joungmin/vpd-permission-poc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3045271ffb230cbea2548a3ad85179eaddf8d1bf
vpd-permission-poc/sql/adb/06a_redaction.sql
devmrko ed91306ee3 Pivot scenario from region-based 2 users to source-based 4 users 
Replaces the original APAC-vs-all 2-user demo (vpduser_a/b on
KR_ANALYSTS/GLOBAL_ADMINS groups) with a 2x2 source-access matrix:

  vpduser_my    -> MY_ONLY      group  -> MySQL view only
  vpduser_pg    -> PG_ONLY      group  -> Postgres view only
  vpduser_both  -> BOTH_SOURCES group  -> both views
  vpduser_none  -> (no group)          -> nothing (default deny)

Why: source-level segmentation is the more common production
permission story than region-level filtering. Region filtering
remains available as an opt-in variant via commented UPDATE in
sql/adb/03_seed.sql.

Key changes:
- 03_seed.sql, 07_end_users.sql, 00_cleanup.sql, .env.example,
  run.sh updated for the new 4-user model. All 4 users get
  identical view GRANTs; the only differentiator is the
  permission table (proves the model is "data-driven, not
  GRANT-driven").
- 08-11 split into one file per user: my (+ 5 bypass attempts),
  pg, both, none (default-deny verification).
- 12_tests_admin_audit.sql uses LEFT JOIN so vpduser_none shows
  up as NULL permissions, and filters by object_owner=USER to
  exclude cross-schema policies.
- Removed inline "-- comment" after ";" lines in 03_seed.sql:
  SQL*Plus silently skipped the inserts (documented gotcha).
- README.md + docs/01,02 updated for the 4-user matrix. docs/03
  detailed guide keeps the region-filter example but now has a
  preface explaining it's a variant of the default 4-user model.
- docs/04: db_type='mysql_community' note added (RDS MySQL).

E2E verified: PG=0/MY=17, PG=12/MY=0, PG=12/MY=17, PG=0/MY=0
plus all 5 bypass attempts blocked.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-26 14:42:11 +09:00

88 lines
3.1 KiB
SQL
Raw Blame History

-- ============================================================
-- 05a_redaction.sql
-- Column-level masking with Oracle Data Redaction (DBMS_REDACT).
--
-- Policy:
-- PII columns (email, full_name) are MASKED unless the session
-- has full-region access ('*') on the corresponding view.
--
-- - VPDUSER_MY -> PG view masked, MY view unmasked (allowed '*')
-- - VPDUSER_PG -> PG view unmasked, MY view masked
-- - VPDUSER_BOTH -> both views unmasked
-- - VPDUSER_NONE -> both masked (but rows filtered to 0 anyway)
--
-- Reuses the secure VPD_CTX populated at logon — no new context.
-- Data Redaction and VPD compose: VPD filters rows first, Redaction
-- then transforms columns on the surviving rows.
--
-- NOTE: ADMIN has the EXEMPT REDACTION POLICY system privilege
-- implicitly via DBA, so ADMIN sessions still see real values.
-- End-users do not have it, so they see the masked output.
-- ============================================================
SET ECHO OFF
SET FEEDBACK ON
SET DEFINE OFF
PROMPT === Creating PII redaction policy on v_customers_pg ===
BEGIN
DBMS_REDACT.ADD_POLICY(
object_schema => USER,
object_name => 'V_CUSTOMERS_PG',
column_name => 'EMAIL',
policy_name => 'PII_REDACT_PG',
function_type => DBMS_REDACT.REGEXP,
regexp_pattern => '^(.)(.*)(@.*)$',
regexp_replace_string => '\1****\3',
regexp_position => 1,
regexp_occurrence => 1,
expression => 'SYS_CONTEXT(''VPD_CTX'',''V_CUSTOMERS_PG'') IS NULL OR SYS_CONTEXT(''VPD_CTX'',''V_CUSTOMERS_PG'') != ''*'''
);
DBMS_REDACT.ALTER_POLICY(
object_schema => USER,
object_name => 'V_CUSTOMERS_PG',
policy_name => 'PII_REDACT_PG',
action => DBMS_REDACT.ADD_COLUMN,
column_name => 'FULL_NAME',
function_type => DBMS_REDACT.REGEXP,
regexp_pattern => '^(.)(.*)$',
regexp_replace_string => '\1****',
regexp_position => 1,
regexp_occurrence => 1
);
END;
/
PROMPT === Creating PII redaction policy on v_customers_my ===
BEGIN
DBMS_REDACT.ADD_POLICY(
object_schema => USER,
object_name => 'V_CUSTOMERS_MY',
column_name => 'EMAIL',
policy_name => 'PII_REDACT_MY',
function_type => DBMS_REDACT.REGEXP,
regexp_pattern => '^(.)(.*)(@.*)$',
regexp_replace_string => '\1****\3',
regexp_position => 1,
regexp_occurrence => 1,
expression => 'SYS_CONTEXT(''VPD_CTX'',''V_CUSTOMERS_MY'') IS NULL OR SYS_CONTEXT(''VPD_CTX'',''V_CUSTOMERS_MY'') != ''*'''
);
DBMS_REDACT.ALTER_POLICY(
object_schema => USER,
object_name => 'V_CUSTOMERS_MY',
policy_name => 'PII_REDACT_MY',
action => DBMS_REDACT.ADD_COLUMN,
column_name => 'FULL_NAME',
function_type => DBMS_REDACT.REGEXP,
regexp_pattern => '^(.)(.*)$',
regexp_replace_string => '\1****',
regexp_position => 1,
regexp_occurrence => 1
);
END;
/
PROMPT === Redaction policies attached ===
EXIT;
Reference in New Issue View Git Blame Copy Permalink