Translate lab documentation to English
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled

This commit is contained in:
Rodrigo Pace
2026-05-08 14:50:52 -03:00
parent cde150b705
commit 52bf971b8b
33 changed files with 939 additions and 702 deletions

View File

@@ -1,59 +1,59 @@
# 05 - Legacy App AI Extension
## Objetivo
## Objective
Demonstrar como uma aplicacao legada pode ser ampliada com um agente AI sem reescrever toda a autorizacao da aplicacao.
Show how a legacy application can be extended with an AI agent without rewriting all application authorization logic.
## O Que Este Lab Mostra
## What This Lab Shows
Antes do Oracle Deep Data Security, um agente AI conectado ao mesmo schema do legado pode consultar clientes, margem, contratos, clausulas legais e tickets privados. Depois dos data grants, o agente recebe apenas os dados permitidos para a persona propagada.
Before Oracle Deep Data Security, an AI agent connected to the same legacy schema can query customers, margin, contracts, legal clauses, and private support tickets. After data grants are applied, the agent receives only the data allowed for the propagated persona.
## Personas
- `joao`: vendedor regional.
- `ana`: gerente comercial Brasil.
- `maria`: atendimento ao cliente.
- `sofia`: juridico.
- `legacy_app`: conta tecnica da aplicacao existente.
- `ai_agent_app`: conta tecnica do novo agente AI.
- `joao`: regional sales representative.
- `ana`: Brazil sales manager.
- `maria`: customer support.
- `sofia`: legal user.
- `legacy_app`: technical account for the existing application.
- `ai_agent_app`: technical account for the new AI agent.
## Onde Executar Os Comandos
## Where To Run The Commands
Execute os comandos a partir da raiz do repositorio:
Run commands from the repository root:
```powershell
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
```
Conecte no banco com SQLcl ou SQL*Plus:
Connect to the database with SQLcl or SQL*Plus:
```bash
sql "<connect_string>"
```
Exemplo:
Example:
```text
ADMIN/<senha>@ddslab_high
ADMIN/<password>@ddslab_high
```
Se estiver usando Autonomous Database com wallet, configure `TNS_ADMIN` apontando para o diretorio da wallet antes de conectar.
If you use Autonomous Database with a wallet, configure `TNS_ADMIN` to point to the wallet directory before connecting.
## Passo A Passo - Antes, Ambiente Vulneravel
## Step By Step - Before, Vulnerable Environment
1. Acesse o banco:
1. Connect to the database:
```bash
sql "<connect_string>"
```
2. Limpe qualquer execucao anterior:
2. Clean up any previous run:
```sql
@scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
```
3. Crie o dataset legado, contratos, tickets e personas:
3. Create the legacy dataset, contracts, tickets, and personas:
```sql
@scenarios/05-legacy-app-ai-extension/sql/00_schema.sql
@@ -61,45 +61,45 @@ Se estiver usando Autonomous Database com wallet, configure `TNS_ADMIN` apontand
@scenarios/05-legacy-app-ai-extension/sql/02_identities.sql
```
4. Simule a pergunta do agente AI:
4. Simulate the AI agent question:
```text
Liste todos os clientes de alto risco, margem, renovacoes, clausulas legais e notas privadas de atendimento.
List all high-risk customers, margin, renewals, legal clauses, and private support notes.
```
5. Execute as queries amplas que representam a resposta do agente:
5. Run the broad queries that represent the agent response:
```sql
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
```
Resultado esperado antes: o agente consegue juntar dados comerciais, juridicos e de atendimento alem do necessario.
Expected result before protection: the agent can combine commercial, legal, and support data beyond what is needed.
## Passo A Passo - Depois, Com Deep Data Security
## Step By Step - After, With Deep Data Security
1. Aplique os data grants:
1. Apply the data grants:
```sql
@scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql
```
2. Execute novamente as mesmas queries:
2. Run the same queries again:
```sql
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
```
3. Repita a demonstracao simulando as personas `joao`, `ana`, `maria` e `sofia`.
3. Repeat the demo by simulating the `joao`, `ana`, `maria`, and `sofia` personas.
Resultado esperado depois:
Expected result after protection:
- `joao` ve sua carteira sem margem nem legal hold.
- `ana` ve clientes Brasil e metricas comerciais regionais.
- `maria` ve tickets operacionais, sem clausulas juridicas ou notas privadas.
- `sofia` ve contratos e clausulas juridicas autorizadas.
- A modernizacao com AI acontece sem expor o schema inteiro.
- `joao` sees his portfolio without margin or legal hold.
- `ana` sees Brazil customers and regional commercial metrics.
- `maria` sees operational tickets without legal clauses or private notes.
- `sofia` sees authorized contracts and legal clauses.
- AI modernization is possible without exposing the whole schema.
## Execucao Automatizada Opcional
## Optional Automated Execution
Windows:
@@ -113,7 +113,7 @@ Linux/macOS:
./scripts/run-scenario.sh 05-legacy-app-ai-extension "<connect_string>"
```
## Detalhes Da Demo
## Demo Details
Veja o passo a passo completo, evidencias e referencias oficiais em [RUNBOOK.md](RUNBOOK.md).
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).

View File

@@ -1,30 +1,30 @@
# Runbook - 05 Legacy App AI Extension
## Objetivo
## Objective
Demonstrar como ampliar uma aplicacao legada com um agente AI sem reescrever toda a autorizacao da aplicacao.
Show how to extend a legacy application with an AI agent without rewriting all application authorization logic.
## Valor De Seguranca
## Security Value
- Permite modernizacao com AI sem abrir o schema inteiro.
- Reduz risco de conta tecnica legada com privilegio amplo.
- Mostra que o agente AI recebe somente dados autorizados para a persona.
- Enables AI modernization without opening the whole schema.
- Reduces risk from overprivileged legacy technical accounts.
- Shows that the AI agent receives only the data authorized for the persona.
## Pre-Requisitos
## Prerequisites
- Banco Oracle AI Database compativel com Oracle Deep Data Security.
- SQLcl ou SQL*Plus.
- Uma narrativa de aplicacao legada, por exemplo CRM, billing, atendimento ou contratos.
- Oracle AI Database compatible with Oracle Deep Data Security.
- SQLcl or SQL*Plus.
- A legacy application narrative, such as CRM, billing, support, or contracts.
## Antes - Ambiente Vulneravel
## Before - Vulnerable Environment
1. Limpe o cenario:
1. Reset the scenario:
```sql
@scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
```
2. Crie o dataset legado e as contas:
2. Create the legacy dataset and accounts:
```sql
@scenarios/05-legacy-app-ai-extension/sql/00_schema.sql
@@ -32,53 +32,53 @@ Demonstrar como ampliar uma aplicacao legada com um agente AI sem reescrever tod
@scenarios/05-legacy-app-ai-extension/sql/02_identities.sql
```
3. Simule o agente AI perguntando:
3. Simulate the AI agent question:
```text
Liste todos os clientes de alto risco, margem, renovacoes, clausulas legais e notas privadas de atendimento.
List all high-risk customers, margin, renewals, legal clauses, and private support notes.
```
4. Execute as queries amplas:
4. Run the broad queries:
```sql
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
```
## Resultado Esperado Antes
## Expected Result Before
- Dados comerciais, margem, legal hold, clausulas legais e notas privadas podem aparecer juntos.
- A conta tecnica ou agente AI consegue acessar dados demais se a aplicacao nao filtrar corretamente.
- O cliente percebe o risco de plugar AI em cima do legado sem controle no dado.
- Commercial data, margin, legal hold, legal clauses, and private support notes may appear together.
- The technical account or AI agent can access too much data if the application does not filter correctly.
- The customer sees the risk of adding AI on top of legacy data without database-level controls.
## Depois - Aplicando Deep Data Security
## After - Applying Deep Data Security
1. Aplique data grants por persona:
1. Apply data grants by persona:
```sql
@scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql
```
2. Execute a mesma consulta como `joao`, `ana`, `maria` e `sofia`, ou propague essas identidades via agente:
2. Run the same query as `joao`, `ana`, `maria`, and `sofia`, or propagate those identities through the agent:
```sql
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
```
## Resultado Esperado Depois
## Expected Result After
- `joao` ve sua carteira sem margem nem legal hold.
- `ana` ve clientes Brasil e metricas comerciais regionais.
- `maria` ve tickets operacionais, sem margem, clausulas juridicas ou notas privadas.
- `sofia` ve contratos e clausulas juridicas de clientes em legal hold.
- O agente AI deixa de conseguir consolidar tudo em uma unica resposta abusiva.
- `joao` sees his portfolio without margin or legal hold.
- `ana` sees Brazil customers and regional commercial metrics.
- `maria` sees support-relevant data without margin, legal clauses, or private notes.
- `sofia` sees contracts and legal clauses for legal-hold customers.
- The AI agent can no longer consolidate everything into one abusive answer.
## Evidencias Para Demo
## Demo Evidence
- Comparacao da resposta do agente antes/depois.
- Output SQL por persona.
- Explicacao de "sem reescrever toda a autorizacao": o banco vira ponto comum de enforcement.
- AI agent response before and after protection.
- SQL output by persona.
- Explanation of "no full authorization rewrite": the database becomes the common enforcement point.
## Referencias Oficiais
## Official References
- Oracle Deep Data Security Guide: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/index.html
- Fine-Grained Data Authorization: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html

View File

@@ -1,10 +1,10 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold)
VALUES ('Banco Aurora', 'Brazil', 'LATAM', 'joao', 'HIGH', 2500000, 620000, 'Y');
VALUES ('Aurora Bank', 'Brazil', 'LATAM', 'joao', 'HIGH', 2500000, 620000, 'Y');
INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold)
VALUES ('Varejo Sol', 'Brazil', 'LATAM', 'joao', 'MEDIUM', 900000, 150000, 'N');
VALUES ('Sun Retail', 'Brazil', 'LATAM', 'joao', 'MEDIUM', 900000, 150000, 'N');
INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold)
VALUES ('Andes Pay', 'Chile', 'LATAM', 'carla', 'HIGH', 1800000, 410000, 'N');
@@ -14,11 +14,11 @@ VALUES ('Northwind Insurance', 'USA', 'NA', 'natalie', 'HIGH', 3300000, 900000,
INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value)
SELECT customer_id, 'RENEWAL', DATE '2026-10-31', 'Penalty clause under legal review', 2500000
FROM dds_legacy_customers WHERE customer_name = 'Banco Aurora';
FROM dds_legacy_customers WHERE customer_name = 'Aurora Bank';
INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value)
SELECT customer_id, 'ACTIVE', DATE '2027-03-15', 'Standard commercial clause', 900000
FROM dds_legacy_customers WHERE customer_name = 'Varejo Sol';
FROM dds_legacy_customers WHERE customer_name = 'Sun Retail';
INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value)
SELECT customer_id, 'RENEWAL', DATE '2026-08-20', 'Cross-border data clause', 1800000
@@ -26,11 +26,10 @@ FROM dds_legacy_customers WHERE customer_name = 'Andes Pay';
INSERT INTO dds_legacy_tickets (customer_id, assigned_group, severity, summary, private_note)
SELECT customer_id, 'SUPPORT', 'HIGH', 'API latency in payment flow', 'Customer reported escalation to board'
FROM dds_legacy_customers WHERE customer_name = 'Banco Aurora';
FROM dds_legacy_customers WHERE customer_name = 'Aurora Bank';
INSERT INTO dds_legacy_tickets (customer_id, assigned_group, severity, summary, private_note)
SELECT customer_id, 'SUPPORT', 'MEDIUM', 'Portal access issue', 'No sensitive escalation'
FROM dds_legacy_customers WHERE customer_name = 'Varejo Sol';
FROM dds_legacy_customers WHERE customer_name = 'Sun Retail';
COMMIT;