2.8 KiB
Executable File
04 - View Bypass Mandatory Access Control
Objective
Show that views and alternate access paths must not bypass the policy on the base table.
What This Lab Shows
Before Oracle Deep Data Security, a legacy view may apply the expected owner filter, but direct table access can bypass that application access path and expose rows that should be protected. After data grants and USE DATA GRANTS ONLY are applied, both the table and the view respect the same access boundary.
Personas
emma: account owner.marvin: account owner.erik: account owner.
Where To Run The Commands
Run commands from the repository root:
cd <repo-root>
Connect to the database with SQLcl or SQL*Plus:
sql "<connect_string>"
Step By Step - Before, Vulnerable Environment
-
Connect to the database:
sql "<connect_string>" -
Reset the scenario:
@scenarios/04-view-bypass-mac/sql/99_reset.sql -
Create the table, view, data, and personas:
@scenarios/04-view-bypass-mac/sql/00_schema.sql @scenarios/04-view-bypass-mac/sql/01_seed_data.sql @scenarios/04-view-bypass-mac/sql/02_identities.sql -
Connect as
emmaand query both access paths:sql 'emma/Welcome1_DDS!@ddslab_tunnel'ALTER SESSION SET CURRENT_SCHEMA = ADMIN; SELECT account_id, account_name, owner_name, region, balance FROM dds_mac_accounts ORDER BY account_id; SELECT account_id, account_name, owner_name, region, balance FROM dds_mac_accounts_view ORDER BY account_id;
Expected result before protection: the view shows only Emma's account, but direct table access can still show accounts owned by other users.
Step By Step - After, With Deep Data Security
-
Apply data grants and Mandatory Access Control:
@scenarios/04-view-bypass-mac/sql/03_data_grants.sql -
Run the base table and view queries:
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql -
Repeat the test by simulating
emma,marvin, anderik.
Expected result after protection:
- The table returns only the authorized account.
- The view returns the same authorized subset.
emmaseesAccount Alpha,marvinseesAccount Beta, anderikseesAccount Gamma.- The direct table access path no longer works as a bypass.
Optional Automated Execution
Windows:
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 04-view-bypass-mac -ConnectString "<connect_string>"
Linux/macOS:
./scripts/run-scenario.sh 04-view-bypass-mac "<connect_string>"
Demo Details
See the complete walkthrough, evidence, and official references in RUNBOOK.md.
For a LiveLabs-style guided workshop, use WORKSHOP.md.