Document RAG workshop role creation
Some checks failed
Repo Quality / structure (push) Has been cancelled

This commit is contained in:
2026-05-14 13:53:20 -03:00
parent 31bb4b0b86
commit 192bf5de0d

View File

@@ -160,6 +160,67 @@ Run:
This creates the end users, data roles, and a broad legacy retrieval role used only to demonstrate the vulnerable "before" state.
The personas and roles are created in `02_identities.sql`.
First, the lab creates four DDS end users:
```sql
CREATE END USER nina IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER heitor IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER sofia IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER carlos IDENTIFIED BY "Welcome1_DDS!";
```
These are lightweight end-user identities used by DDS to evaluate who is asking the RAG question.
Next, the lab creates one data role for each business profile:
```sql
CREATE DATA ROLE rag_employee_role;
CREATE DATA ROLE rag_hr_role;
CREATE DATA ROLE rag_legal_role;
CREATE DATA ROLE rag_exec_role;
```
These data roles are the authorization profiles used later by the Data Grants.
The lab also creates a normal database role that allows the DDS end users to open SQLcl sessions during the demo:
```sql
CREATE ROLE rag_session_role;
GRANT CREATE SESSION TO rag_session_role;
GRANT rag_session_role TO rag_employee_role;
GRANT rag_session_role TO rag_hr_role;
GRANT rag_session_role TO rag_legal_role;
GRANT rag_session_role TO rag_exec_role;
```
This is a lab convenience. In a real application, the connection pool would usually be maintained by a technical application account while the application propagates the end-user security context.
To demonstrate the vulnerable state before DDS, the lab creates a broad legacy retrieval role:
```sql
CREATE ROLE rag_legacy_retrieval_role;
GRANT SELECT ON dds_rag_chunks TO rag_legacy_retrieval_role;
GRANT rag_legacy_retrieval_role TO rag_employee_role;
GRANT rag_legacy_retrieval_role TO rag_hr_role;
GRANT rag_legacy_retrieval_role TO rag_legal_role;
GRANT rag_legacy_retrieval_role TO rag_exec_role;
```
This role simulates an initial RAG implementation where the retrieval service can query the entire vector table. It is intentionally broad so the "before" demo can show over-retrieval.
Finally, each end user receives the appropriate data role:
```sql
GRANT DATA ROLE rag_employee_role TO nina;
GRANT DATA ROLE rag_hr_role TO heitor;
GRANT DATA ROLE rag_legal_role TO sofia;
GRANT DATA ROLE rag_exec_role TO carlos;
```
At this point, the identities exist, but DDS enforcement is not enabled yet. That means the broad legacy retrieval role still allows confidential chunks to appear in Nina's vector search results.
### Task 1.5 - Review The Classified Corpus
Run: