Improve shared app account scenario
Some checks failed
Repo Quality / structure (push) Has been cancelled

This commit is contained in:
2026-05-14 11:49:45 -03:00
parent 5fa6b34d1e
commit 77ecd70622
7 changed files with 220 additions and 53 deletions

View File

@@ -6,7 +6,7 @@ Show the risk of a technical application account used by many users and how the
## What This Lab Shows
Before Oracle Deep Data Security, a technical account or connection pool can query orders from every seller and region. After data grants are applied, the result depends on the persona propagated by the application.
Before Oracle Deep Data Security, a technical account or connection pool can query orders from every seller and region. After data grants are applied, the database authorizes access based on the end-user persona, not only on the shared technical account.
## Personas
@@ -16,39 +16,37 @@ Before Oracle Deep Data Security, a technical account or connection pool can que
## Where To Run The Commands
Run commands from the repository root:
Run SQL scripts from the repository root. On Linux/macOS/WSL:
```bash
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
```
Connect as the lab administrator:
```bash
sql admin@ddslab_tunnel
```
SQLcl note: when running a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward, because `/` reruns the last command in the SQLcl buffer.
On Windows PowerShell:
```powershell
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
```
Connect to the database with SQLcl or SQL*Plus:
```bash
sql "<connect_string>"
```
Example:
```text
ADMIN/<password>@ddslab_high
sql admin@ddslab_tunnel
```
## Step By Step - Before, Vulnerable Environment
1. Connect to the database:
```bash
sql "<connect_string>"
```
2. Reset the scenario:
1. Reset the scenario as `ADMIN`:
```sql
@scenarios/02-shared-app-account/sql/99_reset.sql
```
3. Create the table, data, users, and technical account:
2. Create the orders table, seed data, business personas, and the shared app account:
```sql
@scenarios/02-shared-app-account/sql/00_schema.sql
@@ -56,34 +54,82 @@ ADMIN/<password>@ddslab_high
@scenarios/02-shared-app-account/sql/02_identities.sql
```
4. Simulate an application querying orders with broad SQL:
3. Show the full raw data as `ADMIN`:
```sql
SELECT order_id, customer_name, region, seller, amount, margin
FROM dds_orders
ORDER BY order_id;
```
4. Connect as the shared technical application account:
```bash
sql 'dds_app/AppPool#2026Lab!@ddslab_tunnel'
```
5. Run the broad application query:
```sql
@scenarios/02-shared-app-account/sql/04_test_queries.sql
```
Expected result before protection: orders from multiple regions and fields such as `MARGIN` may appear to users who should not see them.
Expected result before protection: `DDS_APP` can see orders from all regions and the sensitive `MARGIN` column. This represents a common connection-pool problem where the database only sees the application account.
## Step By Step - After, With Deep Data Security
1. Apply the data grants:
1. Reconnect as `ADMIN` and apply the data grants:
```sql
@scenarios/02-shared-app-account/sql/03_data_grants.sql
```
2. Run the query again:
2. Connect as `alice`, a sales representative:
```sql
@scenarios/02-shared-app-account/sql/04_test_queries.sql
```bash
sql 'alice/Welcome1_DDS!@ddslab_tunnel'
```
3. Repeat the test by simulating `alice` and `bruno` as end users.
3. Run Alice's normal business query, without the sensitive `MARGIN` column:
```sql
ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
SELECT order_id, customer_name, region, seller, amount
FROM dds_orders
ORDER BY order_id;
```
This query represents the normal sales workflow. Alice needs customer, region, seller, and order amount to follow her pipeline, but she does not need commercial margin.
4. Try to access the sensitive margin column as Alice:
```sql
SELECT order_id, customer_name, region, seller, amount, margin
FROM dds_orders
ORDER BY order_id;
```
This query represents an application bug, abused endpoint, prompt injection, or ad hoc SQL asking for a sensitive field outside Alice's business role.
5. Connect as `bruno`, the LATAM manager, and run the manager query:
```bash
sql 'bruno/Welcome1_DDS!@ddslab_tunnel'
```
```sql
ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
SELECT order_id, customer_name, region, seller, amount, margin
FROM dds_orders
ORDER BY order_id;
```
Expected result after protection:
- `alice` sees only her orders and does not see `MARGIN`.
- `bruno` sees LATAM orders with manager visibility.
- `alice` sees only her orders and does not get access to `MARGIN`.
- `bruno` sees LATAM orders with manager visibility, including `MARGIN`.
- The technical account is no longer the only authorization boundary.
## Optional Automated Execution
@@ -103,4 +149,3 @@ Linux/macOS:
## Demo Details
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).