首先我们创建一个rule,一个rule set,然后将rule添加到rule set,这个rule set随后可以用来实现禁止运行alter system disable restricted session 的目的,只能alter system enable restricted session,但是不能disable 。虽然没啥实际使用价值,做个测试吧
15:50:59 SQL> exec dbms_macadm.create_rule_set(rule_set_name=>'can not disable restricted session',description=>'not allow to run alter system disable restricted session',enabled=>dbms_macutl.g_yes,eval_options=>dbms_macutl.g_ruleset_eval_all,audit_options=>dbms_macutl.g_ruleset_audit_off,fail_options=>dbms_macutl.g_ruleset_fail_show,fail_message=>'please do not disable restricted session',fail_code=>20555,handler_options=>dbms_macutl.g_ruleset_handler_off,handler=>'',is_static=>false);
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.02
15:43:47 SQL> exec dbms_macadm.create_rule(rule_name=>'restricted session can not disable',rule_expr=>'upper(parameter_value)=''ENABLE''');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.04
15:58:19 SQL> exec dbms_macadm.add_rule_to_rule_set('can not disable restricted session','restricted session can not disable');
PL/SQL procedure successfully completed.
我们先创建一个command rule
15:38:27 SQL> exec dbms_macadm.create_command_rule(command=>'alter system',rule_set_name=>'Enabled',object_owner=>'%',object_name=>'%',enabled=>dbms_macutl.g_yes,clause_name=>'security',parameter_name=>'restricted session');
PL/SQL procedure successfully completed.
rule set设为了enabled,这其实就是不限制,因为rule set总是evaluate为true,所以无论是enable restricted session还是disable restricted session都能实现
15:52:08 SQL> alter system enable restricted session;
System altered.
Elapsed: 00:00:00.02
15:54:43 SQL> select logins from v$instance;
LOGINS
----------
RESTRICTED
Elapsed: 00:00:00.02
15:54:53 SQL> alter system disable restricted session;
System altered.
Elapsed: 00:00:00.00
15:55:03 SQL> select logins from v$instance;
LOGINS
----------
ALLOWED
Elapsed: 00:00:00.00
下面我们将这个command rule的rule set更改为可以限制disable restricted session的rule set,再测试结果
15:55:14 SQL> exec dbms_macadm.update_command_rule(command=>'alter system',rule_set_name=>'can not disable restricted session',object_owner=>'%',object_name=>'%',enabled=>dbms_macutl.g_yes,clause_name=>'security',parameter_name=>'restricted session');
PL/SQL procedure successfully completed.
下面的效果就是只能enable,而不能disable了
达到目的了
16:00:24 SQL> alter system enable restricted session;
System altered.
Elapsed: 00:00:00.01
16:00:34 SQL> select logins from v$instance;
LOGINS
----------
RESTRICTED
Elapsed: 00:00:00.01
16:00:40 SQL> alter system disable restricted session;
alter system disable restricted session
*
ERROR at line 1:
ORA-47306: 20555: please do not disable restricted session
Elapsed: 00:00:00.01