, 4.2.6, 11.9.2.8

XS_SYS_CONTEXT function, 10.2

XSAccessController

checkAcl, 6.4.2

XSAuthenticationModule

authenticate, 6.3

XSSessionManager

assignUser, 6.2.3

attachSession, 6.2.2

class, 6.1

clearCache, 6.1.3.6

createAnonymousSession, 6.2.1

createSession, 6.2.1

destroySession, 6.2.9

detachSession, 6.2.8

getCacheMaxIdleSize, 6.1.3.4

getCacheMaxIdleTime, 6.1.3.3

getHighWaterMark, 6.1.3.5.2

getLowWaterMark, 6.1.3.5.3

getSessionManager, 6.1.2

setCacheMaxIdleTime, 6.1.3.1

setCacheMaxSize, 6.1.3.2

setWaterMark, 6.1.3.5.1