Clarify view bypass lab access paths
Some checks failed
Repo Quality / structure (push) Has been cancelled
Some checks failed
Repo Quality / structure (push) Has been cancelled
This commit is contained in:
@@ -2,11 +2,11 @@
|
||||
|
||||
## Objective
|
||||
|
||||
Show that views and alternate access paths can bypass poorly designed controls, and that `USE DATA GRANTS ONLY` enforces Mandatory Access Control on the protected object.
|
||||
Show that a view can contain the intended access rule while direct table access still bypasses that path, and that `USE DATA GRANTS ONLY` enforces Mandatory Access Control on the protected object.
|
||||
|
||||
## Security Value
|
||||
|
||||
- Prevents bypass through legacy views.
|
||||
- Prevents bypass through direct table access, reports, BI tools, and other alternate paths.
|
||||
- Enforces a consistent policy across the base table and views.
|
||||
- Helps customers with many reports, synonyms, views, and BI tools.
|
||||
|
||||
@@ -31,7 +31,21 @@ Show that views and alternate access paths can bypass poorly designed controls,
|
||||
@scenarios/04-view-bypass-mac/sql/02_identities.sql
|
||||
```
|
||||
|
||||
3. Simulate a legacy view that returns all data:
|
||||
3. Connect as `emma` and query the base table directly:
|
||||
|
||||
```bash
|
||||
sql 'emma/Welcome1_DDS!@ddslab_tunnel'
|
||||
```
|
||||
|
||||
```sql
|
||||
ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
|
||||
|
||||
SELECT account_id, account_name, owner_name, region, balance
|
||||
FROM dds_mac_accounts
|
||||
ORDER BY account_id;
|
||||
```
|
||||
|
||||
4. Query the intended legacy view:
|
||||
|
||||
```sql
|
||||
SELECT account_id, account_name, owner_name, region, balance
|
||||
@@ -41,8 +55,9 @@ Show that views and alternate access paths can bypass poorly designed controls,
|
||||
|
||||
## Expected Result Before
|
||||
|
||||
- The view may expose accounts owned by other users.
|
||||
- The alternate access path does not honor the intended base table policy.
|
||||
- Direct table access may expose accounts owned by other users.
|
||||
- The view returns only the current user's account because it contains the intended owner filter.
|
||||
- The security rule depends on using the correct access path.
|
||||
|
||||
## After - Applying Deep Data Security
|
||||
|
||||
@@ -62,7 +77,7 @@ Show that views and alternate access paths can bypass poorly designed controls,
|
||||
|
||||
- The base table returns only the account owned by the current end user.
|
||||
- The view returns the same restricted rows.
|
||||
- The broad view data grant cannot bypass the base table policy when MAC is enabled.
|
||||
- Direct table access no longer bypasses the owner policy when MAC is enabled.
|
||||
|
||||
## Demo Evidence
|
||||
|
||||
@@ -75,4 +90,3 @@ Show that views and alternate access paths can bypass poorly designed controls,
|
||||
- SET USE DATA GRANTS ONLY: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/set-use-data-grants-only.html
|
||||
- Fine-Grained Data Authorization - Mandatory Access Control: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html
|
||||
- Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html
|
||||
|
||||
|
||||
Reference in New Issue
Block a user