04 - View Bypass Mandatory Access Control
Objective
Show that views and alternate access paths must not bypass the policy on the base table.
What This Lab Shows
Before Oracle Deep Data Security, a legacy view can expose rows that should be protected. After data grants and USE DATA GRANTS ONLY are applied, both the table and the view respect the same access boundary.
Personas
emma: account owner.marvin: account owner.
Where To Run The Commands
Run commands from the repository root:
cd <repo-root>
Connect to the database with SQLcl or SQL*Plus:
sql "<connect_string>"
Step By Step - Before, Vulnerable Environment
-
Connect to the database:
sql "<connect_string>" -
Reset the scenario:
@scenarios/04-view-bypass-mac/sql/99_reset.sql -
Create the table, view, data, and personas:
@scenarios/04-view-bypass-mac/sql/00_schema.sql @scenarios/04-view-bypass-mac/sql/01_seed_data.sql @scenarios/04-view-bypass-mac/sql/02_identities.sql -
Query the legacy view:
SELECT account_id, account_name, owner_name, region, balance FROM dds_mac_accounts_view ORDER BY account_id;
Expected result before protection: the view may show accounts owned by other users.
Step By Step - After, With Deep Data Security
-
Apply data grants and Mandatory Access Control:
@scenarios/04-view-bypass-mac/sql/03_data_grants.sql -
Run the base table and view queries:
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql -
Repeat the test by simulating
emmaandmarvin.
Expected result after protection:
- The table returns only the authorized account.
- The view returns the same authorized subset.
- The alternate access path no longer works as a bypass.
Optional Automated Execution
Windows:
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 04-view-bypass-mac -ConnectString "<connect_string>"
Linux/macOS:
./scripts/run-scenario.sh 04-view-bypass-mac "<connect_string>"
Demo Details
See the complete walkthrough, evidence, and official references in RUNBOOK.md.
For a LiveLabs-style guided workshop, use WORKSHOP.md.