Add legacy AI, RAG vector and Data Safe audit scenarios
Some checks failed
Repo Quality / structure (push) Has been cancelled

This commit is contained in:
Rodrigo Pace
2026-05-08 12:21:47 -03:00
parent 5cd8752a90
commit 703e072682
37 changed files with 686 additions and 23 deletions

View File

@@ -0,0 +1,41 @@
# 05 - Legacy App AI Extension
## Objetivo
Demonstrar como uma aplicacao legada pode ser ampliada com um agente AI sem reescrever toda a autorizacao da aplicacao.
## Risco De Negocio
Aplicacoes legadas normalmente usam uma conta tecnica, regras de autorizacao espalhadas no codigo e consultas historicas dificeis de revisar. Ao adicionar um agente AI ou copilot sobre o mesmo schema, o risco e expor carteira, margem, risco de cliente, tickets e contratos alem do perfil do usuario final.
## Personas
- `joao`: vendedor regional.
- `ana`: gerente comercial Brasil.
- `maria`: atendimento ao cliente.
- `sofia`: juridico.
- `legacy_app`: conta tecnica da aplicacao existente.
- `ai_agent_app`: conta tecnica do novo agente AI.
## Narrativa Da Demo
1. A aplicacao legada continua usando sua conta tecnica.
2. Um novo agente AI consulta os mesmos dados para responder perguntas de negocio.
3. O agente tenta consultar clientes de alto risco, contratos e tickets sensiveis.
4. Deep Data Security aplica data grants pelo contexto do usuario final.
5. O banco retorna apenas linhas e colunas autorizadas, sem depender de uma reescrita completa da aplicacao legada.
## Execucao
```powershell
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 05-legacy-app-ai-extension -ConnectString "<connect_string>"
```
## Resultado Esperado
- `joao` ve somente sua carteira e nao ve margem.
- `ana` ve clientes do Brasil e metricas comerciais regionais.
- `maria` ve tickets de atendimento, mas nao ve margem ou clausulas juridicas.
- `sofia` ve contratos e campos juridicos.
- O mesmo SQL amplo retorna resultados diferentes por persona.

View File

@@ -0,0 +1,8 @@
# Expected Results
- `joao` sees only customers where `account_owner = joao`; `margin` and `legal_hold` are not visible.
- `ana` sees Brazil customers and commercial metrics, but not legal hold.
- `maria` sees support-relevant customer and ticket data, but not margin, legal clauses or private notes.
- `sofia` sees legal-hold customers and legal contract clauses.
- The legacy app can keep its technical connectivity while the AI extension is governed by end-user context.

View File

@@ -0,0 +1,14 @@
id: "05-legacy-app-ai-extension"
title: "Legacy App AI Extension"
criticality: "critical"
estimated_time_minutes: 30
audience:
- ciso
- enterprise-architect
- appsec
- dba
products:
- "Oracle Deep Data Security"
- "Oracle AI Database"
reset_supported: true

View File

@@ -0,0 +1,32 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE TABLE dds_legacy_customers (
customer_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
customer_name VARCHAR2(100) NOT NULL,
country VARCHAR2(40) NOT NULL,
region VARCHAR2(30) NOT NULL,
account_owner VARCHAR2(60) NOT NULL,
risk_rating VARCHAR2(20) NOT NULL,
revenue NUMBER(12,2),
margin NUMBER(12,2),
legal_hold VARCHAR2(1) DEFAULT 'N' NOT NULL
);
CREATE TABLE dds_legacy_contracts (
contract_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
customer_id NUMBER NOT NULL REFERENCES dds_legacy_customers(customer_id),
contract_status VARCHAR2(30) NOT NULL,
renewal_date DATE,
legal_clause VARCHAR2(400),
contract_value NUMBER(12,2)
);
CREATE TABLE dds_legacy_tickets (
ticket_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
customer_id NUMBER NOT NULL REFERENCES dds_legacy_customers(customer_id),
assigned_group VARCHAR2(40) NOT NULL,
severity VARCHAR2(20) NOT NULL,
summary VARCHAR2(200) NOT NULL,
private_note VARCHAR2(400)
);

View File

@@ -0,0 +1,36 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold)
VALUES ('Banco Aurora', 'Brazil', 'LATAM', 'joao', 'HIGH', 2500000, 620000, 'Y');
INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold)
VALUES ('Varejo Sol', 'Brazil', 'LATAM', 'joao', 'MEDIUM', 900000, 150000, 'N');
INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold)
VALUES ('Andes Pay', 'Chile', 'LATAM', 'carla', 'HIGH', 1800000, 410000, 'N');
INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold)
VALUES ('Northwind Insurance', 'USA', 'NA', 'natalie', 'HIGH', 3300000, 900000, 'Y');
INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value)
SELECT customer_id, 'RENEWAL', DATE '2026-10-31', 'Penalty clause under legal review', 2500000
FROM dds_legacy_customers WHERE customer_name = 'Banco Aurora';
INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value)
SELECT customer_id, 'ACTIVE', DATE '2027-03-15', 'Standard commercial clause', 900000
FROM dds_legacy_customers WHERE customer_name = 'Varejo Sol';
INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value)
SELECT customer_id, 'RENEWAL', DATE '2026-08-20', 'Cross-border data clause', 1800000
FROM dds_legacy_customers WHERE customer_name = 'Andes Pay';
INSERT INTO dds_legacy_tickets (customer_id, assigned_group, severity, summary, private_note)
SELECT customer_id, 'SUPPORT', 'HIGH', 'API latency in payment flow', 'Customer reported escalation to board'
FROM dds_legacy_customers WHERE customer_name = 'Banco Aurora';
INSERT INTO dds_legacy_tickets (customer_id, assigned_group, severity, summary, private_note)
SELECT customer_id, 'SUPPORT', 'MEDIUM', 'Portal access issue', 'No sensitive escalation'
FROM dds_legacy_customers WHERE customer_name = 'Varejo Sol';
COMMIT;

View File

@@ -0,0 +1,22 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE USER legacy_app IDENTIFIED BY "Welcome1_Legacy!" ACCOUNT UNLOCK;
CREATE USER ai_agent_app IDENTIFIED BY "Welcome1_Agent!" ACCOUNT UNLOCK;
GRANT CREATE SESSION TO legacy_app;
GRANT CREATE SESSION TO ai_agent_app;
CREATE END USER joao IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER ana IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER maria IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER sofia IDENTIFIED BY "Welcome1_DDS!";
CREATE DATA ROLE legacy_sales_rep_role;
CREATE DATA ROLE legacy_brazil_manager_role;
CREATE DATA ROLE legacy_support_role;
CREATE DATA ROLE legacy_legal_role;
GRANT DATA ROLE legacy_sales_rep_role TO joao;
GRANT DATA ROLE legacy_brazil_manager_role TO ana;
GRANT DATA ROLE legacy_support_role TO maria;
GRANT DATA ROLE legacy_legal_role TO sofia;

View File

@@ -0,0 +1,54 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE OR REPLACE DATA GRANT legacy_sales_customer_access
AS SELECT (customer_id, customer_name, country, region, account_owner, risk_rating, revenue)
ON dds_legacy_customers
WHERE account_owner = ORA_END_USER_CONTEXT.username
TO legacy_sales_rep_role;
CREATE OR REPLACE DATA GRANT legacy_manager_customer_access
AS SELECT (ALL COLUMNS EXCEPT legal_hold)
ON dds_legacy_customers
WHERE country = 'Brazil'
TO legacy_brazil_manager_role;
CREATE OR REPLACE DATA GRANT legacy_support_customer_access
AS SELECT (customer_id, customer_name, country, region, account_owner, risk_rating)
ON dds_legacy_customers
WHERE region = 'LATAM'
TO legacy_support_role;
CREATE OR REPLACE DATA GRANT legacy_legal_customer_access
AS SELECT
ON dds_legacy_customers
WHERE legal_hold = 'Y'
TO legacy_legal_role;
CREATE OR REPLACE DATA GRANT legacy_sales_contract_access
AS SELECT (contract_id, customer_id, contract_status, renewal_date, contract_value)
ON dds_legacy_contracts
WHERE customer_id IN (
SELECT customer_id FROM dds_legacy_customers
WHERE account_owner = ORA_END_USER_CONTEXT.username
)
TO legacy_sales_rep_role;
CREATE OR REPLACE DATA GRANT legacy_legal_contract_access
AS SELECT
ON dds_legacy_contracts
WHERE customer_id IN (
SELECT customer_id FROM dds_legacy_customers
WHERE legal_hold = 'Y'
)
TO legacy_legal_role;
CREATE OR REPLACE DATA GRANT legacy_support_ticket_access
AS SELECT (ticket_id, customer_id, assigned_group, severity, summary)
ON dds_legacy_tickets
WHERE assigned_group = 'SUPPORT'
TO legacy_support_role;
SET USE DATA GRANTS ONLY ON dds_legacy_customers ENABLED;
SET USE DATA GRANTS ONLY ON dds_legacy_contracts ENABLED;
SET USE DATA GRANTS ONLY ON dds_legacy_tickets ENABLED;

View File

@@ -0,0 +1,18 @@
SET PAGESIZE 100
SET LINESIZE 220
PROMPT Agent AI question: "List all high-risk customers, margin, legal holds, renewals and support notes."
SELECT customer_id, customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold
FROM dds_legacy_customers
WHERE risk_rating = 'HIGH'
ORDER BY customer_id;
SELECT c.contract_id, c.customer_id, c.contract_status, c.renewal_date, c.legal_clause, c.contract_value
FROM dds_legacy_contracts c
ORDER BY c.contract_id;
SELECT ticket_id, customer_id, assigned_group, severity, summary, private_note
FROM dds_legacy_tickets
ORDER BY ticket_id;

View File

@@ -0,0 +1,47 @@
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_legacy_tickets DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_legacy_contracts DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_legacy_customers DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_sales_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_manager_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_support_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_legal_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_sales_contract_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_legal_contract_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_support_ticket_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_legacy_tickets PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_legacy_contracts PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_legacy_customers PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP USER legacy_app CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP USER ai_agent_app CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_sales_rep_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_brazil_manager_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_support_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_legal_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER joao'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER ana'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER maria'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER sofia'; EXCEPTION WHEN OTHERS THEN NULL; END;
/

View File

@@ -0,0 +1,5 @@
PROMPT Negative test: broad AI-style queries must not expose all customers, margins, legal clauses or private notes.
SELECT COUNT(*) AS visible_customers FROM dds_legacy_customers;
SELECT COUNT(*) AS visible_contracts FROM dds_legacy_contracts;
SELECT COUNT(*) AS visible_tickets FROM dds_legacy_tickets;

View File

@@ -0,0 +1,3 @@
PROMPT Positive test: each persona receives only the authorized slice from the legacy dataset.
@../sql/04_test_queries.sql

View File

@@ -0,0 +1,34 @@
# 06 - RAG Vector Classified Docs
## Objetivo
Demonstrar que um agente RAG ou copilot interno so recupera documentos e chunks autorizados para o usuario final antes de enviar contexto ao LLM.
## Risco De Negocio
Em RAG, o vazamento muitas vezes acontece antes da resposta do modelo: o mecanismo de busca recupera documentos demais e entrega contexto sensivel ao LLM. Este lab mostra como classificar documentos e aplicar Deep Data Security sobre os chunks recuperaveis.
## Personas
- `nina`: colaboradora comum.
- `heitor`: RH.
- `sofia`: juridico.
- `carlos`: executivo.
## Narrativa Da Demo
1. O agente recebe a pergunta: "resuma documentos criticos sobre renovacoes, pessoas e riscos legais".
2. A busca por similaridade tenta recuperar todos os chunks.
3. Deep Data Security limita os chunks por classificacao e departamento.
4. O LLM so recebe contexto autorizado.
## Observacao Sobre Vetores
O script usa uma coluna `VECTOR(3, FLOAT32)` para manter o lab simples e demonstravel. Em um ambiente real, substitua por embeddings gerados pelo seu modelo e ajuste a metrica de similaridade.
## Execucao
```powershell
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 06-rag-vector-classified-docs -ConnectString "<connect_string>"
```

View File

@@ -0,0 +1,8 @@
# Expected Results
- `nina` retrieves only `PUBLIC` and `INTERNAL` chunks.
- `heitor` retrieves `HR_CONFIDENTIAL` plus public/internal chunks.
- `sofia` retrieves `LEGAL_CONFIDENTIAL` plus public/internal chunks.
- `carlos` retrieves all classifications.
- The RAG layer receives only chunks authorized by the database policy.

View File

@@ -0,0 +1,15 @@
id: "06-rag-vector-classified-docs"
title: "RAG Vector Classified Docs"
criticality: "critical"
estimated_time_minutes: 30
audience:
- ciso
- ai-governance
- appsec
- data-platform
products:
- "Oracle Deep Data Security"
- "Oracle AI Vector Search"
- "Oracle AI Database"
reset_supported: true

View File

@@ -0,0 +1,11 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE TABLE dds_rag_chunks (
chunk_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
document_title VARCHAR2(160) NOT NULL,
department VARCHAR2(40) NOT NULL,
classification VARCHAR2(30) NOT NULL,
chunk_text VARCHAR2(1000) NOT NULL,
embedding VECTOR(3, FLOAT32)
);

View File

@@ -0,0 +1,19 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding)
VALUES ('Benefits Policy', 'HR', 'INTERNAL', 'General benefits policy available to employees.', TO_VECTOR('[0.10,0.20,0.30]'));
INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding)
VALUES ('Executive Compensation Plan', 'HR', 'HR_CONFIDENTIAL', 'Compensation calibration for executives and retention risks.', TO_VECTOR('[0.11,0.21,0.31]'));
INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding)
VALUES ('Contract Renewal Risk', 'LEGAL', 'LEGAL_CONFIDENTIAL', 'Legal risk on renewal clauses for strategic accounts.', TO_VECTOR('[0.80,0.10,0.20]'));
INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding)
VALUES ('Company Travel Guide', 'GENERAL', 'PUBLIC', 'Public travel and expense guidance for all employees.', TO_VECTOR('[0.20,0.70,0.10]'));
INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding)
VALUES ('Board M&A Briefing', 'EXEC', 'EXECUTIVE_CONFIDENTIAL', 'Potential acquisition targets and board-level financial exposure.', TO_VECTOR('[0.90,0.20,0.40]'));
COMMIT;

View File

@@ -0,0 +1,17 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE END USER nina IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER heitor IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER sofia IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER carlos IDENTIFIED BY "Welcome1_DDS!";
CREATE DATA ROLE rag_employee_role;
CREATE DATA ROLE rag_hr_role;
CREATE DATA ROLE rag_legal_role;
CREATE DATA ROLE rag_exec_role;
GRANT DATA ROLE rag_employee_role TO nina;
GRANT DATA ROLE rag_hr_role TO heitor;
GRANT DATA ROLE rag_legal_role TO sofia;
GRANT DATA ROLE rag_exec_role TO carlos;

View File

@@ -0,0 +1,27 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE OR REPLACE DATA GRANT rag_public_internal_docs
AS SELECT (chunk_id, document_title, department, classification, chunk_text, embedding)
ON dds_rag_chunks
WHERE classification IN ('PUBLIC', 'INTERNAL')
TO rag_employee_role;
CREATE OR REPLACE DATA GRANT rag_hr_docs
AS SELECT
ON dds_rag_chunks
WHERE classification IN ('PUBLIC', 'INTERNAL', 'HR_CONFIDENTIAL')
TO rag_hr_role;
CREATE OR REPLACE DATA GRANT rag_legal_docs
AS SELECT
ON dds_rag_chunks
WHERE classification IN ('PUBLIC', 'INTERNAL', 'LEGAL_CONFIDENTIAL')
TO rag_legal_role;
CREATE OR REPLACE DATA GRANT rag_exec_docs
AS SELECT
ON dds_rag_chunks
TO rag_exec_role;
SET USE DATA GRANTS ONLY ON dds_rag_chunks ENABLED;

View File

@@ -0,0 +1,15 @@
SET PAGESIZE 100
SET LINESIZE 220
PROMPT RAG retrieval simulation: retrieve chunks closest to the question embedding.
SELECT chunk_id,
document_title,
department,
classification,
chunk_text,
VECTOR_DISTANCE(embedding, TO_VECTOR('[0.85,0.15,0.25]'), COSINE) AS distance
FROM dds_rag_chunks
ORDER BY distance
FETCH FIRST 5 ROWS ONLY;

View File

@@ -0,0 +1,29 @@
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_rag_chunks DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_public_internal_docs'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_hr_docs'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_legal_docs'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_exec_docs'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_rag_chunks PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_employee_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_hr_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_legal_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_exec_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER nina'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER heitor'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER sofia'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER carlos'; EXCEPTION WHEN OTHERS THEN NULL; END;
/

View File

@@ -0,0 +1,6 @@
PROMPT Negative test: common employee must not retrieve HR, LEGAL or EXEC confidential chunks.
SELECT classification, COUNT(*) AS visible_chunks
FROM dds_rag_chunks
GROUP BY classification
ORDER BY classification;

View File

@@ -0,0 +1,3 @@
PROMPT Positive test: authorized RAG users retrieve only allowed classified chunks.
@../sql/04_test_queries.sql

View File

@@ -0,0 +1,37 @@
# 07 - Audit Evidence With Data Safe
## Objetivo
Demonstrar como transformar os acessos e tentativas de acesso a dados sensiveis em evidencias para auditoria usando Unified Audit e OCI Data Safe.
## Risco De Negocio
Controles preventivos reduzem exposicao, mas clientes tambem precisam provar quem acessou dados sensiveis, quando, por qual caminho e se houve mudanca de politica. Data Safe ajuda a centralizar assessment, discovery, activity auditing e relatorios para ambientes Oracle suportados.
## Narrativa Da Demo
1. Criar uma tabela sensivel de pagamentos.
2. Habilitar politicas de auditoria para SELECT, DDL e alteracoes de usuarios/roles.
3. Gerar acessos permitidos e tentativas indevidas.
4. Consultar evidencias no Unified Audit.
5. Mostrar, no Data Safe, como habilitar o target, activity auditing e relatorios.
## Execucao SQL
```powershell
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 07-audit-evidence-data-safe -ConnectString "<connect_string>"
```
## Execucao No Data Safe
1. Registrar o banco como target no OCI Data Safe.
2. Habilitar Activity Auditing para o target.
3. Confirmar coleta de Unified Audit.
4. Executar os scripts do lab.
5. Validar eventos de acesso a `DDS_AUDIT_PAYMENTS`.
6. Gerar relatorio ou screenshot para evidencia.
## Resultado Esperado
O cliente ve a trilha de auditoria no banco e entende como Data Safe pode transformar essa trilha em monitoramento, relatorios e evidencias recorrentes.

View File

@@ -0,0 +1,8 @@
# Expected Results
- `auditor` can see all payment data for audit review.
- `payment_operator` sees Brazil payment operational fields and not `card_token`.
- `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`.
- OCI Data Safe Activity Auditing can be used to collect and report the same class of activity for the registered target.
- Evidence package should include SQL output, Data Safe target screen, activity report and policy configuration screenshot.

View File

@@ -0,0 +1,15 @@
id: "07-audit-evidence-data-safe"
title: "Audit Evidence With Data Safe"
criticality: "high"
estimated_time_minutes: 25
audience:
- ciso
- compliance
- dba
- soc
products:
- "Oracle Data Safe"
- "Oracle Unified Audit"
- "Oracle Deep Data Security"
reset_supported: true

View File

@@ -0,0 +1,11 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE TABLE dds_audit_payments (
payment_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
customer_name VARCHAR2(100) NOT NULL,
country VARCHAR2(40) NOT NULL,
payment_amount NUMBER(12,2) NOT NULL,
card_token VARCHAR2(80),
risk_flag VARCHAR2(20) NOT NULL
);

View File

@@ -0,0 +1,13 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
INSERT INTO dds_audit_payments (customer_name, country, payment_amount, card_token, risk_flag)
VALUES ('Acme Brasil', 'Brazil', 15000, 'tok_live_001', 'HIGH');
INSERT INTO dds_audit_payments (customer_name, country, payment_amount, card_token, risk_flag)
VALUES ('Varejo Sol', 'Brazil', 3500, 'tok_live_002', 'LOW');
INSERT INTO dds_audit_payments (customer_name, country, payment_amount, card_token, risk_flag)
VALUES ('Northwind US', 'USA', 48000, 'tok_live_003', 'HIGH');
COMMIT;

View File

@@ -0,0 +1,14 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE USER dds_audit_analyst IDENTIFIED BY "Welcome1_Audit!" ACCOUNT UNLOCK;
GRANT CREATE SESSION TO dds_audit_analyst;
CREATE END USER auditor IDENTIFIED BY "Welcome1_DDS!";
CREATE END USER payment_operator IDENTIFIED BY "Welcome1_DDS!";
CREATE DATA ROLE audit_read_role;
CREATE DATA ROLE payment_operator_role;
GRANT DATA ROLE audit_read_role TO auditor;
GRANT DATA ROLE payment_operator_role TO payment_operator;

View File

@@ -0,0 +1,15 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE OR REPLACE DATA GRANT audit_payments_read_all
AS SELECT
ON dds_audit_payments
TO audit_read_role;
CREATE OR REPLACE DATA GRANT audit_payments_operator
AS SELECT (payment_id, customer_name, country, payment_amount, risk_flag)
ON dds_audit_payments
WHERE country = 'Brazil'
TO payment_operator_role;
SET USE DATA GRANTS ONLY ON dds_audit_payments ENABLED;

View File

@@ -0,0 +1,11 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
CREATE AUDIT POLICY dds_payments_select_policy
ACTIONS SELECT ON dds_audit_payments;
CREATE AUDIT POLICY dds_security_admin_policy
ACTIONS CREATE USER, ALTER USER, DROP USER, CREATE ROLE, DROP ROLE, GRANT, REVOKE;
AUDIT POLICY dds_payments_select_policy;
AUDIT POLICY dds_security_admin_policy;

View File

@@ -0,0 +1,22 @@
SET PAGESIZE 100
SET LINESIZE 220
PROMPT Generate auditable activity.
SELECT payment_id, customer_name, country, payment_amount, card_token, risk_flag
FROM dds_audit_payments
ORDER BY payment_id;
PROMPT Review local audit trail. Data Safe should collect equivalent activity after target auditing is enabled.
SELECT event_timestamp,
dbusername,
action_name,
object_schema,
object_name,
unified_audit_policies
FROM unified_audit_trail
WHERE object_name = 'DDS_AUDIT_PAYMENTS'
ORDER BY event_timestamp DESC
FETCH FIRST 20 ROWS ONLY;

View File

@@ -0,0 +1,27 @@
BEGIN EXECUTE IMMEDIATE 'NOAUDIT POLICY dds_payments_select_policy'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'NOAUDIT POLICY dds_security_admin_policy'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP AUDIT POLICY dds_payments_select_policy'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP AUDIT POLICY dds_security_admin_policy'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_audit_payments DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_read_all'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_audit_payments PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP USER dds_audit_analyst CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE audit_read_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE payment_operator_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER auditor'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER payment_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;
/

View File

@@ -0,0 +1,5 @@
PROMPT Negative test: payment operator must not see card_token for Brazil-only payment view.
SELECT payment_id, customer_name, country, payment_amount, card_token, risk_flag
FROM dds_audit_payments
ORDER BY payment_id;

View File

@@ -0,0 +1,3 @@
PROMPT Positive test: accesses to sensitive payment table generate unified audit events.
@../sql/05_generate_activity.sql