103 lines
2.3 KiB
Markdown
Executable File
103 lines
2.3 KiB
Markdown
Executable File
# 04 - View Bypass Mandatory Access Control
|
|
|
|
## Objective
|
|
|
|
Show that views and alternate access paths must not bypass the policy on the base table.
|
|
|
|
## What This Lab Shows
|
|
|
|
Before Oracle Deep Data Security, a legacy view can expose rows that should be protected. After data grants and `USE DATA GRANTS ONLY` are applied, both the table and the view respect the same access boundary.
|
|
|
|
## Personas
|
|
|
|
- `emma`: account owner.
|
|
- `marvin`: account owner.
|
|
|
|
## Where To Run The Commands
|
|
|
|
Run commands from the repository root:
|
|
|
|
```powershell
|
|
cd <repo-root>
|
|
```
|
|
|
|
Connect to the database with SQLcl or SQL*Plus:
|
|
|
|
```bash
|
|
sql "<connect_string>"
|
|
```
|
|
|
|
## Step By Step - Before, Vulnerable Environment
|
|
|
|
1. Connect to the database:
|
|
|
|
```bash
|
|
sql "<connect_string>"
|
|
```
|
|
|
|
2. Reset the scenario:
|
|
|
|
```sql
|
|
@scenarios/04-view-bypass-mac/sql/99_reset.sql
|
|
```
|
|
|
|
3. Create the table, view, data, and personas:
|
|
|
|
```sql
|
|
@scenarios/04-view-bypass-mac/sql/00_schema.sql
|
|
@scenarios/04-view-bypass-mac/sql/01_seed_data.sql
|
|
@scenarios/04-view-bypass-mac/sql/02_identities.sql
|
|
```
|
|
|
|
4. Query the legacy view:
|
|
|
|
```sql
|
|
SELECT account_id, account_name, owner_name, region, balance
|
|
FROM dds_mac_accounts_view
|
|
ORDER BY account_id;
|
|
```
|
|
|
|
Expected result before protection: the view may show accounts owned by other users.
|
|
|
|
## Step By Step - After, With Deep Data Security
|
|
|
|
1. Apply data grants and Mandatory Access Control:
|
|
|
|
```sql
|
|
@scenarios/04-view-bypass-mac/sql/03_data_grants.sql
|
|
```
|
|
|
|
2. Run the base table and view queries:
|
|
|
|
```sql
|
|
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql
|
|
```
|
|
|
|
3. Repeat the test by simulating `emma` and `marvin`.
|
|
|
|
Expected result after protection:
|
|
|
|
- The table returns only the authorized account.
|
|
- The view returns the same authorized subset.
|
|
- The alternate access path no longer works as a bypass.
|
|
|
|
## Optional Automated Execution
|
|
|
|
Windows:
|
|
|
|
```powershell
|
|
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 04-view-bypass-mac -ConnectString "<connect_string>"
|
|
```
|
|
|
|
Linux/macOS:
|
|
|
|
```bash
|
|
./scripts/run-scenario.sh 04-view-bypass-mac "<connect_string>"
|
|
```
|
|
|
|
## Demo Details
|
|
|
|
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).
|
|
|
|
For a LiveLabs-style guided workshop, use [WORKSHOP.md](WORKSHOP.md).
|