2.7 KiB
Executable File
2.7 KiB
Executable File
Runbook - 04 View Bypass MAC
Objective
Show that a view can contain the intended access rule while direct table access still bypasses that path, and that USE DATA GRANTS ONLY enforces Mandatory Access Control on the protected object.
Security Value
- Prevents bypass through direct table access, reports, BI tools, and other alternate paths.
- Enforces a consistent policy across the base table and views.
- Helps customers with many reports, synonyms, views, and BI tools.
Prerequisites
- Oracle AI Database compatible with Oracle Deep Data Security.
- SQLcl or SQL*Plus.
Before - Vulnerable Environment
-
Reset the scenario:
@scenarios/04-view-bypass-mac/sql/99_reset.sql -
Create the table, view, data, and personas:
@scenarios/04-view-bypass-mac/sql/00_schema.sql @scenarios/04-view-bypass-mac/sql/01_seed_data.sql @scenarios/04-view-bypass-mac/sql/02_identities.sql -
Connect as
emmaand query the base table directly:sql 'emma/Welcome1_DDS!@ddslab_tunnel'ALTER SESSION SET CURRENT_SCHEMA = ADMIN; SELECT account_id, account_name, owner_name, region, balance FROM dds_mac_accounts ORDER BY account_id; -
Query the intended legacy view:
SELECT account_id, account_name, owner_name, region, balance FROM dds_mac_accounts_view ORDER BY account_id;
Expected Result Before
- Direct table access may expose accounts owned by other users.
- The view returns only the current user's account because it contains the intended owner filter.
- The security rule depends on using the correct access path.
After - Applying Deep Data Security
-
Apply data grants and enable MAC:
@scenarios/04-view-bypass-mac/sql/03_data_grants.sql -
Query the table and the view:
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql
Expected Result After
- The base table returns only the account owned by the current end user.
- The view returns the same restricted rows.
- Direct table access no longer bypasses the owner policy when MAC is enabled.
Demo Evidence
- Table and view results before and after.
- SQL statement
SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED. - Explanation that MAC removes inconsistencies across access paths.
Official References
- SET USE DATA GRANTS ONLY: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/set-use-data-grants-only.html
- Fine-Grained Data Authorization - Mandatory Access Control: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html
- Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html