102 lines
2.2 KiB
Markdown
Executable File
102 lines
2.2 KiB
Markdown
Executable File
# 03 - PII Row Column Cell
|
|
|
|
## Objective
|
|
|
|
Show fine-grained PII controls at row, column, and cell level.
|
|
|
|
## What This Lab Shows
|
|
|
|
Before Oracle Deep Data Security, a broad query can expose employee records, SSNs, and salaries. After data grants are applied, each persona sees only what their business function allows.
|
|
|
|
## Personas
|
|
|
|
- `emma`: employee.
|
|
- `marvin`: manager.
|
|
- `victoria`: HR user.
|
|
|
|
## Where To Run The Commands
|
|
|
|
Run commands from the repository root:
|
|
|
|
```powershell
|
|
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
|
|
```
|
|
|
|
Connect to the database with SQLcl or SQL*Plus:
|
|
|
|
```bash
|
|
sql "<connect_string>"
|
|
```
|
|
|
|
## Step By Step - Before, Vulnerable Environment
|
|
|
|
1. Connect to the database:
|
|
|
|
```bash
|
|
sql "<connect_string>"
|
|
```
|
|
|
|
2. Reset the scenario:
|
|
|
|
```sql
|
|
@scenarios/03-pii-row-column-cell/sql/99_reset.sql
|
|
```
|
|
|
|
3. Create the employee table, data, and personas:
|
|
|
|
```sql
|
|
@scenarios/03-pii-row-column-cell/sql/00_schema.sql
|
|
@scenarios/03-pii-row-column-cell/sql/01_seed_data.sql
|
|
@scenarios/03-pii-row-column-cell/sql/02_identities.sql
|
|
```
|
|
|
|
4. Run the broad query:
|
|
|
|
```sql
|
|
@scenarios/03-pii-row-column-cell/sql/04_test_queries.sql
|
|
```
|
|
|
|
Expected result before protection: all records and sensitive columns may appear, including `SSN` and `SALARY`.
|
|
|
|
## Step By Step - After, With Deep Data Security
|
|
|
|
1. Apply the data grants:
|
|
|
|
```sql
|
|
@scenarios/03-pii-row-column-cell/sql/03_data_grants.sql
|
|
```
|
|
|
|
2. Run the query again:
|
|
|
|
```sql
|
|
@scenarios/03-pii-row-column-cell/sql/04_test_queries.sql
|
|
```
|
|
|
|
3. Repeat the test by simulating `emma`, `marvin`, and `victoria`.
|
|
|
|
Expected result after protection:
|
|
|
|
- `emma` sees only her own record.
|
|
- `marvin` sees direct reports, but SSN is hidden.
|
|
- `victoria` sees sensitive data through the HR role.
|
|
- Updates are limited to authorized columns.
|
|
|
|
## Optional Automated Execution
|
|
|
|
Windows:
|
|
|
|
```powershell
|
|
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 03-pii-row-column-cell -ConnectString "<connect_string>"
|
|
```
|
|
|
|
Linux/macOS:
|
|
|
|
```bash
|
|
./scripts/run-scenario.sh 03-pii-row-column-cell "<connect_string>"
|
|
```
|
|
|
|
## Demo Details
|
|
|
|
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).
|
|
|