Files
oracle-deep-data-security-lab/scenarios/02-shared-app-account/README.md
Rodrigo db3d68af10
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled
Improve Deep Data Security lab scenarios
2026-05-13 16:13:04 -03:00

2.5 KiB
Executable File

02 - Shared App Account

Objective

Show the risk of a technical application account used by many users and how the database should enforce authorization based on the end user.

What This Lab Shows

Before Oracle Deep Data Security, a technical account or connection pool can query orders from every seller and region. After data grants are applied, the result depends on the persona propagated by the application.

Personas

  • alice: sales representative.
  • bruno: LATAM manager.
  • dds_app: technical application account.

Where To Run The Commands

Run commands from the repository root:

cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab

Connect to the database with SQLcl or SQL*Plus:

sql "<connect_string>"

Example:

ADMIN/<password>@ddslab_high

Step By Step - Before, Vulnerable Environment

  1. Connect to the database:

    sql "<connect_string>"
    
  2. Reset the scenario:

    @scenarios/02-shared-app-account/sql/99_reset.sql
    
  3. Create the table, data, users, and technical account:

    @scenarios/02-shared-app-account/sql/00_schema.sql
    @scenarios/02-shared-app-account/sql/01_seed_data.sql
    @scenarios/02-shared-app-account/sql/02_identities.sql
    
  4. Simulate an application querying orders with broad SQL:

    @scenarios/02-shared-app-account/sql/04_test_queries.sql
    

Expected result before protection: orders from multiple regions and fields such as MARGIN may appear to users who should not see them.

Step By Step - After, With Deep Data Security

  1. Apply the data grants:

    @scenarios/02-shared-app-account/sql/03_data_grants.sql
    
  2. Run the query again:

    @scenarios/02-shared-app-account/sql/04_test_queries.sql
    
  3. Repeat the test by simulating alice and bruno as end users.

Expected result after protection:

  • alice sees only her orders and does not see MARGIN.
  • bruno sees LATAM orders with manager visibility.
  • The technical account is no longer the only authorization boundary.

Optional Automated Execution

Windows:

powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 02-shared-app-account -ConnectString "<connect_string>"

Linux/macOS:

./scripts/run-scenario.sh 02-shared-app-account "<connect_string>"

Demo Details

See the complete walkthrough, evidence, and official references in RUNBOOK.md.