Improve view bypass lab before and after flow
Some checks failed
Repo Quality / structure (push) Has been cancelled

This commit is contained in:
2026-05-18 12:22:35 -03:00
parent 07390ff902
commit 1d11986e94
7 changed files with 164 additions and 24 deletions

View File

@@ -12,6 +12,7 @@ Before Oracle Deep Data Security, a legacy view can expose rows that should be p
- `emma`: account owner.
- `marvin`: account owner.
- `erik`: account owner.
## Where To Run The Commands
@@ -49,15 +50,25 @@ sql "<connect_string>"
@scenarios/04-view-bypass-mac/sql/02_identities.sql
```
4. Query the legacy view:
4. Connect as `emma` and query both access paths:
```bash
sql 'emma/Welcome1_DDS!@ddslab_tunnel'
```
```sql
ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
SELECT account_id, account_name, owner_name, region, balance
FROM dds_mac_accounts
ORDER BY account_id;
SELECT account_id, account_name, owner_name, region, balance
FROM dds_mac_accounts_view
ORDER BY account_id;
```
Expected result before protection: the view may show accounts owned by other users.
Expected result before protection: both direct table access and the legacy view may show accounts owned by other users.
## Step By Step - After, With Deep Data Security
@@ -73,12 +84,13 @@ Expected result before protection: the view may show accounts owned by other use
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql
```
3. Repeat the test by simulating `emma` and `marvin`.
3. Repeat the test by simulating `emma`, `marvin`, and `erik`.
Expected result after protection:
- The table returns only the authorized account.
- The view returns the same authorized subset.
- `emma` sees `Account Alpha`, `marvin` sees `Account Beta`, and `erik` sees `Account Gamma`.
- The alternate access path no longer works as a bypass.
## Optional Automated Execution