Files
oracle-deep-data-security-lab/scenarios/02-shared-app-account/README.md
Rodrigo db3d68af10
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled
Improve Deep Data Security lab scenarios
2026-05-13 16:13:04 -03:00

107 lines
2.5 KiB
Markdown
Executable File

# 02 - Shared App Account
## Objective
Show the risk of a technical application account used by many users and how the database should enforce authorization based on the end user.
## What This Lab Shows
Before Oracle Deep Data Security, a technical account or connection pool can query orders from every seller and region. After data grants are applied, the result depends on the persona propagated by the application.
## Personas
- `alice`: sales representative.
- `bruno`: LATAM manager.
- `dds_app`: technical application account.
## Where To Run The Commands
Run commands from the repository root:
```powershell
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
```
Connect to the database with SQLcl or SQL*Plus:
```bash
sql "<connect_string>"
```
Example:
```text
ADMIN/<password>@ddslab_high
```
## Step By Step - Before, Vulnerable Environment
1. Connect to the database:
```bash
sql "<connect_string>"
```
2. Reset the scenario:
```sql
@scenarios/02-shared-app-account/sql/99_reset.sql
```
3. Create the table, data, users, and technical account:
```sql
@scenarios/02-shared-app-account/sql/00_schema.sql
@scenarios/02-shared-app-account/sql/01_seed_data.sql
@scenarios/02-shared-app-account/sql/02_identities.sql
```
4. Simulate an application querying orders with broad SQL:
```sql
@scenarios/02-shared-app-account/sql/04_test_queries.sql
```
Expected result before protection: orders from multiple regions and fields such as `MARGIN` may appear to users who should not see them.
## Step By Step - After, With Deep Data Security
1. Apply the data grants:
```sql
@scenarios/02-shared-app-account/sql/03_data_grants.sql
```
2. Run the query again:
```sql
@scenarios/02-shared-app-account/sql/04_test_queries.sql
```
3. Repeat the test by simulating `alice` and `bruno` as end users.
Expected result after protection:
- `alice` sees only her orders and does not see `MARGIN`.
- `bruno` sees LATAM orders with manager visibility.
- The technical account is no longer the only authorization boundary.
## Optional Automated Execution
Windows:
```powershell
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 02-shared-app-account -ConnectString "<connect_string>"
```
Linux/macOS:
```bash
./scripts/run-scenario.sh 02-shared-app-account "<connect_string>"
```
## Demo Details
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).