2.5 KiB
2.5 KiB
Runbook - 02 Shared App Account
Objective
Show that a shared technical application account should not be the real data authorization boundary.
Security Value
- Reduces the risk of overprivileged connection pools.
- Lets the database evaluate the end user, not only the technical account.
- Helps protect web applications, APIs, BI tools, and agents that use shared accounts.
Prerequisites
- Oracle AI Database compatible with Oracle Deep Data Security.
- SQLcl or SQL*Plus.
- Understanding of which end-user identity the application will propagate.
Before - Vulnerable Environment
-
Reset the scenario:
@scenarios/02-shared-app-account/sql/99_reset.sql -
Create the table, data, and technical account:
@scenarios/02-shared-app-account/sql/00_schema.sql @scenarios/02-shared-app-account/sql/01_seed_data.sql @scenarios/02-shared-app-account/sql/02_identities.sql -
Simulate an application or API using the
DDS_APPaccount to query all orders:@scenarios/02-shared-app-account/sql/04_test_queries.sql
Expected Result Before
- The shared account can see orders from every seller and region.
- Fields such as
MARGINmay be exposed if the application generates incorrect SQL. - A bug, prompt injection, or abused endpoint may query more data than the user should see.
After - Applying Deep Data Security
-
Apply data grants by business role:
@scenarios/02-shared-app-account/sql/03_data_grants.sql -
Run the same query in the context of
aliceandbruno:@scenarios/02-shared-app-account/sql/04_test_queries.sql
Expected Result After
alicesees only her orders and does not seemargin.brunosees LATAM orders with full manager visibility.- The technical account is no longer the only security boundary.
Demo Evidence
- Before/after comparison of the same SQL.
- Explanation of data roles.
- Simple flow: end user -> app -> database -> data grants.
Official References
- Oracle Deep Data Security Guide: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/index.html
- Fine-Grained Data Authorization: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html
- Create Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/create-data-grants.html
- End-User Security Contexts: https://docs.oracle.com/en/database/oracle/oracle-database/26/refrn/DBA_END_USER_SECURITY_CONTEXTS.html