2.3 KiB
Executable File
2.3 KiB
Executable File
Runbook - 04 View Bypass MAC
Objective
Show that views and alternate access paths can bypass poorly designed controls, and that USE DATA GRANTS ONLY enforces Mandatory Access Control on the protected object.
Security Value
- Prevents bypass through legacy views.
- Enforces a consistent policy across the base table and views.
- Helps customers with many reports, synonyms, views, and BI tools.
Prerequisites
- Oracle AI Database compatible with Oracle Deep Data Security.
- SQLcl or SQL*Plus.
Before - Vulnerable Environment
-
Reset the scenario:
@scenarios/04-view-bypass-mac/sql/99_reset.sql -
Create the table, view, data, and personas:
@scenarios/04-view-bypass-mac/sql/00_schema.sql @scenarios/04-view-bypass-mac/sql/01_seed_data.sql @scenarios/04-view-bypass-mac/sql/02_identities.sql -
Simulate a legacy view that returns all data:
SELECT account_id, account_name, owner_name, region, balance FROM dds_mac_accounts_view ORDER BY account_id;
Expected Result Before
- The view may expose accounts owned by other users.
- The alternate access path does not honor the intended base table policy.
After - Applying Deep Data Security
-
Apply data grants and enable MAC:
@scenarios/04-view-bypass-mac/sql/03_data_grants.sql -
Query the table and the view:
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql
Expected Result After
- The base table returns only the account owned by the current end user.
- The view returns the same restricted rows.
- The broad view data grant cannot bypass the base table policy when MAC is enabled.
Demo Evidence
- Table and view results before and after.
- SQL statement
SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED. - Explanation that MAC removes inconsistencies across access paths.
Official References
- SET USE DATA GRANTS ONLY: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/set-use-data-grants-only.html
- Fine-Grained Data Authorization - Mandatory Access Control: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html
- Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html