# Runbook - 02 Shared App Account ## Objective Show that a shared technical application account should not be the real data authorization boundary. ## Security Value - Reduces the risk of overprivileged connection pools. - Lets the database evaluate the end user, not only the technical account. - Helps protect web applications, APIs, BI tools, and agents that use shared accounts. ## Prerequisites - Oracle AI Database compatible with Oracle Deep Data Security. - SQLcl or SQL*Plus. - Understanding of which end-user identity the application will propagate. ## Before - Vulnerable Environment 1. Reset the scenario: ```sql @scenarios/02-shared-app-account/sql/99_reset.sql ``` 2. Create the table, data, and technical account: ```sql @scenarios/02-shared-app-account/sql/00_schema.sql @scenarios/02-shared-app-account/sql/01_seed_data.sql @scenarios/02-shared-app-account/sql/02_identities.sql ``` 3. Simulate an application or API using the `DDS_APP` account to query all orders: ```sql @scenarios/02-shared-app-account/sql/04_test_queries.sql ``` ## Expected Result Before - The shared account can see orders from every seller and region. - Fields such as `MARGIN` may be exposed if the application generates incorrect SQL. - A bug, prompt injection, or abused endpoint may query more data than the user should see. ## After - Applying Deep Data Security 1. Apply data grants by business role: ```sql @scenarios/02-shared-app-account/sql/03_data_grants.sql ``` 2. Run the same query in the context of `alice` and `bruno`: ```sql @scenarios/02-shared-app-account/sql/04_test_queries.sql ``` ## Expected Result After - `alice` sees only her orders and does not see `margin`. - `bruno` sees LATAM orders with full manager visibility. - The technical account is no longer the only security boundary. ## Demo Evidence - Before/after comparison of the same SQL. - Explanation of data roles. - Simple flow: end user -> app -> database -> data grants. ## Official References - Oracle Deep Data Security Guide: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/index.html - Fine-Grained Data Authorization: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html - Create Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/create-data-grants.html - End-User Security Contexts: https://docs.oracle.com/en/database/oracle/oracle-database/26/refrn/DBA_END_USER_SECURITY_CONTEXTS.html