Files
oracle-deep-data-security-lab/scenarios/04-view-bypass-mac/RUNBOOK.md
Rodrigo 033d5e9456
Some checks failed
Repo Quality / structure (push) Has been cancelled
Clarify view bypass lab access paths
2026-05-18 12:29:10 -03:00

93 lines
2.7 KiB
Markdown
Executable File

# Runbook - 04 View Bypass MAC
## Objective
Show that a view can contain the intended access rule while direct table access still bypasses that path, and that `USE DATA GRANTS ONLY` enforces Mandatory Access Control on the protected object.
## Security Value
- Prevents bypass through direct table access, reports, BI tools, and other alternate paths.
- Enforces a consistent policy across the base table and views.
- Helps customers with many reports, synonyms, views, and BI tools.
## Prerequisites
- Oracle AI Database compatible with Oracle Deep Data Security.
- SQLcl or SQL*Plus.
## Before - Vulnerable Environment
1. Reset the scenario:
```sql
@scenarios/04-view-bypass-mac/sql/99_reset.sql
```
2. Create the table, view, data, and personas:
```sql
@scenarios/04-view-bypass-mac/sql/00_schema.sql
@scenarios/04-view-bypass-mac/sql/01_seed_data.sql
@scenarios/04-view-bypass-mac/sql/02_identities.sql
```
3. Connect as `emma` and query the base table directly:
```bash
sql 'emma/Welcome1_DDS!@ddslab_tunnel'
```
```sql
ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
SELECT account_id, account_name, owner_name, region, balance
FROM dds_mac_accounts
ORDER BY account_id;
```
4. Query the intended legacy view:
```sql
SELECT account_id, account_name, owner_name, region, balance
FROM dds_mac_accounts_view
ORDER BY account_id;
```
## Expected Result Before
- Direct table access may expose accounts owned by other users.
- The view returns only the current user's account because it contains the intended owner filter.
- The security rule depends on using the correct access path.
## After - Applying Deep Data Security
1. Apply data grants and enable MAC:
```sql
@scenarios/04-view-bypass-mac/sql/03_data_grants.sql
```
2. Query the table and the view:
```sql
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql
```
## Expected Result After
- The base table returns only the account owned by the current end user.
- The view returns the same restricted rows.
- Direct table access no longer bypasses the owner policy when MAC is enabled.
## Demo Evidence
- Table and view results before and after.
- SQL statement `SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED`.
- Explanation that MAC removes inconsistencies across access paths.
## Official References
- SET USE DATA GRANTS ONLY: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/set-use-data-grants-only.html
- Fine-Grained Data Authorization - Mandatory Access Control: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html
- Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html