Improve view bypass lab before and after flow
Some checks failed
Repo Quality / structure (push) Has been cancelled
Some checks failed
Repo Quality / structure (push) Has been cancelled
This commit is contained in:
@@ -12,6 +12,7 @@ Before Oracle Deep Data Security, a legacy view can expose rows that should be p
|
||||
|
||||
- `emma`: account owner.
|
||||
- `marvin`: account owner.
|
||||
- `erik`: account owner.
|
||||
|
||||
## Where To Run The Commands
|
||||
|
||||
@@ -49,15 +50,25 @@ sql "<connect_string>"
|
||||
@scenarios/04-view-bypass-mac/sql/02_identities.sql
|
||||
```
|
||||
|
||||
4. Query the legacy view:
|
||||
4. Connect as `emma` and query both access paths:
|
||||
|
||||
```bash
|
||||
sql 'emma/Welcome1_DDS!@ddslab_tunnel'
|
||||
```
|
||||
|
||||
```sql
|
||||
ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
|
||||
|
||||
SELECT account_id, account_name, owner_name, region, balance
|
||||
FROM dds_mac_accounts
|
||||
ORDER BY account_id;
|
||||
|
||||
SELECT account_id, account_name, owner_name, region, balance
|
||||
FROM dds_mac_accounts_view
|
||||
ORDER BY account_id;
|
||||
```
|
||||
|
||||
Expected result before protection: the view may show accounts owned by other users.
|
||||
Expected result before protection: both direct table access and the legacy view may show accounts owned by other users.
|
||||
|
||||
## Step By Step - After, With Deep Data Security
|
||||
|
||||
@@ -73,12 +84,13 @@ Expected result before protection: the view may show accounts owned by other use
|
||||
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql
|
||||
```
|
||||
|
||||
3. Repeat the test by simulating `emma` and `marvin`.
|
||||
3. Repeat the test by simulating `emma`, `marvin`, and `erik`.
|
||||
|
||||
Expected result after protection:
|
||||
|
||||
- The table returns only the authorized account.
|
||||
- The view returns the same authorized subset.
|
||||
- `emma` sees `Account Alpha`, `marvin` sees `Account Beta`, and `erik` sees `Account Gamma`.
|
||||
- The alternate access path no longer works as a bypass.
|
||||
|
||||
## Optional Automated Execution
|
||||
|
||||
Reference in New Issue
Block a user