Initial Oracle Deep Data Security lab kit
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled

This commit is contained in:
Rodrigo Pace
2026-05-08 12:08:05 -03:00
commit 5cd8752a90
88 changed files with 2189 additions and 0 deletions

View File

@@ -0,0 +1,10 @@
# 04 - View Bypass / Mandatory Access Control
## Objetivo
Demonstrar que views e caminhos alternativos de acesso não devem contornar a política da tabela base.
## Narrativa
Uma view legada expõe todos os dados. Com `USE DATA GRANTS ONLY`, a política da tabela base passa a ser aplicada de forma uniforme.

View File

@@ -0,0 +1,6 @@
# Expected Results
- The base table returns only the account owned by the current end user.
- The view returns the same restricted rows.
- The broad view data grant does not bypass the base table policy when MAC is enabled.

View File

@@ -0,0 +1,12 @@
id: "04-view-bypass-mac"
title: "View Bypass Mandatory Access Control"
criticality: "high"
estimated_time_minutes: 15
audience:
- dba
- architect
- security
products:
- "Oracle Deep Data Security"
reset_supported: true

View File

@@ -0,0 +1,14 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE TABLE dds_mac_accounts (
account_id NUMBER PRIMARY KEY,
account_name VARCHAR2(100),
owner_name VARCHAR2(60),
region VARCHAR2(30),
balance NUMBER(12,2)
);
CREATE VIEW dds_mac_accounts_view AS
SELECT account_id, account_name, owner_name, region, balance
FROM dds_mac_accounts;

View File

@@ -0,0 +1,8 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
INSERT INTO dds_mac_accounts VALUES (1, 'Conta Alpha', 'emma', 'LATAM', 100000);
INSERT INTO dds_mac_accounts VALUES (2, 'Conta Beta', 'marvin', 'LATAM', 250000);
INSERT INTO dds_mac_accounts VALUES (3, 'Conta Gamma', 'erik', 'EMEA', 900000);
COMMIT;

View File

@@ -0,0 +1,9 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE END USER emma IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER marvin IDENTIFIED BY "Welcome1_DDS!";
CREATE DATA ROLE account_owner_role;
GRANT DATA ROLE account_owner_role TO emma;
GRANT DATA ROLE account_owner_role TO marvin;

View File

@@ -0,0 +1,15 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE OR REPLACE DATA GRANT mac_account_owner
AS SELECT
ON dds_mac_accounts
WHERE owner_name = ORA_END_USER_CONTEXT.username
TO account_owner_role;
CREATE OR REPLACE DATA GRANT mac_accounts_view_broad
AS SELECT
ON dds_mac_accounts_view
TO account_owner_role;
SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED;

View File

@@ -0,0 +1,13 @@
SET PAGESIZE 100
SET LINESIZE 200
PROMPT Query base table
SELECT account_id, account_name, owner_name, region, balance
FROM dds_mac_accounts
ORDER BY account_id;
PROMPT Query view
SELECT account_id, account_name, owner_name, region, balance
FROM dds_mac_accounts_view
ORDER BY account_id;

View File

@@ -0,0 +1,17 @@
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_mac_accounts DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT mac_account_owner'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT mac_accounts_view_broad'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP VIEW dds_mac_accounts_view'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_mac_accounts PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE account_owner_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER emma'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER marvin'; EXCEPTION WHEN OTHERS THEN NULL; END;
/

View File

@@ -0,0 +1,3 @@
PROMPT Negative test: broad view grant must not override base table mandatory access control.
SELECT COUNT(*) AS visible_rows_from_view FROM dds_mac_accounts_view;

View File

@@ -0,0 +1,3 @@
PROMPT Positive test: base table and view return the same authorized subset.
@../sql/04_test_queries.sql