Files
oracle-deep-data-security-lab/scenarios/04-view-bypass-mac/RUNBOOK.md
Rodrigo Pace 52bf971b8b
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled
Translate lab documentation to English
2026-05-08 14:50:52 -03:00

79 lines
2.3 KiB
Markdown

# Runbook - 04 View Bypass MAC
## Objective
Show that views and alternate access paths can bypass poorly designed controls, and that `USE DATA GRANTS ONLY` enforces Mandatory Access Control on the protected object.
## Security Value
- Prevents bypass through legacy views.
- Enforces a consistent policy across the base table and views.
- Helps customers with many reports, synonyms, views, and BI tools.
## Prerequisites
- Oracle AI Database compatible with Oracle Deep Data Security.
- SQLcl or SQL*Plus.
## Before - Vulnerable Environment
1. Reset the scenario:
```sql
@scenarios/04-view-bypass-mac/sql/99_reset.sql
```
2. Create the table, view, data, and personas:
```sql
@scenarios/04-view-bypass-mac/sql/00_schema.sql
@scenarios/04-view-bypass-mac/sql/01_seed_data.sql
@scenarios/04-view-bypass-mac/sql/02_identities.sql
```
3. Simulate a legacy view that returns all data:
```sql
SELECT account_id, account_name, owner_name, region, balance
FROM dds_mac_accounts_view
ORDER BY account_id;
```
## Expected Result Before
- The view may expose accounts owned by other users.
- The alternate access path does not honor the intended base table policy.
## After - Applying Deep Data Security
1. Apply data grants and enable MAC:
```sql
@scenarios/04-view-bypass-mac/sql/03_data_grants.sql
```
2. Query the table and the view:
```sql
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql
```
## Expected Result After
- The base table returns only the account owned by the current end user.
- The view returns the same restricted rows.
- The broad view data grant cannot bypass the base table policy when MAC is enabled.
## Demo Evidence
- Table and view results before and after.
- SQL statement `SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED`.
- Explanation that MAC removes inconsistencies across access paths.
## Official References
- SET USE DATA GRANTS ONLY: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/set-use-data-grants-only.html
- Fine-Grained Data Authorization - Mandatory Access Control: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html
- Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html