An admin user should grant execute privilege to Select AI database users
on the packages DBMS_CLOUD, DBMS_CLOUD_AI, DBMS_CLOUD_AI_AGENT,
and DBMS_CLOUD_PIPELINE.
The privilege helper APIs are intended for database administrators who need to prepare one or more database schemas for Select AI workloads. These operations should be run from a connection that has permission to grant package execute privileges and manage database network ACLs.
There are two separate setup steps:
Package privileges allow a Select AI database user to call the Oracle Database PL/SQL packages used by this library.
Network access allows the database user to make outbound calls to specific hosts, such as AI provider endpoints or SMTP servers.
The users argument accepts either a single database user name or a list of
database user names.
Note
All sample scripts in this documentation read Oracle database connection
details from the environment. Create a dotenv file .env that exports the
following environment variables, and source it before running the
scripts.
export SELECT_AI_ADMIN_USER=<db_admin>
export SELECT_AI_ADMIN_PASSWORD=<db_admin_password>
export SELECT_AI_USER=<select_ai_db_user>
export SELECT_AI_PASSWORD=<select_ai_db_password>
export SELECT_AI_DB_CONNECT_STRING=<db_connect_string>
export TNS_ADMIN=<path/to/dir_containing_tnsnames.ora>
1. Grant privilege
Connect as an admin user and run
select_ai.grant_privileges(users=select_ai_user) to grant the package
execute privileges required by Select AI. This grants execute access on
DBMS_CLOUD, DBMS_CLOUD_AI, DBMS_CLOUD_AI_AGENT, and
DBMS_CLOUD_PIPELINE.
import os
import select_ai
admin_user = os.getenv("SELECT_AI_ADMIN_USER")
password = os.getenv("SELECT_AI_ADMIN_PASSWORD")
dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
select_ai_user = os.getenv("SELECT_AI_USER")
select_ai.connect(user=admin_user, password=password, dsn=dsn)
select_ai.grant_privileges(users=select_ai_user)
print("Granted privileges to: ", select_ai_user)
output:
Granted privileges to: <select_ai_db_user>
2. Revoke privilege
Similarly, to revoke the package execute privileges, use the method
select_ai.revoke_privileges(users=select_ai_user).
import os
import select_ai
admin_user = os.getenv("SELECT_AI_ADMIN_USER")
password = os.getenv("SELECT_AI_ADMIN_PASSWORD")
dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
select_ai_user = os.getenv("SELECT_AI_USER")
select_ai.connect(user=admin_user, password=password, dsn=dsn)
select_ai.revoke_privileges(users=select_ai_user)
print("Revoked privileges from: ", select_ai_user)
output:
Revoked privileges from: <select_ai_db_user>
3. Grant network access
Connect as admin and run
select_ai.grant_network_access(...) to add a network ACL entry for
host access. This wraps DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE and can be
used for hosts that require privileges such as connect, http, or
smtp.
Network ACLs are required when the database needs to reach an external host.
For example, use http access for AI provider endpoints and smtp access
for mail servers. Include connect with protocol-specific privileges when
the host requires it.
When granting access, specify the target host and, when applicable, the port range. When revoking access, use the same host, privileges, and port range that were used for the grant.
import os
import select_ai
admin_user = os.getenv("SELECT_AI_ADMIN_USER")
password = os.getenv("SELECT_AI_ADMIN_PASSWORD")
dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
select_ai_user = os.getenv("SELECT_AI_USER")
select_ai.connect(user=admin_user, password=password, dsn=dsn)
select_ai.grant_network_access(
    users=select_ai_user,
    host="smtp.example.com",
    privileges=["connect", "smtp"],
    lower_port=587,
    upper_port=587,
)
print("Granted network access to: ", select_ai_user)
output:
Granted network access to: <select_ai_db_user>
The async API is select_ai.async_grant_network_access(...).
import asyncio
import os
import select_ai
admin_user = os.getenv("SELECT_AI_ADMIN_USER")
password = os.getenv("SELECT_AI_ADMIN_PASSWORD")
dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
select_ai_user = os.getenv("SELECT_AI_USER")
async def main():
    await select_ai.async_connect(user=admin_user, password=password, dsn=dsn)
    await select_ai.async_grant_network_access(
        users=select_ai_user,
        host="smtp.example.com",
        privileges=["connect", "smtp"],
        lower_port=587,
        upper_port=587,
    )
    print("Granted network access to: ", select_ai_user)
asyncio.run(main())
4. Revoke network access
Connect as admin and run
select_ai.revoke_network_access(...) to remove a network ACL entry for
host access. This wraps DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE and should
use the same host, privileges, and port range that were used to grant access.
import os
import select_ai
admin_user = os.getenv("SELECT_AI_ADMIN_USER")
password = os.getenv("SELECT_AI_ADMIN_PASSWORD")
dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
select_ai_user = os.getenv("SELECT_AI_USER")
select_ai.connect(user=admin_user, password=password, dsn=dsn)
select_ai.revoke_network_access(
    users=select_ai_user,
    host="smtp.example.com",
    privileges=["connect", "smtp"],
    lower_port=587,
    upper_port=587,
)
print("Revoked network access from: ", select_ai_user)
output:
Revoked network access from: <select_ai_db_user>
The async API is select_ai.async_revoke_network_access(...).
import asyncio
import os
import select_ai
admin_user = os.getenv("SELECT_AI_ADMIN_USER")
password = os.getenv("SELECT_AI_ADMIN_PASSWORD")
dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
select_ai_user = os.getenv("SELECT_AI_USER")
async def main():
    await select_ai.async_connect(user=admin_user, password=password, dsn=dsn)
    await select_ai.async_revoke_network_access(
        users=select_ai_user,
        host="smtp.example.com",
        privileges=["connect", "smtp"],
        lower_port=587,
        upper_port=587,
    )
    print("Revoked network access from: ", select_ai_user)
asyncio.run(main())
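Because a revoke must repeat the host, privileges, and port range of the original grant, it helps to keep each grant as a record and derive both calls from it. The following is an added example, not part of the select_ai library or its documentation: AclEntry, make_entry, grant_all, revoke_all, ALLOWED_PRIVILEGES and the host ai.example.com are hypothetical names, and the validation rules are an assumed local policy. The grant and revoke functions are passed in as parameters so the helper can be exercised without a database.

```python
from dataclasses import dataclass

# Privileges this page names; anything else is rejected (assumed local policy).
ALLOWED_PRIVILEGES = {"connect", "http", "smtp"}

@dataclass(frozen=True)
class AclEntry:
    """One network ACL grant, recorded so the revoke can replay it exactly."""
    users: tuple
    host: str
    privileges: tuple
    lower_port: int
    upper_port: int

    def kwargs(self):
        # Same keyword names the page passes to grant/revoke_network_access.
        return {"users": list(self.users), "host": self.host,
                "privileges": list(self.privileges),
                "lower_port": self.lower_port, "upper_port": self.upper_port}

def make_entry(users, host, privileges, lower_port, upper_port):
    """Validate a requested grant before it reaches the database."""
    if isinstance(users, str):  # a single name or a list of names
        users = [users]
    if not users or not all(u.strip() for u in users):
        raise ValueError("at least one non-empty user name is required")
    if not host or "*" in host:
        raise ValueError(f"empty or wildcard host rejected: {host!r}")
    unknown = set(privileges) - ALLOWED_PRIVILEGES
    if not privileges or unknown:
        raise ValueError(f"missing or unexpected privileges: {sorted(unknown)}")
    if not 1 <= lower_port <= upper_port <= 65535:
        raise ValueError(f"bad port range: {lower_port}-{upper_port}")
    return AclEntry(tuple(users), host, tuple(privileges), lower_port, upper_port)

def grant_all(entries, grant_fn):
    for entry in entries:
        grant_fn(**entry.kwargs())

def revoke_all(entries, revoke_fn):
    # Replay the recorded entries in reverse so each revoke matches its grant.
    for entry in reversed(entries):
        revoke_fn(**entry.kwargs())

# Constructed sample entries (user names, hosts and ports are placeholders).
ENTRIES = [
    make_entry("SELECT_AI_USER", "smtp.example.com", ["connect", "smtp"], 587, 587),
    make_entry(["APP_A", "APP_B"], "ai.example.com", ["http"], 443, 443),
]
```

After connecting as admin, pass select_ai.grant_network_access as grant_fn and select_ai.revoke_network_access as revoke_fn.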