# 02 - Shared App Account ## Objective Show the risk of a technical application account used by many users and how the database should enforce authorization based on the end user. ## What This Lab Shows Before Oracle Deep Data Security, a technical account or connection pool can query orders from every seller and region. After data grants are applied, the result depends on the persona propagated by the application. ## Personas - `alice`: sales representative. - `bruno`: LATAM manager. - `dds_app`: technical application account. ## Where To Run The Commands Run commands from the repository root: ```powershell cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab ``` Connect to the database with SQLcl or SQL*Plus: ```bash sql "" ``` Example: ```text ADMIN/@ddslab_high ``` ## Step By Step - Before, Vulnerable Environment 1. Connect to the database: ```bash sql "" ``` 2. Reset the scenario: ```sql @scenarios/02-shared-app-account/sql/99_reset.sql ``` 3. Create the table, data, users, and technical account: ```sql @scenarios/02-shared-app-account/sql/00_schema.sql @scenarios/02-shared-app-account/sql/01_seed_data.sql @scenarios/02-shared-app-account/sql/02_identities.sql ``` 4. Simulate an application querying orders with broad SQL: ```sql @scenarios/02-shared-app-account/sql/04_test_queries.sql ``` Expected result before protection: orders from multiple regions and fields such as `MARGIN` may appear to users who should not see them. ## Step By Step - After, With Deep Data Security 1. Apply the data grants: ```sql @scenarios/02-shared-app-account/sql/03_data_grants.sql ``` 2. Run the query again: ```sql @scenarios/02-shared-app-account/sql/04_test_queries.sql ``` 3. Repeat the test by simulating `alice` and `bruno` as end users. Expected result after protection: - `alice` sees only her orders and does not see `MARGIN`. - `bruno` sees LATAM orders with manager visibility. - The technical account is no longer the only authorization boundary. ## Optional Automated Execution Windows: ```powershell powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 02-shared-app-account -ConnectString "" ``` Linux/macOS: ```bash ./scripts/run-scenario.sh 02-shared-app-account "" ``` ## Demo Details See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).