Files
oracle-deep-data-security-lab/scenarios/04-view-bypass-mac/RUNBOOK.md
Rodrigo 033d5e9456
Some checks failed
Repo Quality / structure (push) Has been cancelled
Clarify view bypass lab access paths
2026-05-18 12:29:10 -03:00

2.7 KiB
Executable File

Runbook - 04 View Bypass MAC

Objective

Show that a view can contain the intended access rule while direct table access still bypasses that path, and that USE DATA GRANTS ONLY enforces Mandatory Access Control on the protected object.

Security Value

  • Prevents bypass through direct table access, reports, BI tools, and other alternate paths.
  • Enforces a consistent policy across the base table and views.
  • Helps customers with many reports, synonyms, views, and BI tools.

Prerequisites

  • Oracle AI Database compatible with Oracle Deep Data Security.
  • SQLcl or SQL*Plus.

Before - Vulnerable Environment

  1. Reset the scenario:

    @scenarios/04-view-bypass-mac/sql/99_reset.sql
    
  2. Create the table, view, data, and personas:

    @scenarios/04-view-bypass-mac/sql/00_schema.sql
    @scenarios/04-view-bypass-mac/sql/01_seed_data.sql
    @scenarios/04-view-bypass-mac/sql/02_identities.sql
    
  3. Connect as emma and query the base table directly:

    sql 'emma/Welcome1_DDS!@ddslab_tunnel'
    
    ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
    
    SELECT account_id, account_name, owner_name, region, balance
    FROM dds_mac_accounts
    ORDER BY account_id;
    
  4. Query the intended legacy view:

    SELECT account_id, account_name, owner_name, region, balance
    FROM dds_mac_accounts_view
    ORDER BY account_id;
    

Expected Result Before

  • Direct table access may expose accounts owned by other users.
  • The view returns only the current user's account because it contains the intended owner filter.
  • The security rule depends on using the correct access path.

After - Applying Deep Data Security

  1. Apply data grants and enable MAC:

    @scenarios/04-view-bypass-mac/sql/03_data_grants.sql
    
  2. Query the table and the view:

    @scenarios/04-view-bypass-mac/sql/04_test_queries.sql
    

Expected Result After

  • The base table returns only the account owned by the current end user.
  • The view returns the same restricted rows.
  • Direct table access no longer bypasses the owner policy when MAC is enabled.

Demo Evidence

  • Table and view results before and after.
  • SQL statement SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED.
  • Explanation that MAC removes inconsistencies across access paths.

Official References