Fix PII lab persona tests
Some checks failed
Repo Quality / structure (push) Has been cancelled

This commit is contained in:
2026-05-18 12:02:13 -03:00
parent 2188ea8e58
commit 07390ff902
6 changed files with 53 additions and 21 deletions

View File

@@ -130,6 +130,14 @@ sql 'emma/Welcome1_DDS!@ddslab_tunnel'
Expected result: Emma sees her own authorized view. Expected result: Emma sees her own authorized view.
Run Emma's self-service phone update:
```sql
@scenarios/03-pii-row-column-cell/sql/05_update_phone_test.sql
```
Expected result: Emma can update only her own `PHONE` value.
### Task 4.2 - Marvin Manager Access ### Task 4.2 - Marvin Manager Access
```sql ```sql
@@ -146,6 +154,8 @@ sql 'marvin/Welcome1_DDS!@ddslab_tunnel'
Expected result: Marvin sees direct reports and not their `SSN`. Expected result: Marvin sees direct reports and not their `SSN`.
Do not run `05_update_phone_test.sql` as Marvin for the core demo. That script represents employee self-service phone updates, while Marvin's manager-specific update permission is for `SALARY` on direct reports.
### Task 4.3 - Victoria HR Access ### Task 4.3 - Victoria HR Access
```sql ```sql
@@ -162,6 +172,8 @@ sql 'victoria/Welcome1_DDS!@ddslab_tunnel'
Expected result: Victoria sees HR-authorized sensitive data. Expected result: Victoria sees HR-authorized sensitive data.
Do not run `05_update_phone_test.sql` as Victoria for the core demo. HR has read access in this lab, but the employee self-service phone update is intentionally tied to the employee role.
## Lab 5 - Clean Up ## Lab 5 - Clean Up
```sql ```sql
@@ -194,4 +206,3 @@ The trust chain is: **end-user identity -> DATA ROLE -> DATA GRANT -> row, colum
- DDS supports row, column, and update controls in one model. - DDS supports row, column, and update controls in one model.
- The database enforces the boundary even when SQL asks for too much. - The database enforces the boundary even when SQL asks for too much.
- PII protection is close to the data and independent of application-only filtering. - PII protection is close to the data and independent of application-only filtering.

View File

@@ -1,5 +1,7 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE WHENEVER SQLERROR EXIT SQL.SQLCODE
BEGIN
EXECUTE IMMEDIATE q'[
CREATE TABLE dds_employees ( CREATE TABLE dds_employees (
employee_id NUMBER PRIMARY KEY, employee_id NUMBER PRIMARY KEY,
first_name VARCHAR2(50) NOT NULL, first_name VARCHAR2(50) NOT NULL,
@@ -9,5 +11,12 @@ CREATE TABLE dds_employees (
ssn VARCHAR2(30), ssn VARCHAR2(30),
salary NUMBER(12,2), salary NUMBER(12,2),
phone VARCHAR2(30) phone VARCHAR2(30)
); )
]';
EXCEPTION
WHEN OTHERS THEN
IF SQLCODE != -955 THEN
RAISE;
END IF;
END;
/

View File

@@ -1,5 +1,7 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE WHENEVER SQLERROR EXIT SQL.SQLCODE
DELETE FROM dds_employees;
INSERT INTO dds_employees VALUES (100, 'Victoria', 'Williams', 'victoria', NULL, '219-09-9999', 13000, '555-0100'); INSERT INTO dds_employees VALUES (100, 'Victoria', 'Williams', 'victoria', NULL, '219-09-9999', 13000, '555-0100');
INSERT INTO dds_employees VALUES (200, 'Marvin', 'Anderson', 'marvin', 'victoria', '457-55-5462', 12030, '555-0200'); INSERT INTO dds_employees VALUES (200, 'Marvin', 'Anderson', 'marvin', 'victoria', '457-55-5462', 12030, '555-0200');
INSERT INTO dds_employees VALUES (300, 'Chris', 'Evans', 'chris', 'victoria', '321-12-4567', 6900, '555-0300'); INSERT INTO dds_employees VALUES (300, 'Chris', 'Evans', 'chris', 'victoria', '321-12-4567', 6900, '555-0300');
@@ -7,4 +9,3 @@ INSERT INTO dds_employees VALUES (400, 'Emma', 'Baker', 'emma', 'marvin', '733-0
INSERT INTO dds_employees VALUES (500, 'Taylor', 'Mills', 'taylor', 'marvin', '558-76-1243', 9000, '555-0500'); INSERT INTO dds_employees VALUES (500, 'Taylor', 'Mills', 'taylor', 'marvin', '558-76-1243', 9000, '555-0500');
COMMIT; COMMIT;

View File

@@ -3,13 +3,13 @@ WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE OR REPLACE DATA GRANT employees_own_record CREATE OR REPLACE DATA GRANT employees_own_record
AS SELECT, UPDATE (phone) AS SELECT, UPDATE (phone)
ON dds_employees ON dds_employees
WHERE email = ORA_END_USER_CONTEXT.username WHERE UPPER(email) = ORA_END_USER_CONTEXT.username
TO employee_role; TO employee_role;
CREATE OR REPLACE DATA GRANT manager_direct_reports CREATE OR REPLACE DATA GRANT manager_direct_reports
AS SELECT (ALL COLUMNS EXCEPT ssn), UPDATE (salary) AS SELECT (ALL COLUMNS EXCEPT ssn), UPDATE (salary)
ON dds_employees ON dds_employees
WHERE manager = ORA_END_USER_CONTEXT.username WHERE UPPER(manager) = ORA_END_USER_CONTEXT.username
TO manager_role; TO manager_role;
CREATE OR REPLACE DATA GRANT hr_all_employees CREATE OR REPLACE DATA GRANT hr_all_employees

View File

@@ -6,9 +6,3 @@ ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
SELECT employee_id, first_name, last_name, email, manager, ssn, salary, phone SELECT employee_id, first_name, last_name, email, manager, ssn, salary, phone
FROM dds_employees FROM dds_employees
ORDER BY employee_id; ORDER BY employee_id;
UPDATE dds_employees
SET phone = '555-9999'
WHERE email = ORA_END_USER_CONTEXT.username;
COMMIT;

View File

@@ -0,0 +1,17 @@
SET PAGESIZE 100
SET LINESIZE 200
ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
PROMPT Employee self-service update: change own phone number.
UPDATE dds_employees
SET phone = '555-9999'
WHERE UPPER(email) = ORA_END_USER_CONTEXT.username;
COMMIT;
SELECT employee_id, first_name, last_name, email, phone
FROM dds_employees
WHERE UPPER(email) = ORA_END_USER_CONTEXT.username
ORDER BY employee_id;