18
Oracle XML DB Resource Security

This chapter describes Access Control Lists (ACL) based security mechanism for Oracle XML DB resources. It describes how to create ACLs, set and change ACls on resources, and how ACL security interacts with other database security mechanisms.

This chapter contains the following sections:

• Introducing Oracle XML DB Resource Security and ACLs
• Access Control List Terminology
• Oracle XML DB ACL Features
• Access Control: User and Group Access
• Oracle XML DB Supported Privileges
• ACL Evaluation Rules
• Using Oracle XML DB ACLs
• ACL and Resource Management
• Using DBMS_XDB to Check Privileges

Introducing Oracle XML DB Resource Security and ACLs

Oracle XML DB maintains object-level security for any resource in Oracle XML DB Repository hierarchy.

Oracle XML DB uses an access control list (ACL) mechanism to restrict access to any Oracle XML DB resource or database object mapped to Oracle XML DB Repository.

The Oracle XML DB ACL security mechanism supports the WebDAV ACL specification. ACLs are a standard security mechanism used in Java, Windows NT, and other systems.

Oracle XML DB ACL security mechanism is designed to handle large volumes of XML data stored in Oracle9i database. Privileges can be granted or denied to the principal dav:owner, that represents the owner of the document, regardless of who the owner is.

How the ACL-Based Security Mechanism Works

Before a user performs an operation or method on a resource, a check of privileges for the user on the resource takes place. The set of privileges checked depends on the operation or method performed. For example, to increase employee Scott's salary by 10 percent, READ and WRITE privileges are needed for the scott/salary.xml resource.

Access Control List Terminology

A few access control list (ACL) terms are described here:

• Principal. An entity that may be granted access control privileges to an Oracle XML DB resource. Oracle XML DB supports as principals:
  • Database users.
  • Database roles. A database role can be understood as a group, for example, the DBA role represents the DBA group of all the users granted the DBA role.

    Note: Users and roles imported from an LDAP server are also supported as a part of the database's general authentication model.

  There is a special principal named dav:owner that corresponds to a separate property on the object being secured. Use of the dav:owner principal allows greater ACL sharing between users, since the owner of the document often has special rights. See Also "Access Control: User and Group Access".

• Privilege: This is a particular right that can be granted to a principal. Oracle XML DB has a set of system-defined rights (such as READ, INSERT, or UPDATE) that can be referenced in any ACL. Privileges can be one of the following:
  • Aggregate (containing other privileges)
  • Atomic (which cannot be subdivided)

  Aggregate privileges are a naming convenience to simplify usability when the number of privileges becomes large, as well as to promote interoperability between ACL clients. A set of privileges controls the ability to perform a given operation or method on an Oracle XML DB resource. For example, if the principal Scott wants to perform the read operation on a given resource, the read privileges must be granted to Scott prior to the read operation. Therefore, privileges control how users can operate on given resources.

• ACE (access control entry): Part of an ACL that grants or denies access to a particular principal. An ACL consists of a list of ACEs where ordering is irrelevant. There can be only one grant ACE and one deny ACE for a particular principal in a single ACL.

  Note: Many grant ACEs (or deny ACEs) may apply to a particular user since a user may be granted many roles.

  An Oracle XML DB ACE element has the following attributes:

  • Operation: Either grant or deny
  • Principal: Either a User or a group/collection
  • Privileges Set: Particular set of privileges that are to be either granted or denied for a particular principal
• Access control list (ACL): A list of access control entry elements, with the element name ace, that defines access control to a resource. An ACE either grants or denies privileges for a principal.

  Note: ACLs are stored as Oracle XML DB resources, so they also need to be protected by Oracle XML DB ACLs. There is only one ACL, the bootstrap ACL, that is self-protected; that is, it is protected by its own contents.

• Named ACLs: An ACL that is a resource itself, that is, it has its own path name. Named ACLs can be shared by multiple resources, improving manageability, ease of use, and performance. Named ACLs have a unique name and also have an optional type restrictor, such as: http://xmlns.oracle.com/xdb/XDBDemo.xsd#PurchaseOrder

  that specifies that the ACL can only be applied to instances of that XML element and elements in a substitution group with that element.

• Default ACL: When a resource is inserted into the Oracle XML DB Repository, there are two ways to specify an ACL for this resource:
  • Using the default ACL (the ACL of the parent folder)
  • Specifying a particular ACL
• Bootstrap ACL: Every ACL is protected by the contents of another ACL except the bootstrap ACL. The bootstrap ACL, stored in:

  /sys/acls/bootstrap_acl.xml, is the only ACL protected by its own contents. All of the default ACLs are protected by the bootstrap ACL, which grants the xdb:readContents privilege to all users. The bootstrap ACL grants FULL ACCESS to Oracle XML DB ADMIN and DBA groups. The XDBADMIN role is particularly useful for users that must register global XML schemas.

• Other ACLs supplied with Oracle XML DB:
  • all_all_acl.xml Grants all privileges to all users.
  • all_owner_acl.xml Grants all privileges to owner user.
  • ro_all_acl.xml Grants read privileges to all users.
• ACL file-naming conventions: Supplied ACLs use the following file-naming conventions: privilege_users_acl.xml

  where privilege represents the privilege granted and user represents the users that are granted access to the resource.

Oracle XML DB ACL Features

Oracle XML DB supports the following ACL features:

ACL Interaction with Oracle XML DB Table/View Security

Users must have the appropriate privilege on the underlying table/view where the XML object is stored, as well as permissions through the ACL for that individual instance.

LDAP Integration and User IDs

LDAP is integrated with Oracle XML DB to allow external users access to Oracle XML DB. External users can perform the same operations that a local database user can.

Oracle XML DB Resource API for ACLs (PL/SQL)

The PL/SQL API for ACL security allows the PL/SQL developer access to the security mechanisms, to check privileges given a particular ACL, and to list the set of privileges the current user has for a particular ACL and object.

How Concurrency Issues Are Resolved with Oracle XML DB ACLs

Oracle XML DB ACLs are cached for very fast evaluation. When a transaction modifying an ACL is committed, the modified ACL is picked up after the time-out specified in the Oracle XML DB configuration file is up. The XPath for this configuration parameter is /xdbconfig/sysconfig/acl-max-age.

Access Control: User and Group Access

The principal can be either an individual user or a group. A group is also referred to as a collection. A user is granted access as a group principal if the user has been granted a database role.

Access privileges for each principal are stored in access control entries (ACEs) in the ACL.

Example 18-1 ACE Entries in an ACL for Controlling User and Group Access

The following example shows entries in an ACL:

<acl description="myacl"
      xmlns="http://xmlns.oracle.com/xdb/acl.xsd"
      xmlns:dav="DAV:"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl.xsd
                          http://xmlns.oracle.com/xdb/acl.xsd">
  <ace>
    <principal>OWNER</principal>
    <grant>true</grant>
    <privilege>
      <all/>
    </privilege>
  </ace>
</acl>

ACE Elements Specify Access Privileges for Principals

The preceding ACL grants all privileges to the owner of the document. Access to an Oracle XML DB resource is granted for each principal. Table 18-1 lists the access control entry (ACE) elements. Each ACE element specifies access privileges for a given principal using values set for the following elements.

Table 18-1 Access Control Entry (ACE) Elements  

Element	Description
<principal>	Specifies the principal (user or group).
<grant>	A boolean value that specifies whether the principal has been granted access to the resource. A value of true specifies that the access is granted. A value of false specifies that access is denied.
<privilege>	Specifies the privileges granted to the principal.

Oracle XML DB Supported Privileges

Oracle XML DB provides a set of privileges to control access to Oracle XML DB resources. Access privileges in an ACE are stored in the privilege element. Privileges can be:

• Aggregate, composed of other privileges
• Atomic, cannot be subdivided

When an ACL is stored in Oracle XML DB, the aggregate privileges retain their identity, that is, they are not decomposed into the corresponding leaf privileges. In WebDAV terms, these are non-abstract aggregate privileges, so they can be used in ACEs.

Atomic Privileges:

> read-properties

> read-contents

> update

> link (applies only to containers)

> unlink (applies only to containers)

> read-acl

> write-acl-ref

> update-acl

> link-to

> unlink-from

> resolve

> dav:lock

> dav:unlock

>

> Aggregate Privileges:

> dav:read (read-properties, read-contents, resolve)

> dav:write (update, link, unlink, unlink-from)

> dav:read-acl (read-acl)

> dav:write-acl (write-acl-ref, update-acl)

> dav:all (dav:read, dav:write, dav:read-acl, dav:write-acl, dav:lock, dav:unlock)

Atomic Privileges

Table 18-2 lists the atomic privileges supported by Oracle XML DB.

Table 18-2 Atomic Privileges  

Privilege Name	Description	Database Counterpart
read-properties	Read the properties of a resource	SELECT
read-contents	Read the contents of a resource	SELECT
update	Update the properties and contents of a resource	UPDATE
link	For containers only. Allows resources to be bound to the container.	INSERT
unlink	For containers only. Allows resources to be unbound from the container.	DELETE
link-to	Allows resources to be linked	N/A
unlink-from	Allows resources to be unlinked	N/A
read-acl	Read the resource's ACL	SELECT
write-acl-ref	Changes the resource's ID	UPDATE
update-acl	Change the contents of the resource's ACL	UPDATE
resolve	For containers only: Allows the container to be traversed	SELECT
dav:lock	Lock a resource using WebDAV locks	UPDATE
dav:unlock	Unlock a resource locked using a WebDAV lock	UPDATE

Since you can directly access the XMLType storage for ACLs, the XML structure is part of the client interface. Hence ACLs can be manipulated using XMLType APIs.

Aggregate Privileges

Table 18-3 lists the aggregate privileges defined by Oracle XML DB, along with the atomic privileges of which they are composed.

Table 18-3 Aggregate Privileges   

Aggregate Privilege Names	Atomic Privileges
all	All atomic privileges: dav:read, dav:write, dav:read-acl, dav:write-acl, dav:lock, dav:unlock
dav:all	All atomic privileges except linkto
dav:read	read-properties, read-contents, resolve
dav:write	update, link, unlink, unlink-from
dav:read-acl	read-acl
dav:write-acl	write-acl-ref, update-acl

Table 18-4 shows the privileges required for some common operations on resources in Oracle XML DB Repository. The Privileges Required column assumes that you already have resolve privilege on container C and all its parent containers, up to the root of the hierarchy.

Table 18-4 Privileges Needed for Operations on Oracle XML DB Resources  

Operation	Description	Privileges Required
CREATE	Create a new resource in container C	update and link on C
DELETE	Delete resource R from container C	update and unlinkfrom on R, update and unlink on C
UPDATE	Update the contents/properties of resources R	update on R
GET	An FTP/HTTP GET of resource R	read-properties, read-contents on R
SET_ACL	Set the ACL of a resource R	dav:write-acl on R
LIST	List the resources in container C	read-properties on C, read-properties on resources in C. Only those resources on which the user has read-properties privilege are listed.

ACL Evaluation Rules

To evaluate an ACL, the database collects the list of ACEs applying to the user logged into the current database session. The list of currently active roles for the given user is maintained as a part of the session and is used to match ACEs with the current users. To resolve conflicts between ACEs, the following rule is used: if a privilege is denied by any ACE, the privilege is denied for the entire ACL.

Entries in an ACL must observe the following rule:

• Each principal will have two individual ACEs at most, one for granting privileges and one for denying privileges.
• Multiple grant ACEs are not allowed for any principal.
• Multiple deny ACEs are not allowed for any principal.

Using Oracle XML DB ACLs

Every resource in the Oracle XML DB Repository hierarchy has an associated ACL. The ACL mechanism specifies a privilege-based access control for resources to principals. Whenever a resource is accessed, a security check is performed. The ACL determines which principals have which set of privileges to access the resource. An Oracle XML DB principal can be either of the following:

• An individual principal, such as a database user
• A group principal, such as a group of database users that are granted a common role

Each ACL has a list of ACEs. An ACE has the following elements:

• A boolean value indicating whether or not this ACE is granting or denying privileges
• A principal (either a user or a role) indicating to whom the ACL applies
• A list of privileges that are being granted or denied

Named ACLs also have a name attribute and an optional type restrictor, for example, http://xmlns.oracle.com/xdb/XDBDemo.xsd#PurchaseOrder, that specifies that the ACL may only be applied to instances of that XML element (and elements in a substitution group with that element). Note that a privilege that is neither granted nor denied to a user is assumed to be denied.

To evaluate an ACL, the database collects the list of ACEs applying to the user logged into the current database session. The list of currently active roles for the given user is maintained as a part of the session and is used to match ACEs along with the current user.

To check if a user has a certain privilege, you need to know the ID of the ACL and the owner of the object being secured. The Oracle XML DB hierarchy automatically associates an ACL ID and owner with an object that is mapped into its file system (they are stored in a table in the Oracle XML DB schema).

Updating the Default ACL on a Folder

Example 18-2 Updating the Default ACL on a Folder and the Owner of the Folder

This example creates two users, Oracle XML DB administrator, xdbadmin, and Oracle XML DB user, xdbuser. The administrator creates the user's folder under '/'. The default ACL on this folder, inherited from the parent container, allows:

• All permissions to the owner
• Only read permission to public

The owner of the folder is changed to the user, by updating the resource_view. You can also make the user's folder completely private by changing the ACL to another system ACL, such as, all_owner_acl.xml

connect system/manager

Rem Create an Oracle XML DB administrator user (has XDBADMIN role)
grant connect, resource, xdbadmin to xdbadmn identified by xdbadmn;

Rem Create Oracle XML DB user
grant connect, resource to xdbuser identified by xdbuser;

conn xdbadmn/xdbadmn

Rem create the user's folder
declare
retval boolean;
begin
retval := dbms_xdb.createfolder('/xdbuser');
end;
 /

Rem update the OWNER of the user folder
update resource_view
set res = updatexml(res, '/Resource/Owner/text()', 'XDBUSER')
where any_path = '/xdbuser';

commit;

connect xdbuser/xdbuser

Rem XDBUSER has full permissions to operate on her folder
declare
retval boolean;
begin
retval := dbms_xdb.createfolder('/xdbuser/workdir');
end;
 /

Rem All users can read /xdbuser folder at this time.
Rem change ACL to make folder completely private
call dbms_xdb.setacl('/xdbuser', '/sys/acls/all_owner_acl.xml');

ACL and Resource Management

The following subsections describe ACL and resource management in Oracle XML DB Repository.

How to Set Resource Property ACLs

Any Oracle XML DB resource has an ACL as a resource property. To set the ACL resource property, use any of the following methods:

• Perform a RESOURCE_VIEW update
• PL/SQL API: Use DBMS_XDB.setacl(res_path VARCHAR2,acl_path VARCHAR2) to set the ACL property of the resource represented by res_path to the ACL represented by acl_path.
• Quote command in FTP: Use "quote sacl <res_path> <acl_path>" to set the ACL resource property of res_path to the ACLOID for acl_path

Default Assignment of ACLs

When a resource is inserted into the Oracle XML DB hierarchy, and the resource does not specify an ACL, it shares the ACL of its parent container.

Retrieving ACLs for a Resource

The following DBMS_XDB API can be used to get the ACL for a given resource:

DBMS_XDB.getAclDocument(res_path IN VARCHAR2)

It returns an XMLType instance of <acl> element representing the ACL for the resource at res_path.

Changing Privileges on a Given Resource

The following DBMS_XDB API can be used to add an ACE to a resource's ACL:

DBMS_XDB.changePrivileges(res_path IN VARCHAR2, ace IN XMLType)

Restrictions for Operations on ACLs

All named ACLs are XML schema-based resources in the Oracle XML DB Repository hierarchy. Every method used for other resources in Oracle XML DB Repository hierarchy can also be used for ACLs. For example, FTP commands, PL/SQL DOM, and XMLType methods can operate on ACLs. However, because ACLs are part of the access control security scheme and Oracle XML DB Repository hierarchy, the following restrictions are enforced:

• ACL insertion: Can be at most one grant ACE and one deny ACE for a particular principal in an ACL
• ACL deletion: If a resource is currently using the ACL, the ACL cannot be deleted.
• ACL update (modify): If an ACL resource is updated with non-ACL content, the same rules as for ACL deletion will apply.

Using DBMS_XDB to Check Privileges

You can enforce Oracle XML DB access control using the following DBMS_XDB functions:

• CheckPrivileges, getAclDocument, and getPrivileges for Oracle XML DB resources.
• AclCheckPrivileges for database objects. This function loads the ACL from the cache, and performs the access request evaluation as described in the next section.

Row-Level Security for Access Control Security

ACL security in Oracle XML DB acts in conjunction with database security for XML objects. The user must have the appropriate rights on the underlying table/view where the XML object is stored as well as permissions in the ACL for that individual instance. When an object from a particular table is first stored in the Oracle XML DB hierarchy (and mapped to a resource), a row-level security (RLS) policy is added to that table that checks ACL-based permission only for those rows in the table that are mapped to a resource. RLS is enforced for XMLType tables or views that are part of the Oracle XML DB hierarchy.