Initial Oracle Deep Data Security lab kit
This commit is contained in:
10
scenarios/03-pii-row-column-cell/README.md
Normal file
10
scenarios/03-pii-row-column-cell/README.md
Normal file
@@ -0,0 +1,10 @@
|
||||
# 03 - PII Row/Column/Cell
|
||||
|
||||
## Objetivo
|
||||
|
||||
Demonstrar controle fino de PII por linha, coluna e célula.
|
||||
|
||||
## Narrativa
|
||||
|
||||
Funcionários podem consultar seus próprios dados. Gerentes podem consultar subordinados, mas não SSN. RH pode consultar dados sensíveis. Atualizações são limitadas por coluna.
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
# Expected Results
|
||||
|
||||
- `emma` sees only her own record.
|
||||
- `marvin` sees his record plus direct reports, with direct-report SSN as `NULL`.
|
||||
- `victoria` sees all employees and sensitive columns through HR role.
|
||||
- Employee phone update succeeds only for the user's own row.
|
||||
|
||||
12
scenarios/03-pii-row-column-cell/metadata.yaml
Normal file
12
scenarios/03-pii-row-column-cell/metadata.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
id: "03-pii-row-column-cell"
|
||||
title: "PII Row Column Cell"
|
||||
criticality: "high"
|
||||
estimated_time_minutes: 25
|
||||
audience:
|
||||
- compliance
|
||||
- dba
|
||||
- security
|
||||
products:
|
||||
- "Oracle Deep Data Security"
|
||||
reset_supported: true
|
||||
|
||||
13
scenarios/03-pii-row-column-cell/sql/00_schema.sql
Normal file
13
scenarios/03-pii-row-column-cell/sql/00_schema.sql
Normal file
@@ -0,0 +1,13 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE TABLE dds_employees (
|
||||
employee_id NUMBER PRIMARY KEY,
|
||||
first_name VARCHAR2(50) NOT NULL,
|
||||
last_name VARCHAR2(50) NOT NULL,
|
||||
email VARCHAR2(80) NOT NULL,
|
||||
manager VARCHAR2(80),
|
||||
ssn VARCHAR2(30),
|
||||
salary NUMBER(12,2),
|
||||
phone VARCHAR2(30)
|
||||
);
|
||||
|
||||
10
scenarios/03-pii-row-column-cell/sql/01_seed_data.sql
Normal file
10
scenarios/03-pii-row-column-cell/sql/01_seed_data.sql
Normal file
@@ -0,0 +1,10 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
INSERT INTO dds_employees VALUES (100, 'Victoria', 'Williams', 'victoria', NULL, '219-09-9999', 13000, '555-0100');
|
||||
INSERT INTO dds_employees VALUES (200, 'Marvin', 'Anderson', 'marvin', 'victoria', '457-55-5462', 12030, '555-0200');
|
||||
INSERT INTO dds_employees VALUES (300, 'Chris', 'Evans', 'chris', 'victoria', '321-12-4567', 6900, '555-0300');
|
||||
INSERT INTO dds_employees VALUES (400, 'Emma', 'Baker', 'emma', 'marvin', '733-02-9821', 8200, '555-0400');
|
||||
INSERT INTO dds_employees VALUES (500, 'Taylor', 'Mills', 'taylor', 'marvin', '558-76-1243', 9000, '555-0500');
|
||||
|
||||
COMMIT;
|
||||
|
||||
15
scenarios/03-pii-row-column-cell/sql/02_identities.sql
Normal file
15
scenarios/03-pii-row-column-cell/sql/02_identities.sql
Normal file
@@ -0,0 +1,15 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE END USER emma IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER marvin IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER victoria IDENTIFIED BY "Welcome1_DDS!";
|
||||
|
||||
CREATE DATA ROLE employee_role;
|
||||
CREATE DATA ROLE manager_role;
|
||||
CREATE DATA ROLE hr_role;
|
||||
|
||||
GRANT DATA ROLE employee_role TO emma;
|
||||
GRANT DATA ROLE employee_role TO marvin;
|
||||
GRANT DATA ROLE manager_role TO marvin;
|
||||
GRANT DATA ROLE hr_role TO victoria;
|
||||
|
||||
21
scenarios/03-pii-row-column-cell/sql/03_data_grants.sql
Normal file
21
scenarios/03-pii-row-column-cell/sql/03_data_grants.sql
Normal file
@@ -0,0 +1,21 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE OR REPLACE DATA GRANT employees_own_record
|
||||
AS SELECT, UPDATE (phone)
|
||||
ON dds_employees
|
||||
WHERE email = ORA_END_USER_CONTEXT.username
|
||||
TO employee_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT manager_direct_reports
|
||||
AS SELECT (ALL COLUMNS EXCEPT ssn), UPDATE (salary)
|
||||
ON dds_employees
|
||||
WHERE manager = ORA_END_USER_CONTEXT.username
|
||||
TO manager_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT hr_all_employees
|
||||
AS SELECT
|
||||
ON dds_employees
|
||||
TO hr_role;
|
||||
|
||||
SET USE DATA GRANTS ONLY ON dds_employees ENABLED;
|
||||
|
||||
13
scenarios/03-pii-row-column-cell/sql/04_test_queries.sql
Normal file
13
scenarios/03-pii-row-column-cell/sql/04_test_queries.sql
Normal file
@@ -0,0 +1,13 @@
|
||||
SET PAGESIZE 100
|
||||
SET LINESIZE 200
|
||||
|
||||
SELECT employee_id, first_name, last_name, email, manager, ssn, salary, phone
|
||||
FROM dds_employees
|
||||
ORDER BY employee_id;
|
||||
|
||||
UPDATE dds_employees
|
||||
SET phone = '555-9999'
|
||||
WHERE email = ORA_END_USER_CONTEXT.username;
|
||||
|
||||
COMMIT;
|
||||
|
||||
23
scenarios/03-pii-row-column-cell/sql/99_reset.sql
Normal file
23
scenarios/03-pii-row-column-cell/sql/99_reset.sql
Normal file
@@ -0,0 +1,23 @@
|
||||
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_employees DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT employees_own_record'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT manager_direct_reports'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT hr_all_employees'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_employees PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE employee_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE manager_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE hr_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER emma'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER marvin'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER victoria'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
PROMPT Negative test: managers must not see SSN for direct reports.
|
||||
SELECT employee_id, email, ssn FROM dds_employees WHERE manager = ORA_END_USER_CONTEXT.username;
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
PROMPT Positive test: row, column and cell-level policies apply by end-user role.
|
||||
@../sql/04_test_queries.sql
|
||||
|
||||
Reference in New Issue
Block a user