Files
oracle-deep-data-security-lab/scenarios/07-audit-evidence-data-safe
Rodrigo db3d68af10
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled
Improve Deep Data Security lab scenarios
2026-05-13 16:13:04 -03:00
..

07 - Audit Evidence With Data Safe

Objective

Show how to turn access to sensitive data into audit evidence using Unified Audit and OCI Data Safe.

What This Lab Shows

Before the controls are applied, a payments table can be queried without a clear evidence trail for the customer. Afterward, Oracle Deep Data Security restricts data by persona and Unified Audit/Data Safe help show who accessed what.

Personas

  • payment_operator: payment operations user.
  • auditor: auditor.
  • dds_audit_analyst: technical analysis account.

Where To Run The Commands

Run SQL commands from the repository root:

cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab

Connect to the database with SQLcl or SQL*Plus:

sql "<connect_string>"

The Data Safe portion must be performed in the OCI Console under Oracle Data Safe.

Step By Step - Before, Vulnerable Environment

  1. Connect to the database:

    sql "<connect_string>"
    
  2. Reset the scenario:

    @scenarios/07-audit-evidence-data-safe/sql/99_reset.sql
    
  3. Create the sensitive table, data, and personas:

    @scenarios/07-audit-evidence-data-safe/sql/00_schema.sql
    @scenarios/07-audit-evidence-data-safe/sql/01_seed_data.sql
    @scenarios/07-audit-evidence-data-safe/sql/02_identities.sql
    
  4. Run a broad payments query:

    SELECT payment_id, customer_name, country, payment_amount, card_token, risk_flag
    FROM dds_audit_payments
    ORDER BY payment_id;
    

Expected result before protection: CARD_TOKEN and other sensitive data may appear for users with broad access, and the evidence is not organized for audit review.

Step By Step - After, With Deep Data Security And Auditing

  1. Apply the data grants:

    @scenarios/07-audit-evidence-data-safe/sql/03_data_grants.sql
    
  2. Create the Unified Audit policies:

    @scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql
    
  3. Generate activity and review the local audit trail:

    @scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql
    
  4. In the OCI Console, open Oracle Data Safe and perform:

    Security Center > Data Safe
    Target Databases > Register Target Database
    Activity Auditing > Start Audit Trail
    Activity Auditing > Reports or Events
    

Expected result after protection:

  • payment_operator sees Brazil operational payment fields without CARD_TOKEN.
  • auditor sees the data required for review.
  • UNIFIED_AUDIT_TRAIL records access to DDS_AUDIT_PAYMENTS.
  • Data Safe presents events, reports, and evidence for the customer.

Optional Automated Execution

Windows:

powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 07-audit-evidence-data-safe -ConnectString "<connect_string>"

Linux/macOS:

./scripts/run-scenario.sh 07-audit-evidence-data-safe "<connect_string>"

Demo Details

See the complete walkthrough, evidence, and official references in RUNBOOK.md.