Clarify view bypass lab access paths
Some checks failed
Repo Quality / structure (push) Has been cancelled
Some checks failed
Repo Quality / structure (push) Has been cancelled
This commit is contained in:
@@ -6,7 +6,7 @@ Show that views and alternate access paths must not bypass the policy on the bas
|
||||
|
||||
## What This Lab Shows
|
||||
|
||||
Before Oracle Deep Data Security, a legacy view can expose rows that should be protected. After data grants and `USE DATA GRANTS ONLY` are applied, both the table and the view respect the same access boundary.
|
||||
Before Oracle Deep Data Security, a legacy view may apply the expected owner filter, but direct table access can bypass that application access path and expose rows that should be protected. After data grants and `USE DATA GRANTS ONLY` are applied, both the table and the view respect the same access boundary.
|
||||
|
||||
## Personas
|
||||
|
||||
@@ -68,7 +68,7 @@ sql "<connect_string>"
|
||||
ORDER BY account_id;
|
||||
```
|
||||
|
||||
Expected result before protection: both direct table access and the legacy view may show accounts owned by other users.
|
||||
Expected result before protection: the view shows only Emma's account, but direct table access can still show accounts owned by other users.
|
||||
|
||||
## Step By Step - After, With Deep Data Security
|
||||
|
||||
@@ -91,7 +91,7 @@ Expected result after protection:
|
||||
- The table returns only the authorized account.
|
||||
- The view returns the same authorized subset.
|
||||
- `emma` sees `Account Alpha`, `marvin` sees `Account Beta`, and `erik` sees `Account Gamma`.
|
||||
- The alternate access path no longer works as a bypass.
|
||||
- The direct table access path no longer works as a bypass.
|
||||
|
||||
## Optional Automated Execution
|
||||
|
||||
|
||||
Reference in New Issue
Block a user