My Oracle Support Banner

Known Issues When Apparently Correctly Configured ACLs Fail Don't Prevent the ORA-24247 Error (Doc ID 1074843.1)

Last updated on AUGUST 13, 2020

Applies to:

Oracle Database - Enterprise Edition - Version 11.2.0.1 and later
Information in this document applies to any platform.

Symptoms

This note tries to put together known issues when ACLs that are correctly configured don't allow the access to the requested network services and the service access attempts fail with

ORA-24247: network access denied by access control list (ACL)

1. The ACL is configured for a synonym or the IP of the invoked service name.

 

The ACL privileges check does not do any (reverse) name resolution, if the ACL is configured for an IP, using the hostname will not work and vice versa.

 

Example 1.
This example presents the incorrect setting and what to do to address the problem.

 

12. The user being granted the ACL privilege was previously identified globally.

If a user that is identified globally is switched to database authentication, the ACL ceases to work.

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
 1. The ACL is configured for a synonym or the IP of the invoked service name.
 2. ACL for utl_inaddr.get_host_name or utl_inaddr.get_host_address without parameters is not functional
 3. The ACLs are not functional when accessed services are behind a proxy.
 4. Granting the ACL via roles does not work when the service is requested through from a PLSQL procedure
 5. Calling a PLSQL in another schema fails with ORA-24247 despite the granted ACL privilege to the invoker.
 6. Multiple ACLs defined for the same host, using wildcards for different orders of precedence.
 7. ACL properly defined, yet DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE shows that the user is not allowed to use the ACL.
 8. (RAC specific): Dropping a user account which has been granted ACL permissions causes other accounts using the same ACL to throw ORA-24247 errors
 9. ACLs don't work when granted through roles
 10. http_proxy environment variable is set at database level.
 11. There is no ACL configured for local wallet access
 12. The user being granted the ACL privilege was previously identified globally.
Cause
 1. The ACL is configured for a synonym or the IP of the invoked service name.
 2. ACL for utl_inaddr.get_host_name or utl_inaddr.get_host_address without parameters is not functional, with IP or service name
 3.The ACLs are not functional when accessed services are behind a proxy.
 4. Granting the ACL via roles does not work when the service is requested through from a PLSQL procedure
 5. Calling a PLSQL in another schema fails with ORA-24247 despite the granted ACL privilege to the invoker.
 6. Multiple ACLs defined for the same host, using wildcards for different orders of precedence.
 7. ACL properly defined, yet DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE shows that the user is not allowed to use the ACL.
 8. (RAC specific): Dropping a user account which has been granted ACL permissions causes other accounts using the same ACL to throw ORA-24247 errors
 9. ACLs don't work when granted through roles
 10. http_proxy environment variable is set at database level.
 11. There is no ACL configured for local wallet access
 12. The user being granted the ACL privilege was previously identified globally.
Solution
 1. The ACL is configured for a synonym or the IP of the invoked service name.
 2. ACL for utl_inaddr.get_host_name or utl_inaddr.get_host_address without parameters is not functional
 3. The ACLs are not functional when accessed services are behind a proxy.
 4. Granting the ACL via roles does not work when the service is called from a PLSQL procedure.
 5. Calling a PLSQL in another schema fails with ORA-24247 despite the granted ACL privilege to the invoker.
 6. Multiple ACLs defined for the same host, using wildcards for different orders of precedence.
 7. ACL properly defined, yet DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE shows that the user is not allowed to use the ACL.
 8. (RAC specific): Dropping a user account which has been granted ACL permissions causes other accounts using the same ACL to throw ORA-24247 errors
 9. ACLs don't work when granted through roles
 10. http_proxy environment variable is set at database level.
 11. There is no ACL configured for local wallet access
 12. The user being granted the ACL privilege was previously identified globally.
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.