Files
oracle-deep-data-security-lab/scenarios/04-view-bypass-mac
Rodrigo b8d6de0fb5
Some checks failed
Repo Quality / structure (push) Has been cancelled
Add workshop guides for all lab scenarios
2026-05-14 14:50:21 -03:00
..

04 - View Bypass Mandatory Access Control

Objective

Show that views and alternate access paths must not bypass the policy on the base table.

What This Lab Shows

Before Oracle Deep Data Security, a legacy view can expose rows that should be protected. After data grants and USE DATA GRANTS ONLY are applied, both the table and the view respect the same access boundary.

Personas

  • emma: account owner.
  • marvin: account owner.

Where To Run The Commands

Run commands from the repository root:

cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab

Connect to the database with SQLcl or SQL*Plus:

sql "<connect_string>"

Step By Step - Before, Vulnerable Environment

  1. Connect to the database:

    sql "<connect_string>"
    
  2. Reset the scenario:

    @scenarios/04-view-bypass-mac/sql/99_reset.sql
    
  3. Create the table, view, data, and personas:

    @scenarios/04-view-bypass-mac/sql/00_schema.sql
    @scenarios/04-view-bypass-mac/sql/01_seed_data.sql
    @scenarios/04-view-bypass-mac/sql/02_identities.sql
    
  4. Query the legacy view:

    SELECT account_id, account_name, owner_name, region, balance
    FROM dds_mac_accounts_view
    ORDER BY account_id;
    

Expected result before protection: the view may show accounts owned by other users.

Step By Step - After, With Deep Data Security

  1. Apply data grants and Mandatory Access Control:

    @scenarios/04-view-bypass-mac/sql/03_data_grants.sql
    
  2. Run the base table and view queries:

    @scenarios/04-view-bypass-mac/sql/04_test_queries.sql
    
  3. Repeat the test by simulating emma and marvin.

Expected result after protection:

  • The table returns only the authorized account.
  • The view returns the same authorized subset.
  • The alternate access path no longer works as a bypass.

Optional Automated Execution

Windows:

powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 04-view-bypass-mac -ConnectString "<connect_string>"

Linux/macOS:

./scripts/run-scenario.sh 04-view-bypass-mac "<connect_string>"

Demo Details

See the complete walkthrough, evidence, and official references in RUNBOOK.md.

For a LiveLabs-style guided workshop, use WORKSHOP.md.