Files
oracle-deep-data-security-lab/scenarios/04-view-bypass-mac/RUNBOOK.md
Rodrigo db3d68af10
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled
Improve Deep Data Security lab scenarios
2026-05-13 16:13:04 -03:00

2.3 KiB
Executable File

Runbook - 04 View Bypass MAC

Objective

Show that views and alternate access paths can bypass poorly designed controls, and that USE DATA GRANTS ONLY enforces Mandatory Access Control on the protected object.

Security Value

  • Prevents bypass through legacy views.
  • Enforces a consistent policy across the base table and views.
  • Helps customers with many reports, synonyms, views, and BI tools.

Prerequisites

  • Oracle AI Database compatible with Oracle Deep Data Security.
  • SQLcl or SQL*Plus.

Before - Vulnerable Environment

  1. Reset the scenario:

    @scenarios/04-view-bypass-mac/sql/99_reset.sql
    
  2. Create the table, view, data, and personas:

    @scenarios/04-view-bypass-mac/sql/00_schema.sql
    @scenarios/04-view-bypass-mac/sql/01_seed_data.sql
    @scenarios/04-view-bypass-mac/sql/02_identities.sql
    
  3. Simulate a legacy view that returns all data:

    SELECT account_id, account_name, owner_name, region, balance
    FROM dds_mac_accounts_view
    ORDER BY account_id;
    

Expected Result Before

  • The view may expose accounts owned by other users.
  • The alternate access path does not honor the intended base table policy.

After - Applying Deep Data Security

  1. Apply data grants and enable MAC:

    @scenarios/04-view-bypass-mac/sql/03_data_grants.sql
    
  2. Query the table and the view:

    @scenarios/04-view-bypass-mac/sql/04_test_queries.sql
    

Expected Result After

  • The base table returns only the account owned by the current end user.
  • The view returns the same restricted rows.
  • The broad view data grant cannot bypass the base table policy when MAC is enabled.

Demo Evidence

  • Table and view results before and after.
  • SQL statement SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED.
  • Explanation that MAC removes inconsistencies across access paths.

Official References