Document RAG workshop role creation
Some checks failed
Repo Quality / structure (push) Has been cancelled
Some checks failed
Repo Quality / structure (push) Has been cancelled
This commit is contained in:
@@ -160,6 +160,67 @@ Run:
|
||||
|
||||
This creates the end users, data roles, and a broad legacy retrieval role used only to demonstrate the vulnerable "before" state.
|
||||
|
||||
The personas and roles are created in `02_identities.sql`.
|
||||
|
||||
First, the lab creates four DDS end users:
|
||||
|
||||
```sql
|
||||
CREATE END USER nina IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER heitor IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER sofia IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER carlos IDENTIFIED BY "Welcome1_DDS!";
|
||||
```
|
||||
|
||||
These are lightweight end-user identities used by DDS to evaluate who is asking the RAG question.
|
||||
|
||||
Next, the lab creates one data role for each business profile:
|
||||
|
||||
```sql
|
||||
CREATE DATA ROLE rag_employee_role;
|
||||
CREATE DATA ROLE rag_hr_role;
|
||||
CREATE DATA ROLE rag_legal_role;
|
||||
CREATE DATA ROLE rag_exec_role;
|
||||
```
|
||||
|
||||
These data roles are the authorization profiles used later by the Data Grants.
|
||||
|
||||
The lab also creates a normal database role that allows the DDS end users to open SQLcl sessions during the demo:
|
||||
|
||||
```sql
|
||||
CREATE ROLE rag_session_role;
|
||||
GRANT CREATE SESSION TO rag_session_role;
|
||||
GRANT rag_session_role TO rag_employee_role;
|
||||
GRANT rag_session_role TO rag_hr_role;
|
||||
GRANT rag_session_role TO rag_legal_role;
|
||||
GRANT rag_session_role TO rag_exec_role;
|
||||
```
|
||||
|
||||
This is a lab convenience. In a real application, the connection pool would usually be maintained by a technical application account while the application propagates the end-user security context.
|
||||
|
||||
To demonstrate the vulnerable state before DDS, the lab creates a broad legacy retrieval role:
|
||||
|
||||
```sql
|
||||
CREATE ROLE rag_legacy_retrieval_role;
|
||||
GRANT SELECT ON dds_rag_chunks TO rag_legacy_retrieval_role;
|
||||
GRANT rag_legacy_retrieval_role TO rag_employee_role;
|
||||
GRANT rag_legacy_retrieval_role TO rag_hr_role;
|
||||
GRANT rag_legacy_retrieval_role TO rag_legal_role;
|
||||
GRANT rag_legacy_retrieval_role TO rag_exec_role;
|
||||
```
|
||||
|
||||
This role simulates an initial RAG implementation where the retrieval service can query the entire vector table. It is intentionally broad so the "before" demo can show over-retrieval.
|
||||
|
||||
Finally, each end user receives the appropriate data role:
|
||||
|
||||
```sql
|
||||
GRANT DATA ROLE rag_employee_role TO nina;
|
||||
GRANT DATA ROLE rag_hr_role TO heitor;
|
||||
GRANT DATA ROLE rag_legal_role TO sofia;
|
||||
GRANT DATA ROLE rag_exec_role TO carlos;
|
||||
```
|
||||
|
||||
At this point, the identities exist, but DDS enforcement is not enabled yet. That means the broad legacy retrieval role still allows confidential chunks to appear in Nina's vector search results.
|
||||
|
||||
### Task 1.5 - Review The Classified Corpus
|
||||
|
||||
Run:
|
||||
|
||||
Reference in New Issue
Block a user