Translate lab documentation to English
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled

This commit is contained in:
Rodrigo Pace
2026-05-08 14:50:52 -03:00
parent cde150b705
commit 52bf971b8b
33 changed files with 939 additions and 702 deletions

View File

@@ -1,30 +1,30 @@
# Runbook - 02 Shared App Account
## Objetivo
## Objective
Demonstrar que uma conta tecnica compartilhada de aplicacao nao deve ser a fronteira real de autorizacao de dados.
Show that a shared technical application account should not be the real data authorization boundary.
## Valor De Seguranca
## Security Value
- Reduz o risco de connection pools com privilegios excessivos.
- Permite que o banco avalie o usuario final, e nao apenas a conta tecnica.
- Ajuda a proteger aplicacoes web, APIs, BI e agentes que usam contas compartilhadas.
- Reduces the risk of overprivileged connection pools.
- Lets the database evaluate the end user, not only the technical account.
- Helps protect web applications, APIs, BI tools, and agents that use shared accounts.
## Pre-Requisitos
## Prerequisites
- Banco Oracle AI Database compativel com Oracle Deep Data Security.
- SQLcl ou SQL*Plus.
- Entendimento de qual identidade final sera propagada pela aplicacao.
- Oracle AI Database compatible with Oracle Deep Data Security.
- SQLcl or SQL*Plus.
- Understanding of which end-user identity the application will propagate.
## Antes - Ambiente Vulneravel
## Before - Vulnerable Environment
1. Limpe o cenario:
1. Reset the scenario:
```sql
@scenarios/02-shared-app-account/sql/99_reset.sql
```
2. Crie a tabela, dados e conta tecnica:
2. Create the table, data, and technical account:
```sql
@scenarios/02-shared-app-account/sql/00_schema.sql
@@ -32,45 +32,45 @@ Demonstrar que uma conta tecnica compartilhada de aplicacao nao deve ser a front
@scenarios/02-shared-app-account/sql/02_identities.sql
```
3. Simule uma aplicacao ou API usando a conta `DDS_APP` para consultar todos os pedidos:
3. Simulate an application or API using the `DDS_APP` account to query all orders:
```sql
@scenarios/02-shared-app-account/sql/04_test_queries.sql
```
## Resultado Esperado Antes
## Expected Result Before
- A conta compartilhada consegue enxergar pedidos de todos os vendedores e regioes.
- Campos como `MARGIN` podem ficar expostos se a aplicacao gerar SQL incorreto.
- Um bug, prompt injection ou endpoint abusado pode consultar mais dados do que o usuario deveria ver.
- The shared account can see orders from every seller and region.
- Fields such as `MARGIN` may be exposed if the application generates incorrect SQL.
- A bug, prompt injection, or abused endpoint may query more data than the user should see.
## Depois - Aplicando Deep Data Security
## After - Applying Deep Data Security
1. Aplique data grants por papel de negocio:
1. Apply data grants by business role:
```sql
@scenarios/02-shared-app-account/sql/03_data_grants.sql
```
2. Execute a mesma query no contexto de `alice` e `bruno`:
2. Run the same query in the context of `alice` and `bruno`:
```sql
@scenarios/02-shared-app-account/sql/04_test_queries.sql
```
## Resultado Esperado Depois
## Expected Result After
- `alice` ve somente seus pedidos e nao ve `margin`.
- `bruno` ve pedidos LATAM com acesso gerencial.
- A conta tecnica deixa de ser a unica fronteira de seguranca.
- `alice` sees only her orders and does not see `margin`.
- `bruno` sees LATAM orders with full manager visibility.
- The technical account is no longer the only security boundary.
## Evidencias Para Demo
## Demo Evidence
- Comparacao antes/depois do mesmo SQL.
- Explicacao do uso de data roles.
- Diagrama simples: usuario final -> app -> banco -> data grants.
- Before/after comparison of the same SQL.
- Explanation of data roles.
- Simple flow: end user -> app -> database -> data grants.
## Referencias Oficiais
## Official References
- Oracle Deep Data Security Guide: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/index.html
- Fine-Grained Data Authorization: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html