87 lines
2.8 KiB
Markdown
Executable File
87 lines
2.8 KiB
Markdown
Executable File
# Runbook - 05 Legacy App AI Extension
|
|
|
|
## Objective
|
|
|
|
Show how to extend a legacy application with an AI agent without rewriting all application authorization logic.
|
|
|
|
## Security Value
|
|
|
|
- Enables AI modernization without opening the whole schema.
|
|
- Reduces risk from overprivileged legacy technical accounts.
|
|
- Shows that the AI agent receives only the data authorized for the persona.
|
|
|
|
## Prerequisites
|
|
|
|
- Oracle AI Database compatible with Oracle Deep Data Security.
|
|
- SQLcl or SQL*Plus.
|
|
- A legacy application narrative, such as CRM, billing, support, or contracts.
|
|
|
|
## Before - Vulnerable Environment
|
|
|
|
1. Reset the scenario:
|
|
|
|
```sql
|
|
@scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
|
|
```
|
|
|
|
2. Create the legacy dataset and accounts:
|
|
|
|
```sql
|
|
@scenarios/05-legacy-app-ai-extension/sql/00_schema.sql
|
|
@scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql
|
|
@scenarios/05-legacy-app-ai-extension/sql/02_identities.sql
|
|
```
|
|
|
|
3. Simulate the AI agent question:
|
|
|
|
```text
|
|
List all high-risk customers, margin, renewals, legal clauses, and private support notes.
|
|
```
|
|
|
|
4. Run the broad queries:
|
|
|
|
```sql
|
|
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
|
|
```
|
|
|
|
## Expected Result Before
|
|
|
|
- Commercial data, margin, legal hold, legal clauses, and private support notes may appear together.
|
|
- The technical account or AI agent can access too much data if the application does not filter correctly.
|
|
- The customer sees the risk of adding AI on top of legacy data without database-level controls.
|
|
|
|
## After - Applying Deep Data Security
|
|
|
|
1. Apply data grants by persona:
|
|
|
|
```sql
|
|
@scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql
|
|
```
|
|
|
|
2. Run the same query as `joao`, `ana`, `maria`, and `sofia`, or propagate those identities through the agent:
|
|
|
|
```sql
|
|
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
|
|
```
|
|
|
|
## Expected Result After
|
|
|
|
- `joao` sees his portfolio without margin or legal hold.
|
|
- `ana` sees Brazil customers and regional commercial metrics.
|
|
- `maria` sees support-relevant data without margin, legal clauses, or private notes.
|
|
- `sofia` sees contracts and legal clauses for legal-hold customers.
|
|
- The AI agent can no longer consolidate everything into one abusive answer.
|
|
|
|
## Demo Evidence
|
|
|
|
- AI agent response before and after protection.
|
|
- SQL output by persona.
|
|
- Explanation of "no full authorization rewrite": the database becomes the common enforcement point.
|
|
|
|
## Official References
|
|
|
|
- Oracle Deep Data Security Guide: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/index.html
|
|
- Fine-Grained Data Authorization: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html
|
|
- Create Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/create-data-grants.html
|
|
|