Files
Rodrigo 033d5e9456
Some checks failed
Repo Quality / structure (push) Has been cancelled
Clarify view bypass lab access paths
2026-05-18 12:29:10 -03:00
..
2026-05-18 12:29:10 -03:00
2026-05-18 12:29:10 -03:00

04 - View Bypass Mandatory Access Control

Objective

Show that views and alternate access paths must not bypass the policy on the base table.

What This Lab Shows

Before Oracle Deep Data Security, a legacy view may apply the expected owner filter, but direct table access can bypass that application access path and expose rows that should be protected. After data grants and USE DATA GRANTS ONLY are applied, both the table and the view respect the same access boundary.

Personas

  • emma: account owner.
  • marvin: account owner.
  • erik: account owner.

Where To Run The Commands

Run commands from the repository root:

cd <repo-root>

Connect to the database with SQLcl or SQL*Plus:

sql "<connect_string>"

Step By Step - Before, Vulnerable Environment

  1. Connect to the database:

    sql "<connect_string>"
    
  2. Reset the scenario:

    @scenarios/04-view-bypass-mac/sql/99_reset.sql
    
  3. Create the table, view, data, and personas:

    @scenarios/04-view-bypass-mac/sql/00_schema.sql
    @scenarios/04-view-bypass-mac/sql/01_seed_data.sql
    @scenarios/04-view-bypass-mac/sql/02_identities.sql
    
  4. Connect as emma and query both access paths:

    sql 'emma/Welcome1_DDS!@ddslab_tunnel'
    
    ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
    
    SELECT account_id, account_name, owner_name, region, balance
    FROM dds_mac_accounts
    ORDER BY account_id;
    
    SELECT account_id, account_name, owner_name, region, balance
    FROM dds_mac_accounts_view
    ORDER BY account_id;
    

Expected result before protection: the view shows only Emma's account, but direct table access can still show accounts owned by other users.

Step By Step - After, With Deep Data Security

  1. Apply data grants and Mandatory Access Control:

    @scenarios/04-view-bypass-mac/sql/03_data_grants.sql
    
  2. Run the base table and view queries:

    @scenarios/04-view-bypass-mac/sql/04_test_queries.sql
    
  3. Repeat the test by simulating emma, marvin, and erik.

Expected result after protection:

  • The table returns only the authorized account.
  • The view returns the same authorized subset.
  • emma sees Account Alpha, marvin sees Account Beta, and erik sees Account Gamma.
  • The direct table access path no longer works as a bypass.

Optional Automated Execution

Windows:

powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 04-view-bypass-mac -ConnectString "<connect_string>"

Linux/macOS:

./scripts/run-scenario.sh 04-view-bypass-mac "<connect_string>"

Demo Details

See the complete walkthrough, evidence, and official references in RUNBOOK.md.

For a LiveLabs-style guided workshop, use WORKSHOP.md.