From 703e072682be374449eacf239dacb8907bc59442 Mon Sep 17 00:00:00 2001 From: Rodrigo Pace Date: Fri, 8 May 2026 12:21:47 -0300 Subject: [PATCH] Add legacy AI, RAG vector and Data Safe audit scenarios --- README.md | 3 ++ docs/demo-guide-executive.md | 31 ++++++----- docs/scenarios.md | 30 +++++++---- .../05-legacy-app-ai-extension/README.md | 41 ++++++++++++++ .../evidence/expected-results.md | 8 +++ .../05-legacy-app-ai-extension/metadata.yaml | 14 +++++ .../sql/00_schema.sql | 32 +++++++++++ .../sql/01_seed_data.sql | 36 +++++++++++++ .../sql/02_identities.sql | 22 ++++++++ .../sql/03_data_grants.sql | 54 +++++++++++++++++++ .../sql/04_test_queries.sql | 18 +++++++ .../sql/99_reset.sql | 47 ++++++++++++++++ .../tests/negative_tests.sql | 5 ++ .../tests/positive_tests.sql | 3 ++ .../06-rag-vector-classified-docs/README.md | 34 ++++++++++++ .../evidence/expected-results.md | 8 +++ .../metadata.yaml | 15 ++++++ .../sql/00_schema.sql | 11 ++++ .../sql/01_seed_data.sql | 19 +++++++ .../sql/02_identities.sql | 17 ++++++ .../sql/03_data_grants.sql | 27 ++++++++++ .../sql/04_test_queries.sql | 15 ++++++ .../sql/99_reset.sql | 29 ++++++++++ .../tests/negative_tests.sql | 6 +++ .../tests/positive_tests.sql | 3 ++ .../07-audit-evidence-data-safe/README.md | 37 +++++++++++++ .../evidence/expected-results.md | 8 +++ .../07-audit-evidence-data-safe/metadata.yaml | 15 ++++++ .../sql/00_schema.sql | 11 ++++ .../sql/01_seed_data.sql | 13 +++++ .../sql/02_identities.sql | 14 +++++ .../sql/03_data_grants.sql | 15 ++++++ .../sql/04_audit_policies.sql | 11 ++++ .../sql/05_generate_activity.sql | 22 ++++++++ .../sql/99_reset.sql | 27 ++++++++++ .../tests/negative_tests.sql | 5 ++ .../tests/positive_tests.sql | 3 ++ 37 files changed, 686 insertions(+), 23 deletions(-) create mode 100644 scenarios/05-legacy-app-ai-extension/README.md create mode 100644 scenarios/05-legacy-app-ai-extension/evidence/expected-results.md create mode 100644 scenarios/05-legacy-app-ai-extension/metadata.yaml create mode 100644 scenarios/05-legacy-app-ai-extension/sql/00_schema.sql create mode 100644 scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql create mode 100644 scenarios/05-legacy-app-ai-extension/sql/02_identities.sql create mode 100644 scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql create mode 100644 scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql create mode 100644 scenarios/05-legacy-app-ai-extension/sql/99_reset.sql create mode 100644 scenarios/05-legacy-app-ai-extension/tests/negative_tests.sql create mode 100644 scenarios/05-legacy-app-ai-extension/tests/positive_tests.sql create mode 100644 scenarios/06-rag-vector-classified-docs/README.md create mode 100644 scenarios/06-rag-vector-classified-docs/evidence/expected-results.md create mode 100644 scenarios/06-rag-vector-classified-docs/metadata.yaml create mode 100644 scenarios/06-rag-vector-classified-docs/sql/00_schema.sql create mode 100644 scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql create mode 100644 scenarios/06-rag-vector-classified-docs/sql/02_identities.sql create mode 100644 scenarios/06-rag-vector-classified-docs/sql/03_data_grants.sql create mode 100644 scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql create mode 100644 scenarios/06-rag-vector-classified-docs/sql/99_reset.sql create mode 100644 scenarios/06-rag-vector-classified-docs/tests/negative_tests.sql create mode 100644 scenarios/06-rag-vector-classified-docs/tests/positive_tests.sql create mode 100644 scenarios/07-audit-evidence-data-safe/README.md create mode 100644 scenarios/07-audit-evidence-data-safe/evidence/expected-results.md create mode 100644 scenarios/07-audit-evidence-data-safe/metadata.yaml create mode 100644 scenarios/07-audit-evidence-data-safe/sql/00_schema.sql create mode 100644 scenarios/07-audit-evidence-data-safe/sql/01_seed_data.sql create mode 100644 scenarios/07-audit-evidence-data-safe/sql/02_identities.sql create mode 100644 scenarios/07-audit-evidence-data-safe/sql/03_data_grants.sql create mode 100644 scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql create mode 100644 scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql create mode 100644 scenarios/07-audit-evidence-data-safe/sql/99_reset.sql create mode 100644 scenarios/07-audit-evidence-data-safe/tests/negative_tests.sql create mode 100644 scenarios/07-audit-evidence-data-safe/tests/positive_tests.sql diff --git a/README.md b/README.md index e37c8b6..e79ada0 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,9 @@ apps/ Espaço para app Spring Boot, agente AI e simulador BI | 02 | Shared App Account | Demonstrar controle por usuário final mesmo com uma conta técnica de aplicação. | | 03 | PII Row/Column/Cell | Demonstrar controle por linha, coluna e célula para dados pessoais e salário. | | 04 | View Bypass / MAC | Demonstrar Mandatory Access Control com `USE DATA GRANTS ONLY`. | +| 05 | Legacy App AI Extension | Demonstrar modernizacao com agente AI sem reescrever a autorizacao da aplicacao legada. | +| 06 | RAG Vector Classified Docs | Demonstrar RAG/vector search retornando apenas chunks autorizados por classificacao. | +| 07 | Audit Evidence With Data Safe | Demonstrar evidencias de acesso com Unified Audit e roteiro de validacao no OCI Data Safe. | ## Pré-Requisitos diff --git a/docs/demo-guide-executive.md b/docs/demo-guide-executive.md index 2970ddc..5b4fd7d 100644 --- a/docs/demo-guide-executive.md +++ b/docs/demo-guide-executive.md @@ -1,28 +1,33 @@ # Guia De Demo Executiva -## Duração +## Duracao 30 a 45 minutos. ## Mensagem Principal -Deep Data Security protege o dado na origem. Mesmo que um agente AI, aplicação vibe-coded, BI ou SQL dinâmico tente consultar mais do que deveria, o banco aplica autorização por usuário final, role e contexto. +Deep Data Security protege o dado na origem. Mesmo que um agente AI, aplicacao vibe-coded, BI ou SQL dinamico tente consultar mais do que deveria, o banco aplica autorizacao por usuario final, role e contexto. ## Roteiro -1. Mostre o problema: uma aplicação ou agente usa uma conexão poderosa. -2. Execute uma pergunta perigosa: "liste todos os salários e documentos". -3. Mostre o resultado com excesso de dados no baseline, quando aplicável. +1. Mostre o problema: uma aplicacao ou agente usa uma conexao poderosa. +2. Execute uma pergunta perigosa: "liste todos os salarios e documentos". +3. Mostre o resultado com excesso de dados no baseline, quando aplicavel. 4. Ative ou explique os data grants. -5. Execute a mesma consulta como usuário limitado. -6. Mostre que linhas e colunas não autorizadas são filtradas ou mascaradas. -7. Mostre a visão de gerente ou RH com maior privilégio. -8. Feche com evidência de auditoria e governança. +5. Execute a mesma consulta como usuario limitado. +6. Mostre que linhas e colunas nao autorizadas sao filtradas ou mascaradas. +7. Mostre a visao de gerente ou RH com maior privilegio. +8. Feche com evidencia de auditoria e governanca. + +## Trilha Recomendada Para Clientes + +1. `05-legacy-app-ai-extension`: modernizacao segura de legado com AI. +2. `06-rag-vector-classified-docs`: controle de chunks antes de envio ao LLM. +3. `07-audit-evidence-data-safe`: evidencia, auditoria e governanca com Data Safe. ## Frases De Valor -- "A autorização acompanha o usuário, não apenas a aplicação." +- "A autorizacao acompanha o usuario, nao apenas a aplicacao." - "O controle fica no banco, onde o dado reside." -- "Aplicações, agentes e BI passam a respeitar a mesma fronteira de acesso." -- "A política é declarativa, versionável e auditável." - +- "Aplicacoes, agentes e BI passam a respeitar a mesma fronteira de acesso." +- "A politica e declarativa, versionavel e auditavel." diff --git a/docs/scenarios.md b/docs/scenarios.md index 0e98973..77e8773 100644 --- a/docs/scenarios.md +++ b/docs/scenarios.md @@ -1,26 +1,36 @@ -# Catálogo De Cenários +# Catalogo De Cenarios ## 01 - AI Prompt Injection -Mostra um agente AI tentando gerar SQL amplo demais. Deep Data Security limita o retorno ao contexto do usuário final. +Mostra um agente AI tentando gerar SQL amplo demais. Deep Data Security limita o retorno ao contexto do usuario final. ## 02 - Shared App Account -Mostra o problema de uma conta técnica de aplicação usada por vários usuários. O controle relevante passa a ser o end user/contexto, não apenas a conta do pool. +Mostra o problema de uma conta tecnica de aplicacao usada por varios usuarios. O controle relevante passa a ser o end user/contexto, nao apenas a conta do pool. ## 03 - PII Row/Column/Cell -Mostra controle de acesso por linha, coluna e célula. Funcionário vê seu registro; gerente vê time com SSN oculto; RH vê atributos sensíveis. +Mostra controle de acesso por linha, coluna e celula. Funcionario ve seu registro; gerente ve time com SSN oculto; RH ve atributos sensiveis. ## 04 - View Bypass / MAC -Mostra como uma view pode virar caminho alternativo de acesso e como `USE DATA GRANTS ONLY` força a política da tabela base. +Mostra como uma view pode virar caminho alternativo de acesso e como `USE DATA GRANTS ONLY` forca a politica da tabela base. -## Próximos Cenários Sugeridos +## 05 - Legacy App AI Extension -- RAG/vector search com documentos classificados. -- BI por região, filial e centro de custo. +Mostra uma aplicacao legada ampliada com agente AI sem reescrever toda a autorizacao. O agente acessa o mesmo dataset, mas Deep Data Security limita linhas e colunas pelo contexto do usuario final. + +## 06 - RAG Vector Classified Docs + +Mostra RAG/vector search com documentos classificados. A busca pode tentar recuperar todos os chunks, mas o banco entrega apenas o que a classificacao e a persona autorizam. + +## 07 - Audit Evidence With Data Safe + +Mostra como gerar evidencias com Unified Audit e como posicionar OCI Data Safe para activity auditing, relatorios e validacao de acesso a dados sensiveis. + +## Proximos Cenarios Sugeridos + +- BI por regiao, filial e centro de custo. - Escrita controlada com `UPDATE`, `INSERT` e `DELETE`. - Complemento com Database Vault para bloquear DBA. -- Auditoria com Data Safe ou AVDF. - +- AVDF/SIEM para ambientes on-premises, Exadata ou heterogeneos. diff --git a/scenarios/05-legacy-app-ai-extension/README.md b/scenarios/05-legacy-app-ai-extension/README.md new file mode 100644 index 0000000..efca853 --- /dev/null +++ b/scenarios/05-legacy-app-ai-extension/README.md @@ -0,0 +1,41 @@ +# 05 - Legacy App AI Extension + +## Objetivo + +Demonstrar como uma aplicacao legada pode ser ampliada com um agente AI sem reescrever toda a autorizacao da aplicacao. + +## Risco De Negocio + +Aplicacoes legadas normalmente usam uma conta tecnica, regras de autorizacao espalhadas no codigo e consultas historicas dificeis de revisar. Ao adicionar um agente AI ou copilot sobre o mesmo schema, o risco e expor carteira, margem, risco de cliente, tickets e contratos alem do perfil do usuario final. + +## Personas + +- `joao`: vendedor regional. +- `ana`: gerente comercial Brasil. +- `maria`: atendimento ao cliente. +- `sofia`: juridico. +- `legacy_app`: conta tecnica da aplicacao existente. +- `ai_agent_app`: conta tecnica do novo agente AI. + +## Narrativa Da Demo + +1. A aplicacao legada continua usando sua conta tecnica. +2. Um novo agente AI consulta os mesmos dados para responder perguntas de negocio. +3. O agente tenta consultar clientes de alto risco, contratos e tickets sensiveis. +4. Deep Data Security aplica data grants pelo contexto do usuario final. +5. O banco retorna apenas linhas e colunas autorizadas, sem depender de uma reescrita completa da aplicacao legada. + +## Execucao + +```powershell +powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 05-legacy-app-ai-extension -ConnectString "" +``` + +## Resultado Esperado + +- `joao` ve somente sua carteira e nao ve margem. +- `ana` ve clientes do Brasil e metricas comerciais regionais. +- `maria` ve tickets de atendimento, mas nao ve margem ou clausulas juridicas. +- `sofia` ve contratos e campos juridicos. +- O mesmo SQL amplo retorna resultados diferentes por persona. + diff --git a/scenarios/05-legacy-app-ai-extension/evidence/expected-results.md b/scenarios/05-legacy-app-ai-extension/evidence/expected-results.md new file mode 100644 index 0000000..ef944b4 --- /dev/null +++ b/scenarios/05-legacy-app-ai-extension/evidence/expected-results.md @@ -0,0 +1,8 @@ +# Expected Results + +- `joao` sees only customers where `account_owner = joao`; `margin` and `legal_hold` are not visible. +- `ana` sees Brazil customers and commercial metrics, but not legal hold. +- `maria` sees support-relevant customer and ticket data, but not margin, legal clauses or private notes. +- `sofia` sees legal-hold customers and legal contract clauses. +- The legacy app can keep its technical connectivity while the AI extension is governed by end-user context. + diff --git a/scenarios/05-legacy-app-ai-extension/metadata.yaml b/scenarios/05-legacy-app-ai-extension/metadata.yaml new file mode 100644 index 0000000..3467fc5 --- /dev/null +++ b/scenarios/05-legacy-app-ai-extension/metadata.yaml @@ -0,0 +1,14 @@ +id: "05-legacy-app-ai-extension" +title: "Legacy App AI Extension" +criticality: "critical" +estimated_time_minutes: 30 +audience: + - ciso + - enterprise-architect + - appsec + - dba +products: + - "Oracle Deep Data Security" + - "Oracle AI Database" +reset_supported: true + diff --git a/scenarios/05-legacy-app-ai-extension/sql/00_schema.sql b/scenarios/05-legacy-app-ai-extension/sql/00_schema.sql new file mode 100644 index 0000000..263e897 --- /dev/null +++ b/scenarios/05-legacy-app-ai-extension/sql/00_schema.sql @@ -0,0 +1,32 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +CREATE TABLE dds_legacy_customers ( + customer_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY, + customer_name VARCHAR2(100) NOT NULL, + country VARCHAR2(40) NOT NULL, + region VARCHAR2(30) NOT NULL, + account_owner VARCHAR2(60) NOT NULL, + risk_rating VARCHAR2(20) NOT NULL, + revenue NUMBER(12,2), + margin NUMBER(12,2), + legal_hold VARCHAR2(1) DEFAULT 'N' NOT NULL +); + +CREATE TABLE dds_legacy_contracts ( + contract_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY, + customer_id NUMBER NOT NULL REFERENCES dds_legacy_customers(customer_id), + contract_status VARCHAR2(30) NOT NULL, + renewal_date DATE, + legal_clause VARCHAR2(400), + contract_value NUMBER(12,2) +); + +CREATE TABLE dds_legacy_tickets ( + ticket_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY, + customer_id NUMBER NOT NULL REFERENCES dds_legacy_customers(customer_id), + assigned_group VARCHAR2(40) NOT NULL, + severity VARCHAR2(20) NOT NULL, + summary VARCHAR2(200) NOT NULL, + private_note VARCHAR2(400) +); + diff --git a/scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql b/scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql new file mode 100644 index 0000000..2e90775 --- /dev/null +++ b/scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql @@ -0,0 +1,36 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold) +VALUES ('Banco Aurora', 'Brazil', 'LATAM', 'joao', 'HIGH', 2500000, 620000, 'Y'); + +INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold) +VALUES ('Varejo Sol', 'Brazil', 'LATAM', 'joao', 'MEDIUM', 900000, 150000, 'N'); + +INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold) +VALUES ('Andes Pay', 'Chile', 'LATAM', 'carla', 'HIGH', 1800000, 410000, 'N'); + +INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold) +VALUES ('Northwind Insurance', 'USA', 'NA', 'natalie', 'HIGH', 3300000, 900000, 'Y'); + +INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value) +SELECT customer_id, 'RENEWAL', DATE '2026-10-31', 'Penalty clause under legal review', 2500000 +FROM dds_legacy_customers WHERE customer_name = 'Banco Aurora'; + +INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value) +SELECT customer_id, 'ACTIVE', DATE '2027-03-15', 'Standard commercial clause', 900000 +FROM dds_legacy_customers WHERE customer_name = 'Varejo Sol'; + +INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value) +SELECT customer_id, 'RENEWAL', DATE '2026-08-20', 'Cross-border data clause', 1800000 +FROM dds_legacy_customers WHERE customer_name = 'Andes Pay'; + +INSERT INTO dds_legacy_tickets (customer_id, assigned_group, severity, summary, private_note) +SELECT customer_id, 'SUPPORT', 'HIGH', 'API latency in payment flow', 'Customer reported escalation to board' +FROM dds_legacy_customers WHERE customer_name = 'Banco Aurora'; + +INSERT INTO dds_legacy_tickets (customer_id, assigned_group, severity, summary, private_note) +SELECT customer_id, 'SUPPORT', 'MEDIUM', 'Portal access issue', 'No sensitive escalation' +FROM dds_legacy_customers WHERE customer_name = 'Varejo Sol'; + +COMMIT; + diff --git a/scenarios/05-legacy-app-ai-extension/sql/02_identities.sql b/scenarios/05-legacy-app-ai-extension/sql/02_identities.sql new file mode 100644 index 0000000..94ec91e --- /dev/null +++ b/scenarios/05-legacy-app-ai-extension/sql/02_identities.sql @@ -0,0 +1,22 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +CREATE USER legacy_app IDENTIFIED BY "Welcome1_Legacy!" ACCOUNT UNLOCK; +CREATE USER ai_agent_app IDENTIFIED BY "Welcome1_Agent!" ACCOUNT UNLOCK; +GRANT CREATE SESSION TO legacy_app; +GRANT CREATE SESSION TO ai_agent_app; + +CREATE END USER joao IDENTIFIED BY "Welcome1_DDS!"; +CREATE END USER ana IDENTIFIED BY "Welcome1_DDS!"; +CREATE END USER maria IDENTIFIED BY "Welcome1_DDS!"; +CREATE END USER sofia IDENTIFIED BY "Welcome1_DDS!"; + +CREATE DATA ROLE legacy_sales_rep_role; +CREATE DATA ROLE legacy_brazil_manager_role; +CREATE DATA ROLE legacy_support_role; +CREATE DATA ROLE legacy_legal_role; + +GRANT DATA ROLE legacy_sales_rep_role TO joao; +GRANT DATA ROLE legacy_brazil_manager_role TO ana; +GRANT DATA ROLE legacy_support_role TO maria; +GRANT DATA ROLE legacy_legal_role TO sofia; + diff --git a/scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql b/scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql new file mode 100644 index 0000000..17ba606 --- /dev/null +++ b/scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql @@ -0,0 +1,54 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +CREATE OR REPLACE DATA GRANT legacy_sales_customer_access + AS SELECT (customer_id, customer_name, country, region, account_owner, risk_rating, revenue) + ON dds_legacy_customers + WHERE account_owner = ORA_END_USER_CONTEXT.username + TO legacy_sales_rep_role; + +CREATE OR REPLACE DATA GRANT legacy_manager_customer_access + AS SELECT (ALL COLUMNS EXCEPT legal_hold) + ON dds_legacy_customers + WHERE country = 'Brazil' + TO legacy_brazil_manager_role; + +CREATE OR REPLACE DATA GRANT legacy_support_customer_access + AS SELECT (customer_id, customer_name, country, region, account_owner, risk_rating) + ON dds_legacy_customers + WHERE region = 'LATAM' + TO legacy_support_role; + +CREATE OR REPLACE DATA GRANT legacy_legal_customer_access + AS SELECT + ON dds_legacy_customers + WHERE legal_hold = 'Y' + TO legacy_legal_role; + +CREATE OR REPLACE DATA GRANT legacy_sales_contract_access + AS SELECT (contract_id, customer_id, contract_status, renewal_date, contract_value) + ON dds_legacy_contracts + WHERE customer_id IN ( + SELECT customer_id FROM dds_legacy_customers + WHERE account_owner = ORA_END_USER_CONTEXT.username + ) + TO legacy_sales_rep_role; + +CREATE OR REPLACE DATA GRANT legacy_legal_contract_access + AS SELECT + ON dds_legacy_contracts + WHERE customer_id IN ( + SELECT customer_id FROM dds_legacy_customers + WHERE legal_hold = 'Y' + ) + TO legacy_legal_role; + +CREATE OR REPLACE DATA GRANT legacy_support_ticket_access + AS SELECT (ticket_id, customer_id, assigned_group, severity, summary) + ON dds_legacy_tickets + WHERE assigned_group = 'SUPPORT' + TO legacy_support_role; + +SET USE DATA GRANTS ONLY ON dds_legacy_customers ENABLED; +SET USE DATA GRANTS ONLY ON dds_legacy_contracts ENABLED; +SET USE DATA GRANTS ONLY ON dds_legacy_tickets ENABLED; + diff --git a/scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql b/scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql new file mode 100644 index 0000000..779974d --- /dev/null +++ b/scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql @@ -0,0 +1,18 @@ +SET PAGESIZE 100 +SET LINESIZE 220 + +PROMPT Agent AI question: "List all high-risk customers, margin, legal holds, renewals and support notes." + +SELECT customer_id, customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold +FROM dds_legacy_customers +WHERE risk_rating = 'HIGH' +ORDER BY customer_id; + +SELECT c.contract_id, c.customer_id, c.contract_status, c.renewal_date, c.legal_clause, c.contract_value +FROM dds_legacy_contracts c +ORDER BY c.contract_id; + +SELECT ticket_id, customer_id, assigned_group, severity, summary, private_note +FROM dds_legacy_tickets +ORDER BY ticket_id; + diff --git a/scenarios/05-legacy-app-ai-extension/sql/99_reset.sql b/scenarios/05-legacy-app-ai-extension/sql/99_reset.sql new file mode 100644 index 0000000..4e1803b --- /dev/null +++ b/scenarios/05-legacy-app-ai-extension/sql/99_reset.sql @@ -0,0 +1,47 @@ +BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_legacy_tickets DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_legacy_contracts DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_legacy_customers DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_sales_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_manager_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_support_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_legal_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_sales_contract_access'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_legal_contract_access'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_support_ticket_access'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_legacy_tickets PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_legacy_contracts PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_legacy_customers PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP USER legacy_app CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP USER ai_agent_app CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_sales_rep_role'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_brazil_manager_role'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_support_role'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_legal_role'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP END USER joao'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP END USER ana'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP END USER maria'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP END USER sofia'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ + diff --git a/scenarios/05-legacy-app-ai-extension/tests/negative_tests.sql b/scenarios/05-legacy-app-ai-extension/tests/negative_tests.sql new file mode 100644 index 0000000..851393d --- /dev/null +++ b/scenarios/05-legacy-app-ai-extension/tests/negative_tests.sql @@ -0,0 +1,5 @@ +PROMPT Negative test: broad AI-style queries must not expose all customers, margins, legal clauses or private notes. +SELECT COUNT(*) AS visible_customers FROM dds_legacy_customers; +SELECT COUNT(*) AS visible_contracts FROM dds_legacy_contracts; +SELECT COUNT(*) AS visible_tickets FROM dds_legacy_tickets; + diff --git a/scenarios/05-legacy-app-ai-extension/tests/positive_tests.sql b/scenarios/05-legacy-app-ai-extension/tests/positive_tests.sql new file mode 100644 index 0000000..b7eaf5a --- /dev/null +++ b/scenarios/05-legacy-app-ai-extension/tests/positive_tests.sql @@ -0,0 +1,3 @@ +PROMPT Positive test: each persona receives only the authorized slice from the legacy dataset. +@../sql/04_test_queries.sql + diff --git a/scenarios/06-rag-vector-classified-docs/README.md b/scenarios/06-rag-vector-classified-docs/README.md new file mode 100644 index 0000000..5c1e806 --- /dev/null +++ b/scenarios/06-rag-vector-classified-docs/README.md @@ -0,0 +1,34 @@ +# 06 - RAG Vector Classified Docs + +## Objetivo + +Demonstrar que um agente RAG ou copilot interno so recupera documentos e chunks autorizados para o usuario final antes de enviar contexto ao LLM. + +## Risco De Negocio + +Em RAG, o vazamento muitas vezes acontece antes da resposta do modelo: o mecanismo de busca recupera documentos demais e entrega contexto sensivel ao LLM. Este lab mostra como classificar documentos e aplicar Deep Data Security sobre os chunks recuperaveis. + +## Personas + +- `nina`: colaboradora comum. +- `heitor`: RH. +- `sofia`: juridico. +- `carlos`: executivo. + +## Narrativa Da Demo + +1. O agente recebe a pergunta: "resuma documentos criticos sobre renovacoes, pessoas e riscos legais". +2. A busca por similaridade tenta recuperar todos os chunks. +3. Deep Data Security limita os chunks por classificacao e departamento. +4. O LLM so recebe contexto autorizado. + +## Observacao Sobre Vetores + +O script usa uma coluna `VECTOR(3, FLOAT32)` para manter o lab simples e demonstravel. Em um ambiente real, substitua por embeddings gerados pelo seu modelo e ajuste a metrica de similaridade. + +## Execucao + +```powershell +powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 06-rag-vector-classified-docs -ConnectString "" +``` + diff --git a/scenarios/06-rag-vector-classified-docs/evidence/expected-results.md b/scenarios/06-rag-vector-classified-docs/evidence/expected-results.md new file mode 100644 index 0000000..dd75caa --- /dev/null +++ b/scenarios/06-rag-vector-classified-docs/evidence/expected-results.md @@ -0,0 +1,8 @@ +# Expected Results + +- `nina` retrieves only `PUBLIC` and `INTERNAL` chunks. +- `heitor` retrieves `HR_CONFIDENTIAL` plus public/internal chunks. +- `sofia` retrieves `LEGAL_CONFIDENTIAL` plus public/internal chunks. +- `carlos` retrieves all classifications. +- The RAG layer receives only chunks authorized by the database policy. + diff --git a/scenarios/06-rag-vector-classified-docs/metadata.yaml b/scenarios/06-rag-vector-classified-docs/metadata.yaml new file mode 100644 index 0000000..97baa5f --- /dev/null +++ b/scenarios/06-rag-vector-classified-docs/metadata.yaml @@ -0,0 +1,15 @@ +id: "06-rag-vector-classified-docs" +title: "RAG Vector Classified Docs" +criticality: "critical" +estimated_time_minutes: 30 +audience: + - ciso + - ai-governance + - appsec + - data-platform +products: + - "Oracle Deep Data Security" + - "Oracle AI Vector Search" + - "Oracle AI Database" +reset_supported: true + diff --git a/scenarios/06-rag-vector-classified-docs/sql/00_schema.sql b/scenarios/06-rag-vector-classified-docs/sql/00_schema.sql new file mode 100644 index 0000000..fe3b226 --- /dev/null +++ b/scenarios/06-rag-vector-classified-docs/sql/00_schema.sql @@ -0,0 +1,11 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +CREATE TABLE dds_rag_chunks ( + chunk_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY, + document_title VARCHAR2(160) NOT NULL, + department VARCHAR2(40) NOT NULL, + classification VARCHAR2(30) NOT NULL, + chunk_text VARCHAR2(1000) NOT NULL, + embedding VECTOR(3, FLOAT32) +); + diff --git a/scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql b/scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql new file mode 100644 index 0000000..5008c46 --- /dev/null +++ b/scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql @@ -0,0 +1,19 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding) +VALUES ('Benefits Policy', 'HR', 'INTERNAL', 'General benefits policy available to employees.', TO_VECTOR('[0.10,0.20,0.30]')); + +INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding) +VALUES ('Executive Compensation Plan', 'HR', 'HR_CONFIDENTIAL', 'Compensation calibration for executives and retention risks.', TO_VECTOR('[0.11,0.21,0.31]')); + +INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding) +VALUES ('Contract Renewal Risk', 'LEGAL', 'LEGAL_CONFIDENTIAL', 'Legal risk on renewal clauses for strategic accounts.', TO_VECTOR('[0.80,0.10,0.20]')); + +INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding) +VALUES ('Company Travel Guide', 'GENERAL', 'PUBLIC', 'Public travel and expense guidance for all employees.', TO_VECTOR('[0.20,0.70,0.10]')); + +INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding) +VALUES ('Board M&A Briefing', 'EXEC', 'EXECUTIVE_CONFIDENTIAL', 'Potential acquisition targets and board-level financial exposure.', TO_VECTOR('[0.90,0.20,0.40]')); + +COMMIT; + diff --git a/scenarios/06-rag-vector-classified-docs/sql/02_identities.sql b/scenarios/06-rag-vector-classified-docs/sql/02_identities.sql new file mode 100644 index 0000000..8fa5388 --- /dev/null +++ b/scenarios/06-rag-vector-classified-docs/sql/02_identities.sql @@ -0,0 +1,17 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +CREATE END USER nina IDENTIFIED BY "Welcome1_DDS!"; +CREATE END USER heitor IDENTIFIED BY "Welcome1_DDS!"; +CREATE END USER sofia IDENTIFIED BY "Welcome1_DDS!"; +CREATE END USER carlos IDENTIFIED BY "Welcome1_DDS!"; + +CREATE DATA ROLE rag_employee_role; +CREATE DATA ROLE rag_hr_role; +CREATE DATA ROLE rag_legal_role; +CREATE DATA ROLE rag_exec_role; + +GRANT DATA ROLE rag_employee_role TO nina; +GRANT DATA ROLE rag_hr_role TO heitor; +GRANT DATA ROLE rag_legal_role TO sofia; +GRANT DATA ROLE rag_exec_role TO carlos; + diff --git a/scenarios/06-rag-vector-classified-docs/sql/03_data_grants.sql b/scenarios/06-rag-vector-classified-docs/sql/03_data_grants.sql new file mode 100644 index 0000000..39a16d5 --- /dev/null +++ b/scenarios/06-rag-vector-classified-docs/sql/03_data_grants.sql @@ -0,0 +1,27 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +CREATE OR REPLACE DATA GRANT rag_public_internal_docs + AS SELECT (chunk_id, document_title, department, classification, chunk_text, embedding) + ON dds_rag_chunks + WHERE classification IN ('PUBLIC', 'INTERNAL') + TO rag_employee_role; + +CREATE OR REPLACE DATA GRANT rag_hr_docs + AS SELECT + ON dds_rag_chunks + WHERE classification IN ('PUBLIC', 'INTERNAL', 'HR_CONFIDENTIAL') + TO rag_hr_role; + +CREATE OR REPLACE DATA GRANT rag_legal_docs + AS SELECT + ON dds_rag_chunks + WHERE classification IN ('PUBLIC', 'INTERNAL', 'LEGAL_CONFIDENTIAL') + TO rag_legal_role; + +CREATE OR REPLACE DATA GRANT rag_exec_docs + AS SELECT + ON dds_rag_chunks + TO rag_exec_role; + +SET USE DATA GRANTS ONLY ON dds_rag_chunks ENABLED; + diff --git a/scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql b/scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql new file mode 100644 index 0000000..ea23a01 --- /dev/null +++ b/scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql @@ -0,0 +1,15 @@ +SET PAGESIZE 100 +SET LINESIZE 220 + +PROMPT RAG retrieval simulation: retrieve chunks closest to the question embedding. + +SELECT chunk_id, + document_title, + department, + classification, + chunk_text, + VECTOR_DISTANCE(embedding, TO_VECTOR('[0.85,0.15,0.25]'), COSINE) AS distance +FROM dds_rag_chunks +ORDER BY distance +FETCH FIRST 5 ROWS ONLY; + diff --git a/scenarios/06-rag-vector-classified-docs/sql/99_reset.sql b/scenarios/06-rag-vector-classified-docs/sql/99_reset.sql new file mode 100644 index 0000000..32cc9b5 --- /dev/null +++ b/scenarios/06-rag-vector-classified-docs/sql/99_reset.sql @@ -0,0 +1,29 @@ +BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_rag_chunks DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_public_internal_docs'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_hr_docs'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_legal_docs'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_exec_docs'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_rag_chunks PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_employee_role'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_hr_role'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_legal_role'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_exec_role'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP END USER nina'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP END USER heitor'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP END USER sofia'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP END USER carlos'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ + diff --git a/scenarios/06-rag-vector-classified-docs/tests/negative_tests.sql b/scenarios/06-rag-vector-classified-docs/tests/negative_tests.sql new file mode 100644 index 0000000..21acf7f --- /dev/null +++ b/scenarios/06-rag-vector-classified-docs/tests/negative_tests.sql @@ -0,0 +1,6 @@ +PROMPT Negative test: common employee must not retrieve HR, LEGAL or EXEC confidential chunks. +SELECT classification, COUNT(*) AS visible_chunks +FROM dds_rag_chunks +GROUP BY classification +ORDER BY classification; + diff --git a/scenarios/06-rag-vector-classified-docs/tests/positive_tests.sql b/scenarios/06-rag-vector-classified-docs/tests/positive_tests.sql new file mode 100644 index 0000000..d01b3d8 --- /dev/null +++ b/scenarios/06-rag-vector-classified-docs/tests/positive_tests.sql @@ -0,0 +1,3 @@ +PROMPT Positive test: authorized RAG users retrieve only allowed classified chunks. +@../sql/04_test_queries.sql + diff --git a/scenarios/07-audit-evidence-data-safe/README.md b/scenarios/07-audit-evidence-data-safe/README.md new file mode 100644 index 0000000..23a29e2 --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/README.md @@ -0,0 +1,37 @@ +# 07 - Audit Evidence With Data Safe + +## Objetivo + +Demonstrar como transformar os acessos e tentativas de acesso a dados sensiveis em evidencias para auditoria usando Unified Audit e OCI Data Safe. + +## Risco De Negocio + +Controles preventivos reduzem exposicao, mas clientes tambem precisam provar quem acessou dados sensiveis, quando, por qual caminho e se houve mudanca de politica. Data Safe ajuda a centralizar assessment, discovery, activity auditing e relatorios para ambientes Oracle suportados. + +## Narrativa Da Demo + +1. Criar uma tabela sensivel de pagamentos. +2. Habilitar politicas de auditoria para SELECT, DDL e alteracoes de usuarios/roles. +3. Gerar acessos permitidos e tentativas indevidas. +4. Consultar evidencias no Unified Audit. +5. Mostrar, no Data Safe, como habilitar o target, activity auditing e relatorios. + +## Execucao SQL + +```powershell +powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 07-audit-evidence-data-safe -ConnectString "" +``` + +## Execucao No Data Safe + +1. Registrar o banco como target no OCI Data Safe. +2. Habilitar Activity Auditing para o target. +3. Confirmar coleta de Unified Audit. +4. Executar os scripts do lab. +5. Validar eventos de acesso a `DDS_AUDIT_PAYMENTS`. +6. Gerar relatorio ou screenshot para evidencia. + +## Resultado Esperado + +O cliente ve a trilha de auditoria no banco e entende como Data Safe pode transformar essa trilha em monitoramento, relatorios e evidencias recorrentes. + diff --git a/scenarios/07-audit-evidence-data-safe/evidence/expected-results.md b/scenarios/07-audit-evidence-data-safe/evidence/expected-results.md new file mode 100644 index 0000000..d25588b --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/evidence/expected-results.md @@ -0,0 +1,8 @@ +# Expected Results + +- `auditor` can see all payment data for audit review. +- `payment_operator` sees Brazil payment operational fields and not `card_token`. +- `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`. +- OCI Data Safe Activity Auditing can be used to collect and report the same class of activity for the registered target. +- Evidence package should include SQL output, Data Safe target screen, activity report and policy configuration screenshot. + diff --git a/scenarios/07-audit-evidence-data-safe/metadata.yaml b/scenarios/07-audit-evidence-data-safe/metadata.yaml new file mode 100644 index 0000000..fbf9496 --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/metadata.yaml @@ -0,0 +1,15 @@ +id: "07-audit-evidence-data-safe" +title: "Audit Evidence With Data Safe" +criticality: "high" +estimated_time_minutes: 25 +audience: + - ciso + - compliance + - dba + - soc +products: + - "Oracle Data Safe" + - "Oracle Unified Audit" + - "Oracle Deep Data Security" +reset_supported: true + diff --git a/scenarios/07-audit-evidence-data-safe/sql/00_schema.sql b/scenarios/07-audit-evidence-data-safe/sql/00_schema.sql new file mode 100644 index 0000000..388bf33 --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/sql/00_schema.sql @@ -0,0 +1,11 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +CREATE TABLE dds_audit_payments ( + payment_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY, + customer_name VARCHAR2(100) NOT NULL, + country VARCHAR2(40) NOT NULL, + payment_amount NUMBER(12,2) NOT NULL, + card_token VARCHAR2(80), + risk_flag VARCHAR2(20) NOT NULL +); + diff --git a/scenarios/07-audit-evidence-data-safe/sql/01_seed_data.sql b/scenarios/07-audit-evidence-data-safe/sql/01_seed_data.sql new file mode 100644 index 0000000..82d7a69 --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/sql/01_seed_data.sql @@ -0,0 +1,13 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +INSERT INTO dds_audit_payments (customer_name, country, payment_amount, card_token, risk_flag) +VALUES ('Acme Brasil', 'Brazil', 15000, 'tok_live_001', 'HIGH'); + +INSERT INTO dds_audit_payments (customer_name, country, payment_amount, card_token, risk_flag) +VALUES ('Varejo Sol', 'Brazil', 3500, 'tok_live_002', 'LOW'); + +INSERT INTO dds_audit_payments (customer_name, country, payment_amount, card_token, risk_flag) +VALUES ('Northwind US', 'USA', 48000, 'tok_live_003', 'HIGH'); + +COMMIT; + diff --git a/scenarios/07-audit-evidence-data-safe/sql/02_identities.sql b/scenarios/07-audit-evidence-data-safe/sql/02_identities.sql new file mode 100644 index 0000000..47ef9a5 --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/sql/02_identities.sql @@ -0,0 +1,14 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +CREATE USER dds_audit_analyst IDENTIFIED BY "Welcome1_Audit!" ACCOUNT UNLOCK; +GRANT CREATE SESSION TO dds_audit_analyst; + +CREATE END USER auditor IDENTIFIED BY "Welcome1_DDS!"; +CREATE END USER payment_operator IDENTIFIED BY "Welcome1_DDS!"; + +CREATE DATA ROLE audit_read_role; +CREATE DATA ROLE payment_operator_role; + +GRANT DATA ROLE audit_read_role TO auditor; +GRANT DATA ROLE payment_operator_role TO payment_operator; + diff --git a/scenarios/07-audit-evidence-data-safe/sql/03_data_grants.sql b/scenarios/07-audit-evidence-data-safe/sql/03_data_grants.sql new file mode 100644 index 0000000..0c6ace6 --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/sql/03_data_grants.sql @@ -0,0 +1,15 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +CREATE OR REPLACE DATA GRANT audit_payments_read_all + AS SELECT + ON dds_audit_payments + TO audit_read_role; + +CREATE OR REPLACE DATA GRANT audit_payments_operator + AS SELECT (payment_id, customer_name, country, payment_amount, risk_flag) + ON dds_audit_payments + WHERE country = 'Brazil' + TO payment_operator_role; + +SET USE DATA GRANTS ONLY ON dds_audit_payments ENABLED; + diff --git a/scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql b/scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql new file mode 100644 index 0000000..411a239 --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql @@ -0,0 +1,11 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +CREATE AUDIT POLICY dds_payments_select_policy + ACTIONS SELECT ON dds_audit_payments; + +CREATE AUDIT POLICY dds_security_admin_policy + ACTIONS CREATE USER, ALTER USER, DROP USER, CREATE ROLE, DROP ROLE, GRANT, REVOKE; + +AUDIT POLICY dds_payments_select_policy; +AUDIT POLICY dds_security_admin_policy; + diff --git a/scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql b/scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql new file mode 100644 index 0000000..d965dfe --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql @@ -0,0 +1,22 @@ +SET PAGESIZE 100 +SET LINESIZE 220 + +PROMPT Generate auditable activity. + +SELECT payment_id, customer_name, country, payment_amount, card_token, risk_flag +FROM dds_audit_payments +ORDER BY payment_id; + +PROMPT Review local audit trail. Data Safe should collect equivalent activity after target auditing is enabled. + +SELECT event_timestamp, + dbusername, + action_name, + object_schema, + object_name, + unified_audit_policies +FROM unified_audit_trail +WHERE object_name = 'DDS_AUDIT_PAYMENTS' +ORDER BY event_timestamp DESC +FETCH FIRST 20 ROWS ONLY; + diff --git a/scenarios/07-audit-evidence-data-safe/sql/99_reset.sql b/scenarios/07-audit-evidence-data-safe/sql/99_reset.sql new file mode 100644 index 0000000..6e25fcc --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/sql/99_reset.sql @@ -0,0 +1,27 @@ +BEGIN EXECUTE IMMEDIATE 'NOAUDIT POLICY dds_payments_select_policy'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'NOAUDIT POLICY dds_security_admin_policy'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP AUDIT POLICY dds_payments_select_policy'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP AUDIT POLICY dds_security_admin_policy'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_audit_payments DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_read_all'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_operator'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_audit_payments PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP USER dds_audit_analyst CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE audit_read_role'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE payment_operator_role'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP END USER auditor'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP END USER payment_operator'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ + diff --git a/scenarios/07-audit-evidence-data-safe/tests/negative_tests.sql b/scenarios/07-audit-evidence-data-safe/tests/negative_tests.sql new file mode 100644 index 0000000..2019d71 --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/tests/negative_tests.sql @@ -0,0 +1,5 @@ +PROMPT Negative test: payment operator must not see card_token for Brazil-only payment view. +SELECT payment_id, customer_name, country, payment_amount, card_token, risk_flag +FROM dds_audit_payments +ORDER BY payment_id; + diff --git a/scenarios/07-audit-evidence-data-safe/tests/positive_tests.sql b/scenarios/07-audit-evidence-data-safe/tests/positive_tests.sql new file mode 100644 index 0000000..dc72755 --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/tests/positive_tests.sql @@ -0,0 +1,3 @@ +PROMPT Positive test: accesses to sensitive payment table generate unified audit events. +@../sql/05_generate_activity.sql +