# 06 - RAG Vector Classified Docs ## Objective Show that an internal RAG agent or copilot retrieves only documents and chunks authorized for the end user before sending context to the LLM. ## What This Lab Shows Before Oracle Deep Data Security, vector search can retrieve confidential HR, legal, and executive chunks. After data grants are applied, vector retrieval respects document classification and the user persona. ## Personas - `nina`: regular employee. - `heitor`: HR user. - `sofia`: legal user. - `carlos`: executive user. ## Where To Run The Commands Run SQL scripts from the repository root. On Linux/macOS/WSL: ```bash cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab ``` Connect as the lab administrator: ```bash sql admin@ddslab_tunnel ``` This scenario uses the `VECTOR` type, `TO_VECTOR`, and `VECTOR_DISTANCE`. Use a database version with Oracle AI Vector Search support. SQLcl note: when running a script with `@file.sql`, press Enter once and wait for the output. Do not type `/` afterward, because `/` reruns the last command in the SQLcl buffer. ## Step By Step - Before, Vulnerable Environment 1. Reset the scenario as `ADMIN`: ```sql @scenarios/06-rag-vector-classified-docs/sql/99_reset.sql ``` 2. Create the chunk table, seed classified documents, and create personas: ```sql @scenarios/06-rag-vector-classified-docs/sql/00_schema.sql @scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql @scenarios/06-rag-vector-classified-docs/sql/02_identities.sql ``` 3. Show all available chunks as `ADMIN`: ```sql SELECT chunk_id, document_title, department, classification, chunk_text FROM dds_rag_chunks ORDER BY chunk_id; ``` 4. Simulate the RAG question: ```text Summarize critical documents about renewals, people, and legal risks. ``` 5. Connect as `nina`, a regular employee: ```bash sql 'nina/Welcome1_DDS!@ddslab_tunnel' ``` 6. Run the vector search before DDS: ```sql @scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql ``` Expected result before protection: the retrieval may return `HR_CONFIDENTIAL`, `LEGAL_CONFIDENTIAL`, and `EXECUTIVE_CONFIDENTIAL` chunks to a regular employee because the legacy retrieval role is broad. ## Step By Step - After, With Deep Data Security 1. Reconnect as `ADMIN` and apply data grants by classification: ```sql @scenarios/06-rag-vector-classified-docs/sql/03_data_grants.sql ``` 2. Connect as `nina` and run the same vector search: ```bash sql 'nina/Welcome1_DDS!@ddslab_tunnel' ``` ```sql @scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql ``` 3. Repeat the same test as `heitor`, `sofia`, and `carlos`. Expected result after protection: - `nina` sees only `PUBLIC` and `INTERNAL` chunks. - `heitor` sees authorized HR content. - `sofia` sees authorized legal content. - `carlos` sees all documents through the executive role. - The LLM receives only authorized context. ## Optional Automated Execution Windows: ```powershell powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 06-rag-vector-classified-docs -ConnectString "" ``` Linux/macOS: ```bash ./scripts/run-scenario.sh 06-rag-vector-classified-docs "" ``` ## Demo Details See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md). For a LiveLabs-style guided workshop, use [WORKSHOP.md](WORKSHOP.md).