Use the ACCESSIBLE BY clause to create white lists, adding an extra layer of security to your PL/SQL objects.
1234567
CONN sys/password@pdb1 AS SYSDBA
CREATE USER test1 IDENTIFIED BY test1;
GRANT CREATE SESSION, CREATE PROCEDURE, CREATE TABLE TO test1;
CREATE USER test2 IDENTIFIED BY test2;
GRANT CREATE SESSION, CREATE PROCEDURE TO test2;123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960
CONN test1/test1@pdb1
CREATE OR REPLACE PROCEDURE protected_proc
ACCESSIBLE BY (calling_proc)
AS
BEGIN
DBMS_OUTPUT.put_line('TEST1 : protected_proc');
END;
/
Procedure created.
SQL>
CREATE OR REPLACE PROCEDURE calling_proc AS
BEGIN
DBMS_OUTPUT.put_line('TEST1 : calling_proc');
protected_proc;
END;
/
Procedure created.
SQL> SET SERVEROUTPUT ON
SQL> EXEC calling_proc;
TEST1 : calling_proc
TEST1 : protected_proc
PL/SQL procedure successfully completed.
SQL>
SQL> EXEC protected_proc;
BEGIN protected_proc; END;
*
ERROR at line 1:
ORA-06550: line 1, column 7:
PLS-00904: insufficient privilege to access object PROTECTED_PROC
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored
SQL>
CREATE OR REPLACE PROCEDURE another_calling_proc AS
BEGIN
DBMS_OUTPUT.put_line('TEST1 : another_calling_proc');
protected_proc;
END;
/
Warning: Procedure created with compilation errors.
SQL> SHOW ERRORS
Errors for PROCEDURE ANOTHER_CALLING_PROC:
LINE/COL ERROR
-------- -----------------------------------------------------------------
4/3 PL/SQL: Statement ignored
4/3 PLS-00904: insufficient privilege to access object PROTECTED_PROC
SQL>12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364
CONN test1/test1@pdb1
GRANT EXECUTE ON protected_proc TO test2;
Grant succeeded.
SQL>
CONN test2/test2@pdb1
CREATE OR REPLACE PROCEDURE calling_proc AS
BEGIN
DBMS_OUTPUT.put_line('TEST2 : calling_proc');
test1.protected_proc;
END;
/
Warning: Procedure created with compilation errors.
SQL> SHOW ERRORS
Errors for PROCEDURE CALLING_PROC:
LINE/COL ERROR
-------- -----------------------------------------------------------------
4/3 PL/SQL: Statement ignored
4/3 PLS-00904: insufficient privilege to access object PROTECTED_PROC
SQL>
CONN test1/test1@pdb1
CREATE OR REPLACE PROCEDURE protected_proc
ACCESSIBLE BY (calling_proc, test2.calling_proc)
AS
BEGIN
DBMS_OUTPUT.put_line('TEST1 : protected_proc');
END;
/
Procedure created.
SQL>
CONN test2/test2@pdb1
CREATE OR REPLACE PROCEDURE calling_proc AS
BEGIN
DBMS_OUTPUT.put_line('TEST2 : calling_proc');
test1.protected_proc;
END;
/
Procedure created.
SQL>
SQL> SET SERVEROUTPUT ON
SQL> EXEC calling_proc;
TEST2 : calling_proc
TEST1 : protected_proc
PL/SQL procedure successfully completed.
SQL>1234567891011121314151617181920212223242526272829303132333435363738394041424344454647
ACCESSIBLE BY (PACKAGE calling_pkg)
ACCESSIBLE BY (PROCEDURE calling_proc)
ACCESSIBLE BY (FUNCTION calling_func)
ACCESSIBLE BY (TYPE calling_type)
ACCESSIBLE BY (TRIGGER calling_trg)
CONN test1/test1@pdb1
CREATE OR REPLACE FUNCTION protected_func (id IN NUMBER)
RETURN NUMBER
ACCESSIBLE BY (t1_fbi, t1_vw)
AS
BEGIN
RETURN id;
END;
/
CREATE TABLE t1 (
id NUMBER
);
SQL> CREATE INDEX t1_fbi ON t1(protected_func(id));
CREATE INDEX t1_fbi ON t1(protected_func(id))
*
ERROR at line 1:
ORA-06552: PL/SQL: Statement ignored
ORA-06553: PLS-904: insufficient privilege to access object PROTECTED_FUNC
SQL>
-- Views are created normally, but fail when run.
CREATE OR REPLACE VIEW t1_vw AS
SELECT protected_func(id) AS id_vw
FROM t1;
View created.
SQL> SELECT * FROM t1_vw;
SELECT * FROM t1_vw
*
ERROR at line 1:
ORA-06552: PL/SQL: Statement ignored
ORA-06553: PLS-904: insufficient privilege to access object PROTECTED_FUNC
SQL>1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162
CREATE OR REPLACE PACKAGE protected_pkg
ACCESSIBLE BY (PROCEDURE calling_proc)
AS
PROCEDURE protected_proc;
END;
/
Package created.
SQL>
CREATE OR REPLACE PACKAGE protected_pkg
AS
PROCEDURE protected_proc
ACCESSIBLE BY (PROCEDURE calling_proc);
END;
/
Warning: Package created with compilation errors.
SQL> SHOW ERRORS
Errors for PACKAGE PROTECTED_PKG:
LINE/COL ERROR
-------- -----------------------------------------------------------------
0/0 PLS-00157: Only schema-level programs allow ACCESSIBLE BY
SQL>
CREATE OR REPLACE PACKAGE protected_pkg
ACCESSIBLE BY (PROCEDURE calling_proc)
AS
PROCEDURE protected_proc;
END;
/
Package created.
SQL>
CREATE OR REPLACE PACKAGE BODY protected_pkg
ACCESSIBLE BY (PROCEDURE calling_proc)
AS
PROCEDURE protected_proc AS
BEGIN
NULL;
END;
END;
/
Warning: Package Body created with compilation errors.
SQL> SHOW ERRORS
Errors for PACKAGE BODY PROTECTED_PKG:
LINE/COL ERROR
-------- -----------------------------------------------------------------
2/3 PLS-00103: Encountered the symbol "ACCESSIBLE" when expecting one
of the following:
is as compress compiled wrapped
SQL>123456789101112131415161718192021222324252627
CREATE OR REPLACE PACKAGE protected_pkg
AS
PROCEDURE protected_proc
ACCESSIBLE BY (PROCEDURE calling_proc);
FUNCTION protected_func RETURN NUMBER
ACCESSIBLE BY (PROCEDURE calling_func);
END;
/
CREATE OR REPLACE PACKAGE BODY protected_pkg
AS
PROCEDURE protected_proc
ACCESSIBLE BY (PROCEDURE calling_proc)
AS
BEGIN
NULL;
END;
FUNCTION protected_func RETURN NUMBER
ACCESSIBLE BY (PROCEDURE calling_func)
AS
BEGIN
RETURN NULL;
END;
END;
/Please to add comments
No comments yet. Be the first to comment!