107 lines
2.5 KiB
Markdown
107 lines
2.5 KiB
Markdown
# 02 - Shared App Account
|
|
|
|
## Objective
|
|
|
|
Show the risk of a technical application account used by many users and how the database should enforce authorization based on the end user.
|
|
|
|
## What This Lab Shows
|
|
|
|
Before Oracle Deep Data Security, a technical account or connection pool can query orders from every seller and region. After data grants are applied, the result depends on the persona propagated by the application.
|
|
|
|
## Personas
|
|
|
|
- `alice`: sales representative.
|
|
- `bruno`: LATAM manager.
|
|
- `dds_app`: technical application account.
|
|
|
|
## Where To Run The Commands
|
|
|
|
Run commands from the repository root:
|
|
|
|
```powershell
|
|
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
|
|
```
|
|
|
|
Connect to the database with SQLcl or SQL*Plus:
|
|
|
|
```bash
|
|
sql "<connect_string>"
|
|
```
|
|
|
|
Example:
|
|
|
|
```text
|
|
ADMIN/<password>@ddslab_high
|
|
```
|
|
|
|
## Step By Step - Before, Vulnerable Environment
|
|
|
|
1. Connect to the database:
|
|
|
|
```bash
|
|
sql "<connect_string>"
|
|
```
|
|
|
|
2. Reset the scenario:
|
|
|
|
```sql
|
|
@scenarios/02-shared-app-account/sql/99_reset.sql
|
|
```
|
|
|
|
3. Create the table, data, users, and technical account:
|
|
|
|
```sql
|
|
@scenarios/02-shared-app-account/sql/00_schema.sql
|
|
@scenarios/02-shared-app-account/sql/01_seed_data.sql
|
|
@scenarios/02-shared-app-account/sql/02_identities.sql
|
|
```
|
|
|
|
4. Simulate an application querying orders with broad SQL:
|
|
|
|
```sql
|
|
@scenarios/02-shared-app-account/sql/04_test_queries.sql
|
|
```
|
|
|
|
Expected result before protection: orders from multiple regions and fields such as `MARGIN` may appear to users who should not see them.
|
|
|
|
## Step By Step - After, With Deep Data Security
|
|
|
|
1. Apply the data grants:
|
|
|
|
```sql
|
|
@scenarios/02-shared-app-account/sql/03_data_grants.sql
|
|
```
|
|
|
|
2. Run the query again:
|
|
|
|
```sql
|
|
@scenarios/02-shared-app-account/sql/04_test_queries.sql
|
|
```
|
|
|
|
3. Repeat the test by simulating `alice` and `bruno` as end users.
|
|
|
|
Expected result after protection:
|
|
|
|
- `alice` sees only her orders and does not see `MARGIN`.
|
|
- `bruno` sees LATAM orders with manager visibility.
|
|
- The technical account is no longer the only authorization boundary.
|
|
|
|
## Optional Automated Execution
|
|
|
|
Windows:
|
|
|
|
```powershell
|
|
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 02-shared-app-account -ConnectString "<connect_string>"
|
|
```
|
|
|
|
Linux/macOS:
|
|
|
|
```bash
|
|
./scripts/run-scenario.sh 02-shared-app-account "<connect_string>"
|
|
```
|
|
|
|
## Demo Details
|
|
|
|
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).
|
|
|