This commit is contained in:
@@ -130,6 +130,14 @@ sql 'emma/Welcome1_DDS!@ddslab_tunnel'
|
||||
|
||||
Expected result: Emma sees her own authorized view.
|
||||
|
||||
Run Emma's self-service phone update:
|
||||
|
||||
```sql
|
||||
@scenarios/03-pii-row-column-cell/sql/05_update_phone_test.sql
|
||||
```
|
||||
|
||||
Expected result: Emma can update only her own `PHONE` value.
|
||||
|
||||
### Task 4.2 - Marvin Manager Access
|
||||
|
||||
```sql
|
||||
@@ -146,6 +154,8 @@ sql 'marvin/Welcome1_DDS!@ddslab_tunnel'
|
||||
|
||||
Expected result: Marvin sees direct reports and not their `SSN`.
|
||||
|
||||
Do not run `05_update_phone_test.sql` as Marvin for the core demo. That script represents employee self-service phone updates, while Marvin's manager-specific update permission is for `SALARY` on direct reports.
|
||||
|
||||
### Task 4.3 - Victoria HR Access
|
||||
|
||||
```sql
|
||||
@@ -162,6 +172,8 @@ sql 'victoria/Welcome1_DDS!@ddslab_tunnel'
|
||||
|
||||
Expected result: Victoria sees HR-authorized sensitive data.
|
||||
|
||||
Do not run `05_update_phone_test.sql` as Victoria for the core demo. HR has read access in this lab, but the employee self-service phone update is intentionally tied to the employee role.
|
||||
|
||||
## Lab 5 - Clean Up
|
||||
|
||||
```sql
|
||||
@@ -194,4 +206,3 @@ The trust chain is: **end-user identity -> DATA ROLE -> DATA GRANT -> row, colum
|
||||
- DDS supports row, column, and update controls in one model.
|
||||
- The database enforces the boundary even when SQL asks for too much.
|
||||
- PII protection is close to the data and independent of application-only filtering.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user