diff --git a/scenarios/01-ai-prompt-injection/README.md b/scenarios/01-ai-prompt-injection/README.md index 44d3978..7efe610 100755 --- a/scenarios/01-ai-prompt-injection/README.md +++ b/scenarios/01-ai-prompt-injection/README.md @@ -23,7 +23,7 @@ After Oracle Deep Data Security is enabled, the database enforces data grants on Run shell commands from the repository root: ```bash -cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab +cd ``` Connect with SQLcl: @@ -171,3 +171,6 @@ Oracle Deep Data Security reduces the risk of AI prompt injection and overprivil See [RUNBOOK.md](RUNBOOK.md) for deeper technical notes, expected evidence, and official Oracle documentation references. For a LiveLabs-style guided workshop, use [WORKSHOP.md](WORKSHOP.md). + + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. diff --git a/scenarios/01-ai-prompt-injection/RUNBOOK.md b/scenarios/01-ai-prompt-injection/RUNBOOK.md index 3e77f77..ac442fc 100755 --- a/scenarios/01-ai-prompt-injection/RUNBOOK.md +++ b/scenarios/01-ai-prompt-injection/RUNBOOK.md @@ -89,3 +89,6 @@ Show that an AI agent or dynamic SQL path may allow a business user to query sen - Fine-Grained Data Authorization: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html - Create Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/create-data-grants.html - CREATE DATA GRANT SQL Reference: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/create-data-grant.html + + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. diff --git a/scenarios/01-ai-prompt-injection/WORKSHOP.md b/scenarios/01-ai-prompt-injection/WORKSHOP.md index ebed68b..af3e009 100755 --- a/scenarios/01-ai-prompt-injection/WORKSHOP.md +++ b/scenarios/01-ai-prompt-injection/WORKSHOP.md @@ -43,13 +43,16 @@ Only authorized rows and columns are returned ## Before You Begin ```bash -cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab -export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab +cd +export TNS_ADMIN= sql admin@ddslab_tunnel ``` SQLcl note: after running `@file.sql`, do not type `/`; it reruns the previous command. + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. + ## Lab 1 - Prepare The Environment ### Task 1.1 - Reset The Scenario diff --git a/scenarios/02-shared-app-account/README.md b/scenarios/02-shared-app-account/README.md index 24ab4be..5daaae5 100755 --- a/scenarios/02-shared-app-account/README.md +++ b/scenarios/02-shared-app-account/README.md @@ -19,8 +19,8 @@ Before Oracle Deep Data Security, a technical account or connection pool can que Run SQL scripts from the repository root. On Linux/macOS/WSL: ```bash -cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab -export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab +cd +export TNS_ADMIN= ``` Connect as the lab administrator: @@ -31,10 +31,13 @@ sql admin@ddslab_tunnel SQLcl note: when running a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward, because `/` reruns the last command in the SQLcl buffer. + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. + On Windows PowerShell: ```powershell -cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab +cd sql admin@ddslab_tunnel ``` diff --git a/scenarios/02-shared-app-account/RUNBOOK.md b/scenarios/02-shared-app-account/RUNBOOK.md index bfbeeb4..2527932 100755 --- a/scenarios/02-shared-app-account/RUNBOOK.md +++ b/scenarios/02-shared-app-account/RUNBOOK.md @@ -21,8 +21,8 @@ Show that a shared technical application account should not be the real data aut 1. From the repository root, connect as `ADMIN`: ```bash - cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab - export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab + cd + export TNS_ADMIN= sql admin@ddslab_tunnel ``` @@ -30,6 +30,9 @@ Show that a shared technical application account should not be the real data aut SQLcl note: after running a script with `@file.sql`, do not type `/`. The slash reruns the last command in the SQLcl buffer and can make a successful command look like an error. + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. + 2. Reset the scenario: ```sql diff --git a/scenarios/02-shared-app-account/WORKSHOP.md b/scenarios/02-shared-app-account/WORKSHOP.md index 36e91b2..d3b5128 100755 --- a/scenarios/02-shared-app-account/WORKSHOP.md +++ b/scenarios/02-shared-app-account/WORKSHOP.md @@ -39,13 +39,16 @@ End user -> application connection pool -> DDS_APP database session ## Before You Begin ```bash -cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab -export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab +cd +export TNS_ADMIN= sql admin@ddslab_tunnel ``` SQLcl note: after running `@file.sql`, do not type `/`; it reruns the previous command. + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. + ## Lab 1 - Prepare The Environment ### Task 1.1 - Reset The Scenario diff --git a/scenarios/03-pii-row-column-cell/README.md b/scenarios/03-pii-row-column-cell/README.md index b2aa3b4..47cf994 100755 --- a/scenarios/03-pii-row-column-cell/README.md +++ b/scenarios/03-pii-row-column-cell/README.md @@ -19,7 +19,7 @@ Before Oracle Deep Data Security, a broad query can expose employee records, SSN Run commands from the repository root: ```powershell -cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab +cd ``` Connect to the database with SQLcl or SQL*Plus: diff --git a/scenarios/03-pii-row-column-cell/WORKSHOP.md b/scenarios/03-pii-row-column-cell/WORKSHOP.md index da718c8..195e211 100755 --- a/scenarios/03-pii-row-column-cell/WORKSHOP.md +++ b/scenarios/03-pii-row-column-cell/WORKSHOP.md @@ -25,13 +25,16 @@ This workshop demonstrates fine-grained access to employee PII. Before DDS, broa ## Before You Begin ```bash -cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab -export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab +cd +export TNS_ADMIN= sql admin@ddslab_tunnel ``` SQLcl note: after running `@file.sql`, do not type `/`. + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. + ## Lab 1 - Prepare The Environment ### Task 1.1 - Reset The Scenario diff --git a/scenarios/04-view-bypass-mac/README.md b/scenarios/04-view-bypass-mac/README.md index 88712a5..77ac5e3 100755 --- a/scenarios/04-view-bypass-mac/README.md +++ b/scenarios/04-view-bypass-mac/README.md @@ -18,7 +18,7 @@ Before Oracle Deep Data Security, a legacy view can expose rows that should be p Run commands from the repository root: ```powershell -cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab +cd ``` Connect to the database with SQLcl or SQL*Plus: diff --git a/scenarios/04-view-bypass-mac/WORKSHOP.md b/scenarios/04-view-bypass-mac/WORKSHOP.md index 30d2134..dfac80d 100755 --- a/scenarios/04-view-bypass-mac/WORKSHOP.md +++ b/scenarios/04-view-bypass-mac/WORKSHOP.md @@ -25,13 +25,16 @@ This workshop demonstrates why access rules should be enforced on the protected ## Before You Begin ```bash -cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab -export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab +cd +export TNS_ADMIN= sql admin@ddslab_tunnel ``` SQLcl note: after running `@file.sql`, do not type `/`. + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. + ## Lab 1 - Prepare The Environment ### Task 1.1 - Reset The Scenario diff --git a/scenarios/05-legacy-app-ai-extension/README.md b/scenarios/05-legacy-app-ai-extension/README.md index a55f31e..6291a3f 100755 --- a/scenarios/05-legacy-app-ai-extension/README.md +++ b/scenarios/05-legacy-app-ai-extension/README.md @@ -22,7 +22,7 @@ Before Oracle Deep Data Security, an AI agent connected to the same legacy schem Run commands from the repository root: ```powershell -cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab +cd ``` Connect to the database with SQLcl or SQL*Plus: diff --git a/scenarios/05-legacy-app-ai-extension/WORKSHOP.md b/scenarios/05-legacy-app-ai-extension/WORKSHOP.md index f1c2f40..5fc6075 100755 --- a/scenarios/05-legacy-app-ai-extension/WORKSHOP.md +++ b/scenarios/05-legacy-app-ai-extension/WORKSHOP.md @@ -29,13 +29,16 @@ Before DDS, the AI agent can reuse broad legacy privileges and combine customer, ## Before You Begin ```bash -cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab -export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab +cd +export TNS_ADMIN= sql admin@ddslab_tunnel ``` SQLcl note: after running `@file.sql`, do not type `/`. + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. + ## Lab 1 - Prepare The Environment ### Task 1.1 - Reset The Scenario diff --git a/scenarios/06-rag-vector-classified-docs/README.md b/scenarios/06-rag-vector-classified-docs/README.md index 1ce9d48..ec414c6 100755 --- a/scenarios/06-rag-vector-classified-docs/README.md +++ b/scenarios/06-rag-vector-classified-docs/README.md @@ -20,8 +20,8 @@ Before Oracle Deep Data Security, vector search can retrieve confidential HR, le Run SQL scripts from the repository root. On Linux/macOS/WSL: ```bash -cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab -export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab +cd +export TNS_ADMIN= ``` Connect as the lab administrator: @@ -34,6 +34,9 @@ This scenario uses the `VECTOR` type, `TO_VECTOR`, and `VECTOR_DISTANCE`. Use a SQLcl note: when running a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward, because `/` reruns the last command in the SQLcl buffer. + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. + ## Step By Step - Before, Vulnerable Environment 1. Reset the scenario as `ADMIN`: diff --git a/scenarios/06-rag-vector-classified-docs/RUNBOOK.md b/scenarios/06-rag-vector-classified-docs/RUNBOOK.md index 33b128a..df8211f 100755 --- a/scenarios/06-rag-vector-classified-docs/RUNBOOK.md +++ b/scenarios/06-rag-vector-classified-docs/RUNBOOK.md @@ -21,8 +21,8 @@ Show that a RAG agent retrieves only authorized chunks/documents before sending 1. From the repository root, connect as `ADMIN`: ```bash - cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab - export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab + cd + export TNS_ADMIN= sql admin@ddslab_tunnel ``` @@ -30,6 +30,9 @@ Show that a RAG agent retrieves only authorized chunks/documents before sending SQLcl note: after running a script with `@file.sql`, do not type `/`. The slash reruns the last command in the SQLcl buffer and can make a successful command look like an error. + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. + 2. Reset the scenario: ```sql diff --git a/scenarios/06-rag-vector-classified-docs/WORKSHOP.md b/scenarios/06-rag-vector-classified-docs/WORKSHOP.md index 1a97320..f98c3f7 100755 --- a/scenarios/06-rag-vector-classified-docs/WORKSHOP.md +++ b/scenarios/06-rag-vector-classified-docs/WORKSHOP.md @@ -81,8 +81,8 @@ Only authorized chunks are sent to the LLM Run all commands from the repository root: ```bash -cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab -export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab +cd +export TNS_ADMIN= ``` Connect as the lab administrator: @@ -93,6 +93,9 @@ sql admin@ddslab_tunnel SQLcl note: when you run a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward; `/` reruns the last command in the SQLcl buffer. + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. + ## Lab 1 - Prepare The Environment ### Task 1.1 - Reset The Scenario diff --git a/scenarios/07-audit-evidence-data-safe/README.md b/scenarios/07-audit-evidence-data-safe/README.md index 70302be..c096655 100755 --- a/scenarios/07-audit-evidence-data-safe/README.md +++ b/scenarios/07-audit-evidence-data-safe/README.md @@ -19,7 +19,7 @@ Before the controls are applied, a payments table can be queried without a clear Run SQL commands from the repository root: ```powershell -cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab +cd ``` Connect to the database with SQLcl or SQL*Plus: diff --git a/scenarios/07-audit-evidence-data-safe/WORKSHOP.md b/scenarios/07-audit-evidence-data-safe/WORKSHOP.md index 4e4d881..ad70aa4 100755 --- a/scenarios/07-audit-evidence-data-safe/WORKSHOP.md +++ b/scenarios/07-audit-evidence-data-safe/WORKSHOP.md @@ -30,13 +30,16 @@ Before controls, a payment operator can query payment tokens through broad acces ## Before You Begin ```bash -cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab -export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab +cd +export TNS_ADMIN= sql admin@ddslab_tunnel ``` SQLcl note: after running `@file.sql`, do not type `/`. + +Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias. + ## Lab 1 - Prepare The Environment ### Task 1.1 - Reset The Scenario