A Predefined Objects in Real Application Security
Roles
Real Application Security provides predefined application roles for regular application roles, dynamic application roles, and database roles.
Regular Application Roles
Real Application Security provides the following predefined regular application roles:
- XSPUBLIC: This application role is similar to the PUBLIC role in the database. It is granted to all Real Application Security application users.
- XSBYPASS: A role used to bypass the restrictions imposed by a system constraining ACL.
- XSPROVISIONER: A role used to grant PROVISION and CALLBACK privileges.
- XSNAMESPACEADMIN: A role used for namespace attribute administration.
- XSCACHEADMIN: A role used for middle tier cache administration.
- XSDISPATCHER: A role used for session administration, namespace administration, and middle tier cache administration by a dispatcher.
- XSCONNECT: A role used to control whether a Real Application Security application user with a password can connect to the database or not.
Dynamic Application Roles
Real Application Security provides the following predefined dynamic application roles:
- DBMS_AUTH: This application role depends on the authentication state of the application user. It is enabled whenever the application user is authenticated in the Real Application Security system as a direct-logon application user using any of the database authentication methods.
- EXTERNAL_DBMS_AUTH: This application role depends on the authentication state of the external application user. It is enabled whenever the external application user is authenticated in the Real Application Security system as an external direct-logon application user using any of the database authentication methods.
- DBMS_PASSWD: This application role depends on the authentication state of the application user. It is enabled whenever the application user is authenticated in the Real Application Security system as a direct-logon application user using a password authentication method.
- MIDTIER_AUTH: This application role depends on the authentication state of the application user. It is enabled whenever the application user is authenticated in the Real Application Security system through the middle tier. The middle tier explicitly passes this application role to the database indicating that the application user has been authenticated by the middle tier.
- XSAUTHENTICATED: This application role depends on the authentication state of the application user. It is enabled whenever the application user is authenticated in the Real Application Security system (either directly or through the middle tier).
- XSSWITCH: This application role depends on the session state of the application user. It is enabled whenever the Real Application Security session for an application user is created as a result of a switch_user operation, that is, if the proxy user in the original Real Application Security session is switched to an application user.
Database Roles
Real Application Security provides the following database roles.
- PROVISIONER: A database role that has the PROVISION and CALLBACK privileges.
- XS_SESSION_ADMIN: A database role that has the ADMINISTER_SESSION privilege.
- XS_NAMESPACE_ADMIN: A database role that has the ADMIN_ANY_NAMESPACE privilege.
- XS_CACHE_ADMIN: A database role that can be used for middle tier cache administration.
Namespaces
Real Application Security provides the following predefined namespaces:
- XS$GLOBAL_VAR: Contains the following NLS attributes: NLS_LANGUAGE, NLS_TERRITORY, NLS_SORT, NLS_DATE_LANGUAGE, NLS_DATE_FORMAT, NLS_CURRENCY, NLS_NUMERIC_CHARACTERS, NLS_ISO_CURRENCY, NLS_CALENDAR, NLS_TIME_FORMAT, NLS_TIMESTAMP_FORMAT, NLS_TIME_TZ_FORMAT, NLS_TIMESTAMP_TZ_FORMAT, NLS_DUAL_CURRENCY, NLS_COMP, NLS_LENGTH_SEMANTICS, and NLS_NCHAR_CONV_EXCP. The XS$GLOBAL_VAR namespace can be loaded into a Real Application Security session without requiring any privileges.
- XS$SESSION: Contains the following attributes: CREATED_BY, CREATE_TIME, COOKIE, CURRENT_XS_USER, CURRENT_XS_USER_GUID, INACTIVITY_TIMEOUT, LAST_ACCESS_TIME, LAST_AUTHENTICATION_TIME, LAST_UPDATED_BY, PROXY_GUID, SESSION_ID, SESSION_SIZE, SESSION_XS_USER, SESSION_XS_USER_GUID, USERNAME, and USER_ID.
Security Classes
Real Application Security provides the following predefined security classes and application privileges:
- DML: DML Privileges security class. If an ACL does not specify its security class, DML is the default security class for the ACL. See "DML Security Class" for more information. Contains the following common application privileges for object manipulation:
  - SELECT: Privilege to read an object.
  - INSERT: Privilege to insert an object.
  - UPDATE: Privilege to update an object.
  - DELETE: Privilege to delete an object.
- SYSTEM: System security class. Contains the following application privileges:
  - PROVISION: Privilege for updating principal documents from FIDM. The PROVISION privilege is also extended for creating, deleting, and modifying Real Application Security principals (users or roles) beginning in Release 12.2. This Real Application Security system privilege is intended to replace the traditional use of database create user, alter user privileges, and so forth to create and alter Real Application Security application users and roles.
  - CALLBACK: Privilege to register and update global callbacks.
  - ADMIN_ANY_SEC_POLICY: Privilege for any administrative operation.
  - ADMIN_SEC_POLICY: Privilege for administering objects in its own schema.
  - ADMIN_NAMESPACE: Privilege for administering any namespace.
- SESSION_SC: Session security class. Contains the following application privileges:
  - CREATE_SESSION: Privilege to create a Real Application Security user session.
  - TERMINATE_SESSION: Privilege to terminate a Real Application Security user session.
  - ATTACH_SESSION: Privilege to attach to a Real Application Security user session.
  - MODIFY_SESSION: Privilege to modify contents of a Real Application Security user session.
  - ASSIGN_USER: Privilege to assign user to an anonymous Real Application Security user session.
  - ADMINISTER_SESSION: Privilege for Real Application Security user session administration, aggregate of CREATE_SESSION, TERMINATE_SESSION, ATTACH_SESSION, MODIFY_SESSION, and SET_DYNAMIC_ROLES.
  - SET_DYNAMIC_ROLES: Privilege to protect Real Application Security enablement and disablement of a dynamic role as part of the attach session and assign user operations.
- NSTEMPLATE_SC: Namespace template security class. Contains the following application privileges:
  - MODIFY_NAMESPACE: Privilege to modify session namespace.
  - MODIFY_ATTRIBUTE: Privilege to modify session namespace attribute.
  - ADMIN_NAMESPACE: Privilege for namespace administration, aggregate of MODIFY_NAMESPACE and MODIFY_ATTRIBUTE.
ACLs
Real Application Security provides the following predefined ACLs:
- SYSTEMACL: ACL for granting SYSTEM security class privileges.
  - Grants PROVISION and CALLBACK privileges to PROVISIONER database role and XSPROVISIONER Real Application Security role.
  - Grants ADMIN_ANY_SEC_POLICY privilege to DBA database role.
  - Grants ADMIN_SEC_POLICY privilege to RESOURCE and XS_RESOURCE database roles.
  - Grants ADMIN_ANY_NAMESPACE privilege to DBA and XS_NAMESPACE_ADMIN database roles and XSNAMESPACEADMIN and MIDTIER_AUTH Real Application Security roles.
- SESSIONACL: ACL for granting SESSION_SC security class privileges.
  - Grants ADMINISTER_SESSION privilege to XS_SESSION_ADMIN database role and XSSESSIONADMIN Real Application Security role.
- NS_UNRESTRICTED_ACL: ACL to grant ADMIN_NAMESPACE privilege to PUBLIC database role and XSPUBLIC Real Application Security role.