Add workshop guides for all lab scenarios
Some checks failed
Repo Quality / structure (push) Has been cancelled
Some checks failed
Repo Quality / structure (push) Has been cancelled
This commit is contained in:
@@ -117,3 +117,4 @@ Linux/macOS:
|
||||
|
||||
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).
|
||||
|
||||
For a LiveLabs-style guided workshop, use [WORKSHOP.md](WORKSHOP.md).
|
||||
|
||||
199
scenarios/05-legacy-app-ai-extension/WORKSHOP.md
Executable file
199
scenarios/05-legacy-app-ai-extension/WORKSHOP.md
Executable file
@@ -0,0 +1,199 @@
|
||||
# Workshop - Extend A Legacy Application With AI Safely
|
||||
|
||||
## About This Workshop
|
||||
|
||||
This workshop demonstrates how Oracle Deep Data Security protects a legacy application when a new AI agent is added without rewriting the entire authorization model.
|
||||
|
||||
Before DDS, the AI agent can reuse broad legacy privileges and combine customer, commercial, legal, and support data. After DDS, the database filters results according to the end-user persona.
|
||||
|
||||
## Workshop Goals
|
||||
|
||||
- Create a legacy customer, contract, and support dataset.
|
||||
- Demonstrate overexposure through an AI extension.
|
||||
- Apply DDS grants across multiple tables.
|
||||
- Validate role-based results for sales, manager, support, and legal users.
|
||||
|
||||
## Estimated Time
|
||||
|
||||
35 to 50 minutes.
|
||||
|
||||
## Scenario Summary
|
||||
|
||||
| Persona | Business Role | Expected Access After DDS |
|
||||
| --- | --- | --- |
|
||||
| `joao` | Sales representative | Own portfolio and approved contract fields. |
|
||||
| `ana` | Brazil manager | Brazil customer metrics without legal hold. |
|
||||
| `maria` | Support user | Support-relevant customer and ticket fields. |
|
||||
| `sofia` | Legal user | Legal-hold customers and legal contract clauses. |
|
||||
|
||||
## Before You Begin
|
||||
|
||||
```bash
|
||||
cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
|
||||
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab
|
||||
sql admin@ddslab_tunnel
|
||||
```
|
||||
|
||||
SQLcl note: after running `@file.sql`, do not type `/`.
|
||||
|
||||
## Lab 1 - Prepare The Environment
|
||||
|
||||
### Task 1.1 - Reset The Scenario
|
||||
|
||||
```sql
|
||||
@scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
|
||||
```
|
||||
|
||||
### Task 1.2 - Create Legacy Tables
|
||||
|
||||
```sql
|
||||
@scenarios/05-legacy-app-ai-extension/sql/00_schema.sql
|
||||
```
|
||||
|
||||
| Table | Purpose |
|
||||
| --- | --- |
|
||||
| `DDS_LEGACY_CUSTOMERS` | Customer, risk, revenue, margin, and legal hold. |
|
||||
| `DDS_LEGACY_CONTRACTS` | Contract status, renewal dates, legal clauses, and value. |
|
||||
| `DDS_LEGACY_TICKETS` | Support tickets and private notes. |
|
||||
|
||||
### Task 1.3 - Load Sample Data
|
||||
|
||||
```sql
|
||||
@scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql
|
||||
```
|
||||
|
||||
The data intentionally mixes commercial, legal, and support fields to show what an AI extension might over-combine.
|
||||
|
||||
### Task 1.4 - Create Personas And Baseline Access
|
||||
|
||||
```sql
|
||||
@scenarios/05-legacy-app-ai-extension/sql/02_identities.sql
|
||||
```
|
||||
|
||||
The script creates technical users, end users, data roles, and `legacy_ai_broad_access_role`, which simulates the vulnerable before state.
|
||||
|
||||
## Lab 2 - Demonstrate The Vulnerable AI Extension
|
||||
|
||||
### Task 2.1 - Connect As Maria
|
||||
|
||||
```sql
|
||||
exit
|
||||
```
|
||||
|
||||
```bash
|
||||
sql 'maria/Welcome1_DDS!@ddslab_tunnel'
|
||||
```
|
||||
|
||||
Maria represents support using the AI extension.
|
||||
|
||||
### Task 2.2 - Run The Broad AI Query Before DDS
|
||||
|
||||
```sql
|
||||
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
|
||||
```
|
||||
|
||||
The simulated AI question is:
|
||||
|
||||
```text
|
||||
List all high-risk customers, margin, legal holds, renewals and support notes.
|
||||
```
|
||||
|
||||
Expected result before DDS: Maria can see too much, including commercial margin, legal clauses, and private support notes.
|
||||
|
||||
## Lab 3 - Apply Oracle Deep Data Security
|
||||
|
||||
### Task 3.1 - Reconnect As ADMIN
|
||||
|
||||
```sql
|
||||
exit
|
||||
```
|
||||
|
||||
```bash
|
||||
sql admin@ddslab_tunnel
|
||||
```
|
||||
|
||||
### Task 3.2 - Apply Data Grants
|
||||
|
||||
```sql
|
||||
@scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql
|
||||
```
|
||||
|
||||
Key grants:
|
||||
|
||||
| Data Grant | What It Allows |
|
||||
| --- | --- |
|
||||
| `legacy_sales_customer_access` | Sales reps see their customer portfolio and approved columns. |
|
||||
| `legacy_manager_customer_access` | Brazil managers see Brazil customer data except `LEGAL_HOLD`. |
|
||||
| `legacy_support_customer_access` | Support sees LATAM operational customer fields. |
|
||||
| `legacy_legal_customer_access` | Legal sees customers under legal hold. |
|
||||
| `legacy_sales_contract_access` | Sales sees allowed contract fields for owned customers. |
|
||||
| `legacy_legal_contract_access` | Legal sees legal contract records for legal-hold customers. |
|
||||
| `legacy_support_ticket_access` | Support sees ticket fields without private notes. |
|
||||
|
||||
DDS is enabled on customers, contracts, and tickets.
|
||||
|
||||
## Lab 4 - Validate Protected AI Retrieval
|
||||
|
||||
### Task 4.1 - Test Maria After DDS
|
||||
|
||||
```sql
|
||||
exit
|
||||
```
|
||||
|
||||
```bash
|
||||
sql 'maria/Welcome1_DDS!@ddslab_tunnel'
|
||||
```
|
||||
|
||||
```sql
|
||||
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
|
||||
```
|
||||
|
||||
Expected result: Maria receives only support-authorized information.
|
||||
|
||||
### Task 4.2 - Optional Persona Tests
|
||||
|
||||
Repeat the same script as:
|
||||
|
||||
```bash
|
||||
sql 'joao/Welcome1_DDS!@ddslab_tunnel'
|
||||
sql 'ana/Welcome1_DDS!@ddslab_tunnel'
|
||||
sql 'sofia/Welcome1_DDS!@ddslab_tunnel'
|
||||
```
|
||||
|
||||
Expected result: each user sees a different authorized subset.
|
||||
|
||||
## Lab 5 - Clean Up
|
||||
|
||||
```sql
|
||||
exit
|
||||
```
|
||||
|
||||
```bash
|
||||
sql admin@ddslab_tunnel
|
||||
```
|
||||
|
||||
```sql
|
||||
@scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
|
||||
exit
|
||||
```
|
||||
|
||||
## What You Built
|
||||
|
||||
| Component | Purpose |
|
||||
| --- | --- |
|
||||
| Legacy tables | Customers, contracts, and tickets used by the AI extension. |
|
||||
| `legacy_app` | Existing application technical account. |
|
||||
| `ai_agent_app` | New AI agent technical account. |
|
||||
| `END USER` | `joao`, `ana`, `maria`, `sofia`; business personas. |
|
||||
| `DATA ROLE` | Sales, manager, support, and legal authorization profiles. |
|
||||
| `DATA GRANT` | Cross-table rules that limit rows and columns by role. |
|
||||
| `legacy_ai_broad_access_role` | Broad role used only for the vulnerable before state. |
|
||||
|
||||
The trust chain is: **legacy/AI access path -> end-user persona -> DATA ROLE -> DATA GRANT enforcement**.
|
||||
|
||||
## Product Manager Talking Points
|
||||
|
||||
- DDS lets customers modernize legacy apps with AI without exposing the full schema.
|
||||
- The database applies consistent rules across customer, contract, and ticket data.
|
||||
- AI output becomes safer because unauthorized context is filtered before it is returned.
|
||||
|
||||
Reference in New Issue
Block a user