Translate lab documentation to English
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled

This commit is contained in:
Rodrigo Pace
2026-05-08 14:50:52 -03:00
parent cde150b705
commit 52bf971b8b
33 changed files with 939 additions and 702 deletions

View File

@@ -1,54 +1,54 @@
# 02 - Shared App Account
## Objetivo
## Objective
Demonstrar o risco de uma conta tecnica de aplicacao usada por muitos usuarios e como o banco deve aplicar autorizacao com base no usuario final.
Show the risk of a technical application account used by many users and how the database should enforce authorization based on the end user.
## O Que Este Lab Mostra
## What This Lab Shows
Antes do Oracle Deep Data Security, uma conta tecnica ou connection pool pode consultar pedidos de todos os vendedores e regioes. Depois dos data grants, o retorno passa a depender da persona propagada pela aplicacao.
Before Oracle Deep Data Security, a technical account or connection pool can query orders from every seller and region. After data grants are applied, the result depends on the persona propagated by the application.
## Personas
- `alice`: vendedora.
- `bruno`: gerente LATAM.
- `dds_app`: conta tecnica da aplicacao.
- `alice`: sales representative.
- `bruno`: LATAM manager.
- `dds_app`: technical application account.
## Onde Executar Os Comandos
## Where To Run The Commands
Execute os comandos a partir da raiz do repositorio:
Run commands from the repository root:
```powershell
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
```
Conecte no banco com SQLcl ou SQL*Plus:
Connect to the database with SQLcl or SQL*Plus:
```bash
sql "<connect_string>"
```
Exemplo:
Example:
```text
ADMIN/<senha>@ddslab_high
ADMIN/<password>@ddslab_high
```
## Passo A Passo - Antes, Ambiente Vulneravel
## Step By Step - Before, Vulnerable Environment
1. Acesse o banco:
1. Connect to the database:
```bash
sql "<connect_string>"
```
2. Limpe o cenario:
2. Reset the scenario:
```sql
@scenarios/02-shared-app-account/sql/99_reset.sql
```
3. Crie tabela, dados, usuarios e conta tecnica:
3. Create the table, data, users, and technical account:
```sql
@scenarios/02-shared-app-account/sql/00_schema.sql
@@ -56,37 +56,37 @@ ADMIN/<senha>@ddslab_high
@scenarios/02-shared-app-account/sql/02_identities.sql
```
4. Simule uma aplicacao consultando pedidos com SQL amplo:
4. Simulate an application querying orders with broad SQL:
```sql
@scenarios/02-shared-app-account/sql/04_test_queries.sql
```
Resultado esperado antes: pedidos de varias regioes e campos como `MARGIN` podem aparecer para quem nao deveria.
Expected result before protection: orders from multiple regions and fields such as `MARGIN` may appear to users who should not see them.
## Passo A Passo - Depois, Com Deep Data Security
## Step By Step - After, With Deep Data Security
1. Aplique os data grants:
1. Apply the data grants:
```sql
@scenarios/02-shared-app-account/sql/03_data_grants.sql
```
2. Execute novamente a consulta:
2. Run the query again:
```sql
@scenarios/02-shared-app-account/sql/04_test_queries.sql
```
3. Repita o teste simulando `alice` e `bruno` como usuarios finais.
3. Repeat the test by simulating `alice` and `bruno` as end users.
Resultado esperado depois:
Expected result after protection:
- `alice` ve somente seus pedidos e nao ve `MARGIN`.
- `bruno` ve pedidos LATAM com visao gerencial.
- A conta tecnica deixa de ser o unico ponto de autorizacao.
- `alice` sees only her orders and does not see `MARGIN`.
- `bruno` sees LATAM orders with manager visibility.
- The technical account is no longer the only authorization boundary.
## Execucao Automatizada Opcional
## Optional Automated Execution
Windows:
@@ -100,7 +100,7 @@ Linux/macOS:
./scripts/run-scenario.sh 02-shared-app-account "<connect_string>"
```
## Detalhes Da Demo
## Demo Details
Veja o passo a passo completo, evidencias e referencias oficiais em [RUNBOOK.md](RUNBOOK.md).
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).