DECLARE
  acl_id RAW(16);
  cnt    NUMBER;
BEGIN
  -- Look for the object ID of the ACL currently assigned to '*'
  SELECT aclid
    INTO acl_id
    FROM dba_network_acls
   WHERE host = '*'
     AND lower_port IS NULL
     AND upper_port IS NULL;

  -- If just some users referenced in the ACL are invalid, remove just those
  -- users in the ACL. Otherwise, drop the ACL completely.
  SELECT COUNT(principal)
    INTO cnt
    FROM xds_ace
   WHERE aclid = acl_id
     AND EXISTS (SELECT NULL
            FROM all_users
           WHERE username = principal);

  IF (cnt > 0) THEN
  
    FOR r IN (SELECT principal
                FROM xds_ace
               WHERE aclid = acl_id
                 AND NOT EXISTS (SELECT NULL
                        FROM all_users
                       WHERE username = principal)) LOOP
      UPDATE xdb.xdb$acl
         SET object_value = deletexml(object_value
                                     ,'/ACL/ACE[PRINCIPAL="' || r.principal || '"]')
       WHERE object_id = acl_id;
    END LOOP;
  
  ELSE
    DELETE FROM xdb.xdb$acl
     WHERE object_id = acl_id;
  END IF;

END;
/

rem COMMIT THE changes.

COMMIT;