Pivot scenario from region-based 2 users to source-based 4 users

Replaces the original APAC-vs-all 2-user demo (vpduser_a/b on KR_ANALYSTS/GLOBAL_ADMINS groups) with a 2x2 source-access matrix: vpduser_my -> MY_ONLY group -> MySQL view only vpduser_pg -> PG_ONLY group -> Postgres view only vpduser_both -> BOTH_SOURCES group -> both views vpduser_none -> (no group) -> nothing (default deny) Why: source-level segmentation is the more common production permission story than region-level filtering. Region filtering remains available as an opt-in variant via commented UPDATE in sql/adb/03_seed.sql. Key changes: - 03_seed.sql, 07_end_users.sql, 00_cleanup.sql, .env.example, run.sh updated for the new 4-user model. All 4 users get identical view GRANTs; the only differentiator is the permission table (proves the model is "data-driven, not GRANT-driven"). - 08-11 split into one file per user: my (+ 5 bypass attempts), pg, both, none (default-deny verification). - 12_tests_admin_audit.sql uses LEFT JOIN so vpduser_none shows up as NULL permissions, and filters by object_owner=USER to exclude cross-schema policies. - Removed inline "-- comment" after ";" lines in 03_seed.sql: SQL*Plus silently skipped the inserts (documented gotcha). - README.md + docs/01,02 updated for the 4-user matrix. docs/03 detailed guide keeps the region-filter example but now has a preface explaining it's a variant of the default 4-user model. - docs/04: db_type='mysql_community' note added (RDS MySQL). E2E verified: PG=0/MY=17, PG=12/MY=0, PG=12/MY=17, PG=0/MY=0 plus all 5 bypass attempts blocked. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-26 14:42:11 +09:00
parent 68d53dc5a9
commit ed91306ee3
17 changed files with 424 additions and 191 deletions
--- a/.env.example
+++ b/.env.example
@@ -22,8 +22,15 @@ export ADB_PASSWORD=""                                           # 비워두면
 # --- (3) 데모용 ADB 엔드유저 비밀번호 (sql/adb/07_end_users.sql 에서 사용) ---
 # ADB 비번 정책: 12자 이상, 대/소/숫자/특수 조합.
-export VPDUSER_A_PASSWORD="RowFilter#A2026"
+# 4명의 데모 유저:
-export VPDUSER_B_PASSWORD="RowFilter#B2026"
+#   vpduser_my   → MySQL view 만 SELECT 가능
 #   vpduser_pg   → Postgres view 만 SELECT 가능
 #   vpduser_both → 양쪽 view 모두 SELECT 가능
 #   vpduser_none → 양쪽 view 모두 fail-closed (0 rows)
 export VPDUSER_MY_PASSWORD="RowFilter#My2026"
 export VPDUSER_PG_PASSWORD="RowFilter#Pg2026"
 export VPDUSER_BOTH_PASSWORD="RowFilter#Both26"
 export VPDUSER_NONE_PASSWORD="RowFilter#None26"
 # --- (4) 원격 Postgres (AWS RDS, Cloud SQL, ...) ---
 # sql/source/postgres_setup.sql 가 여기로 customers 테이블/seed 생성.
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ End-to-End 데모입니다.
 | ADB - 컨텍스트 | `vpd_ctx` (Secure Application Context) + `ctx_pkg` | 로그인 시 권한을 세션 컨텍스트로 로딩 |
 | ADB - 뷰 | `v_customers_pg`, `v_customers_my` | DB Link 위의 통합 뷰. **이 뷰에만 VPD/Redaction 정책이 붙음** |
 | ADB - 정책 | `CUSTOMERS_PG_POLICY`, `CUSTOMERS_MY_POLICY`, `PII_REDACT_PG/MY` | VPD 행 필터 + 이메일 마스킹 |
-| ADB - 엔드유저 | `vpduser_a`, `vpduser_b` | 최소 권한. 뷰만 SELECT 가능. LOGON 트리거로 컨텍스트 자동 로딩 |
+| ADB - 엔드유저 | `vpduser_my`, `vpduser_pg`, `vpduser_both`, `vpduser_none` | 최소 권한. 뷰만 SELECT 가능. LOGON 트리거로 컨텍스트 자동 로딩 |
 ---
@@ -44,7 +44,7 @@ $EDITOR .env
 1. **prereq** — `sqlplus`, `psql`, `mysql` 존재 + `.env` 변수 검증
 2. **source** — 원격 PG/MySQL 에 `customers` 테이블 + seed (멱등)
 3. **adb** — ADB 측 cleanup → DB Link → 권한 테이블/seed → context/view/policy → 엔드유저
-4. **tests** — `vpduser_a` 와 `vpduser_b` 로 접속해 행 필터/마스킹 검증
+4. **tests** — 4 명 (`vpduser_my`/`vpduser_pg`/`vpduser_both`/`vpduser_none`) 로 접속해 행 필터/마스킹/default-deny 검증
 5. **audit** — ADMIN 으로 정책/뷰/유저 상태 점검
 세부 단계만 따로 돌리려면:
@@ -73,23 +73,33 @@ $EDITOR .env
 ---
-## 데모 시나리오
+## 데모 시나리오 — 2×2 source access matrix
-`sql/adb/03_seed.sql` 의 매핑:
+`sql/adb/03_seed.sql` 의 매핑 (4 유저, 4 케이스):
-| DB 유저 | 그룹 | 볼 수 있는 region |
+| DB 유저 | 그룹 | PG 뷰 | MySQL 뷰 | VPD 결과 |
-|---|---|---|
+|---|---|---|---|---|
-| `vpduser_a` | `KR_ANALYSTS` | `APAC` 만 |
+| `vpduser_my`   | `MY_ONLY`      | ✗ 0 rows | ✓ ALL    | PG=`1=0` / MY=`NULL` |
-| `vpduser_b` | `GLOBAL_ADMINS` | `*` (전체) |
+| `vpduser_pg`   | `PG_ONLY`      | ✓ ALL    | ✗ 0 rows | PG=`NULL` / MY=`1=0` |
 | `vpduser_both` | `BOTH_SOURCES` | ✓ ALL    | ✓ ALL    | PG=`NULL` / MY=`NULL` |
 | `vpduser_none` | (그룹 없음)    | ✗ 0 rows | ✗ 0 rows | PG=`1=0` / MY=`1=0` (default deny) |
-따라서:
+핵심 포인트:
-* `vpduser_a` 로 `SELECT * FROM admin.v_customers_pg` → APAC rows 만, 이메일 마스킹됨
+* 네 유저 모두 **양쪽 뷰에 SELECT GRANT 는 동일하게 주어집니다.** 차이를 만드는 건
-* `vpduser_b` 로 같은 쿼리 → 전체 rows, 이메일 원본
+  GRANT 가 아니라 `permission` 테이블의 행. 즉 **권한 회수 = GRANT 해제가 아니라
-* 누구든 원본 테이블 직접 접근 시도 (`@RDS_POSTGRES_LINK` 등) → 권한 없음
+  permission row 삭제**.
 * `vpduser_none` 처럼 매핑이 아예 없는 유저는 자동으로 fail-closed
  (`1=0` predicate) — **deny by default**.
 * 누구든 원본 테이블 직접 접근 시도 (`@RDS_POSTGRES_LINK` 등) → 권한 없음.
-`sql/adb/08_tests_user_a.sql` 가 우회 시도 5개 (DBMS_RLS 변경, 다른 유저 컨텍스트
+`sql/adb/08_tests_user_my.sql` 가 우회 시도 5개 (원격 직접 SELECT, 컨텍스트
-설정 등) 를 시도하고 모두 ORA-xxxxx 로 실패하는 것을 보여줍니다.
+스푸핑, DBMS_RLS 변경, 매핑 테이블 SELECT) 를 시도하고 모두 ORA-xxxxx 로 실패하는 것을
 보여줍니다. 09/10/11 은 각 유저의 expected 행 수를 가볍게 확인합니다.
 > Row-level region 필터링 (예: `vpduser_both` 가 PG 는 APAC 만) 도 정책 함수에
 > 그대로 살아있습니다. `03_seed.sql` 하단의 주석 처리된 `UPDATE permission ...
 > allowed_regions='APAC'` 한 줄이면 활성화됩니다.
 ---
@@ -113,10 +123,12 @@ $EDITOR .env
 │       ├── 05_views.sql         # DB Link 통합 뷰
 │       ├── 06_policy.sql        # VPD 정책 + 정책 함수
 │       ├── 06a_redaction.sql    # Data Redaction (이메일 마스킹)
-│       ├── 07_end_users.sql     # vpduser_a/b + LOGON 트리거
+│       ├── 07_end_users.sql        # 4 유저 + LOGON 트리거
-│       ├── 08_tests_user_a.sql  # APAC-only 검증 + 우회 시도
+│       ├── 08_tests_user_my.sql    # MY only — 우회 시도 5종 포함
-│       ├── 09_tests_user_b.sql  # GLOBAL_ADMIN 검증
+│       ├── 09_tests_user_pg.sql    # PG only
-│       └── 10_tests_admin_audit.sql
+│       ├── 10_tests_user_both.sql  # both
 │       ├── 11_tests_user_none.sql  # default deny (fail-closed) 검증
 │       └── 12_tests_admin_audit.sql
 └── docs/
    └── 03-detailed-guide.md     # 한국어 상세 설명 (아키텍처, 정책 로직, 운영 고려사항)
 ```
--- a/docs/01-quickstart.md
+++ b/docs/01-quickstart.md
@@ -53,8 +53,8 @@ $EDITOR .env
 | `PG_HOST` 등 | 원격 Postgres 연결정보 |
 | `MY_HOST` 등 | 원격 MySQL 연결정보 |
-VPDUSER A/B 의 패스워드는 데모용 기본값이 들어있으니 그대로 써도 무방하지만,
+VPDUSER (`my` / `pg` / `both` / `none`) 의 패스워드는 데모용 기본값이 들어있으니 그대로
-공유 환경이면 바꿔주세요.
+써도 무방하지만, 공유 환경이면 바꿔주세요.
 ---
@@ -71,7 +71,7 @@ VPDUSER A/B 의 패스워드는 데모용 기본값이 들어있으니 그대로
 [ OK ] Postgres source 준비 완료
 [ OK ] MySQL source 준비 완료
 [ OK ] ADB setup 완료
-[ OK ] user_a / user_b 테스트 실행 완료 (위 출력에서 행 수 / 거부 결과 확인)
+[ OK ] 4명 (MY / PG / BOTH / NONE) 테스트 실행 완료 (위 출력에서 행 수 / 거부 결과 확인)
 [ OK ] audit 완료
 [ OK ] === ALL DONE — VPD POC 전체 파이프라인 통과 ===
 ```
@@ -79,9 +79,15 @@ VPDUSER A/B 의 패스워드는 데모용 기본값이 들어있으니 그대로
 이후 직접 검증해보고 싶으면:
 ```bash
-# vpduser_a 로 접속 → APAC rows 만 보여야 함
+# vpduser_pg 로 접속 → PG 뷰는 전부 보이고 MY 뷰는 0 rows 여야 함
-sqlplus vpduser_a/${VPDUSER_A_PASSWORD}@${ADB_TNS}
+sqlplus vpduser_pg/${VPDUSER_PG_PASSWORD}@${ADB_TNS}
-SQL> SELECT region, COUNT(*) FROM admin.v_customers_pg GROUP BY region;
+SQL> SELECT COUNT(*) FROM admin.v_customers_pg;   -- 12
 SQL> SELECT COUNT(*) FROM admin.v_customers_my;   -- 0
 # vpduser_none 으로 접속 → 양쪽 뷰 모두 0 rows (default deny)
 sqlplus vpduser_none/${VPDUSER_NONE_PASSWORD}@${ADB_TNS}
 SQL> SELECT COUNT(*) FROM admin.v_customers_pg;   -- 0
 SQL> SELECT COUNT(*) FROM admin.v_customers_my;   -- 0
 ```
 ---
--- a/docs/02-architecture.md
+++ b/docs/02-architecture.md
@@ -43,7 +43,8 @@ LOGON 시 한 번만 읽으므로 쿼리 부하 0.
 ```
            +---------------------+
-            |  vpduser_a / b      |  ← 사용자 로그인
+            |  vpduser_my / pg /  |  ← 사용자 로그인
            |  both / none        |
            +----------+----------+
                       |
              (1) LOGON 트리거
@@ -88,7 +89,7 @@ LOGON 시 한 번만 읽으므로 쿼리 부하 0.
 |---|---|
 | `app_customer` | 도메인의 "고객사" 개념 (멀티 테넌트 hook) |
 | `app_user` | DB 유저 → 도메인 유저 매핑 (`db_username` 컬럼이 핵심) |
-| `app_group` | 그룹 (KR_ANALYSTS, GLOBAL_ADMINS, ...) |
+| `app_group` | 그룹 (MY_ONLY, PG_ONLY, BOTH_SOURCES, ...) |
 | `user_group` | user ↔ group N:N |
 | `db_source` | 원본 소스 식별자 (PG, MY) |
 | `permission` | (group, source, region) 행 — `region='*'` 이면 전체 허용 |
@@ -112,7 +113,7 @@ LOGON 시 한 번만 읽으므로 쿼리 부하 0.
 4. 그 외 → `RETURN 'region IN (''APAC'',''EMEA'')'` 형식으로 in-list
 → 컨텍스트는 **Secure Application Context** (`USING ctx_pkg`) 라 다른 패키지에서
-설정 불가. `vpduser_a` 가 `DBMS_SESSION.SET_CONTEXT('VPD_CTX', ...)` 직접 호출 →
+설정 불가. 엔드유저가 `DBMS_SESSION.SET_CONTEXT('VPD_CTX', ...)` 직접 호출 →
 ORA-01031.
 ---
@@ -134,8 +135,8 @@ ORA-01031.
 | 누가 | 무엇을 할 수 있나 |
 |---|---|
 | `ADMIN` (ADB 관리자) | 전부 다. 정책 BYPASS. **운영에선 절대 일반 사용자에게 주지 말 것** |
-| `vpduser_a/b` | (a) 자기에게 GRANT 된 뷰 SELECT, (b) `ctx_pkg.init` 호출 |
+| `vpduser_*` (my/pg/both/none) | (a) 자기에게 GRANT 된 뷰 SELECT, (b) `ctx_pkg.init` 호출 |
-| `vpduser_a/b` 가 **못** 하는 것 | DBMS_RLS 변경, EXEMPT ACCESS POLICY, CREATE TABLE (스냅샷 방지), 매핑 테이블 직접 SELECT, DB Link 직접 SELECT |
+| `vpduser_*` 가 **못** 하는 것 | DBMS_RLS 변경, EXEMPT ACCESS POLICY, CREATE TABLE (스냅샷 방지), 매핑 테이블 직접 SELECT, DB Link 직접 SELECT |
 → 즉 엔드유저 입장에서 정책을 우회할 표면이 없습니다. `07_end_users.sql` 의
 주석에서 "what we are deliberately NOT granting" 섹션이 그 목록.
--- a/docs/03-detailed-guide.md
+++ b/docs/03-detailed-guide.md
@@ -3,6 +3,13 @@
 > **이 문서의 대상 독자:** 데이터베이스 보안이나 Oracle 기술에 익숙하지 않은 분.
 > 용어가 나올 때마다 풀어서 설명하고, 왜 그 장치가 필요한지를 함께 적습니다.
 > **시나리오 안내:** 현재 `./run.sh` 가 자동으로 깔아주는 기본 시나리오는 4명의
 > 엔드유저 (`vpduser_my`/`pg`/`both`/`none`) 가 각각 다른 소스에 접근 가능한 **소스
 > 단위 매트릭스** 입니다 (README 참고). 본 상세 가이드는 그 위에 얹을 수 있는 **행
 > 단위 region 필터링** 변형(`KR_ANALYSTS → APAC`, `GLOBAL_ADMINS → '*'`) 을 예시로
 > 사용합니다 — VPD 메커니즘 자체는 동일하므로 개념 이해에는 차이가 없습니다.
 > region 필터를 실제로 켜려면 `sql/adb/03_seed.sql` 하단의 주석을 해제하세요.
 ---
 ## 목차
@@ -470,24 +477,35 @@ AUDIT POLICY vpd_view_access;
 ## 9. 디렉터리·파일 구조
 ```
-ords/
+vpd-permission-poc/
-├── .env                      ← ADB 연결 정보 (비밀번호 포함, .gitignore 됨)
+├── .env                      ← ADB + RDS 연결 정보 (.gitignore 됨)
-├── .gitignore                ← .env, *.log 제외
+├── .env.example
-├── README.md                 ← (선택) 실행 가이드
+├── README.md                 ← 클론-앤-고 가이드
-├── run_poc.sh                ← 셋업/테스트/감사 일괄 실행 스크립트
+├── run.sh                    ← 원클릭 오케스트레이터
 ├── scripts/lib/common.sh
 ├── sql/
-│   ├── 00_cleanup.sql        ← 초기화 (멱등성)
+│   ├── source/
-│   ├── 01_perm_tables.sql    ← 권한 모델 6개 테이블 생성
+│   │   ├── postgres_setup.sql   ← 원격 PG: customers + 12 rows
-│   ├── 02_seed.sql           ← 데모 데이터 주입
+│   │   └── mysql_setup.sql      ← 원격 MySQL: customers + 12 rows
-│   ├── 03_secure_ctx.sql     ← ctx_pkg + Secure Context 생성
+│   └── adb/
-│   ├── 04_views.sql          ← 외부 테이블에 대한 로컬 뷰 2개
+│       ├── 00_cleanup.sql       ← 멱등 초기화
-│   ├── 05_policy.sql         ← VPD 정책 함수 + ADD_POLICY
+│       ├── 01_dblinks.sql       ← DB Link + credential
-│   ├── 06_end_users.sql      ← 일반 사용자 2명 + LOGON 트리거
+│       ├── 02_perm_tables.sql   ← 권한 매핑 6개 테이블
-│   ├── 07_tests_user_a.sql   ← VPDUSER_A 입장에서 검증
+│       ├── 03_seed.sql          ← 4-user 매트릭스 시드
-│   ├── 08_tests_user_b.sql   ← VPDUSER_B 입장에서 검증
+│       ├── 04_secure_ctx.sql    ← ctx_pkg + Secure Context
-│   └── 09_tests_admin_audit.sql ← ADMIN 입장에서 정책·권한 현황 감사
+│       ├── 05_views.sql         ← DB Link 통합 뷰
 │       ├── 06_policy.sql        ← VPD 정책 + 정책 함수
 │       ├── 06a_redaction.sql    ← Data Redaction (이메일/이름 마스킹)
 │       ├── 07_end_users.sql     ← 4 유저 + LOGON 트리거
 │       ├── 08_tests_user_my.sql    ← MY only + 우회 시도 5종
 │       ├── 09_tests_user_pg.sql    ← PG only
 │       ├── 10_tests_user_both.sql  ← both
 │       ├── 11_tests_user_none.sql  ← default deny 검증
 │       └── 12_tests_admin_audit.sql
 └── docs/
-    └── 설명.md               ← (이 문서)
+    ├── 01-quickstart.md
    ├── 02-architecture.md
    └── 03-detailed-guide.md     ← (이 문서)
 ```
 ---
@@ -495,18 +513,18 @@ ords/
 ## 10. 실행 방법
 ```bash
-cd /Users/joungminko/devkit/ords
+cd vpd-permission-poc
-# 1) 전체 셋업 + 테스트 + 감사 한 번에
+# 1) 전체 파이프라인 한 번에
-./run_poc.sh all
+./run.sh                # = ./run.sh all
 # 또는 단계별로:
-./run_poc.sh setup     # 정리 + 모든 객체 생성
+./run.sh prereq         # 도구/.env 검증
-./run_poc.sh test      # VPDUSER_A, VPDUSER_B 시점 테스트
+./run.sh source         # 원격 PG + MySQL 에 customers 테이블/seed
-./run_poc.sh audit     # ADMIN 시점 정책·권한 감사
+./run.sh adb            # ADB 측 cleanup → dblink → 권한/뷰/정책 → 4 유저
-./run_poc.sh teardown  # 전부 삭제
+./run.sh tests          # 4 명 (MY/PG/BOTH/NONE) 시점 테스트
-
+./run.sh audit          # ADMIN 시점 정책·권한 감사
-# .env 파일이 있어야 합니다. (이 POC 에는 포함됨)
+./run.sh teardown       # ADB 측 객체 + dblink 정리
 ```
 ### 사람의 눈으로 직접 확인하고 싶을 때
@@ -514,15 +532,21 @@ cd /Users/joungminko/devkit/ords
 ```bash
 source .env
-# VPDUSER_A로 직접 들어가서 쿼리해보기:
+# 기본 시나리오 — vpduser_pg: PG 뷰는 다 보이고 MySQL 뷰는 0 rows
-sqlplus "vpduser_a/\"RowFilter#A2026\"@$ADB_TNS"
+sqlplus "vpduser_pg/\"${VPDUSER_PG_PASSWORD}\"@$ADB_TNS"
 SQL> SELECT COUNT(*) FROM admin.v_customers_pg;   -- 12
 SQL> SELECT COUNT(*) FROM admin.v_customers_my;   -- 0
 # vpduser_none — default deny
 sqlplus "vpduser_none/\"${VPDUSER_NONE_PASSWORD}\"@$ADB_TNS"
 SQL> SELECT COUNT(*) FROM admin.v_customers_pg;   -- 0
 SQL> SELECT COUNT(*) FROM admin.v_customers_my;   -- 0
 # region 필터 변형을 켰을 때 — vpduser_both 에게 APAC 만 허용한 경우
 # (sql/adb/03_seed.sql 하단 UPDATE 주석 해제 후)
 sqlplus "vpduser_both/\"${VPDUSER_BOTH_PASSWORD}\"@$ADB_TNS"
 SQL> SELECT region, COUNT(*) FROM admin.v_customers_pg GROUP BY region;
 -- 결과: APAC 만 보임
 # VPDUSER_B로:
 sqlplus "vpduser_b/\"RowFilter#B2026\"@$ADB_TNS"
 SQL> SELECT region, COUNT(*) FROM admin.v_customers_pg GROUP BY region;
 -- 결과: APAC, EMEA, NA 모두 보임
 ```
 ---
--- a/docs/04-source-setup.md
+++ b/docs/04-source-setup.md
@@ -41,7 +41,7 @@ seed rows : 12 (PK 101~112, 역시 APAC/EMEA/AMER 4/4/4)
 PK 범위를 PG (1~12) 와 다르게 가져간 이유:
 * 두 소스는 서로 독립적인 별개의 데이터 라는 것을 데모에서 시각적으로 보여주기 위함
-* `vpduser_b` 가 양쪽 뷰를 합칠 때 PK 가 겹치지 않아 UNION 데모하기 쉬움
+* `vpduser_both` 가 양쪽 뷰를 합칠 때 PK 가 겹치지 않아 UNION 데모하기 쉬움
 수동 실행:
@@ -68,7 +68,8 @@ DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
 );
 ```
-MySQL 도 동일 패턴, `db_type` 만 `'mysql'`.
+MySQL 도 동일 패턴, `db_type` 만 `'mysql_community'` (AWS RDS MySQL 은 Community 빌드 — 기본
 `'mysql'` 은 Enterprise Server 전용이라 `ORA-28500` 으로 거절됨).
 링크 검증:
--- a/run.sh
+++ b/run.sh
@@ -7,7 +7,7 @@
 #   ./run.sh prereq       # 도구 존재 / .env 변수만 검증
 #   ./run.sh source       # 원격 PG + MySQL 에 customers 테이블/seed 생성
 #   ./run.sh adb          # ADB 측 cleanup → dblinks → perm/ctx/view/policy → end_users
-#   ./run.sh tests        # vpduser_a / vpduser_b 로 접속해서 행 필터 검증
+#   ./run.sh tests        # 4-user (my/pg/both/none) 로 접속해서 행 필터 검증
 #   ./run.sh audit        # admin 으로 정책/뷰/유저 상태 점검
 #   ./run.sh all          # source → adb → tests → audit
 #   ./run.sh teardown     # ADB 측 객체 + 원격 link/cred 만 정리 (원격 PG/MySQL 데이터는 보존)
@@ -61,14 +61,16 @@ DEFINE MY_PORT            = ${MY_PORT}
 DEFINE MY_DB              = "${MY_DB}"
 DEFINE MY_USER            = "${MY_USER}"
 DEFINE MY_PASSWORD        = "${MY_PASSWORD}"
-DEFINE VPDUSER_A_PASSWORD = "${VPDUSER_A_PASSWORD}"
+DEFINE VPDUSER_MY_PASSWORD   = "${VPDUSER_MY_PASSWORD}"
-DEFINE VPDUSER_B_PASSWORD = "${VPDUSER_B_PASSWORD}"
+DEFINE VPDUSER_PG_PASSWORD   = "${VPDUSER_PG_PASSWORD}"
 DEFINE VPDUSER_BOTH_PASSWORD = "${VPDUSER_BOTH_PASSWORD}"
 DEFINE VPDUSER_NONE_PASSWORD = "${VPDUSER_NONE_PASSWORD}"
@${sql_file}
 SQLEOF
 }
 # ============================================================
-# 헬퍼: 엔드유저 (vpduser_a / vpduser_b) 로 sqlplus 호출
+# 헬퍼: 엔드유저 (vpduser_my / pg / both / none) 로 sqlplus 호출
 # 인자: $1 = USER, $2 = PASSWORD, $3 = SQL 파일
 # ============================================================
 run_sqlplus_as() {
@@ -93,7 +95,8 @@ do_prereq() {
  require_env \
    TNS_ADMIN ADB_TNS ADB_USER \
-    VPDUSER_A_PASSWORD VPDUSER_B_PASSWORD \
+    VPDUSER_MY_PASSWORD VPDUSER_PG_PASSWORD \
    VPDUSER_BOTH_PASSWORD VPDUSER_NONE_PASSWORD \
    PG_HOST PG_PORT PG_DB PG_USER \
    MY_HOST MY_PORT MY_DB MY_USER \
    DBLINK_PG_NAME DBLINK_MY_NAME
@@ -140,15 +143,17 @@ do_adb() {
 }
 do_tests() {
-  log "=== tests: 엔드유저 권한/필터 검증 ==="
+  log "=== tests: 4-user access matrix 검증 ==="
-  run_sqlplus_as vpduser_a "$VPDUSER_A_PASSWORD" "$ROOT/sql/adb/08_tests_user_a.sql"
+  run_sqlplus_as vpduser_my   "$VPDUSER_MY_PASSWORD"   "$ROOT/sql/adb/08_tests_user_my.sql"
-  run_sqlplus_as vpduser_b "$VPDUSER_B_PASSWORD" "$ROOT/sql/adb/09_tests_user_b.sql"
+  run_sqlplus_as vpduser_pg   "$VPDUSER_PG_PASSWORD"   "$ROOT/sql/adb/09_tests_user_pg.sql"
-  ok "user_a / user_b 테스트 실행 완료 (위 출력에서 행 수 / 거부 결과 확인)"
+  run_sqlplus_as vpduser_both "$VPDUSER_BOTH_PASSWORD" "$ROOT/sql/adb/10_tests_user_both.sql"
  run_sqlplus_as vpduser_none "$VPDUSER_NONE_PASSWORD" "$ROOT/sql/adb/11_tests_user_none.sql"
  ok "4명 (MY / PG / BOTH / NONE) 테스트 실행 완료"
 }
 do_audit() {
-  log "=== audit: admin 으로 정책 / 뷰 / 유저 상태 점검 ==="
+  log "=== audit: admin 으로 정책 / 뷰 / 매트릭스 점검 ==="
-  run_sqlplus_file "$ROOT/sql/adb/10_tests_admin_audit.sql"
+  run_sqlplus_file "$ROOT/sql/adb/12_tests_admin_audit.sql"
  ok "audit 완료"
 }
--- a/sql/adb/00_cleanup.sql
+++ b/sql/adb/00_cleanup.sql
@@ -42,9 +42,19 @@ BEGIN EXECUTE IMMEDIATE 'DROP FUNCTION vpd_region_filter';   EXCEPTION WHEN OTHE
 /
 PROMPT === Dropping end-user accounts (cascade) ===
-BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_a CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
+BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_my   CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
 /
-BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_b CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
+BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_pg   CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
 /
 BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_both CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
 /
 BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_none CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
 /
 -- Legacy names from the original 2-user scenario — kept for idempotent
 -- re-runs over an already-installed POC.
 BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_a    CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
 /
 BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_b    CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
 /
 PROMPT === Dropping permission tables ===
--- a/sql/adb/03_seed.sql
+++ b/sql/adb/03_seed.sql
@@ -1,9 +1,19 @@
 -- ============================================================
-- 02_seed.sql
+-- 03_seed.sql
-- Seed two end-users with different permissions to demonstrate VPD.
+-- Seed FOUR end-users to demonstrate a 2x2 source-access matrix:
 --
--   VPDUSER_A -> group KR_ANALYSTS   -> allowed_regions = 'APAC'
+--   user           PG view      MySQL view    VPD predicate effect
--   VPDUSER_B -> group GLOBAL_ADMINS -> allowed_regions = '*'  (all rows)
+--   -------------  -----------  ------------  ---------------------------
 --   VPDUSER_MY     blocked      ALL rows      PG='1=0'   / MY=NULL(='*')
 --   VPDUSER_PG     ALL rows     blocked       PG=NULL    / MY='1=0'
 --   VPDUSER_BOTH   ALL rows     ALL rows      PG=NULL    / MY=NULL
 --   VPDUSER_NONE   blocked      blocked       PG='1=0'   / MY='1=0'
 --
 -- The `permission` table grants per (group, source/view).
 -- For this simplified demo every grant uses allowed_regions='*'
 -- (full visibility within the source). Row-level region filtering
 -- is still supported by the policy function — see commented examples
 -- at the bottom of this file for how to layer it in.
 --
 -- Run as ADMIN.
 -- ============================================================
@@ -12,35 +22,66 @@ SET FEEDBACK ON
 PROMPT === Seeding permission data ===
 -- Tenant (kept generic — multi-tenant hook for future use).
 INSERT INTO app_customer (customer_id, customer_name) VALUES (1, 'Acme Corp');
-INSERT INTO app_user (user_id, db_username, customer_id) VALUES (1, 'VPDUSER_A', 1);
+-- Four end-users, each Oracle SESSION_USER value (uppercased).
-INSERT INTO app_user (user_id, db_username, customer_id) VALUES (2, 'VPDUSER_B', 1);
+INSERT INTO app_user (user_id, db_username, customer_id) VALUES (1, 'VPDUSER_MY',   1);
 INSERT INTO app_user (user_id, db_username, customer_id) VALUES (2, 'VPDUSER_PG',   1);
 INSERT INTO app_user (user_id, db_username, customer_id) VALUES (3, 'VPDUSER_BOTH', 1);
 INSERT INTO app_user (user_id, db_username, customer_id) VALUES (4, 'VPDUSER_NONE', 1);
-INSERT INTO app_group (group_id, customer_id, group_name) VALUES (10, 1, 'KR_ANALYSTS');
+-- One group per access pattern (1:1 in this demo; in production one
-INSERT INTO app_group (group_id, customer_id, group_name) VALUES (20, 1, 'GLOBAL_ADMINS');
+-- group typically aggregates many users).
 INSERT INTO app_group (group_id, customer_id, group_name) VALUES (10, 1, 'MY_ONLY');
 INSERT INTO app_group (group_id, customer_id, group_name) VALUES (20, 1, 'PG_ONLY');
 INSERT INTO app_group (group_id, customer_id, group_name) VALUES (30, 1, 'BOTH_SOURCES');
 -- (No group is needed for VPDUSER_NONE — absence of grants == fail-closed.)
-- A -> KR_ANALYSTS
+-- (VPDUSER_NONE deliberately has no user_group row -> fail-closed.)
 INSERT INTO user_group (user_id, group_id) VALUES (1, 10);
 -- B -> GLOBAL_ADMINS
 INSERT INTO user_group (user_id, group_id) VALUES (2, 20);
 INSERT INTO user_group (user_id, group_id) VALUES (3, 30);
 -- Source registry.
 INSERT INTO db_source (source_id, source_name, source_type, dblink_name)
  VALUES (100, 'RDS_POSTGRES', 'DBLINK_PG', 'RDS_POSTGRES_LINK');
 INSERT INTO db_source (source_id, source_name, source_type, dblink_name)
  VALUES (200, 'RDS_MYSQL',    'DBLINK_MY', 'RDS_LINK');
-- Permissions: KR analysts see APAC only; Global admins see everything.
+-- Permissions: '*' means no row filter (full visibility on that view).
 -- Mapping (group -> view):
 --   MY_ONLY(10)      -> V_CUSTOMERS_MY
 --   PG_ONLY(20)      -> V_CUSTOMERS_PG
 --   BOTH_SOURCES(30) -> V_CUSTOMERS_PG + V_CUSTOMERS_MY
 -- (VPDUSER_NONE has no group, hence no permission row.)
 INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
-  VALUES (1, 10, 100, 'V_CUSTOMERS_PG', 'APAC');
+  VALUES (1, 10, 200, 'V_CUSTOMERS_MY', '*');
 INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
-  VALUES (2, 10, 200, 'V_CUSTOMERS_MY', 'APAC');
+  VALUES (2, 20, 100, 'V_CUSTOMERS_PG', '*');
 INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
-  VALUES (3, 20, 100, 'V_CUSTOMERS_PG', '*');
+  VALUES (3, 30, 100, 'V_CUSTOMERS_PG', '*');
 INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
-  VALUES (4, 20, 200, 'V_CUSTOMERS_MY', '*');
+  VALUES (4, 30, 200, 'V_CUSTOMERS_MY', '*');
 COMMIT;
 -- ------------------------------------------------------------
 -- HOW TO LAYER IN ROW-LEVEL REGION FILTERS (uncomment to try)
 -- ------------------------------------------------------------
 -- 'BOTH_SOURCES' showing only APAC from PG instead of '*':
 --   UPDATE permission SET allowed_regions = 'APAC'
 --    WHERE group_id = 30 AND object_name = 'V_CUSTOMERS_PG';
 --   COMMIT;
 --
 -- Multi-region (CSV) example for the same group on MySQL:
 --   UPDATE permission SET allowed_regions = 'APAC,EMEA'
 --    WHERE group_id = 30 AND object_name = 'V_CUSTOMERS_MY';
 --   COMMIT;
 --
 -- The policy function vpd_region_filter handles CSV → IN-list
 -- conversion automatically. See sql/adb/06_policy.sql.
 -- ------------------------------------------------------------
 PROMPT === Seed complete ===
 EXIT;
--- a/sql/adb/06a_redaction.sql
+++ b/sql/adb/06a_redaction.sql
@@ -6,8 +6,10 @@
 --   PII columns (email, full_name) are MASKED unless the session
 --   has full-region access ('*') on the corresponding view.
 --
--   - VPDUSER_A (KR_ANALYSTS, regions = 'APAC')  -> sees masked PII
+--   - VPDUSER_MY    -> PG view masked, MY view unmasked (allowed '*')
--   - VPDUSER_B (GLOBAL_ADMINS, regions = '*')   -> sees real PII
+--   - VPDUSER_PG    -> PG view unmasked, MY view masked
 --   - VPDUSER_BOTH  -> both views unmasked
 --   - VPDUSER_NONE  -> both masked (but rows filtered to 0 anyway)
 --
 -- Reuses the secure VPD_CTX populated at logon — no new context.
 -- Data Redaction and VPD compose: VPD filters rows first, Redaction
--- a/sql/adb/07_end_users.sql
+++ b/sql/adb/07_end_users.sql
@@ -1,10 +1,11 @@
 -- ============================================================
 -- 07_end_users.sql
-- Create the two end-user accounts with MINIMAL privileges.
+-- Create the FOUR end-user accounts with MINIMAL privileges.
 -- Add a LOGON trigger that loads each user's context automatically.
 -- Run as ADMIN.
 --
-- DEFINE: &VPDUSER_A_PASSWORD, &VPDUSER_B_PASSWORD
+-- DEFINE: &VPDUSER_MY_PASSWORD, &VPDUSER_PG_PASSWORD,
 --         &VPDUSER_BOTH_PASSWORD, &VPDUSER_NONE_PASSWORD
 -- ============================================================
 SET ECHO OFF
 SET FEEDBACK ON
@@ -13,25 +14,38 @@ SET DEFINE ON
 PROMPT === Creating end-user accounts ===
 -- Passwords come from .env (DEFINE) so they aren't hardcoded in source.
 -- Production should use IAM / proxy auth / mTLS instead of static passwords.
-CREATE USER vpduser_a IDENTIFIED BY "&VPDUSER_A_PASSWORD";
+CREATE USER vpduser_my   IDENTIFIED BY "&VPDUSER_MY_PASSWORD";
-CREATE USER vpduser_b IDENTIFIED BY "&VPDUSER_B_PASSWORD";
+CREATE USER vpduser_pg   IDENTIFIED BY "&VPDUSER_PG_PASSWORD";
 CREATE USER vpduser_both IDENTIFIED BY "&VPDUSER_BOTH_PASSWORD";
 CREATE USER vpduser_none IDENTIFIED BY "&VPDUSER_NONE_PASSWORD";
-- ADB requires a tablespace quota even for read-only users in some setups; we
+-- Login privilege only. No QUOTA — these users never create objects.
-- skip QUOTA since these users won't create objects.
+GRANT CREATE SESSION TO vpduser_my;
-GRANT CREATE SESSION TO vpduser_a;
+GRANT CREATE SESSION TO vpduser_pg;
-GRANT CREATE SESSION TO vpduser_b;
+GRANT CREATE SESSION TO vpduser_both;
 GRANT CREATE SESSION TO vpduser_none;
 PROMPT === Granting SELECT on the policy-protected views ONLY ===
-GRANT SELECT ON v_customers_pg TO vpduser_a;
+-- We deliberately grant SELECT on BOTH views to all four users.
-GRANT SELECT ON v_customers_my TO vpduser_a;
+-- The VPD policy decides what they actually see — including 0 rows
-GRANT SELECT ON v_customers_pg TO vpduser_b;
+-- when there is no permission row. This is what makes the demo a
-GRANT SELECT ON v_customers_my TO vpduser_b;
+-- clean security boundary: revoking access doesn't mean revoking
 -- the GRANT; it means removing the row in `permission`.
 GRANT SELECT ON v_customers_pg TO vpduser_my;
 GRANT SELECT ON v_customers_my TO vpduser_my;
 GRANT SELECT ON v_customers_pg TO vpduser_pg;
 GRANT SELECT ON v_customers_my TO vpduser_pg;
 GRANT SELECT ON v_customers_pg TO vpduser_both;
 GRANT SELECT ON v_customers_my TO vpduser_both;
 GRANT SELECT ON v_customers_pg TO vpduser_none;
 GRANT SELECT ON v_customers_my TO vpduser_none;
-- Allow them to call ctx_pkg.init (the logon trigger needs this, and a manual
+-- ctx_pkg is bound to the secure context; calling it is harmless
-- re-init is sometimes useful). The package is bound to vpd_ctx so calling it
+-- (the package always loads ONLY the caller's own permissions).
-- is harmless: it only ever loads the caller's OWN permissions.
+GRANT EXECUTE ON ctx_pkg TO vpduser_my;
-GRANT EXECUTE ON ctx_pkg TO vpduser_a;
+GRANT EXECUTE ON ctx_pkg TO vpduser_pg;
-GRANT EXECUTE ON ctx_pkg TO vpduser_b;
+GRANT EXECUTE ON ctx_pkg TO vpduser_both;
 GRANT EXECUTE ON ctx_pkg TO vpduser_none;
 -- NOTE on what we are deliberately NOT granting:
 --   * NO grant on app_user / permission / etc.    -> users can't read who-can-see-what
@@ -46,7 +60,8 @@ CREATE OR REPLACE TRIGGER vpd_logon_trg
 AFTER LOGON ON DATABASE
 BEGIN
  -- Only fire for our application end-users. ADMIN logons keep normal behavior.
-  IF SYS_CONTEXT('USERENV','SESSION_USER') IN ('VPDUSER_A','VPDUSER_B') THEN
+  IF SYS_CONTEXT('USERENV','SESSION_USER') IN
       ('VPDUSER_MY','VPDUSER_PG','VPDUSER_BOTH','VPDUSER_NONE') THEN
    admin.ctx_pkg.init;
  END IF;
 EXCEPTION
--- a/sql/adb/08_tests_user_my.sql
+++ b/sql/adb/08_tests_user_my.sql
@@ -1,7 +1,13 @@
 -- ============================================================
-- 07_tests_user_a.sql
+-- 08_tests_user_my.sql
-- Run as VPDUSER_A (group KR_ANALYSTS, allowed_regions=APAC).
+-- Run as VPDUSER_MY (group MY_ONLY).
-- Expected: only APAC rows visible; bypass attempts fail.
+--
 -- Expected:
 --   - regions_pg = NULL  -> policy returns '1=0' -> 0 rows from PG view
 --   - regions_my = '*'   -> policy returns NULL  -> ALL rows from MySQL view
 --   - email/full_name on MySQL view are unmasked ('*' bypasses redaction)
 --   - all five bypass attempts fail (this is the full bypass-attempt suite;
 --     the other three user tests rerun the most relevant subset only)
 -- ============================================================
 SET FEEDBACK ON
 SET LINESIZE 200
@@ -9,42 +15,37 @@ SET PAGESIZE 100
 PROMPT
 PROMPT === Who am I, and what context did the LOGON trigger load? ===
-SELECT USER AS session_user,
+SELECT USER                                  AS session_user,
-       SYS_CONTEXT('VPD_CTX','USER_ID')         AS app_user_id,
+       SYS_CONTEXT('VPD_CTX','USER_ID')      AS app_user_id,
-       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG')  AS regions_pg,
+       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
-       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY')  AS regions_my
+       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
 FROM dual;
 PROMPT
-PROMPT === Distinct regions visible from Postgres view (expect: APAC only) ===
+PROMPT === Row counts (expect: PG=0, MY=17) ===
 SELECT DISTINCT region FROM admin.v_customers_pg ORDER BY 1;
 PROMPT
 PROMPT === Distinct regions visible from MySQL view (expect: APAC only) ===
 SELECT DISTINCT region FROM admin.v_customers_my ORDER BY 1;
 PROMPT
 PROMPT === Row counts ===
 SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
 UNION ALL
 SELECT 'V_CUSTOMERS_MY',                COUNT(*)                FROM admin.v_customers_my;
 PROMPT
-PROMPT === PII REDACTION (expect masked email/full_name: 'j****@...' / 'A****') ===
+PROMPT === MySQL view sample (expect: ALL regions, UNMASKED email/full_name) ===
 COLUMN customer_id FORMAT 9999
 COLUMN full_name   FORMAT A20
 COLUMN email       FORMAT A30
 COLUMN region      FORMAT A8
 SELECT customer_id, full_name, email, region
 FROM   admin.v_customers_my
 ORDER  BY customer_id
 FETCH FIRST 5 ROWS ONLY;
 PROMPT
 PROMPT === PG view sample (expect: NO ROWS — fail closed) ===
 SELECT customer_id, full_name, email, region
 FROM   admin.v_customers_pg
 ORDER  BY customer_id;
 SELECT customer_id, full_name, email, region
 FROM   admin.v_customers_my
 ORDER  BY customer_id;
 PROMPT
-PROMPT === BYPASS 1: query remote table directly (expect ORA-00942 / privilege error) ===
+PROMPT === BYPASS 1: query remote tables directly (expect ORA-00942 / privilege error) ===
 WHENEVER SQLERROR CONTINUE;
 SELECT COUNT(*) FROM "public"."customers"@RDS_POSTGRES_LINK;
 SELECT COUNT(*) FROM "ecommerce_poc"."customers"@RDS_LINK;
--- a/sql/adb/09_tests_user_b.sql
+++ b/sql/adb/09_tests_user_b.sql
@@ -1,46 +0,0 @@
 -- ============================================================
 -- 08_tests_user_b.sql
 -- Run as VPDUSER_B (group GLOBAL_ADMINS, allowed_regions=*).
 -- Expected: ALL regions visible (no row filter).
 -- ============================================================
 SET FEEDBACK ON
 SET LINESIZE 200
 SET PAGESIZE 100
 PROMPT
 PROMPT === Who am I, and what context did the LOGON trigger load? ===
 SELECT USER AS session_user,
       SYS_CONTEXT('VPD_CTX','USER_ID')         AS app_user_id,
       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG')  AS regions_pg,
       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY')  AS regions_my
 FROM dual;
 PROMPT
 PROMPT === Distinct regions visible from Postgres view (expect: all regions) ===
 SELECT DISTINCT region FROM admin.v_customers_pg ORDER BY 1;
 PROMPT
 PROMPT === Distinct regions visible from MySQL view (expect: all regions) ===
 SELECT DISTINCT region FROM admin.v_customers_my ORDER BY 1;
 PROMPT
 PROMPT === Row counts (expect higher than VPDUSER_A) ===
 SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
 UNION ALL
 SELECT 'V_CUSTOMERS_MY',                COUNT(*)                FROM admin.v_customers_my;
 PROMPT
 PROMPT === PII REDACTION (expect REAL email/full_name — GLOBAL_ADMINS has '*' so no masking) ===
 COLUMN customer_id FORMAT 9999
 COLUMN full_name   FORMAT A20
 COLUMN email       FORMAT A30
 COLUMN region      FORMAT A8
 SELECT customer_id, full_name, email, region
 FROM   admin.v_customers_pg
 ORDER  BY customer_id;
 SELECT customer_id, full_name, email, region
 FROM   admin.v_customers_my
 ORDER  BY customer_id;
 EXIT;
--- a/sql/adb/09_tests_user_pg.sql
+++ b/sql/adb/09_tests_user_pg.sql
@@ -0,0 +1,44 @@
 -- ============================================================
 -- 09_tests_user_pg.sql
 -- Run as VPDUSER_PG (group PG_ONLY).
 --
 -- Expected (mirror of 08):
 --   - regions_pg = '*'   -> ALL rows from PG view, unmasked
 --   - regions_my = NULL  -> 0 rows from MySQL view
 -- ============================================================
 SET FEEDBACK ON
 SET LINESIZE 200
 SET PAGESIZE 100
 PROMPT
 PROMPT === Who am I, and what context did the LOGON trigger load? ===
 SELECT USER                                  AS session_user,
       SYS_CONTEXT('VPD_CTX','USER_ID')      AS app_user_id,
       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
 FROM dual;
 PROMPT
 PROMPT === Row counts (expect: PG=12, MY=0) ===
 SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
 UNION ALL
 SELECT 'V_CUSTOMERS_MY',                COUNT(*)                FROM admin.v_customers_my;
 PROMPT
 PROMPT === PG view sample (expect: ALL regions, UNMASKED email/full_name) ===
 COLUMN customer_id FORMAT 9999
 COLUMN full_name   FORMAT A20
 COLUMN email       FORMAT A30
 COLUMN region      FORMAT A8
 SELECT customer_id, full_name, email, region
 FROM   admin.v_customers_pg
 ORDER  BY customer_id
 FETCH FIRST 5 ROWS ONLY;
 PROMPT
 PROMPT === MySQL view sample (expect: NO ROWS — fail closed) ===
 SELECT customer_id, full_name, email, region
 FROM   admin.v_customers_my
 ORDER  BY customer_id;
 EXIT;
--- a/sql/adb/10_tests_user_both.sql
+++ b/sql/adb/10_tests_user_both.sql
@@ -0,0 +1,45 @@
 -- ============================================================
 -- 10_tests_user_both.sql
 -- Run as VPDUSER_BOTH (group BOTH_SOURCES).
 --
 -- Expected:
 --   - regions_pg = '*' AND regions_my = '*'
 --   - Both views fully visible, PII unmasked everywhere
 -- ============================================================
 SET FEEDBACK ON
 SET LINESIZE 200
 SET PAGESIZE 100
 PROMPT
 PROMPT === Who am I, and what context did the LOGON trigger load? ===
 SELECT USER                                  AS session_user,
       SYS_CONTEXT('VPD_CTX','USER_ID')      AS app_user_id,
       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
 FROM dual;
 PROMPT
 PROMPT === Row counts (expect: PG=12, MY=17) ===
 SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
 UNION ALL
 SELECT 'V_CUSTOMERS_MY',                COUNT(*)                FROM admin.v_customers_my;
 PROMPT
 PROMPT === PG view sample (expect: UNMASKED) ===
 COLUMN customer_id FORMAT 9999
 COLUMN full_name   FORMAT A20
 COLUMN email       FORMAT A30
 COLUMN region      FORMAT A8
 SELECT customer_id, full_name, email, region
 FROM   admin.v_customers_pg
 ORDER  BY customer_id
 FETCH FIRST 5 ROWS ONLY;
 PROMPT
 PROMPT === MySQL view sample (expect: UNMASKED) ===
 SELECT customer_id, full_name, email, region
 FROM   admin.v_customers_my
 ORDER  BY customer_id
 FETCH FIRST 5 ROWS ONLY;
 EXIT;
--- a/sql/adb/11_tests_user_none.sql
+++ b/sql/adb/11_tests_user_none.sql
@@ -0,0 +1,53 @@
 -- ============================================================
 -- 11_tests_user_none.sql
 -- Run as VPDUSER_NONE — the "default deny" case.
 --
 -- This user has CREATE SESSION and SELECT on both views, but ZERO
 -- rows in the permission table. The LOGON trigger still fires and
 -- ctx_pkg.init still runs — it just finds nothing to load.
 --
 -- Expected:
 --   - regions_pg = NULL AND regions_my = NULL
 --   - Both views return 0 rows (policy returns '1=0' / fail-closed)
 --   - This proves the model is "deny by default" — adding a user
 --     without a permission row is automatically safe.
 -- ============================================================
 SET FEEDBACK ON
 SET LINESIZE 200
 SET PAGESIZE 100
 PROMPT
 PROMPT === Who am I, and what context did the LOGON trigger load? ===
 PROMPT === (expect: regions_pg and regions_my both NULL) ===
 SELECT USER                                  AS session_user,
       SYS_CONTEXT('VPD_CTX','USER_ID')      AS app_user_id,
       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
       SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
 FROM dual;
 PROMPT
 PROMPT === Row counts (expect: PG=0, MY=0 — fail-closed) ===
 SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
 UNION ALL
 SELECT 'V_CUSTOMERS_MY',                COUNT(*)                FROM admin.v_customers_my;
 PROMPT
 PROMPT === Confirm no rows leak through despite the GRANT on the view ===
 SELECT * FROM admin.v_customers_pg WHERE ROWNUM <= 1;
 SELECT * FROM admin.v_customers_my WHERE ROWNUM <= 1;
 PROMPT
 PROMPT === BYPASS: even with no permission row, all 4 bypass surfaces blocked ===
 WHENEVER SQLERROR CONTINUE;
 SELECT COUNT(*) FROM "public"."customers"@RDS_POSTGRES_LINK;
 SELECT COUNT(*) FROM admin.permission;
 BEGIN
  DBMS_SESSION.SET_CONTEXT('VPD_CTX','V_CUSTOMERS_PG','*');
 END;
 /
 BEGIN
  DBMS_RLS.DROP_POLICY('ADMIN','V_CUSTOMERS_PG','CUSTOMERS_PG_POLICY');
 END;
 /
 EXIT;
--- a/sql/adb/12_tests_admin_audit.sql
+++ b/sql/adb/12_tests_admin_audit.sql
@@ -1,6 +1,7 @@
 -- ============================================================
-- 09_tests_admin_audit.sql
+-- 12_tests_admin_audit.sql
-- Run as ADMIN to audit / verify policy attachment.
+-- Run as ADMIN to audit / verify policy attachment and the
 -- 4-user access matrix.
 -- ============================================================
 SET FEEDBACK ON
 SET LINESIZE 220
@@ -14,7 +15,7 @@ COL sel         FORMAT a3
 COL enable      FORMAT a6
 PROMPT
-PROMPT === Attached VPD policies ===
+PROMPT === Attached VPD policies (expect rows for V_CUSTOMERS_PG and V_CUSTOMERS_MY) ===
 SELECT object_name,
       policy_name AS policy,
       pf_owner,
@@ -24,6 +25,7 @@ SELECT object_name,
       enable
 FROM   dba_policies
 WHERE  object_owner = USER
  AND  object_name IN ('V_CUSTOMERS_PG','V_CUSTOMERS_MY')
 ORDER BY object_name, policy_name;
 PROMPT
@@ -39,7 +41,7 @@ WHERE  object_owner = USER
 ORDER  BY object_name, policy_name;
 PROMPT
-PROMPT === Redacted columns (which columns get masked, and how) ===
+PROMPT === Redacted columns ===
 COL object_name   FORMAT a20
 COL column_name   FORMAT a15
 COL function_type FORMAT a15
@@ -55,17 +57,27 @@ WHERE  object_owner = USER
 ORDER  BY object_name, column_name;
 PROMPT
-PROMPT === Permission summary (who can see what) ===
+PROMPT === 4-user access matrix (from permission table) ===
 PROMPT === Expected:                                                        ===
 PROMPT ===   VPDUSER_MY    -> V_CUSTOMERS_MY   '*'                          ===
 PROMPT ===   VPDUSER_PG    -> V_CUSTOMERS_PG   '*'                          ===
 PROMPT ===   VPDUSER_BOTH  -> V_CUSTOMERS_PG   '*'  +  V_CUSTOMERS_MY  '*'  ===
 PROMPT ===   VPDUSER_NONE  -> (no rows — fail-closed by absence)            ===
 COL db_username     FORMAT a14
 COL group_name      FORMAT a14
 COL source_name     FORMAT a14
 COL object_name     FORMAT a16
 COL allowed_regions FORMAT a16
 SELECT u.db_username,
       g.group_name,
       s.source_name,
       p.object_name,
       p.allowed_regions
 FROM   app_user u
-JOIN   user_group ug ON ug.user_id  = u.user_id
+LEFT JOIN user_group ug ON ug.user_id  = u.user_id
-JOIN   app_group g  ON g.group_id   = ug.group_id
+LEFT JOIN app_group g   ON g.group_id   = ug.group_id
-JOIN   permission p ON p.group_id   = g.group_id
+LEFT JOIN permission p  ON p.group_id   = g.group_id
-JOIN   db_source s  ON s.source_id  = p.source_id
+LEFT JOIN db_source s   ON s.source_id  = p.source_id
-ORDER BY u.db_username, p.object_name;
+ORDER BY u.db_username, p.object_name NULLS LAST;
 EXIT;