# Runbook - 04 View Bypass MAC ## Objective Show that views and alternate access paths can bypass poorly designed controls, and that `USE DATA GRANTS ONLY` enforces Mandatory Access Control on the protected object. ## Security Value - Prevents bypass through legacy views. - Enforces a consistent policy across the base table and views. - Helps customers with many reports, synonyms, views, and BI tools. ## Prerequisites - Oracle AI Database compatible with Oracle Deep Data Security. - SQLcl or SQL*Plus. ## Before - Vulnerable Environment 1. Reset the scenario: ```sql @scenarios/04-view-bypass-mac/sql/99_reset.sql ``` 2. Create the table, view, data, and personas: ```sql @scenarios/04-view-bypass-mac/sql/00_schema.sql @scenarios/04-view-bypass-mac/sql/01_seed_data.sql @scenarios/04-view-bypass-mac/sql/02_identities.sql ``` 3. Simulate a legacy view that returns all data: ```sql SELECT account_id, account_name, owner_name, region, balance FROM dds_mac_accounts_view ORDER BY account_id; ``` ## Expected Result Before - The view may expose accounts owned by other users. - The alternate access path does not honor the intended base table policy. ## After - Applying Deep Data Security 1. Apply data grants and enable MAC: ```sql @scenarios/04-view-bypass-mac/sql/03_data_grants.sql ``` 2. Query the table and the view: ```sql @scenarios/04-view-bypass-mac/sql/04_test_queries.sql ``` ## Expected Result After - The base table returns only the account owned by the current end user. - The view returns the same restricted rows. - The broad view data grant cannot bypass the base table policy when MAC is enabled. ## Demo Evidence - Table and view results before and after. - SQL statement `SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED`. - Explanation that MAC removes inconsistencies across access paths. ## Official References - SET USE DATA GRANTS ONLY: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/set-use-data-grants-only.html - Fine-Grained Data Authorization - Mandatory Access Control: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html - Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html