PACKAGE dbms_xdbz AUTHID CURRENT_USER IS
----------------------------------------------------------------------------
-- PACKAGE - dbms_xdbz
-- Specification for the XDB security / repository-hierarchy API: enabling
-- and disabling the XDB hierarchy on xmltype tables and views, ACL OID and
-- user id lookup (for use with the SYS_CHECKACL operator), ACL validation,
-- and registration of application (non-database) users and roles.
-- NOTE - AUTHID CURRENT_USER: every subprogram runs with the privileges of
-- the caller, not of the package owner, so a caller needs its own privileges
-- on the schema objects it names.
-- NOTE - Only the specification is visible here; the behaviour described in
-- the per-subprogram comments is taken from the original header comments,
-- not verified against a package body.
-- NOTE - The PRAGMA SUPPLEMENTAL_LOG_DATA directives mark which subprograms
-- can be procedurally replicated (AUTO_WITH_COMMIT) and which cannot
-- (UNSUPPORTED_WITH_COMMIT); they do not affect local behaviour.
----------------------------------------------------------------------------

------------
-- CONSTANTS
--
------------
-- Name formats accepted by get_userid's "format" argument.
NAME_FORMAT_SHORT CONSTANT pls_integer := 1;
NAME_FORMAT_DISTINGUISHED CONSTANT pls_integer := 2;
NAME_FORMAT_APPLICATION CONSTANT pls_integer := 5;

-- Bit flags for enable_hierarchy's "hierarchy_type"; values are powers of
-- two so they can be combined by addition (see enable_hierarchy below for
-- which combinations are legal).
ENABLE_CONTENTS CONSTANT pls_integer := 1;
ENABLE_RESMETADATA CONSTANT pls_integer := 2;
ENABLE_VERSION CONSTANT pls_integer := 4;
-- ENABLE_LINKS is declared but not described by enable_hierarchy's
-- documentation below; confirm its meaning before relying on it.
ENABLE_LINKS CONSTANT pls_integer := 8;

-- Values for is_hierarchy_enabled's "hierarchy_type"; exactly one is passed.
IS_ENABLED_CONTENTS CONSTANT pls_integer := 1;
IS_ENABLED_RESMETADATA CONSTANT pls_integer := 2;
IS_ENABLED_VERSION CONSTANT pls_integer := 4;

-- Values for disable_hierarchy's "hierarchy_type" (one of, not a bit mask).
DISABLE_VERSION CONSTANT pls_integer := 1;
DISABLE_ALL CONSTANT pls_integer := 2;
-- Default for ValidateAcl's "skip_scacl". Despite the name, ValidateAcl's
-- documentation says the default is to NOT skip system constraining ACLs;
-- the value that does skip them is not declared here - confirm before use.
SKIP_SYSCONSACL_FLG CONSTANT pls_integer := 0;

-- Principal kinds for add_application_principal / change_application_membership.
APPLICATION_USER CONSTANT pls_integer := 0;
APPLICATION_ROLE CONSTANT pls_integer := 1;

-- "op_mode" values for delete_application_principal.
DELETE_APP_NOFORCE CONSTANT pls_integer := 0;
DELETE_APP_FORCE CONSTANT pls_integer := 1;

-- "op_mode" values for change_application_membership.
MODE_MEMBERSHIP_ADD CONSTANT pls_integer := 0;
MODE_MEMBERSHIP_DELETE CONSTANT pls_integer := 1;

----------------------------------------------------------------------------
-- PROCEDURE - enable_hierarchy
-- Enables XDB Hierarchy for a particular xmltype table/view
-- PARAMETERS -
-- object_schema
-- Schema name of the xmltype table/view
-- object_name
-- Object name of the xmltype table/view (no mode given, so IN by default)
-- hierarchy_type
-- How to enable the hierarchy. Must be one or a combination of the
-- following:
-- ENABLE_CONTENTS : enable hierarchy for contents i.e. this table will
-- store contents of resources in the repository. This flag cannot be
-- combined with ENABLE_RESMETADATA.
-- ENABLE_RESMETADATA : enable hierarchy for resource metadata i.e. this
-- table will store schema based custom metadata for resources. This flag
-- cannot be combined with ENABLE_CONTENTS.
-- ENABLE_VERSION : version-enable the xmltype table/view. This flag
-- must be combined with either ENABLE_CONTENTS or ENABLE_RESMETADATA.
-- NOTE ON HIERARCHY TYPE: If a table is hierarchy-enabled for contents or
-- resource metadata, then it can be additionally version-enabled by
-- calling this procedure. For example, a table that is hierarchy-enabled for
-- contents alone (ENABLE_CONTENTS) can be additionally version-enabled by
-- calling this procedure with hierarchy_type ENABLE_CONTENTS+ENABLE_VERSION.
-- A table that is hierarchy-enabled for contents, irrespective of whether it
-- is version-enabled or not, cannot be hierarchy-enabled for resource
-- metadata. Similarly, a table that is hierarchy-enabled for resource
-- metadata, irrespective of whether it is version-enabled or not, cannot be
-- hierarchy-enabled for contents. A table that is hierarchy-enabled and
-- version-enabled, irrespective of whether it is hierarchy-enabled for
-- contents or resource metadata, cannot be version-disabled by calling
-- this procedure (use disable_hierarchy for that).
-- NOTE ON VERSION-ENABLED TABLES: A resource that has REFs to schema-based
-- content or metadata tables/views can be version-controlled only if all its
-- REFs point to version-enabled tables/views. Thus, if its content REF is not
-- null, then the REF must point to an xmltype table/view that is version-
-- enabled and hierarchy enabled for contents. Similarly, if it has a
-- non-null schema-based metadata REF, then the REF must point to an xmltype
-- table/view that is version-enabled and hierarchy-enabled for resource
-- metadata.
-- schemareg
-- True iff called during schema registration (qmts.c). Intended for the
-- internal registration path; ordinary callers leave the default FALSE.
----------------------------------------------------------------------------
PROCEDURE enable_hierarchy
(
object_schema IN VARCHAR2,
object_name VARCHAR2,
hierarchy_type IN pls_integer := ENABLE_CONTENTS,
schemareg IN BOOLEAN := FALSE
);
PRAGMA SUPPLEMENTAL_LOG_DATA(enable_hierarchy, AUTO_WITH_COMMIT);

----------------------------------------------------------------------------
-- PROCEDURE - disable_hierarchy
-- Disables XDB Hierarchy for a particular xmltype table/view
-- PARAMETERS -
-- object_schema
-- Schema name of the xmltype table/view
-- object_name
-- Object name of the xmltype table/view (no mode given, so IN by default)
-- hierarchy_type
-- How should the hierarchy be disabled? The various options are
-- (1) DISABLE_VERSION : disable versioning on the table/view. If the table
-- or view is not version-enabled, do nothing. Otherwise, version-disable
-- the table. If the table or view has more than one version per version
-- history, throw error unless delete_old_versions is set to TRUE.
-- (2) DISABLE_ALL : disable hierarchy and disable versioning on the
-- table/view. If the table or view has more than one version per version
-- history, throw error unless delete_old_versions is set to TRUE.
-- delete_old_versions
-- Should old versions for a version history be deleted?
-- (1) TRUE : delete all versions in each version history other than the
-- one with the latest lastModifiedTime. This is destructive and not
-- reversible by this package; the default is FALSE so data loss is opt-in.
-- (2) FALSE : do not delete old versions. The user needs to ensure that
-- the table or view does not have more than one version per version
-- history; otherwise, an error is thrown.
----------------------------------------------------------------------------
PROCEDURE disable_hierarchy(object_schema IN VARCHAR2,
object_name VARCHAR2,
hierarchy_type IN PLS_INTEGER := DISABLE_ALL,
delete_old_versions IN BOOLEAN := FALSE);
PRAGMA SUPPLEMENTAL_LOG_DATA(disable_hierarchy, AUTO_WITH_COMMIT);

----------------------------------------------------------------------------
-- FUNCTION - is_hierarchy_enabled
-- Checks if the XDB Hierarchy is enabled for a given xmltype table/view
-- PARAMETERS -
-- object_schema
-- Schema name of the xmltype table/view
-- object_name
-- Object name of the xmltype table/view (no mode given, so IN by default)
-- hierarchy_type
-- The type of hierarchy to check for. Must be one of the following:
-- IS_ENABLED_CONTENTS : if table/view is hierarchy-enabled for contents
-- IS_ENABLED_RESMETADATA : if table/view is hierarchy-enabled for
-- resource metadata
-- IS_ENABLED_VERSION : if table/view is version-enabled
-- RETURN -
-- True, if given xmltype table/view has the XDB Hierarchy enabled of
-- the specified type
----------------------------------------------------------------------------
FUNCTION is_hierarchy_enabled(object_schema IN VARCHAR2,
object_name VARCHAR2,
hierarchy_type IN pls_integer
:= IS_ENABLED_CONTENTS)
RETURN BOOLEAN;

---------------------------------------------
-- FUNCTION - purgeLdapCache
-- Purges the LDAP nickname cache (the cache consulted by get_userid's
-- LDAP fallback; see the NOTE on get_userid).
-- RETURNS
-- True if successful, false otherwise
---------------------------------------------
FUNCTION purgeLdapCache RETURN BOOLEAN;

----------------------------------------------------------------------------
-- FUNCTION - get_acloid
-- Gets an ACL OID given the XDB Hierarchy path for the ACL Resource
-- PARAMETERS -
-- aclpath
-- ACL Resource path in the XDB Hierarchy
-- acloid [OUT]
-- Returns the corresponding ACLOID to the given ACL Resource
-- RETURN -
-- True, if ACLOID is successfully retrieved. On FALSE the OUT value is
-- not documented; callers should test the return before using acloid.
-- The typical use of this function is to pass the acloid as an
-- argument to the SYS_CHECKACL sql operator.
----------------------------------------------------------------------------
FUNCTION get_acloid(aclpath IN VARCHAR2,
acloid OUT RAW) RETURN BOOLEAN;

----------------------------------------------------------------------------
-- FUNCTION - get_userid
-- Retrieves the userid for the given user name
-- PARAMETERS -
-- username
-- Name of the resource user
-- userid [OUT]
-- Returns the corresponding USERID for the given user name.
-- format (optional)
-- Format of the specified user name. By default, the name is assumed
-- to be either a database user name or a LDAP nickname. The following
-- are the allowed values for this argument :
-- DBMS_XDBZ.NAME_FORMAT_SHORT
-- DBMS_XDBZ.NAME_FORMAT_DISTINGUISHED
-- DBMS_XDBZ.NAME_FORMAT_APPLICATION
-- RETURN -
-- True, if USERID is successfully retrieved. On FALSE the OUT value is
-- not documented; callers should test the return before using userid.
-- NOTE -
-- The user name is first looked up in the local database,
-- if it is not found there, and if an ldap server is available,
-- it is looked up in this latter one. In this case a GUID will be
-- returned in USERID.
-- Because a NAME_FORMAT_SHORT name can therefore resolve to either a
-- local database user or an LDAP entry, callers that feed the result to
-- an access check should be aware that the identity source is chosen by
-- lookup order, not by the caller.
-- The typical use of this function is to pass the userid as an
-- argument to the SYS_CHECKACL sql operator.
----------------------------------------------------------------------------
FUNCTION get_userid(username IN VARCHAR2,
userid OUT RAW,
format IN pls_integer := NAME_FORMAT_SHORT) RETURN BOOLEAN;

----------------------------------------------------------------------------
-- PROCEDURE - ValidateAcl
-- This procedure will validate the following aspects of the acl:
-- (1) Validate the security class for the acl. This validates the
-- security class and all its parents.
-- (2) Check for existence of the specified roles and users in each of the
-- aces.
-- (3) Validate that all custom privileges specified in the acl are
-- defined in the associated security class.
-- (4) Validate that security class of the parent acl is in the ancestor
-- tree of the associated security class.
-- Validation failures are presumably reported by raising an error, since
-- there is no return value - confirm against the package body.
-- PARAMETERS -
-- acloid [in]
-- aclid of the acl to be validated
-- skip_scacl [in]
-- skip system constraining acls from certain validations (default false,
-- i.e. SKIP_SYSCONSACL_FLG)
----------------------------------------------------------------------------
PROCEDURE ValidateAcl(acloid IN RAW,
skip_scacl IN pls_integer := SKIP_SYSCONSACL_FLG)
;

----------------------------------------------------------------------------
-- PROCEDURE - ValidateFusionAcl
-- This procedure will validate all aspects of the acl (covered by
-- ValidateAcl) plus the following
-- (1) For a given acl chain, it must have a system constraining acl at
-- its root.
-- (2) For any non-system constraining acl in this chain, all inheritance
-- relationships till the first system constraining acl up in its
-- chain should be constraining.
-- (3) For any acl in the system, which has a system constraining acl as its
-- parent, the inheritance relationship between the two should be
-- constraining.
-- PARAMETERS -
-- acloid [in]
-- aclid of the acl to be validated
----------------------------------------------------------------------------
PROCEDURE ValidateFusionAcl(acloid IN RAW);

----------------------------------------------------------------------------
-- FUNCTION - add_application_principal
-- Registers with XDB an Application user or workgroup/role.
-- PARAMETERS -
-- name - The name of the user or role/workgroup
-- flags - Whether user (if XDB.DBMS_XDBZ.APPLICATION_USER, default)
-- or role (XDB.DBMS_XDBZ.APPLICATION_ROLE)
-- RETURNS -
-- The status of the addition (TRUE if successful, FALSE otherwise)
----------------------------------------------------------------------------
FUNCTION add_application_principal(
name IN VARCHAR2,
flags IN PLS_INTEGER := XDB.DBMS_XDBZ.APPLICATION_USER)
return BOOLEAN;
PRAGMA SUPPLEMENTAL_LOG_DATA(add_application_principal, UNSUPPORTED_WITH_COMMIT);

----------------------------------------------------------------------------
-- FUNCTION - change_application_membership
-- Adds or removes an Application user to/from a role/workgroup.
-- If either the user or the role/workgroup have not been
-- previously registered with XDB, registration is done.
-- NOTE - because of that implicit registration, a misspelled user or
-- group name silently creates a new principal instead of failing;
-- callers that want strict behaviour should register principals
-- explicitly with add_application_principal first.
-- PARAMETERS -
-- user_name - The name of the Application user/role
-- group_name - The name of the role/workgroup
-- op_mode - Whether the user/role is to be added (XDB.DBMS_XDBZ.MODE_MEMBERSHIP_ADD),
-- which is the default, or deleted (XDB.DBMS_XDBZ.MODE_MEMBERSHIP_DELETE)
-- to/from the workgroup/role.
-- user_flags - Whether user_name is the name of a user
-- (XDB.DBMS_XDBZ.APPLICATION_USER, default), or
-- group (XDB.DBMS_XDBZ.APPLICATION_ROLE). Currently,
-- only XDB.DBMS_XDBZ.APPLICATION_USER supported.
-- Declared as NUMBER here although the matching "flags"
-- argument of add_application_principal is PLS_INTEGER;
-- both accept the same constants.
-- RETURNS -
-- The status of the operation (TRUE if successful, FALSE otherwise)
----------------------------------------------------------------------------
FUNCTION change_application_membership(
user_name IN VARCHAR2,
group_name IN VARCHAR2,
op_mode IN PLS_INTEGER := XDB.DBMS_XDBZ.MODE_MEMBERSHIP_ADD,
user_flags IN NUMBER := XDB.DBMS_XDBZ.APPLICATION_USER)
return BOOLEAN;
PRAGMA SUPPLEMENTAL_LOG_DATA(change_application_membership, UNSUPPORTED_WITH_COMMIT);

----------------------------------------------------------------------------
-- FUNCTION - delete_application_principal
-- Delete all information about an Application user or role/workgroup.
-- PARAMETERS -
-- name - Name of the Application user or role/workgroup
-- op_mode - Whether to raise an error if deleting a role/workgroup with
-- active members (if XDB.DBMS_XDBZ.DELETE_APP_NOFORCE, default),
-- or to delete all group membership information otherwise
-- (if XDB.DBMS_XDBZ.DELETE_APP_FORCE).
-- Applies only in the case of role/workgroup names.
-- RETURNS -
-- The status of the deletion (TRUE if successful, FALSE otherwise)
--
----------------------------------------------------------------------------
FUNCTION delete_application_principal(
name IN VARCHAR2,
op_mode IN PLS_INTEGER := XDB.DBMS_XDBZ.DELETE_APP_NOFORCE)
return BOOLEAN;
PRAGMA SUPPLEMENTAL_LOG_DATA(delete_application_principal, UNSUPPORTED_WITH_COMMIT);

----------------------------------------------------------------------------
-- FUNCTION - purgeApplicationCache
-- Purges the shared cache of GUID to Application user or role name mappings.
--
-- RETURNS -
-- The status of the operation (TRUE if successful, FALSE otherwise)
----------------------------------------------------------------------------
FUNCTION purgeApplicationCache RETURN BOOLEAN;

-----------------------------------------------------------------------------
-- FUNCTION - set_application_principal
-- If the current user and schema are trusted (determined based on the
-- XDB configuration document), allows the passed application user
-- to be set as the current user in the session, for the purpose of
-- XDB repository access. This API is to be used for the local application
-- group membership scheme.
-- NOTE - This changes the identity under which repository access checks
-- are made for the rest of the session (until reset_application_principal
-- is called). The only gate is the trusted-user/schema setting in the XDB
-- configuration document, so that setting is the control point to review
-- when granting access to this package.
-- PARAMETERS (in signature order) -
-- principal_name - Name of the application user (mandatory under the
-- local application store scheme)
-- allow_registration - Used only under the local group scheme;
-- if true and the application user is not already
-- known to XDB, then the user is automatically registered with XDB.
-- Defaults to TRUE, so an unknown name is registered rather than
-- rejected unless the caller passes FALSE.
-- principal_guid - GUID of the application user; mandatory only under the
-- dynamic group membership scheme
-- group_membership - Used only under the dynamic group scheme;
-- Concatenated list of GUIDs of all application
-- roles currently enabled for the application user.
-- RETURNS -
-- TRUE if the user was successfully set in the session (FALSE otherwise).
-----------------------------------------------------------------------------
FUNCTION set_application_principal(principal_name IN VARCHAR2 := NULL,
allow_registration IN BOOLEAN := TRUE,
principal_guid IN RAW := NULL,
group_membership IN RAW := NULL)
RETURN BOOLEAN;
PRAGMA SUPPLEMENTAL_LOG_DATA(set_application_principal, UNSUPPORTED_WITH_COMMIT);

-----------------------------------------------------------------------------
-- FUNCTION - reset_application_principal
-- Not documented in the original spec. By its name and pairing with
-- set_application_principal it presumably clears the application
-- principal set in the session, restoring the database user as the
-- identity for repository access - confirm against the package body.
-- RETURNS -
-- Presumably TRUE on success, FALSE otherwise (same convention as the
-- other functions in this package) - confirm.
-----------------------------------------------------------------------------
FUNCTION reset_application_principal RETURN BOOLEAN;

end dbms_xdbz;