Initial commit — VPD Permission POC (clone-and-go)

ADB-centered row-level access control across heterogeneous DB sources
(AWS RDS Postgres + MySQL) using Oracle VPD + Data Redaction +
Secure Application Context, packaged as a one-click demo.

Mechanism:
- LOGON trigger calls ctx_pkg.init once per session to load the user's
  allowed regions from the permission mapping tables into a Secure App
  Context (VPD_CTX, USING ctx_pkg).
- VPD policy function vpd_region_filter reads SYS_CONTEXT and returns
  an IN-list predicate (or '1=0' for fail-closed, NULL for '*'),
  which Oracle injects into every SELECT on the protected views.
- Data Redaction reuses the same context to mask PII (email, full_name)
  when the allowed-regions value is not '*'.
- 5 documented bypass attempts (direct DB link SELECT, SET_CONTEXT
  spoof, DBMS_RLS drop, mapping table SELECT) all blocked by GRANT
  scoping + DEFINER rights on ctx_pkg.

One-click entrypoint:
- ./run.sh {prereq|source|adb|tests|audit|all|teardown}
- Source DDL (Postgres + MySQL customers + 12-row seed each) is
  applied via local psql/mysql; ADB-side setup via sqlplus with .env
  values injected as SQL*Plus DEFINE substitutions.

Verified E2E on ADB 26ai + AWS RDS PG + RDS MySQL (mysql_community
gateway) on 2026-05-26: VPDUSER_A sees only APAC rows (PG 2 / MySQL 6,
PII masked), VPDUSER_B sees all (PG 12 / MySQL 17, PII unmasked).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

sql/adb/06a_redaction.sql

@@ -0,0 +1,85 @@
+-- ============================================================
+-- 05a_redaction.sql
+-- Column-level masking with Oracle Data Redaction (DBMS_REDACT).
+--
+-- Policy:
+--   PII columns (email, full_name) are MASKED unless the session
+--   has full-region access ('*') on the corresponding view.
+--
+--   - VPDUSER_A (KR_ANALYSTS, regions = 'APAC')  -> sees masked PII
+--   - VPDUSER_B (GLOBAL_ADMINS, regions = '*')   -> sees real PII
+--
+-- Reuses the secure VPD_CTX populated at logon — no new context.
+-- Data Redaction and VPD compose: VPD filters rows first, Redaction
+-- then transforms columns on the surviving rows.
+--
+-- NOTE: ADMIN has the EXEMPT REDACTION POLICY system privilege
+-- implicitly via DBA, so ADMIN sessions still see real values.
+-- End-users do not have it, so they see the masked output.
+-- ============================================================
+SET ECHO OFF
+SET FEEDBACK ON
+SET DEFINE OFF
+
+PROMPT === Creating PII redaction policy on v_customers_pg ===
+BEGIN
+  DBMS_REDACT.ADD_POLICY(
+    object_schema       => USER,
+    object_name         => 'V_CUSTOMERS_PG',
+    column_name         => 'EMAIL',
+    policy_name         => 'PII_REDACT_PG',
+    function_type       => DBMS_REDACT.REGEXP,
+    regexp_pattern      => '^(.)(.*)(@.*)$',
+    regexp_replace_string => '\1****\3',
+    regexp_position     => 1,
+    regexp_occurrence   => 1,
+    expression          => 'SYS_CONTEXT(''VPD_CTX'',''V_CUSTOMERS_PG'') IS NULL OR SYS_CONTEXT(''VPD_CTX'',''V_CUSTOMERS_PG'') != ''*'''
+  );
+
+  DBMS_REDACT.ALTER_POLICY(
+    object_schema       => USER,
+    object_name         => 'V_CUSTOMERS_PG',
+    policy_name         => 'PII_REDACT_PG',
+    action              => DBMS_REDACT.ADD_COLUMN,
+    column_name         => 'FULL_NAME',
+    function_type       => DBMS_REDACT.REGEXP,
+    regexp_pattern      => '^(.)(.*)$',
+    regexp_replace_string => '\1****',
+    regexp_position     => 1,
+    regexp_occurrence   => 1
+  );
+END;
+/
+
+PROMPT === Creating PII redaction policy on v_customers_my ===
+BEGIN
+  DBMS_REDACT.ADD_POLICY(
+    object_schema       => USER,
+    object_name         => 'V_CUSTOMERS_MY',
+    column_name         => 'EMAIL',
+    policy_name         => 'PII_REDACT_MY',
+    function_type       => DBMS_REDACT.REGEXP,
+    regexp_pattern      => '^(.)(.*)(@.*)$',
+    regexp_replace_string => '\1****\3',
+    regexp_position     => 1,
+    regexp_occurrence   => 1,
+    expression          => 'SYS_CONTEXT(''VPD_CTX'',''V_CUSTOMERS_MY'') IS NULL OR SYS_CONTEXT(''VPD_CTX'',''V_CUSTOMERS_MY'') != ''*'''
+  );
+
+  DBMS_REDACT.ALTER_POLICY(
+    object_schema       => USER,
+    object_name         => 'V_CUSTOMERS_MY',
+    policy_name         => 'PII_REDACT_MY',
+    action              => DBMS_REDACT.ADD_COLUMN,
+    column_name         => 'FULL_NAME',
+    function_type       => DBMS_REDACT.REGEXP,
+    regexp_pattern      => '^(.)(.*)$',
+    regexp_replace_string => '\1****',
+    regexp_position     => 1,
+    regexp_occurrence   => 1
+  );
+END;
+/
+
+PROMPT === Redaction policies attached ===
+EXIT;