Skip to Main Content
Forums

Application Development Software

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

enabling ACL security on UCM

847752Mar 16 2011 — edited Mar 17 2011
Hi all,

I've been trying to configure UCM with ACL security.
------------------------------------------------------------------------------------------
Server Name:ecm1_ucm
Version:11gR1-11.1.1.3.0-idcprod1-100505T121221 (Build:7.3.0.180)

Product Version 11gR1-11.1.1.3.0-idcprod1-100505T121221
Product Build 7.3.0.180
Product Build Info dev-100505T121221
Native Version 7.2.1.0
OS Name win32
Instance Name ecm1_ucm
Server Menu Label ecm1_ucm
Server Description Instance ecm1_ucm
Server Port 4444
File Encoding UTF8
Page Charset utf-8
Server Hostname Filter Any Host that IP Address Filter Allows
Server IP Filter 127.0.0.1 Or 0:0:0:0:0:0:0:1 Or *.*.*.*
Server Process ID 3732
Http Web Root /cs/

Database Type:Oracle
Database Version:11.1.0.7.0 ---Oracle Database 11g Enterprise Edition Release --- - Production With the Partitioning, OLAP, Data Mining and Real Application Testing options
------------------------------------------------------------------------------------------

In the UCM Administrator's Guide, it says:
To support the enterprise role access control list, the RoleEntityACL component must be enabled in the Oracle Content Server system.

The problem is that when I go to the UCM Advanced Component Manager, there is no such component listed, so there's no way to enable it.
Does anyone know where/how I can get this component and enable it?

Thanks for any info.


AE

Comments

Is this RDBMS bug? Because, the prompted expansion is just a dbms_utility.expand_sql_text call. And it is always ctrl-Z away if unsatisfied with the amended statement.

Jeffrey Kemp

If SQL Developer is merely calling dbms_utility.expand_sql_text that explains the behaviour.

I don't think it's an RDBMS bug, dbms_utility.expand_sql_text seems to do what it says on the tin including the VPD policy, according to the docs (https://docs.oracle.com/database/121/ARPLS/d_util.htm#ARPLS73240 ):

"The resulting query text only contains references to underlying tables and is semantically equivalent with some caveats:
  • If there are invoker rights functions called from any of the views, they may be called as a different user in the resulting query text if the view owner is different from the user who will eventually compile/run the expanded SQL text.
  • The VPD policy expands differently if there is a function supplied to generate the dynamic WHERE clause. This function would return differently, for example, if the userid caused the expansion to be different."

I think it's more likely that SQL Developer is using it inappropriately, or else this feature is not quite as useful as it might appear. When I hovered over the select statement in SQL Developer and it offered to "expand the SQL statement" the developer might expect to get a suggestion that actually makes sense for development purposes

Ideally, the dbms_utility.expand_sql_text function would accept parameters to customise its behaviour (e.g. to suppress the expansion of VPD policies) and this would then become a useful feature of SQL Developer.

Thanks

1 person found this helpful
Glen Conway

Personally, I think it is wonderful that SQL Developer shows you exactly what the database is doing with the SQL statement you send to it.  I imagine that will help avoid confusion in many cases.  

Jeffrey Kemp

Part of the feature is that you can click on the expansion and SQL Developer copies it into your code editor - which is almost always exactly what you don't want to do.

1 person found this helpful
Glen Conway

To each his own.  Thanks for bringing up this interesting topic.  I haven't used the feature (in existence for a long while: https://www.thatjeffsmith.com/archive/2014/12/sql-developer-and-a-12c-magic-trick/ ), except accidentally when mousing over statements in an editor.

My preference would be a more fully developed feature, probably explicitly available in a context menu, with an option to control whether the expansion continues through the VPD layer. But as Vadim notes, that would require changes on the RDBMS side of the house to enhance dbms_utility.expand_sql_text

Mike Kutz 
Jeffrey Kemp wrote:
Part of the feature is that you can click on the expansion and SQL Developer copies it into your code editor - which is almost always exactly what you don't want to do.

It seems like the only time I would want to replace the SQL is if I'm want to expand only the SELECT * section into SELECT <list of columns>

Beyond that, I consider it a potential security risk to allow anyone to see the applied VPD/RAS rules.

Not only should the caller specifically tell EXPAND_SQL_TEXT that he/she wants to see those rule, the DBA/Security person should tell the database "yes, that person is allowed to see those rules".

But, those are my thoughts and opinions.

MK

1 - 6
Locked Post
New comments cannot be posted to this locked post.

Post Details

Locked on Apr 14 2011
Added on Mar 16 2011
#webcenter, #webcenter-content
2 comments
241 views