From 192bf5de0d4d743d3081fa408614dfb0b39f21b6 Mon Sep 17 00:00:00 2001 From: Rodrigo Date: Thu, 14 May 2026 13:53:20 -0300 Subject: [PATCH] Document RAG workshop role creation --- .../06-rag-vector-classified-docs/WORKSHOP.md | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/scenarios/06-rag-vector-classified-docs/WORKSHOP.md b/scenarios/06-rag-vector-classified-docs/WORKSHOP.md index 02821a2..e752d08 100755 --- a/scenarios/06-rag-vector-classified-docs/WORKSHOP.md +++ b/scenarios/06-rag-vector-classified-docs/WORKSHOP.md @@ -160,6 +160,67 @@ Run: This creates the end users, data roles, and a broad legacy retrieval role used only to demonstrate the vulnerable "before" state. +The personas and roles are created in `02_identities.sql`. + +First, the lab creates four DDS end users: + +```sql +CREATE END USER nina IDENTIFIED BY "Welcome1_DDS!"; +CREATE END USER heitor IDENTIFIED BY "Welcome1_DDS!"; +CREATE END USER sofia IDENTIFIED BY "Welcome1_DDS!"; +CREATE END USER carlos IDENTIFIED BY "Welcome1_DDS!"; +``` + +These are lightweight end-user identities used by DDS to evaluate who is asking the RAG question. + +Next, the lab creates one data role for each business profile: + +```sql +CREATE DATA ROLE rag_employee_role; +CREATE DATA ROLE rag_hr_role; +CREATE DATA ROLE rag_legal_role; +CREATE DATA ROLE rag_exec_role; +``` + +These data roles are the authorization profiles used later by the Data Grants. + +The lab also creates a normal database role that allows the DDS end users to open SQLcl sessions during the demo: + +```sql +CREATE ROLE rag_session_role; +GRANT CREATE SESSION TO rag_session_role; +GRANT rag_session_role TO rag_employee_role; +GRANT rag_session_role TO rag_hr_role; +GRANT rag_session_role TO rag_legal_role; +GRANT rag_session_role TO rag_exec_role; +``` + +This is a lab convenience. In a real application, the connection pool would usually be maintained by a technical application account while the application propagates the end-user security context. + +To demonstrate the vulnerable state before DDS, the lab creates a broad legacy retrieval role: + +```sql +CREATE ROLE rag_legacy_retrieval_role; +GRANT SELECT ON dds_rag_chunks TO rag_legacy_retrieval_role; +GRANT rag_legacy_retrieval_role TO rag_employee_role; +GRANT rag_legacy_retrieval_role TO rag_hr_role; +GRANT rag_legacy_retrieval_role TO rag_legal_role; +GRANT rag_legacy_retrieval_role TO rag_exec_role; +``` + +This role simulates an initial RAG implementation where the retrieval service can query the entire vector table. It is intentionally broad so the "before" demo can show over-retrieval. + +Finally, each end user receives the appropriate data role: + +```sql +GRANT DATA ROLE rag_employee_role TO nina; +GRANT DATA ROLE rag_hr_role TO heitor; +GRANT DATA ROLE rag_legal_role TO sofia; +GRANT DATA ROLE rag_exec_role TO carlos; +``` + +At this point, the identities exist, but DDS enforcement is not enabled yet. That means the broad legacy retrieval role still allows confidential chunks to appear in Nina's vector search results. + ### Task 1.5 - Review The Classified Corpus Run: