Improve shared app account scenario
Some checks failed
Repo Quality / structure (push) Has been cancelled
Some checks failed
Repo Quality / structure (push) Has been cancelled
This commit is contained in:
@@ -6,7 +6,7 @@ Show the risk of a technical application account used by many users and how the
|
||||
|
||||
## What This Lab Shows
|
||||
|
||||
Before Oracle Deep Data Security, a technical account or connection pool can query orders from every seller and region. After data grants are applied, the result depends on the persona propagated by the application.
|
||||
Before Oracle Deep Data Security, a technical account or connection pool can query orders from every seller and region. After data grants are applied, the database authorizes access based on the end-user persona, not only on the shared technical account.
|
||||
|
||||
## Personas
|
||||
|
||||
@@ -16,39 +16,37 @@ Before Oracle Deep Data Security, a technical account or connection pool can que
|
||||
|
||||
## Where To Run The Commands
|
||||
|
||||
Run commands from the repository root:
|
||||
Run SQL scripts from the repository root. On Linux/macOS/WSL:
|
||||
|
||||
```bash
|
||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
||||
```
|
||||
|
||||
Connect as the lab administrator:
|
||||
|
||||
```bash
|
||||
sql admin@ddslab_tunnel
|
||||
```
|
||||
|
||||
SQLcl note: when running a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward, because `/` reruns the last command in the SQLcl buffer.
|
||||
|
||||
On Windows PowerShell:
|
||||
|
||||
```powershell
|
||||
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
|
||||
```
|
||||
|
||||
Connect to the database with SQLcl or SQL*Plus:
|
||||
|
||||
```bash
|
||||
sql "<connect_string>"
|
||||
```
|
||||
|
||||
Example:
|
||||
|
||||
```text
|
||||
ADMIN/<password>@ddslab_high
|
||||
sql admin@ddslab_tunnel
|
||||
```
|
||||
|
||||
## Step By Step - Before, Vulnerable Environment
|
||||
|
||||
1. Connect to the database:
|
||||
|
||||
```bash
|
||||
sql "<connect_string>"
|
||||
```
|
||||
|
||||
2. Reset the scenario:
|
||||
1. Reset the scenario as `ADMIN`:
|
||||
|
||||
```sql
|
||||
@scenarios/02-shared-app-account/sql/99_reset.sql
|
||||
```
|
||||
|
||||
3. Create the table, data, users, and technical account:
|
||||
2. Create the orders table, seed data, business personas, and the shared app account:
|
||||
|
||||
```sql
|
||||
@scenarios/02-shared-app-account/sql/00_schema.sql
|
||||
@@ -56,34 +54,82 @@ ADMIN/<password>@ddslab_high
|
||||
@scenarios/02-shared-app-account/sql/02_identities.sql
|
||||
```
|
||||
|
||||
4. Simulate an application querying orders with broad SQL:
|
||||
3. Show the full raw data as `ADMIN`:
|
||||
|
||||
```sql
|
||||
SELECT order_id, customer_name, region, seller, amount, margin
|
||||
FROM dds_orders
|
||||
ORDER BY order_id;
|
||||
```
|
||||
|
||||
4. Connect as the shared technical application account:
|
||||
|
||||
```bash
|
||||
sql 'dds_app/AppPool#2026Lab!@ddslab_tunnel'
|
||||
```
|
||||
|
||||
5. Run the broad application query:
|
||||
|
||||
```sql
|
||||
@scenarios/02-shared-app-account/sql/04_test_queries.sql
|
||||
```
|
||||
|
||||
Expected result before protection: orders from multiple regions and fields such as `MARGIN` may appear to users who should not see them.
|
||||
Expected result before protection: `DDS_APP` can see orders from all regions and the sensitive `MARGIN` column. This represents a common connection-pool problem where the database only sees the application account.
|
||||
|
||||
## Step By Step - After, With Deep Data Security
|
||||
|
||||
1. Apply the data grants:
|
||||
1. Reconnect as `ADMIN` and apply the data grants:
|
||||
|
||||
```sql
|
||||
@scenarios/02-shared-app-account/sql/03_data_grants.sql
|
||||
```
|
||||
|
||||
2. Run the query again:
|
||||
2. Connect as `alice`, a sales representative:
|
||||
|
||||
```sql
|
||||
@scenarios/02-shared-app-account/sql/04_test_queries.sql
|
||||
```bash
|
||||
sql 'alice/Welcome1_DDS!@ddslab_tunnel'
|
||||
```
|
||||
|
||||
3. Repeat the test by simulating `alice` and `bruno` as end users.
|
||||
3. Run Alice's normal business query, without the sensitive `MARGIN` column:
|
||||
|
||||
```sql
|
||||
ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
|
||||
|
||||
SELECT order_id, customer_name, region, seller, amount
|
||||
FROM dds_orders
|
||||
ORDER BY order_id;
|
||||
```
|
||||
|
||||
This query represents the normal sales workflow. Alice needs customer, region, seller, and order amount to follow her pipeline, but she does not need commercial margin.
|
||||
|
||||
4. Try to access the sensitive margin column as Alice:
|
||||
|
||||
```sql
|
||||
SELECT order_id, customer_name, region, seller, amount, margin
|
||||
FROM dds_orders
|
||||
ORDER BY order_id;
|
||||
```
|
||||
|
||||
This query represents an application bug, abused endpoint, prompt injection, or ad hoc SQL asking for a sensitive field outside Alice's business role.
|
||||
|
||||
5. Connect as `bruno`, the LATAM manager, and run the manager query:
|
||||
|
||||
```bash
|
||||
sql 'bruno/Welcome1_DDS!@ddslab_tunnel'
|
||||
```
|
||||
|
||||
```sql
|
||||
ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
|
||||
|
||||
SELECT order_id, customer_name, region, seller, amount, margin
|
||||
FROM dds_orders
|
||||
ORDER BY order_id;
|
||||
```
|
||||
|
||||
Expected result after protection:
|
||||
|
||||
- `alice` sees only her orders and does not see `MARGIN`.
|
||||
- `bruno` sees LATAM orders with manager visibility.
|
||||
- `alice` sees only her orders and does not get access to `MARGIN`.
|
||||
- `bruno` sees LATAM orders with manager visibility, including `MARGIN`.
|
||||
- The technical account is no longer the only authorization boundary.
|
||||
|
||||
## Optional Automated Execution
|
||||
@@ -103,4 +149,3 @@ Linux/macOS:
|
||||
## Demo Details
|
||||
|
||||
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).
|
||||
|
||||
|
||||
Reference in New Issue
Block a user