joungmin/vpd-permission-poc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Pivot scenario from region-based 2 users to source-based 4 users

Browse Source 
Replaces the original APAC-vs-all 2-user demo (vpduser_a/b on
KR_ANALYSTS/GLOBAL_ADMINS groups) with a 2x2 source-access matrix:

  vpduser_my    -> MY_ONLY      group  -> MySQL view only
  vpduser_pg    -> PG_ONLY      group  -> Postgres view only
  vpduser_both  -> BOTH_SOURCES group  -> both views
  vpduser_none  -> (no group)          -> nothing (default deny)

Why: source-level segmentation is the more common production
permission story than region-level filtering. Region filtering
remains available as an opt-in variant via commented UPDATE in
sql/adb/03_seed.sql.

Key changes:
- 03_seed.sql, 07_end_users.sql, 00_cleanup.sql, .env.example,
  run.sh updated for the new 4-user model. All 4 users get
  identical view GRANTs; the only differentiator is the
  permission table (proves the model is "data-driven, not
  GRANT-driven").
- 08-11 split into one file per user: my (+ 5 bypass attempts),
  pg, both, none (default-deny verification).
- 12_tests_admin_audit.sql uses LEFT JOIN so vpduser_none shows
  up as NULL permissions, and filters by object_owner=USER to
  exclude cross-schema policies.
- Removed inline "-- comment" after ";" lines in 03_seed.sql:
  SQL*Plus silently skipped the inserts (documented gotcha).
- README.md + docs/01,02 updated for the 4-user matrix. docs/03
  detailed guide keeps the region-filter example but now has a
  preface explaining it's a variant of the default 4-user model.
- docs/04: db_type='mysql_community' note added (RDS MySQL).

E2E verified: PG=0/MY=17, PG=12/MY=0, PG=12/MY=17, PG=0/MY=0
plus all 5 bypass attempts blocked.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
devmrko
2026-05-26 14:42:11 +09:00
parent 68d53dc5a9
commit ed91306ee3
17 changed files with 424 additions and 191 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
sql/adb/06a_redaction.sql
View File

@@ -6,8 +6,10 @@
-- PII columns (email, full_name) are MASKED unless the session
-- has full-region access ('*') on the corresponding view.
--
-- - VPDUSER_A (KR_ANALYSTS, regions = 'APAC') -> sees masked PII
-- - VPDUSER_B (GLOBAL_ADMINS, regions = '*') -> sees real PII
-- - VPDUSER_MY -> PG view masked, MY view unmasked (allowed '*')
-- - VPDUSER_PG -> PG view unmasked, MY view masked
-- - VPDUSER_BOTH -> both views unmasked
-- - VPDUSER_NONE -> both masked (but rows filtered to 0 anyway)
--
-- Reuses the secure VPD_CTX populated at logon — no new context.
-- Data Redaction and VPD compose: VPD filters rows first, Redaction