Add workshop guides for all lab scenarios
Some checks failed
Repo Quality / structure (push) Has been cancelled

This commit is contained in:
2026-05-14 14:50:21 -03:00
parent dd3424ab11
commit b8d6de0fb5
12 changed files with 1290 additions and 0 deletions

View File

@@ -117,3 +117,4 @@ Linux/macOS:
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).
For a LiveLabs-style guided workshop, use [WORKSHOP.md](WORKSHOP.md).

View File

@@ -0,0 +1,199 @@
# Workshop - Extend A Legacy Application With AI Safely
## About This Workshop
This workshop demonstrates how Oracle Deep Data Security protects a legacy application when a new AI agent is added without rewriting the entire authorization model.
Before DDS, the AI agent can reuse broad legacy privileges and combine customer, commercial, legal, and support data. After DDS, the database filters results according to the end-user persona.
## Workshop Goals
- Create a legacy customer, contract, and support dataset.
- Demonstrate overexposure through an AI extension.
- Apply DDS grants across multiple tables.
- Validate role-based results for sales, manager, support, and legal users.
## Estimated Time
35 to 50 minutes.
## Scenario Summary
| Persona | Business Role | Expected Access After DDS |
| --- | --- | --- |
| `joao` | Sales representative | Own portfolio and approved contract fields. |
| `ana` | Brazil manager | Brazil customer metrics without legal hold. |
| `maria` | Support user | Support-relevant customer and ticket fields. |
| `sofia` | Legal user | Legal-hold customers and legal contract clauses. |
## Before You Begin
```bash
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
sql admin@ddslab_tunnel
```
SQLcl note: after running `@file.sql`, do not type `/`.
## Lab 1 - Prepare The Environment
### Task 1.1 - Reset The Scenario
```sql
@scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
```
### Task 1.2 - Create Legacy Tables
```sql
@scenarios/05-legacy-app-ai-extension/sql/00_schema.sql
```
| Table | Purpose |
| --- | --- |
| `DDS_LEGACY_CUSTOMERS` | Customer, risk, revenue, margin, and legal hold. |
| `DDS_LEGACY_CONTRACTS` | Contract status, renewal dates, legal clauses, and value. |
| `DDS_LEGACY_TICKETS` | Support tickets and private notes. |
### Task 1.3 - Load Sample Data
```sql
@scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql
```
The data intentionally mixes commercial, legal, and support fields to show what an AI extension might over-combine.
### Task 1.4 - Create Personas And Baseline Access
```sql
@scenarios/05-legacy-app-ai-extension/sql/02_identities.sql
```
The script creates technical users, end users, data roles, and `legacy_ai_broad_access_role`, which simulates the vulnerable before state.
## Lab 2 - Demonstrate The Vulnerable AI Extension
### Task 2.1 - Connect As Maria
```sql
exit
```
```bash
sql 'maria/Welcome1_DDS!@ddslab_tunnel'
```
Maria represents support using the AI extension.
### Task 2.2 - Run The Broad AI Query Before DDS
```sql
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
```
The simulated AI question is:
```text
List all high-risk customers, margin, legal holds, renewals and support notes.
```
Expected result before DDS: Maria can see too much, including commercial margin, legal clauses, and private support notes.
## Lab 3 - Apply Oracle Deep Data Security
### Task 3.1 - Reconnect As ADMIN
```sql
exit
```
```bash
sql admin@ddslab_tunnel
```
### Task 3.2 - Apply Data Grants
```sql
@scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql
```
Key grants:
| Data Grant | What It Allows |
| --- | --- |
| `legacy_sales_customer_access` | Sales reps see their customer portfolio and approved columns. |
| `legacy_manager_customer_access` | Brazil managers see Brazil customer data except `LEGAL_HOLD`. |
| `legacy_support_customer_access` | Support sees LATAM operational customer fields. |
| `legacy_legal_customer_access` | Legal sees customers under legal hold. |
| `legacy_sales_contract_access` | Sales sees allowed contract fields for owned customers. |
| `legacy_legal_contract_access` | Legal sees legal contract records for legal-hold customers. |
| `legacy_support_ticket_access` | Support sees ticket fields without private notes. |
DDS is enabled on customers, contracts, and tickets.
## Lab 4 - Validate Protected AI Retrieval
### Task 4.1 - Test Maria After DDS
```sql
exit
```
```bash
sql 'maria/Welcome1_DDS!@ddslab_tunnel'
```
```sql
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
```
Expected result: Maria receives only support-authorized information.
### Task 4.2 - Optional Persona Tests
Repeat the same script as:
```bash
sql 'joao/Welcome1_DDS!@ddslab_tunnel'
sql 'ana/Welcome1_DDS!@ddslab_tunnel'
sql 'sofia/Welcome1_DDS!@ddslab_tunnel'
```
Expected result: each user sees a different authorized subset.
## Lab 5 - Clean Up
```sql
exit
```
```bash
sql admin@ddslab_tunnel
```
```sql
@scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
exit
```
## What You Built
| Component | Purpose |
| --- | --- |
| Legacy tables | Customers, contracts, and tickets used by the AI extension. |
| `legacy_app` | Existing application technical account. |
| `ai_agent_app` | New AI agent technical account. |
| `END USER` | `joao`, `ana`, `maria`, `sofia`; business personas. |
| `DATA ROLE` | Sales, manager, support, and legal authorization profiles. |
| `DATA GRANT` | Cross-table rules that limit rows and columns by role. |
| `legacy_ai_broad_access_role` | Broad role used only for the vulnerable before state. |
The trust chain is: **legacy/AI access path -> end-user persona -> DATA ROLE -> DATA GRANT enforcement**.
## Product Manager Talking Points
- DDS lets customers modernize legacy apps with AI without exposing the full schema.
- The database applies consistent rules across customer, contract, and ticket data.
- AI output becomes safer because unauthorized context is filtered before it is returned.