WHENEVER SQLERROR EXIT SQL.SQLCODE CREATE USER legacy_app IDENTIFIED BY "Welcome1_Legacy!" ACCOUNT UNLOCK; CREATE USER ai_agent_app IDENTIFIED BY "Welcome1_Agent!" ACCOUNT UNLOCK; GRANT CREATE SESSION TO legacy_app; GRANT CREATE SESSION TO ai_agent_app; CREATE END USER joao IDENTIFIED BY "Welcome1_DDS!"; CREATE END USER ana IDENTIFIED BY "Welcome1_DDS!"; CREATE END USER maria IDENTIFIED BY "Welcome1_DDS!"; CREATE END USER sofia IDENTIFIED BY "Welcome1_DDS!"; CREATE DATA ROLE legacy_sales_rep_role; CREATE DATA ROLE legacy_brazil_manager_role; CREATE DATA ROLE legacy_support_role; CREATE DATA ROLE legacy_legal_role; CREATE ROLE legacy_ai_session_role; GRANT CREATE SESSION TO legacy_ai_session_role; GRANT legacy_ai_session_role TO legacy_sales_rep_role; GRANT legacy_ai_session_role TO legacy_brazil_manager_role; GRANT legacy_ai_session_role TO legacy_support_role; GRANT legacy_ai_session_role TO legacy_legal_role; -- Vulnerable baseline: this broad legacy role simulates an AI agent attached to -- a legacy application that reuses direct table privileges before DDS is enforced. CREATE ROLE legacy_ai_broad_access_role; GRANT SELECT ON dds_legacy_customers TO legacy_ai_broad_access_role; GRANT SELECT ON dds_legacy_contracts TO legacy_ai_broad_access_role; GRANT SELECT ON dds_legacy_tickets TO legacy_ai_broad_access_role; GRANT legacy_ai_broad_access_role TO legacy_sales_rep_role; GRANT legacy_ai_broad_access_role TO legacy_brazil_manager_role; GRANT legacy_ai_broad_access_role TO legacy_support_role; GRANT legacy_ai_broad_access_role TO legacy_legal_role; GRANT DATA ROLE legacy_sales_rep_role TO joao; GRANT DATA ROLE legacy_brazil_manager_role TO ana; GRANT DATA ROLE legacy_support_role TO maria; GRANT DATA ROLE legacy_legal_role TO sofia;