Add legacy AI, RAG vector and Data Safe audit scenarios
Some checks failed
Repo Quality / structure (push) Has been cancelled
Some checks failed
Repo Quality / structure (push) Has been cancelled
This commit is contained in:
41
scenarios/05-legacy-app-ai-extension/README.md
Normal file
41
scenarios/05-legacy-app-ai-extension/README.md
Normal file
@@ -0,0 +1,41 @@
|
||||
# 05 - Legacy App AI Extension
|
||||
|
||||
## Objetivo
|
||||
|
||||
Demonstrar como uma aplicacao legada pode ser ampliada com um agente AI sem reescrever toda a autorizacao da aplicacao.
|
||||
|
||||
## Risco De Negocio
|
||||
|
||||
Aplicacoes legadas normalmente usam uma conta tecnica, regras de autorizacao espalhadas no codigo e consultas historicas dificeis de revisar. Ao adicionar um agente AI ou copilot sobre o mesmo schema, o risco e expor carteira, margem, risco de cliente, tickets e contratos alem do perfil do usuario final.
|
||||
|
||||
## Personas
|
||||
|
||||
- `joao`: vendedor regional.
|
||||
- `ana`: gerente comercial Brasil.
|
||||
- `maria`: atendimento ao cliente.
|
||||
- `sofia`: juridico.
|
||||
- `legacy_app`: conta tecnica da aplicacao existente.
|
||||
- `ai_agent_app`: conta tecnica do novo agente AI.
|
||||
|
||||
## Narrativa Da Demo
|
||||
|
||||
1. A aplicacao legada continua usando sua conta tecnica.
|
||||
2. Um novo agente AI consulta os mesmos dados para responder perguntas de negocio.
|
||||
3. O agente tenta consultar clientes de alto risco, contratos e tickets sensiveis.
|
||||
4. Deep Data Security aplica data grants pelo contexto do usuario final.
|
||||
5. O banco retorna apenas linhas e colunas autorizadas, sem depender de uma reescrita completa da aplicacao legada.
|
||||
|
||||
## Execucao
|
||||
|
||||
```powershell
|
||||
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 05-legacy-app-ai-extension -ConnectString "<connect_string>"
|
||||
```
|
||||
|
||||
## Resultado Esperado
|
||||
|
||||
- `joao` ve somente sua carteira e nao ve margem.
|
||||
- `ana` ve clientes do Brasil e metricas comerciais regionais.
|
||||
- `maria` ve tickets de atendimento, mas nao ve margem ou clausulas juridicas.
|
||||
- `sofia` ve contratos e campos juridicos.
|
||||
- O mesmo SQL amplo retorna resultados diferentes por persona.
|
||||
|
||||
@@ -0,0 +1,8 @@
|
||||
# Expected Results
|
||||
|
||||
- `joao` sees only customers where `account_owner = joao`; `margin` and `legal_hold` are not visible.
|
||||
- `ana` sees Brazil customers and commercial metrics, but not legal hold.
|
||||
- `maria` sees support-relevant customer and ticket data, but not margin, legal clauses or private notes.
|
||||
- `sofia` sees legal-hold customers and legal contract clauses.
|
||||
- The legacy app can keep its technical connectivity while the AI extension is governed by end-user context.
|
||||
|
||||
14
scenarios/05-legacy-app-ai-extension/metadata.yaml
Normal file
14
scenarios/05-legacy-app-ai-extension/metadata.yaml
Normal file
@@ -0,0 +1,14 @@
|
||||
id: "05-legacy-app-ai-extension"
|
||||
title: "Legacy App AI Extension"
|
||||
criticality: "critical"
|
||||
estimated_time_minutes: 30
|
||||
audience:
|
||||
- ciso
|
||||
- enterprise-architect
|
||||
- appsec
|
||||
- dba
|
||||
products:
|
||||
- "Oracle Deep Data Security"
|
||||
- "Oracle AI Database"
|
||||
reset_supported: true
|
||||
|
||||
32
scenarios/05-legacy-app-ai-extension/sql/00_schema.sql
Normal file
32
scenarios/05-legacy-app-ai-extension/sql/00_schema.sql
Normal file
@@ -0,0 +1,32 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE TABLE dds_legacy_customers (
|
||||
customer_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
|
||||
customer_name VARCHAR2(100) NOT NULL,
|
||||
country VARCHAR2(40) NOT NULL,
|
||||
region VARCHAR2(30) NOT NULL,
|
||||
account_owner VARCHAR2(60) NOT NULL,
|
||||
risk_rating VARCHAR2(20) NOT NULL,
|
||||
revenue NUMBER(12,2),
|
||||
margin NUMBER(12,2),
|
||||
legal_hold VARCHAR2(1) DEFAULT 'N' NOT NULL
|
||||
);
|
||||
|
||||
CREATE TABLE dds_legacy_contracts (
|
||||
contract_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
|
||||
customer_id NUMBER NOT NULL REFERENCES dds_legacy_customers(customer_id),
|
||||
contract_status VARCHAR2(30) NOT NULL,
|
||||
renewal_date DATE,
|
||||
legal_clause VARCHAR2(400),
|
||||
contract_value NUMBER(12,2)
|
||||
);
|
||||
|
||||
CREATE TABLE dds_legacy_tickets (
|
||||
ticket_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
|
||||
customer_id NUMBER NOT NULL REFERENCES dds_legacy_customers(customer_id),
|
||||
assigned_group VARCHAR2(40) NOT NULL,
|
||||
severity VARCHAR2(20) NOT NULL,
|
||||
summary VARCHAR2(200) NOT NULL,
|
||||
private_note VARCHAR2(400)
|
||||
);
|
||||
|
||||
36
scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql
Normal file
36
scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql
Normal file
@@ -0,0 +1,36 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold)
|
||||
VALUES ('Banco Aurora', 'Brazil', 'LATAM', 'joao', 'HIGH', 2500000, 620000, 'Y');
|
||||
|
||||
INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold)
|
||||
VALUES ('Varejo Sol', 'Brazil', 'LATAM', 'joao', 'MEDIUM', 900000, 150000, 'N');
|
||||
|
||||
INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold)
|
||||
VALUES ('Andes Pay', 'Chile', 'LATAM', 'carla', 'HIGH', 1800000, 410000, 'N');
|
||||
|
||||
INSERT INTO dds_legacy_customers (customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold)
|
||||
VALUES ('Northwind Insurance', 'USA', 'NA', 'natalie', 'HIGH', 3300000, 900000, 'Y');
|
||||
|
||||
INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value)
|
||||
SELECT customer_id, 'RENEWAL', DATE '2026-10-31', 'Penalty clause under legal review', 2500000
|
||||
FROM dds_legacy_customers WHERE customer_name = 'Banco Aurora';
|
||||
|
||||
INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value)
|
||||
SELECT customer_id, 'ACTIVE', DATE '2027-03-15', 'Standard commercial clause', 900000
|
||||
FROM dds_legacy_customers WHERE customer_name = 'Varejo Sol';
|
||||
|
||||
INSERT INTO dds_legacy_contracts (customer_id, contract_status, renewal_date, legal_clause, contract_value)
|
||||
SELECT customer_id, 'RENEWAL', DATE '2026-08-20', 'Cross-border data clause', 1800000
|
||||
FROM dds_legacy_customers WHERE customer_name = 'Andes Pay';
|
||||
|
||||
INSERT INTO dds_legacy_tickets (customer_id, assigned_group, severity, summary, private_note)
|
||||
SELECT customer_id, 'SUPPORT', 'HIGH', 'API latency in payment flow', 'Customer reported escalation to board'
|
||||
FROM dds_legacy_customers WHERE customer_name = 'Banco Aurora';
|
||||
|
||||
INSERT INTO dds_legacy_tickets (customer_id, assigned_group, severity, summary, private_note)
|
||||
SELECT customer_id, 'SUPPORT', 'MEDIUM', 'Portal access issue', 'No sensitive escalation'
|
||||
FROM dds_legacy_customers WHERE customer_name = 'Varejo Sol';
|
||||
|
||||
COMMIT;
|
||||
|
||||
22
scenarios/05-legacy-app-ai-extension/sql/02_identities.sql
Normal file
22
scenarios/05-legacy-app-ai-extension/sql/02_identities.sql
Normal file
@@ -0,0 +1,22 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE USER legacy_app IDENTIFIED BY "Welcome1_Legacy!" ACCOUNT UNLOCK;
|
||||
CREATE USER ai_agent_app IDENTIFIED BY "Welcome1_Agent!" ACCOUNT UNLOCK;
|
||||
GRANT CREATE SESSION TO legacy_app;
|
||||
GRANT CREATE SESSION TO ai_agent_app;
|
||||
|
||||
CREATE END USER joao IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER ana IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER maria IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER sofia IDENTIFIED BY "Welcome1_DDS!";
|
||||
|
||||
CREATE DATA ROLE legacy_sales_rep_role;
|
||||
CREATE DATA ROLE legacy_brazil_manager_role;
|
||||
CREATE DATA ROLE legacy_support_role;
|
||||
CREATE DATA ROLE legacy_legal_role;
|
||||
|
||||
GRANT DATA ROLE legacy_sales_rep_role TO joao;
|
||||
GRANT DATA ROLE legacy_brazil_manager_role TO ana;
|
||||
GRANT DATA ROLE legacy_support_role TO maria;
|
||||
GRANT DATA ROLE legacy_legal_role TO sofia;
|
||||
|
||||
54
scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql
Normal file
54
scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql
Normal file
@@ -0,0 +1,54 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE OR REPLACE DATA GRANT legacy_sales_customer_access
|
||||
AS SELECT (customer_id, customer_name, country, region, account_owner, risk_rating, revenue)
|
||||
ON dds_legacy_customers
|
||||
WHERE account_owner = ORA_END_USER_CONTEXT.username
|
||||
TO legacy_sales_rep_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT legacy_manager_customer_access
|
||||
AS SELECT (ALL COLUMNS EXCEPT legal_hold)
|
||||
ON dds_legacy_customers
|
||||
WHERE country = 'Brazil'
|
||||
TO legacy_brazil_manager_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT legacy_support_customer_access
|
||||
AS SELECT (customer_id, customer_name, country, region, account_owner, risk_rating)
|
||||
ON dds_legacy_customers
|
||||
WHERE region = 'LATAM'
|
||||
TO legacy_support_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT legacy_legal_customer_access
|
||||
AS SELECT
|
||||
ON dds_legacy_customers
|
||||
WHERE legal_hold = 'Y'
|
||||
TO legacy_legal_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT legacy_sales_contract_access
|
||||
AS SELECT (contract_id, customer_id, contract_status, renewal_date, contract_value)
|
||||
ON dds_legacy_contracts
|
||||
WHERE customer_id IN (
|
||||
SELECT customer_id FROM dds_legacy_customers
|
||||
WHERE account_owner = ORA_END_USER_CONTEXT.username
|
||||
)
|
||||
TO legacy_sales_rep_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT legacy_legal_contract_access
|
||||
AS SELECT
|
||||
ON dds_legacy_contracts
|
||||
WHERE customer_id IN (
|
||||
SELECT customer_id FROM dds_legacy_customers
|
||||
WHERE legal_hold = 'Y'
|
||||
)
|
||||
TO legacy_legal_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT legacy_support_ticket_access
|
||||
AS SELECT (ticket_id, customer_id, assigned_group, severity, summary)
|
||||
ON dds_legacy_tickets
|
||||
WHERE assigned_group = 'SUPPORT'
|
||||
TO legacy_support_role;
|
||||
|
||||
SET USE DATA GRANTS ONLY ON dds_legacy_customers ENABLED;
|
||||
SET USE DATA GRANTS ONLY ON dds_legacy_contracts ENABLED;
|
||||
SET USE DATA GRANTS ONLY ON dds_legacy_tickets ENABLED;
|
||||
|
||||
18
scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
Normal file
18
scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
Normal file
@@ -0,0 +1,18 @@
|
||||
SET PAGESIZE 100
|
||||
SET LINESIZE 220
|
||||
|
||||
PROMPT Agent AI question: "List all high-risk customers, margin, legal holds, renewals and support notes."
|
||||
|
||||
SELECT customer_id, customer_name, country, region, account_owner, risk_rating, revenue, margin, legal_hold
|
||||
FROM dds_legacy_customers
|
||||
WHERE risk_rating = 'HIGH'
|
||||
ORDER BY customer_id;
|
||||
|
||||
SELECT c.contract_id, c.customer_id, c.contract_status, c.renewal_date, c.legal_clause, c.contract_value
|
||||
FROM dds_legacy_contracts c
|
||||
ORDER BY c.contract_id;
|
||||
|
||||
SELECT ticket_id, customer_id, assigned_group, severity, summary, private_note
|
||||
FROM dds_legacy_tickets
|
||||
ORDER BY ticket_id;
|
||||
|
||||
47
scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
Normal file
47
scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
Normal file
@@ -0,0 +1,47 @@
|
||||
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_legacy_tickets DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_legacy_contracts DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_legacy_customers DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_sales_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_manager_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_support_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_legal_customer_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_sales_contract_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_legal_contract_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT legacy_support_ticket_access'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_legacy_tickets PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_legacy_contracts PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_legacy_customers PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP USER legacy_app CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP USER ai_agent_app CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_sales_rep_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_brazil_manager_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_support_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE legacy_legal_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER joao'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER ana'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER maria'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER sofia'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
PROMPT Negative test: broad AI-style queries must not expose all customers, margins, legal clauses or private notes.
|
||||
SELECT COUNT(*) AS visible_customers FROM dds_legacy_customers;
|
||||
SELECT COUNT(*) AS visible_contracts FROM dds_legacy_contracts;
|
||||
SELECT COUNT(*) AS visible_tickets FROM dds_legacy_tickets;
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
PROMPT Positive test: each persona receives only the authorized slice from the legacy dataset.
|
||||
@../sql/04_test_queries.sql
|
||||
|
||||
34
scenarios/06-rag-vector-classified-docs/README.md
Normal file
34
scenarios/06-rag-vector-classified-docs/README.md
Normal file
@@ -0,0 +1,34 @@
|
||||
# 06 - RAG Vector Classified Docs
|
||||
|
||||
## Objetivo
|
||||
|
||||
Demonstrar que um agente RAG ou copilot interno so recupera documentos e chunks autorizados para o usuario final antes de enviar contexto ao LLM.
|
||||
|
||||
## Risco De Negocio
|
||||
|
||||
Em RAG, o vazamento muitas vezes acontece antes da resposta do modelo: o mecanismo de busca recupera documentos demais e entrega contexto sensivel ao LLM. Este lab mostra como classificar documentos e aplicar Deep Data Security sobre os chunks recuperaveis.
|
||||
|
||||
## Personas
|
||||
|
||||
- `nina`: colaboradora comum.
|
||||
- `heitor`: RH.
|
||||
- `sofia`: juridico.
|
||||
- `carlos`: executivo.
|
||||
|
||||
## Narrativa Da Demo
|
||||
|
||||
1. O agente recebe a pergunta: "resuma documentos criticos sobre renovacoes, pessoas e riscos legais".
|
||||
2. A busca por similaridade tenta recuperar todos os chunks.
|
||||
3. Deep Data Security limita os chunks por classificacao e departamento.
|
||||
4. O LLM so recebe contexto autorizado.
|
||||
|
||||
## Observacao Sobre Vetores
|
||||
|
||||
O script usa uma coluna `VECTOR(3, FLOAT32)` para manter o lab simples e demonstravel. Em um ambiente real, substitua por embeddings gerados pelo seu modelo e ajuste a metrica de similaridade.
|
||||
|
||||
## Execucao
|
||||
|
||||
```powershell
|
||||
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 06-rag-vector-classified-docs -ConnectString "<connect_string>"
|
||||
```
|
||||
|
||||
@@ -0,0 +1,8 @@
|
||||
# Expected Results
|
||||
|
||||
- `nina` retrieves only `PUBLIC` and `INTERNAL` chunks.
|
||||
- `heitor` retrieves `HR_CONFIDENTIAL` plus public/internal chunks.
|
||||
- `sofia` retrieves `LEGAL_CONFIDENTIAL` plus public/internal chunks.
|
||||
- `carlos` retrieves all classifications.
|
||||
- The RAG layer receives only chunks authorized by the database policy.
|
||||
|
||||
15
scenarios/06-rag-vector-classified-docs/metadata.yaml
Normal file
15
scenarios/06-rag-vector-classified-docs/metadata.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
id: "06-rag-vector-classified-docs"
|
||||
title: "RAG Vector Classified Docs"
|
||||
criticality: "critical"
|
||||
estimated_time_minutes: 30
|
||||
audience:
|
||||
- ciso
|
||||
- ai-governance
|
||||
- appsec
|
||||
- data-platform
|
||||
products:
|
||||
- "Oracle Deep Data Security"
|
||||
- "Oracle AI Vector Search"
|
||||
- "Oracle AI Database"
|
||||
reset_supported: true
|
||||
|
||||
11
scenarios/06-rag-vector-classified-docs/sql/00_schema.sql
Normal file
11
scenarios/06-rag-vector-classified-docs/sql/00_schema.sql
Normal file
@@ -0,0 +1,11 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE TABLE dds_rag_chunks (
|
||||
chunk_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
|
||||
document_title VARCHAR2(160) NOT NULL,
|
||||
department VARCHAR2(40) NOT NULL,
|
||||
classification VARCHAR2(30) NOT NULL,
|
||||
chunk_text VARCHAR2(1000) NOT NULL,
|
||||
embedding VECTOR(3, FLOAT32)
|
||||
);
|
||||
|
||||
19
scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql
Normal file
19
scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql
Normal file
@@ -0,0 +1,19 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding)
|
||||
VALUES ('Benefits Policy', 'HR', 'INTERNAL', 'General benefits policy available to employees.', TO_VECTOR('[0.10,0.20,0.30]'));
|
||||
|
||||
INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding)
|
||||
VALUES ('Executive Compensation Plan', 'HR', 'HR_CONFIDENTIAL', 'Compensation calibration for executives and retention risks.', TO_VECTOR('[0.11,0.21,0.31]'));
|
||||
|
||||
INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding)
|
||||
VALUES ('Contract Renewal Risk', 'LEGAL', 'LEGAL_CONFIDENTIAL', 'Legal risk on renewal clauses for strategic accounts.', TO_VECTOR('[0.80,0.10,0.20]'));
|
||||
|
||||
INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding)
|
||||
VALUES ('Company Travel Guide', 'GENERAL', 'PUBLIC', 'Public travel and expense guidance for all employees.', TO_VECTOR('[0.20,0.70,0.10]'));
|
||||
|
||||
INSERT INTO dds_rag_chunks (document_title, department, classification, chunk_text, embedding)
|
||||
VALUES ('Board M&A Briefing', 'EXEC', 'EXECUTIVE_CONFIDENTIAL', 'Potential acquisition targets and board-level financial exposure.', TO_VECTOR('[0.90,0.20,0.40]'));
|
||||
|
||||
COMMIT;
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE END USER nina IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER heitor IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER sofia IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER carlos IDENTIFIED BY "Welcome1_DDS!";
|
||||
|
||||
CREATE DATA ROLE rag_employee_role;
|
||||
CREATE DATA ROLE rag_hr_role;
|
||||
CREATE DATA ROLE rag_legal_role;
|
||||
CREATE DATA ROLE rag_exec_role;
|
||||
|
||||
GRANT DATA ROLE rag_employee_role TO nina;
|
||||
GRANT DATA ROLE rag_hr_role TO heitor;
|
||||
GRANT DATA ROLE rag_legal_role TO sofia;
|
||||
GRANT DATA ROLE rag_exec_role TO carlos;
|
||||
|
||||
@@ -0,0 +1,27 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE OR REPLACE DATA GRANT rag_public_internal_docs
|
||||
AS SELECT (chunk_id, document_title, department, classification, chunk_text, embedding)
|
||||
ON dds_rag_chunks
|
||||
WHERE classification IN ('PUBLIC', 'INTERNAL')
|
||||
TO rag_employee_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT rag_hr_docs
|
||||
AS SELECT
|
||||
ON dds_rag_chunks
|
||||
WHERE classification IN ('PUBLIC', 'INTERNAL', 'HR_CONFIDENTIAL')
|
||||
TO rag_hr_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT rag_legal_docs
|
||||
AS SELECT
|
||||
ON dds_rag_chunks
|
||||
WHERE classification IN ('PUBLIC', 'INTERNAL', 'LEGAL_CONFIDENTIAL')
|
||||
TO rag_legal_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT rag_exec_docs
|
||||
AS SELECT
|
||||
ON dds_rag_chunks
|
||||
TO rag_exec_role;
|
||||
|
||||
SET USE DATA GRANTS ONLY ON dds_rag_chunks ENABLED;
|
||||
|
||||
@@ -0,0 +1,15 @@
|
||||
SET PAGESIZE 100
|
||||
SET LINESIZE 220
|
||||
|
||||
PROMPT RAG retrieval simulation: retrieve chunks closest to the question embedding.
|
||||
|
||||
SELECT chunk_id,
|
||||
document_title,
|
||||
department,
|
||||
classification,
|
||||
chunk_text,
|
||||
VECTOR_DISTANCE(embedding, TO_VECTOR('[0.85,0.15,0.25]'), COSINE) AS distance
|
||||
FROM dds_rag_chunks
|
||||
ORDER BY distance
|
||||
FETCH FIRST 5 ROWS ONLY;
|
||||
|
||||
29
scenarios/06-rag-vector-classified-docs/sql/99_reset.sql
Normal file
29
scenarios/06-rag-vector-classified-docs/sql/99_reset.sql
Normal file
@@ -0,0 +1,29 @@
|
||||
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_rag_chunks DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_public_internal_docs'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_hr_docs'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_legal_docs'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT rag_exec_docs'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_rag_chunks PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_employee_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_hr_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_legal_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE rag_exec_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER nina'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER heitor'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER sofia'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER carlos'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
PROMPT Negative test: common employee must not retrieve HR, LEGAL or EXEC confidential chunks.
|
||||
SELECT classification, COUNT(*) AS visible_chunks
|
||||
FROM dds_rag_chunks
|
||||
GROUP BY classification
|
||||
ORDER BY classification;
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
PROMPT Positive test: authorized RAG users retrieve only allowed classified chunks.
|
||||
@../sql/04_test_queries.sql
|
||||
|
||||
37
scenarios/07-audit-evidence-data-safe/README.md
Normal file
37
scenarios/07-audit-evidence-data-safe/README.md
Normal file
@@ -0,0 +1,37 @@
|
||||
# 07 - Audit Evidence With Data Safe
|
||||
|
||||
## Objetivo
|
||||
|
||||
Demonstrar como transformar os acessos e tentativas de acesso a dados sensiveis em evidencias para auditoria usando Unified Audit e OCI Data Safe.
|
||||
|
||||
## Risco De Negocio
|
||||
|
||||
Controles preventivos reduzem exposicao, mas clientes tambem precisam provar quem acessou dados sensiveis, quando, por qual caminho e se houve mudanca de politica. Data Safe ajuda a centralizar assessment, discovery, activity auditing e relatorios para ambientes Oracle suportados.
|
||||
|
||||
## Narrativa Da Demo
|
||||
|
||||
1. Criar uma tabela sensivel de pagamentos.
|
||||
2. Habilitar politicas de auditoria para SELECT, DDL e alteracoes de usuarios/roles.
|
||||
3. Gerar acessos permitidos e tentativas indevidas.
|
||||
4. Consultar evidencias no Unified Audit.
|
||||
5. Mostrar, no Data Safe, como habilitar o target, activity auditing e relatorios.
|
||||
|
||||
## Execucao SQL
|
||||
|
||||
```powershell
|
||||
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 07-audit-evidence-data-safe -ConnectString "<connect_string>"
|
||||
```
|
||||
|
||||
## Execucao No Data Safe
|
||||
|
||||
1. Registrar o banco como target no OCI Data Safe.
|
||||
2. Habilitar Activity Auditing para o target.
|
||||
3. Confirmar coleta de Unified Audit.
|
||||
4. Executar os scripts do lab.
|
||||
5. Validar eventos de acesso a `DDS_AUDIT_PAYMENTS`.
|
||||
6. Gerar relatorio ou screenshot para evidencia.
|
||||
|
||||
## Resultado Esperado
|
||||
|
||||
O cliente ve a trilha de auditoria no banco e entende como Data Safe pode transformar essa trilha em monitoramento, relatorios e evidencias recorrentes.
|
||||
|
||||
@@ -0,0 +1,8 @@
|
||||
# Expected Results
|
||||
|
||||
- `auditor` can see all payment data for audit review.
|
||||
- `payment_operator` sees Brazil payment operational fields and not `card_token`.
|
||||
- `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`.
|
||||
- OCI Data Safe Activity Auditing can be used to collect and report the same class of activity for the registered target.
|
||||
- Evidence package should include SQL output, Data Safe target screen, activity report and policy configuration screenshot.
|
||||
|
||||
15
scenarios/07-audit-evidence-data-safe/metadata.yaml
Normal file
15
scenarios/07-audit-evidence-data-safe/metadata.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
id: "07-audit-evidence-data-safe"
|
||||
title: "Audit Evidence With Data Safe"
|
||||
criticality: "high"
|
||||
estimated_time_minutes: 25
|
||||
audience:
|
||||
- ciso
|
||||
- compliance
|
||||
- dba
|
||||
- soc
|
||||
products:
|
||||
- "Oracle Data Safe"
|
||||
- "Oracle Unified Audit"
|
||||
- "Oracle Deep Data Security"
|
||||
reset_supported: true
|
||||
|
||||
11
scenarios/07-audit-evidence-data-safe/sql/00_schema.sql
Normal file
11
scenarios/07-audit-evidence-data-safe/sql/00_schema.sql
Normal file
@@ -0,0 +1,11 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE TABLE dds_audit_payments (
|
||||
payment_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
|
||||
customer_name VARCHAR2(100) NOT NULL,
|
||||
country VARCHAR2(40) NOT NULL,
|
||||
payment_amount NUMBER(12,2) NOT NULL,
|
||||
card_token VARCHAR2(80),
|
||||
risk_flag VARCHAR2(20) NOT NULL
|
||||
);
|
||||
|
||||
13
scenarios/07-audit-evidence-data-safe/sql/01_seed_data.sql
Normal file
13
scenarios/07-audit-evidence-data-safe/sql/01_seed_data.sql
Normal file
@@ -0,0 +1,13 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
INSERT INTO dds_audit_payments (customer_name, country, payment_amount, card_token, risk_flag)
|
||||
VALUES ('Acme Brasil', 'Brazil', 15000, 'tok_live_001', 'HIGH');
|
||||
|
||||
INSERT INTO dds_audit_payments (customer_name, country, payment_amount, card_token, risk_flag)
|
||||
VALUES ('Varejo Sol', 'Brazil', 3500, 'tok_live_002', 'LOW');
|
||||
|
||||
INSERT INTO dds_audit_payments (customer_name, country, payment_amount, card_token, risk_flag)
|
||||
VALUES ('Northwind US', 'USA', 48000, 'tok_live_003', 'HIGH');
|
||||
|
||||
COMMIT;
|
||||
|
||||
14
scenarios/07-audit-evidence-data-safe/sql/02_identities.sql
Normal file
14
scenarios/07-audit-evidence-data-safe/sql/02_identities.sql
Normal file
@@ -0,0 +1,14 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE USER dds_audit_analyst IDENTIFIED BY "Welcome1_Audit!" ACCOUNT UNLOCK;
|
||||
GRANT CREATE SESSION TO dds_audit_analyst;
|
||||
|
||||
CREATE END USER auditor IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER payment_operator IDENTIFIED BY "Welcome1_DDS!";
|
||||
|
||||
CREATE DATA ROLE audit_read_role;
|
||||
CREATE DATA ROLE payment_operator_role;
|
||||
|
||||
GRANT DATA ROLE audit_read_role TO auditor;
|
||||
GRANT DATA ROLE payment_operator_role TO payment_operator;
|
||||
|
||||
15
scenarios/07-audit-evidence-data-safe/sql/03_data_grants.sql
Normal file
15
scenarios/07-audit-evidence-data-safe/sql/03_data_grants.sql
Normal file
@@ -0,0 +1,15 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE OR REPLACE DATA GRANT audit_payments_read_all
|
||||
AS SELECT
|
||||
ON dds_audit_payments
|
||||
TO audit_read_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT audit_payments_operator
|
||||
AS SELECT (payment_id, customer_name, country, payment_amount, risk_flag)
|
||||
ON dds_audit_payments
|
||||
WHERE country = 'Brazil'
|
||||
TO payment_operator_role;
|
||||
|
||||
SET USE DATA GRANTS ONLY ON dds_audit_payments ENABLED;
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE AUDIT POLICY dds_payments_select_policy
|
||||
ACTIONS SELECT ON dds_audit_payments;
|
||||
|
||||
CREATE AUDIT POLICY dds_security_admin_policy
|
||||
ACTIONS CREATE USER, ALTER USER, DROP USER, CREATE ROLE, DROP ROLE, GRANT, REVOKE;
|
||||
|
||||
AUDIT POLICY dds_payments_select_policy;
|
||||
AUDIT POLICY dds_security_admin_policy;
|
||||
|
||||
@@ -0,0 +1,22 @@
|
||||
SET PAGESIZE 100
|
||||
SET LINESIZE 220
|
||||
|
||||
PROMPT Generate auditable activity.
|
||||
|
||||
SELECT payment_id, customer_name, country, payment_amount, card_token, risk_flag
|
||||
FROM dds_audit_payments
|
||||
ORDER BY payment_id;
|
||||
|
||||
PROMPT Review local audit trail. Data Safe should collect equivalent activity after target auditing is enabled.
|
||||
|
||||
SELECT event_timestamp,
|
||||
dbusername,
|
||||
action_name,
|
||||
object_schema,
|
||||
object_name,
|
||||
unified_audit_policies
|
||||
FROM unified_audit_trail
|
||||
WHERE object_name = 'DDS_AUDIT_PAYMENTS'
|
||||
ORDER BY event_timestamp DESC
|
||||
FETCH FIRST 20 ROWS ONLY;
|
||||
|
||||
27
scenarios/07-audit-evidence-data-safe/sql/99_reset.sql
Normal file
27
scenarios/07-audit-evidence-data-safe/sql/99_reset.sql
Normal file
@@ -0,0 +1,27 @@
|
||||
BEGIN EXECUTE IMMEDIATE 'NOAUDIT POLICY dds_payments_select_policy'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'NOAUDIT POLICY dds_security_admin_policy'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP AUDIT POLICY dds_payments_select_policy'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP AUDIT POLICY dds_security_admin_policy'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_audit_payments DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_read_all'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_audit_payments PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP USER dds_audit_analyst CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE audit_read_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE payment_operator_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER auditor'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER payment_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
PROMPT Negative test: payment operator must not see card_token for Brazil-only payment view.
|
||||
SELECT payment_id, customer_name, country, payment_amount, card_token, risk_flag
|
||||
FROM dds_audit_payments
|
||||
ORDER BY payment_id;
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
PROMPT Positive test: accesses to sensitive payment table generate unified audit events.
|
||||
@../sql/05_generate_activity.sql
|
||||
|
||||
Reference in New Issue
Block a user