Initial Oracle Deep Data Security lab kit
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled

This commit is contained in:
Rodrigo Pace
2026-05-08 12:08:05 -03:00
commit 5cd8752a90
88 changed files with 2189 additions and 0 deletions

View File

@@ -0,0 +1,10 @@
# 03 - PII Row/Column/Cell
## Objetivo
Demonstrar controle fino de PII por linha, coluna e célula.
## Narrativa
Funcionários podem consultar seus próprios dados. Gerentes podem consultar subordinados, mas não SSN. RH pode consultar dados sensíveis. Atualizações são limitadas por coluna.

View File

@@ -0,0 +1,7 @@
# Expected Results
- `emma` sees only her own record.
- `marvin` sees his record plus direct reports, with direct-report SSN as `NULL`.
- `victoria` sees all employees and sensitive columns through HR role.
- Employee phone update succeeds only for the user's own row.

View File

@@ -0,0 +1,12 @@
id: "03-pii-row-column-cell"
title: "PII Row Column Cell"
criticality: "high"
estimated_time_minutes: 25
audience:
- compliance
- dba
- security
products:
- "Oracle Deep Data Security"
reset_supported: true

View File

@@ -0,0 +1,13 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE TABLE dds_employees (
employee_id NUMBER PRIMARY KEY,
first_name VARCHAR2(50) NOT NULL,
last_name VARCHAR2(50) NOT NULL,
email VARCHAR2(80) NOT NULL,
manager VARCHAR2(80),
ssn VARCHAR2(30),
salary NUMBER(12,2),
phone VARCHAR2(30)
);

View File

@@ -0,0 +1,10 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
INSERT INTO dds_employees VALUES (100, 'Victoria', 'Williams', 'victoria', NULL, '219-09-9999', 13000, '555-0100');
INSERT INTO dds_employees VALUES (200, 'Marvin', 'Anderson', 'marvin', 'victoria', '457-55-5462', 12030, '555-0200');
INSERT INTO dds_employees VALUES (300, 'Chris', 'Evans', 'chris', 'victoria', '321-12-4567', 6900, '555-0300');
INSERT INTO dds_employees VALUES (400, 'Emma', 'Baker', 'emma', 'marvin', '733-02-9821', 8200, '555-0400');
INSERT INTO dds_employees VALUES (500, 'Taylor', 'Mills', 'taylor', 'marvin', '558-76-1243', 9000, '555-0500');
COMMIT;

View File

@@ -0,0 +1,15 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE END USER emma IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER marvin IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER victoria IDENTIFIED BY "Welcome1_DDS!";
CREATE DATA ROLE employee_role;
CREATE DATA ROLE manager_role;
CREATE DATA ROLE hr_role;
GRANT DATA ROLE employee_role TO emma;
GRANT DATA ROLE employee_role TO marvin;
GRANT DATA ROLE manager_role TO marvin;
GRANT DATA ROLE hr_role TO victoria;

View File

@@ -0,0 +1,21 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE OR REPLACE DATA GRANT employees_own_record
AS SELECT, UPDATE (phone)
ON dds_employees
WHERE email = ORA_END_USER_CONTEXT.username
TO employee_role;
CREATE OR REPLACE DATA GRANT manager_direct_reports
AS SELECT (ALL COLUMNS EXCEPT ssn), UPDATE (salary)
ON dds_employees
WHERE manager = ORA_END_USER_CONTEXT.username
TO manager_role;
CREATE OR REPLACE DATA GRANT hr_all_employees
AS SELECT
ON dds_employees
TO hr_role;
SET USE DATA GRANTS ONLY ON dds_employees ENABLED;

View File

@@ -0,0 +1,13 @@
SET PAGESIZE 100
SET LINESIZE 200
SELECT employee_id, first_name, last_name, email, manager, ssn, salary, phone
FROM dds_employees
ORDER BY employee_id;
UPDATE dds_employees
SET phone = '555-9999'
WHERE email = ORA_END_USER_CONTEXT.username;
COMMIT;

View File

@@ -0,0 +1,23 @@
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_employees DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT employees_own_record'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT manager_direct_reports'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT hr_all_employees'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_employees PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE employee_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE manager_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE hr_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER emma'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER marvin'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER victoria'; EXCEPTION WHEN OTHERS THEN NULL; END;
/

View File

@@ -0,0 +1,3 @@
PROMPT Negative test: managers must not see SSN for direct reports.
SELECT employee_id, email, ssn FROM dds_employees WHERE manager = ORA_END_USER_CONTEXT.username;

View File

@@ -0,0 +1,3 @@
PROMPT Positive test: row, column and cell-level policies apply by end-user role.
@../sql/04_test_queries.sql