ADB-centered row-level access control across heterogeneous DB sources
(AWS RDS Postgres + MySQL) using Oracle VPD + Data Redaction +
Secure Application Context, packaged as a one-click demo.
Mechanism:
- LOGON trigger calls ctx_pkg.init once per session to load the user's
allowed regions from the permission mapping tables into a Secure App
Context (VPD_CTX, USING ctx_pkg).
- VPD policy function vpd_region_filter reads SYS_CONTEXT and returns
an IN-list predicate (or '1=0' for fail-closed, NULL for '*'),
which Oracle injects into every SELECT on the protected views.
- Data Redaction reuses the same context to mask PII (email, full_name)
when the allowed-regions value is not '*'.
- 5 documented bypass attempts (direct DB link SELECT, SET_CONTEXT
spoof, DBMS_RLS drop, mapping table SELECT) all blocked by GRANT
scoping + DEFINER rights on ctx_pkg.
One-click entrypoint:
- ./run.sh {prereq|source|adb|tests|audit|all|teardown}
- Source DDL (Postgres + MySQL customers + 12-row seed each) is
applied via local psql/mysql; ADB-side setup via sqlplus with .env
values injected as SQL*Plus DEFINE substitutions.
Verified E2E on ADB 26ai + AWS RDS PG + RDS MySQL (mysql_community
gateway) on 2026-05-26: VPDUSER_A sees only APAC rows (PG 2 / MySQL 6,
PII masked), VPDUSER_B sees all (PG 12 / MySQL 17, PII unmasked).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
57 lines
2.0 KiB
SQL
-- ============================================================
-- 01_perm_tables.sql
-- Permission model (the "policy plane"). All tables live in ADMIN.
-- Run as ADMIN.
-- ============================================================
SET ECHO OFF
SET FEEDBACK ON

PROMPT === Creating permission-model tables ===

CREATE TABLE app_customer (
  customer_id   NUMBER PRIMARY KEY,
  customer_name VARCHAR2(80) NOT NULL UNIQUE
);

CREATE TABLE app_user (
  user_id     NUMBER PRIMARY KEY,
  db_username VARCHAR2(30) NOT NULL UNIQUE,   -- matches Oracle SESSION_USER (UPPER)
  customer_id NUMBER NOT NULL REFERENCES app_customer(customer_id),
  active      CHAR(1) DEFAULT 'Y' CHECK (active IN ('Y','N'))
);

CREATE TABLE app_group (
  group_id    NUMBER PRIMARY KEY,
  customer_id NUMBER NOT NULL REFERENCES app_customer(customer_id),
  group_name  VARCHAR2(60) NOT NULL,
  UNIQUE (customer_id, group_name)
);

-- Many-to-many: a user may belong to several groups of its customer.
CREATE TABLE user_group (
  user_id  NUMBER NOT NULL REFERENCES app_user(user_id),
  group_id NUMBER NOT NULL REFERENCES app_group(group_id),
  PRIMARY KEY (user_id, group_id)
);

CREATE TABLE db_source (
  source_id   NUMBER PRIMARY KEY,
  source_name VARCHAR2(60) NOT NULL UNIQUE,   -- e.g. RDS_POSTGRES, RDS_MYSQL
  source_type VARCHAR2(30) NOT NULL,          -- 'DBLINK_PG','DBLINK_MY','EXTERNAL_TABLE',...
  dblink_name VARCHAR2(128)
);

-- Each permission row says: this group, on this object of this source,
-- is allowed to see rows where region is in `allowed_regions`.
-- Convention: '*' means no restriction (full access).
CREATE TABLE permission (
  perm_id         NUMBER PRIMARY KEY,
  group_id        NUMBER NOT NULL REFERENCES app_group(group_id),
  source_id       NUMBER NOT NULL REFERENCES db_source(source_id),
  object_name     VARCHAR2(60) NOT NULL,      -- the local view name, e.g. 'V_CUSTOMERS_PG'
  allowed_regions VARCHAR2(200) NOT NULL,     -- CSV: 'KR,APAC' or '*'
  UNIQUE (group_id, source_id, object_name)
);

PROMPT === Permission tables created ===
EXIT;