Translate lab documentation to English
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled

This commit is contained in:
Rodrigo Pace
2026-05-08 14:50:52 -03:00
parent cde150b705
commit 52bf971b8b
33 changed files with 939 additions and 702 deletions

View File

@@ -1,48 +1,48 @@
# 03 - PII Row Column Cell
## Objetivo
## Objective
Demonstrar controle fino de PII por linha, coluna e celula.
Show fine-grained PII controls at row, column, and cell level.
## O Que Este Lab Mostra
## What This Lab Shows
Antes do Oracle Deep Data Security, uma consulta ampla pode expor dados de funcionarios, SSN e salario. Depois dos data grants, cada persona ve apenas o que sua funcao permite.
Before Oracle Deep Data Security, a broad query can expose employee records, SSNs, and salaries. After data grants are applied, each persona sees only what their business function allows.
## Personas
- `emma`: funcionaria.
- `marvin`: gerente.
- `victoria`: RH.
- `emma`: employee.
- `marvin`: manager.
- `victoria`: HR user.
## Onde Executar Os Comandos
## Where To Run The Commands
Execute os comandos a partir da raiz do repositorio:
Run commands from the repository root:
```powershell
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
```
Conecte no banco com SQLcl ou SQL*Plus:
Connect to the database with SQLcl or SQL*Plus:
```bash
sql "<connect_string>"
```
## Passo A Passo - Antes, Ambiente Vulneravel
## Step By Step - Before, Vulnerable Environment
1. Acesse o banco:
1. Connect to the database:
```bash
sql "<connect_string>"
```
2. Limpe o cenario:
2. Reset the scenario:
```sql
@scenarios/03-pii-row-column-cell/sql/99_reset.sql
```
3. Crie a tabela de funcionarios, dados e personas:
3. Create the employee table, data, and personas:
```sql
@scenarios/03-pii-row-column-cell/sql/00_schema.sql
@@ -50,38 +50,38 @@ sql "<connect_string>"
@scenarios/03-pii-row-column-cell/sql/02_identities.sql
```
4. Execute a consulta ampla:
4. Run the broad query:
```sql
@scenarios/03-pii-row-column-cell/sql/04_test_queries.sql
```
Resultado esperado antes: todos os registros e colunas sensiveis podem aparecer, incluindo `SSN` e `SALARY`.
Expected result before protection: all records and sensitive columns may appear, including `SSN` and `SALARY`.
## Passo A Passo - Depois, Com Deep Data Security
## Step By Step - After, With Deep Data Security
1. Aplique os data grants:
1. Apply the data grants:
```sql
@scenarios/03-pii-row-column-cell/sql/03_data_grants.sql
```
2. Execute novamente a consulta:
2. Run the query again:
```sql
@scenarios/03-pii-row-column-cell/sql/04_test_queries.sql
```
3. Repita o teste simulando `emma`, `marvin` e `victoria`.
3. Repeat the test by simulating `emma`, `marvin`, and `victoria`.
Resultado esperado depois:
Expected result after protection:
- `emma` ve apenas seu proprio registro.
- `marvin` ve seus subordinados, mas SSN fica oculto.
- `victoria` ve dados sensiveis por papel de RH.
- Atualizacoes ficam limitadas a colunas autorizadas.
- `emma` sees only her own record.
- `marvin` sees direct reports, but SSN is hidden.
- `victoria` sees sensitive data through the HR role.
- Updates are limited to authorized columns.
## Execucao Automatizada Opcional
## Optional Automated Execution
Windows:
@@ -95,7 +95,7 @@ Linux/macOS:
./scripts/run-scenario.sh 03-pii-row-column-cell "<connect_string>"
```
## Detalhes Da Demo
## Demo Details
Veja o passo a passo completo, evidencias e referencias oficiais em [RUNBOOK.md](RUNBOOK.md).
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).

View File

@@ -1,30 +1,30 @@
# Runbook - 03 PII Row Column Cell
## Objetivo
## Objective
Demonstrar controle fino de PII em linhas, colunas e celulas: funcionario ve seu proprio registro, gerente ve subordinados com SSN oculto, e RH ve dados sensiveis.
Show fine-grained PII controls across rows, columns, and cells: an employee sees their own record, a manager sees direct reports with SSN hidden, and HR sees sensitive data.
## Valor De Seguranca
## Security Value
- Protege PII e dados salariais.
- Demonstra controle de coluna e celula, nao apenas RBAC simples.
- Ajuda em conversas de LGPD, privacidade, RH e segregacao de funcoes.
- Protects PII and salary data.
- Demonstrates column and cell-level access, not only simple RBAC.
- Supports privacy, HR, LGPD/GDPR, and segregation-of-duties conversations.
## Pre-Requisitos
## Prerequisites
- Banco Oracle AI Database compativel com Oracle Deep Data Security.
- SQLcl ou SQL*Plus.
- Usuario com privilegios para criar data grants.
- Oracle AI Database compatible with Oracle Deep Data Security.
- SQLcl or SQL*Plus.
- User with privileges to create data grants.
## Antes - Ambiente Vulneravel
## Before - Vulnerable Environment
1. Limpe o cenario:
1. Reset the scenario:
```sql
@scenarios/03-pii-row-column-cell/sql/99_reset.sql
```
2. Crie dados e personas, sem data grants:
2. Create data and personas without data grants:
```sql
@scenarios/03-pii-row-column-cell/sql/00_schema.sql
@@ -32,46 +32,46 @@ Demonstrar controle fino de PII em linhas, colunas e celulas: funcionario ve seu
@scenarios/03-pii-row-column-cell/sql/02_identities.sql
```
3. Execute a consulta ampla:
3. Run the broad query:
```sql
@scenarios/03-pii-row-column-cell/sql/04_test_queries.sql
```
## Resultado Esperado Antes
## Expected Result Before
- Todos os funcionarios aparecem.
- `SSN` e `SALARY` ficam visiveis para quem tiver acesso amplo ao objeto.
- Um gerente ou usuario operacional poderia ver PII alem do necessario se a aplicacao falhar.
- All employees are visible.
- `SSN` and `SALARY` are visible to users with broad object access.
- A manager or operational user could see more PII than required if the application fails.
## Depois - Aplicando Deep Data Security
## After - Applying Deep Data Security
1. Aplique data grants de funcionario, gerente e RH:
1. Apply employee, manager, and HR data grants:
```sql
@scenarios/03-pii-row-column-cell/sql/03_data_grants.sql
```
2. Execute a mesma consulta como `emma`, `marvin` e `victoria`:
2. Run the same query as `emma`, `marvin`, and `victoria`:
```sql
@scenarios/03-pii-row-column-cell/sql/04_test_queries.sql
```
## Resultado Esperado Depois
## Expected Result After
- `emma` ve somente seu proprio registro.
- `marvin` ve seu registro e subordinados, mas SSN dos subordinados aparece como `NULL`.
- `victoria` ve todos os registros por papel de RH.
- Atualizacao de telefone e permitida apenas na linha autorizada.
- `emma` sees only her own record.
- `marvin` sees his own record and direct reports, but direct-report SSN appears as `NULL`.
- `victoria` sees all records through the HR role.
- Phone updates are allowed only for the authorized row.
## Evidencias Para Demo
## Demo Evidence
- Screenshot mostrando `SSN` como `NULL` para gerente.
- Query de update de telefone funcionando no proprio registro.
- Explicacao de row, column e cell-level access.
- Screenshot showing `SSN` as `NULL` for a manager.
- Phone update query working only on the user's own record.
- Explanation of row, column, and cell-level access.
## Referencias Oficiais
## Official References
- Fine-Grained Data Authorization: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html
- Create Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/create-data-grants.html