Files
oracle-deep-data-security-lab/scenarios/05-legacy-app-ai-extension/WORKSHOP.md
Rodrigo 2188ea8e58
Some checks failed
Repo Quality / structure (push) Has been cancelled
Normalize lab docs and keep reusable TNS alias
2026-05-18 11:34:27 -03:00

5.6 KiB
Executable File

Workshop - Extend A Legacy Application With AI Safely

About This Workshop

This workshop demonstrates how Oracle Deep Data Security protects a legacy application when a new AI agent is added without rewriting the entire authorization model.

Before DDS, the AI agent can reuse broad legacy privileges and combine customer, commercial, legal, and support data. After DDS, the database filters results according to the end-user persona.

Workshop Goals

  • Create a legacy customer, contract, and support dataset.
  • Demonstrate overexposure through an AI extension.
  • Apply DDS grants across multiple tables.
  • Validate role-based results for sales, manager, support, and legal users.

Estimated Time

35 to 50 minutes.

Scenario Summary

Persona Business Role Expected Access After DDS
joao Sales representative Own portfolio and approved contract fields.
ana Brazil manager Brazil customer metrics without legal hold.
maria Support user Support-relevant customer and ticket fields.
sofia Legal user Legal-hold customers and legal contract clauses.

Before You Begin

cd <repo-root>
export TNS_ADMIN=<wallet-directory>
sql admin@ddslab_tunnel

SQLcl note: after running @file.sql, do not type /.

Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet tnsnames.ora for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.

Lab 1 - Prepare The Environment

Task 1.1 - Reset The Scenario

@scenarios/05-legacy-app-ai-extension/sql/99_reset.sql

Task 1.2 - Create Legacy Tables

@scenarios/05-legacy-app-ai-extension/sql/00_schema.sql
Table Purpose
DDS_LEGACY_CUSTOMERS Customer, risk, revenue, margin, and legal hold.
DDS_LEGACY_CONTRACTS Contract status, renewal dates, legal clauses, and value.
DDS_LEGACY_TICKETS Support tickets and private notes.

Task 1.3 - Load Sample Data

@scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql

The data intentionally mixes commercial, legal, and support fields to show what an AI extension might over-combine.

Task 1.4 - Create Personas And Baseline Access

@scenarios/05-legacy-app-ai-extension/sql/02_identities.sql

The script creates technical users, end users, data roles, and legacy_ai_broad_access_role, which simulates the vulnerable before state.

Lab 2 - Demonstrate The Vulnerable AI Extension

Task 2.1 - Connect As Maria

exit
sql 'maria/Welcome1_DDS!@ddslab_tunnel'

Maria represents support using the AI extension.

Task 2.2 - Run The Broad AI Query Before DDS

@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql

The simulated AI question is:

List all high-risk customers, margin, legal holds, renewals and support notes.

Expected result before DDS: Maria can see too much, including commercial margin, legal clauses, and private support notes.

Lab 3 - Apply Oracle Deep Data Security

Task 3.1 - Reconnect As ADMIN

exit
sql admin@ddslab_tunnel

Task 3.2 - Apply Data Grants

@scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql

Key grants:

Data Grant What It Allows
legacy_sales_customer_access Sales reps see their customer portfolio and approved columns.
legacy_manager_customer_access Brazil managers see Brazil customer data except LEGAL_HOLD.
legacy_support_customer_access Support sees LATAM operational customer fields.
legacy_legal_customer_access Legal sees customers under legal hold.
legacy_sales_contract_access Sales sees allowed contract fields for owned customers.
legacy_legal_contract_access Legal sees legal contract records for legal-hold customers.
legacy_support_ticket_access Support sees ticket fields without private notes.

DDS is enabled on customers, contracts, and tickets.

Lab 4 - Validate Protected AI Retrieval

Task 4.1 - Test Maria After DDS

exit
sql 'maria/Welcome1_DDS!@ddslab_tunnel'
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql

Expected result: Maria receives only support-authorized information.

Task 4.2 - Optional Persona Tests

Repeat the same script as:

sql 'joao/Welcome1_DDS!@ddslab_tunnel'
sql 'ana/Welcome1_DDS!@ddslab_tunnel'
sql 'sofia/Welcome1_DDS!@ddslab_tunnel'

Expected result: each user sees a different authorized subset.

Lab 5 - Clean Up

exit
sql admin@ddslab_tunnel
@scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
exit

What You Built

Component Purpose
Legacy tables Customers, contracts, and tickets used by the AI extension.
legacy_app Existing application technical account.
ai_agent_app New AI agent technical account.
END USER joao, ana, maria, sofia; business personas.
DATA ROLE Sales, manager, support, and legal authorization profiles.
DATA GRANT Cross-table rules that limit rows and columns by role.
legacy_ai_broad_access_role Broad role used only for the vulnerable before state.

The trust chain is: legacy/AI access path -> end-user persona -> DATA ROLE -> DATA GRANT enforcement.

Product Manager Talking Points

  • DDS lets customers modernize legacy apps with AI without exposing the full schema.
  • The database applies consistent rules across customer, contract, and ticket data.
  • AI output becomes safer because unauthorized context is filtered before it is returned.