Normalize lab docs and keep reusable TNS alias
Some checks failed
Repo Quality / structure (push) Has been cancelled
Some checks failed
Repo Quality / structure (push) Has been cancelled
This commit is contained in:
@@ -23,7 +23,7 @@ After Oracle Deep Data Security is enabled, the database enforces data grants on
|
|||||||
Run shell commands from the repository root:
|
Run shell commands from the repository root:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
```
|
```
|
||||||
|
|
||||||
Connect with SQLcl:
|
Connect with SQLcl:
|
||||||
@@ -171,3 +171,6 @@ Oracle Deep Data Security reduces the risk of AI prompt injection and overprivil
|
|||||||
See [RUNBOOK.md](RUNBOOK.md) for deeper technical notes, expected evidence, and official Oracle documentation references.
|
See [RUNBOOK.md](RUNBOOK.md) for deeper technical notes, expected evidence, and official Oracle documentation references.
|
||||||
|
|
||||||
For a LiveLabs-style guided workshop, use [WORKSHOP.md](WORKSHOP.md).
|
For a LiveLabs-style guided workshop, use [WORKSHOP.md](WORKSHOP.md).
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|||||||
@@ -89,3 +89,6 @@ Show that an AI agent or dynamic SQL path may allow a business user to query sen
|
|||||||
- Fine-Grained Data Authorization: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html
|
- Fine-Grained Data Authorization: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html
|
||||||
- Create Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/create-data-grants.html
|
- Create Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/create-data-grants.html
|
||||||
- CREATE DATA GRANT SQL Reference: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/create-data-grant.html
|
- CREATE DATA GRANT SQL Reference: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/create-data-grant.html
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|||||||
@@ -43,13 +43,16 @@ Only authorized rows and columns are returned
|
|||||||
## Before You Begin
|
## Before You Begin
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
export TNS_ADMIN=<wallet-directory>
|
||||||
sql admin@ddslab_tunnel
|
sql admin@ddslab_tunnel
|
||||||
```
|
```
|
||||||
|
|
||||||
SQLcl note: after running `@file.sql`, do not type `/`; it reruns the previous command.
|
SQLcl note: after running `@file.sql`, do not type `/`; it reruns the previous command.
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|
||||||
## Lab 1 - Prepare The Environment
|
## Lab 1 - Prepare The Environment
|
||||||
|
|
||||||
### Task 1.1 - Reset The Scenario
|
### Task 1.1 - Reset The Scenario
|
||||||
|
|||||||
@@ -19,8 +19,8 @@ Before Oracle Deep Data Security, a technical account or connection pool can que
|
|||||||
Run SQL scripts from the repository root. On Linux/macOS/WSL:
|
Run SQL scripts from the repository root. On Linux/macOS/WSL:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
export TNS_ADMIN=<wallet-directory>
|
||||||
```
|
```
|
||||||
|
|
||||||
Connect as the lab administrator:
|
Connect as the lab administrator:
|
||||||
@@ -31,10 +31,13 @@ sql admin@ddslab_tunnel
|
|||||||
|
|
||||||
SQLcl note: when running a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward, because `/` reruns the last command in the SQLcl buffer.
|
SQLcl note: when running a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward, because `/` reruns the last command in the SQLcl buffer.
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|
||||||
On Windows PowerShell:
|
On Windows PowerShell:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
sql admin@ddslab_tunnel
|
sql admin@ddslab_tunnel
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|||||||
@@ -21,8 +21,8 @@ Show that a shared technical application account should not be the real data aut
|
|||||||
1. From the repository root, connect as `ADMIN`:
|
1. From the repository root, connect as `ADMIN`:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
export TNS_ADMIN=<wallet-directory>
|
||||||
sql admin@ddslab_tunnel
|
sql admin@ddslab_tunnel
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -30,6 +30,9 @@ Show that a shared technical application account should not be the real data aut
|
|||||||
|
|
||||||
SQLcl note: after running a script with `@file.sql`, do not type `/`. The slash reruns the last command in the SQLcl buffer and can make a successful command look like an error.
|
SQLcl note: after running a script with `@file.sql`, do not type `/`. The slash reruns the last command in the SQLcl buffer and can make a successful command look like an error.
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|
||||||
2. Reset the scenario:
|
2. Reset the scenario:
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
|
|||||||
@@ -39,13 +39,16 @@ End user -> application connection pool -> DDS_APP database session
|
|||||||
## Before You Begin
|
## Before You Begin
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
export TNS_ADMIN=<wallet-directory>
|
||||||
sql admin@ddslab_tunnel
|
sql admin@ddslab_tunnel
|
||||||
```
|
```
|
||||||
|
|
||||||
SQLcl note: after running `@file.sql`, do not type `/`; it reruns the previous command.
|
SQLcl note: after running `@file.sql`, do not type `/`; it reruns the previous command.
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|
||||||
## Lab 1 - Prepare The Environment
|
## Lab 1 - Prepare The Environment
|
||||||
|
|
||||||
### Task 1.1 - Reset The Scenario
|
### Task 1.1 - Reset The Scenario
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ Before Oracle Deep Data Security, a broad query can expose employee records, SSN
|
|||||||
Run commands from the repository root:
|
Run commands from the repository root:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
```
|
```
|
||||||
|
|
||||||
Connect to the database with SQLcl or SQL*Plus:
|
Connect to the database with SQLcl or SQL*Plus:
|
||||||
|
|||||||
@@ -25,13 +25,16 @@ This workshop demonstrates fine-grained access to employee PII. Before DDS, broa
|
|||||||
## Before You Begin
|
## Before You Begin
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
export TNS_ADMIN=<wallet-directory>
|
||||||
sql admin@ddslab_tunnel
|
sql admin@ddslab_tunnel
|
||||||
```
|
```
|
||||||
|
|
||||||
SQLcl note: after running `@file.sql`, do not type `/`.
|
SQLcl note: after running `@file.sql`, do not type `/`.
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|
||||||
## Lab 1 - Prepare The Environment
|
## Lab 1 - Prepare The Environment
|
||||||
|
|
||||||
### Task 1.1 - Reset The Scenario
|
### Task 1.1 - Reset The Scenario
|
||||||
|
|||||||
@@ -18,7 +18,7 @@ Before Oracle Deep Data Security, a legacy view can expose rows that should be p
|
|||||||
Run commands from the repository root:
|
Run commands from the repository root:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
```
|
```
|
||||||
|
|
||||||
Connect to the database with SQLcl or SQL*Plus:
|
Connect to the database with SQLcl or SQL*Plus:
|
||||||
|
|||||||
@@ -25,13 +25,16 @@ This workshop demonstrates why access rules should be enforced on the protected
|
|||||||
## Before You Begin
|
## Before You Begin
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
export TNS_ADMIN=<wallet-directory>
|
||||||
sql admin@ddslab_tunnel
|
sql admin@ddslab_tunnel
|
||||||
```
|
```
|
||||||
|
|
||||||
SQLcl note: after running `@file.sql`, do not type `/`.
|
SQLcl note: after running `@file.sql`, do not type `/`.
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|
||||||
## Lab 1 - Prepare The Environment
|
## Lab 1 - Prepare The Environment
|
||||||
|
|
||||||
### Task 1.1 - Reset The Scenario
|
### Task 1.1 - Reset The Scenario
|
||||||
|
|||||||
@@ -22,7 +22,7 @@ Before Oracle Deep Data Security, an AI agent connected to the same legacy schem
|
|||||||
Run commands from the repository root:
|
Run commands from the repository root:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
```
|
```
|
||||||
|
|
||||||
Connect to the database with SQLcl or SQL*Plus:
|
Connect to the database with SQLcl or SQL*Plus:
|
||||||
|
|||||||
@@ -29,13 +29,16 @@ Before DDS, the AI agent can reuse broad legacy privileges and combine customer,
|
|||||||
## Before You Begin
|
## Before You Begin
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
export TNS_ADMIN=<wallet-directory>
|
||||||
sql admin@ddslab_tunnel
|
sql admin@ddslab_tunnel
|
||||||
```
|
```
|
||||||
|
|
||||||
SQLcl note: after running `@file.sql`, do not type `/`.
|
SQLcl note: after running `@file.sql`, do not type `/`.
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|
||||||
## Lab 1 - Prepare The Environment
|
## Lab 1 - Prepare The Environment
|
||||||
|
|
||||||
### Task 1.1 - Reset The Scenario
|
### Task 1.1 - Reset The Scenario
|
||||||
|
|||||||
@@ -20,8 +20,8 @@ Before Oracle Deep Data Security, vector search can retrieve confidential HR, le
|
|||||||
Run SQL scripts from the repository root. On Linux/macOS/WSL:
|
Run SQL scripts from the repository root. On Linux/macOS/WSL:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
export TNS_ADMIN=<wallet-directory>
|
||||||
```
|
```
|
||||||
|
|
||||||
Connect as the lab administrator:
|
Connect as the lab administrator:
|
||||||
@@ -34,6 +34,9 @@ This scenario uses the `VECTOR` type, `TO_VECTOR`, and `VECTOR_DISTANCE`. Use a
|
|||||||
|
|
||||||
SQLcl note: when running a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward, because `/` reruns the last command in the SQLcl buffer.
|
SQLcl note: when running a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward, because `/` reruns the last command in the SQLcl buffer.
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|
||||||
## Step By Step - Before, Vulnerable Environment
|
## Step By Step - Before, Vulnerable Environment
|
||||||
|
|
||||||
1. Reset the scenario as `ADMIN`:
|
1. Reset the scenario as `ADMIN`:
|
||||||
|
|||||||
@@ -21,8 +21,8 @@ Show that a RAG agent retrieves only authorized chunks/documents before sending
|
|||||||
1. From the repository root, connect as `ADMIN`:
|
1. From the repository root, connect as `ADMIN`:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
export TNS_ADMIN=<wallet-directory>
|
||||||
sql admin@ddslab_tunnel
|
sql admin@ddslab_tunnel
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -30,6 +30,9 @@ Show that a RAG agent retrieves only authorized chunks/documents before sending
|
|||||||
|
|
||||||
SQLcl note: after running a script with `@file.sql`, do not type `/`. The slash reruns the last command in the SQLcl buffer and can make a successful command look like an error.
|
SQLcl note: after running a script with `@file.sql`, do not type `/`. The slash reruns the last command in the SQLcl buffer and can make a successful command look like an error.
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|
||||||
2. Reset the scenario:
|
2. Reset the scenario:
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
|
|||||||
@@ -81,8 +81,8 @@ Only authorized chunks are sent to the LLM
|
|||||||
Run all commands from the repository root:
|
Run all commands from the repository root:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
export TNS_ADMIN=<wallet-directory>
|
||||||
```
|
```
|
||||||
|
|
||||||
Connect as the lab administrator:
|
Connect as the lab administrator:
|
||||||
@@ -93,6 +93,9 @@ sql admin@ddslab_tunnel
|
|||||||
|
|
||||||
SQLcl note: when you run a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward; `/` reruns the last command in the SQLcl buffer.
|
SQLcl note: when you run a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward; `/` reruns the last command in the SQLcl buffer.
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|
||||||
## Lab 1 - Prepare The Environment
|
## Lab 1 - Prepare The Environment
|
||||||
|
|
||||||
### Task 1.1 - Reset The Scenario
|
### Task 1.1 - Reset The Scenario
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ Before the controls are applied, a payments table can be queried without a clear
|
|||||||
Run SQL commands from the repository root:
|
Run SQL commands from the repository root:
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
```
|
```
|
||||||
|
|
||||||
Connect to the database with SQLcl or SQL*Plus:
|
Connect to the database with SQLcl or SQL*Plus:
|
||||||
|
|||||||
@@ -30,13 +30,16 @@ Before controls, a payment operator can query payment tokens through broad acces
|
|||||||
## Before You Begin
|
## Before You Begin
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
cd <repo-root>
|
||||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
export TNS_ADMIN=<wallet-directory>
|
||||||
sql admin@ddslab_tunnel
|
sql admin@ddslab_tunnel
|
||||||
```
|
```
|
||||||
|
|
||||||
SQLcl note: after running `@file.sql`, do not type `/`.
|
SQLcl note: after running `@file.sql`, do not type `/`.
|
||||||
|
|
||||||
|
|
||||||
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
||||||
|
|
||||||
## Lab 1 - Prepare The Environment
|
## Lab 1 - Prepare The Environment
|
||||||
|
|
||||||
### Task 1.1 - Reset The Scenario
|
### Task 1.1 - Reset The Scenario
|
||||||
|
|||||||
Reference in New Issue
Block a user