161 lines
4.6 KiB
Markdown
Executable File
161 lines
4.6 KiB
Markdown
Executable File
# Runbook - 06 RAG Vector Classified Docs
|
|
|
|
## Objective
|
|
|
|
Show that a RAG agent retrieves only authorized chunks/documents before sending context to the LLM.
|
|
|
|
## Security Value
|
|
|
|
- Reduces over-retrieval in RAG.
|
|
- Prevents confidential chunks from being sent to the model.
|
|
- Combines vector search with data grants by classification.
|
|
|
|
## Prerequisites
|
|
|
|
- Oracle AI Database with support for `VECTOR`, `TO_VECTOR`, and `VECTOR_DISTANCE`.
|
|
- Database compatible with Oracle Deep Data Security.
|
|
- SQLcl or SQL*Plus.
|
|
|
|
## Before - Vulnerable Environment
|
|
|
|
1. From the repository root, connect as `ADMIN`:
|
|
|
|
```bash
|
|
cd <repo-root>
|
|
export TNS_ADMIN=<wallet-directory>
|
|
sql admin@ddslab_tunnel
|
|
```
|
|
|
|
Presenter note: `ADMIN` prepares the classified chunks and security personas.
|
|
|
|
SQLcl note: after running a script with `@file.sql`, do not type `/`. The slash reruns the last command in the SQLcl buffer and can make a successful command look like an error.
|
|
|
|
|
|
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet `tnsnames.ora` for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
|
|
|
|
2. Reset the scenario:
|
|
|
|
```sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/99_reset.sql
|
|
```
|
|
|
|
Presenter note: this removes prior Data Grants, roles, users, and test data.
|
|
|
|
3. Create chunks and personas without applying data grants:
|
|
|
|
```sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/00_schema.sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/02_identities.sql
|
|
```
|
|
|
|
Presenter note: `rag_legacy_retrieval_role` simulates a broad RAG retrieval layer before DDS is enforced.
|
|
|
|
4. Show every chunk and its classification:
|
|
|
|
```sql
|
|
SELECT chunk_id, document_title, department, classification, chunk_text
|
|
FROM dds_rag_chunks
|
|
ORDER BY chunk_id;
|
|
```
|
|
|
|
Presenter note: explain that confidential chunks should not be sent to the LLM for every user.
|
|
|
|
5. Simulate the RAG question:
|
|
|
|
```text
|
|
Summarize critical documents about renewals, people, and legal risks.
|
|
```
|
|
|
|
6. Exit and connect as Nina, a regular employee:
|
|
|
|
```sql
|
|
exit
|
|
```
|
|
|
|
```bash
|
|
sql 'nina/Welcome1_DDS!@ddslab_tunnel'
|
|
```
|
|
|
|
Presenter note: Nina represents a regular employee using an internal copilot.
|
|
|
|
7. Run the vector search before DDS:
|
|
|
|
```sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
|
|
```
|
|
|
|
Presenter note: before DDS, a broad retrieval path can place HR, legal, or executive confidential chunks in the LLM context.
|
|
|
|
## Expected Result Before
|
|
|
|
- The search may retrieve `HR_CONFIDENTIAL`, `LEGAL_CONFIDENTIAL`, and `EXECUTIVE_CONFIDENTIAL` chunks.
|
|
- The LLM could receive sensitive context before it even generates an answer.
|
|
|
|
## After - Applying Deep Data Security
|
|
|
|
1. Exit and reconnect as `ADMIN`:
|
|
|
|
```sql
|
|
exit
|
|
```
|
|
|
|
```bash
|
|
sql admin@ddslab_tunnel
|
|
```
|
|
|
|
2. Apply data grants by classification:
|
|
|
|
```sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/03_data_grants.sql
|
|
```
|
|
|
|
Presenter note: the database now filters chunks before the LLM receives any context.
|
|
|
|
3. Test Nina after DDS:
|
|
|
|
```sql
|
|
exit
|
|
```
|
|
|
|
```bash
|
|
sql 'nina/Welcome1_DDS!@ddslab_tunnel'
|
|
```
|
|
|
|
```sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
|
|
```
|
|
|
|
Presenter note: Nina should retrieve only `PUBLIC` and `INTERNAL` chunks.
|
|
|
|
4. Repeat the same search as HR, legal, and executive personas:
|
|
|
|
```bash
|
|
sql 'heitor/Welcome1_DDS!@ddslab_tunnel'
|
|
sql 'sofia/Welcome1_DDS!@ddslab_tunnel'
|
|
sql 'carlos/Welcome1_DDS!@ddslab_tunnel'
|
|
```
|
|
|
|
Presenter note: each persona receives only the chunk classifications authorized for that business role.
|
|
|
|
## Expected Result After
|
|
|
|
- `nina` retrieves only `PUBLIC` and `INTERNAL` chunks.
|
|
- `heitor` retrieves authorized HR content.
|
|
- `sofia` retrieves authorized legal content.
|
|
- `carlos` retrieves all chunks through the executive role.
|
|
- The RAG layer sends only authorized context to the LLM.
|
|
|
|
## Demo Evidence
|
|
|
|
- Retrieved chunk list before and after protection.
|
|
- Visible classifications by persona.
|
|
- Explanation that enforcement happens before the LLM call.
|
|
|
|
## Official References
|
|
|
|
- Oracle Deep Data Security Guide: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/index.html
|
|
- Create Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/create-data-grants.html
|
|
- TO_VECTOR SQL Reference: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/to_vector.html
|
|
- VECTOR operations in PL/SQL: https://docs.oracle.com/en/database/oracle/oracle-database/26/lnpls/sql-data-types.html
|