Files
oracle-deep-data-security-lab/scenarios/04-view-bypass-mac/README.md
Rodrigo 1d11986e94
Some checks failed
Repo Quality / structure (push) Has been cancelled
Improve view bypass lab before and after flow
2026-05-18 12:22:35 -03:00

115 lines
2.7 KiB
Markdown
Executable File

# 04 - View Bypass Mandatory Access Control
## Objective
Show that views and alternate access paths must not bypass the policy on the base table.
## What This Lab Shows
Before Oracle Deep Data Security, a legacy view can expose rows that should be protected. After data grants and `USE DATA GRANTS ONLY` are applied, both the table and the view respect the same access boundary.
## Personas
- `emma`: account owner.
- `marvin`: account owner.
- `erik`: account owner.
## Where To Run The Commands
Run commands from the repository root:
```powershell
cd <repo-root>
```
Connect to the database with SQLcl or SQL*Plus:
```bash
sql "<connect_string>"
```
## Step By Step - Before, Vulnerable Environment
1. Connect to the database:
```bash
sql "<connect_string>"
```
2. Reset the scenario:
```sql
@scenarios/04-view-bypass-mac/sql/99_reset.sql
```
3. Create the table, view, data, and personas:
```sql
@scenarios/04-view-bypass-mac/sql/00_schema.sql
@scenarios/04-view-bypass-mac/sql/01_seed_data.sql
@scenarios/04-view-bypass-mac/sql/02_identities.sql
```
4. Connect as `emma` and query both access paths:
```bash
sql 'emma/Welcome1_DDS!@ddslab_tunnel'
```
```sql
ALTER SESSION SET CURRENT_SCHEMA = ADMIN;
SELECT account_id, account_name, owner_name, region, balance
FROM dds_mac_accounts
ORDER BY account_id;
SELECT account_id, account_name, owner_name, region, balance
FROM dds_mac_accounts_view
ORDER BY account_id;
```
Expected result before protection: both direct table access and the legacy view may show accounts owned by other users.
## Step By Step - After, With Deep Data Security
1. Apply data grants and Mandatory Access Control:
```sql
@scenarios/04-view-bypass-mac/sql/03_data_grants.sql
```
2. Run the base table and view queries:
```sql
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql
```
3. Repeat the test by simulating `emma`, `marvin`, and `erik`.
Expected result after protection:
- The table returns only the authorized account.
- The view returns the same authorized subset.
- `emma` sees `Account Alpha`, `marvin` sees `Account Beta`, and `erik` sees `Account Gamma`.
- The alternate access path no longer works as a bypass.
## Optional Automated Execution
Windows:
```powershell
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 04-view-bypass-mac -ConnectString "<connect_string>"
```
Linux/macOS:
```bash
./scripts/run-scenario.sh 04-view-bypass-mac "<connect_string>"
```
## Demo Details
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).
For a LiveLabs-style guided workshop, use [WORKSHOP.md](WORKSHOP.md).