# Runbook - 04 View Bypass MAC ## Objective Show that a view can contain the intended access rule while direct table access still bypasses that path, and that `USE DATA GRANTS ONLY` enforces Mandatory Access Control on the protected object. ## Security Value - Prevents bypass through direct table access, reports, BI tools, and other alternate paths. - Enforces a consistent policy across the base table and views. - Helps customers with many reports, synonyms, views, and BI tools. ## Prerequisites - Oracle AI Database compatible with Oracle Deep Data Security. - SQLcl or SQL*Plus. ## Before - Vulnerable Environment 1. Reset the scenario: ```sql @scenarios/04-view-bypass-mac/sql/99_reset.sql ``` 2. Create the table, view, data, and personas: ```sql @scenarios/04-view-bypass-mac/sql/00_schema.sql @scenarios/04-view-bypass-mac/sql/01_seed_data.sql @scenarios/04-view-bypass-mac/sql/02_identities.sql ``` 3. Connect as `emma` and query the base table directly: ```bash sql 'emma/Welcome1_DDS!@ddslab_tunnel' ``` ```sql ALTER SESSION SET CURRENT_SCHEMA = ADMIN; SELECT account_id, account_name, owner_name, region, balance FROM dds_mac_accounts ORDER BY account_id; ``` 4. Query the intended legacy view: ```sql SELECT account_id, account_name, owner_name, region, balance FROM dds_mac_accounts_view ORDER BY account_id; ``` ## Expected Result Before - Direct table access may expose accounts owned by other users. - The view returns only the current user's account because it contains the intended owner filter. - The security rule depends on using the correct access path. ## After - Applying Deep Data Security 1. Apply data grants and enable MAC: ```sql @scenarios/04-view-bypass-mac/sql/03_data_grants.sql ``` 2. Query the table and the view: ```sql @scenarios/04-view-bypass-mac/sql/04_test_queries.sql ``` ## Expected Result After - The base table returns only the account owned by the current end user. - The view returns the same restricted rows. - Direct table access no longer bypasses the owner policy when MAC is enabled. ## Demo Evidence - Table and view results before and after. - SQL statement `SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED`. - Explanation that MAC removes inconsistencies across access paths. ## Official References - SET USE DATA GRANTS ONLY: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/set-use-data-grants-only.html - Fine-Grained Data Authorization - Mandatory Access Control: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html - Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html