5.6 KiB
Executable File
Workshop - Extend A Legacy Application With AI Safely
About This Workshop
This workshop demonstrates how Oracle Deep Data Security protects a legacy application when a new AI agent is added without rewriting the entire authorization model.
Before DDS, the AI agent can reuse broad legacy privileges and combine customer, commercial, legal, and support data. After DDS, the database filters results according to the end-user persona.
Workshop Goals
- Create a legacy customer, contract, and support dataset.
- Demonstrate overexposure through an AI extension.
- Apply DDS grants across multiple tables.
- Validate role-based results for sales, manager, support, and legal users.
Estimated Time
35 to 50 minutes.
Scenario Summary
| Persona | Business Role | Expected Access After DDS |
|---|---|---|
joao |
Sales representative | Own portfolio and approved contract fields. |
ana |
Brazil manager | Brazil customer metrics without legal hold. |
maria |
Support user | Support-relevant customer and ticket fields. |
sofia |
Legal user | Legal-hold customers and legal contract clauses. |
Before You Begin
cd <repo-root>
export TNS_ADMIN=<wallet-directory>
sql admin@ddslab_tunnel
SQLcl note: after running @file.sql, do not type /.
Connection alias note: ddslab_tunnel is the TNS alias configured in the wallet tnsnames.ora for this lab. If your wallet uses another alias, replace ddslab_tunnel with your own service alias.
Lab 1 - Prepare The Environment
Task 1.1 - Reset The Scenario
@scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
Task 1.2 - Create Legacy Tables
@scenarios/05-legacy-app-ai-extension/sql/00_schema.sql
| Table | Purpose |
|---|---|
DDS_LEGACY_CUSTOMERS |
Customer, risk, revenue, margin, and legal hold. |
DDS_LEGACY_CONTRACTS |
Contract status, renewal dates, legal clauses, and value. |
DDS_LEGACY_TICKETS |
Support tickets and private notes. |
Task 1.3 - Load Sample Data
@scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql
The data intentionally mixes commercial, legal, and support fields to show what an AI extension might over-combine.
Task 1.4 - Create Personas And Baseline Access
@scenarios/05-legacy-app-ai-extension/sql/02_identities.sql
The script creates technical users, end users, data roles, and legacy_ai_broad_access_role, which simulates the vulnerable before state.
Lab 2 - Demonstrate The Vulnerable AI Extension
Task 2.1 - Connect As Maria
exit
sql 'maria/Welcome1_DDS!@ddslab_tunnel'
Maria represents support using the AI extension.
Task 2.2 - Run The Broad AI Query Before DDS
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
The simulated AI question is:
List all high-risk customers, margin, legal holds, renewals and support notes.
Expected result before DDS: Maria can see too much, including commercial margin, legal clauses, and private support notes.
Lab 3 - Apply Oracle Deep Data Security
Task 3.1 - Reconnect As ADMIN
exit
sql admin@ddslab_tunnel
Task 3.2 - Apply Data Grants
@scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql
Key grants:
| Data Grant | What It Allows |
|---|---|
legacy_sales_customer_access |
Sales reps see their customer portfolio and approved columns. |
legacy_manager_customer_access |
Brazil managers see Brazil customer data except LEGAL_HOLD. |
legacy_support_customer_access |
Support sees LATAM operational customer fields. |
legacy_legal_customer_access |
Legal sees customers under legal hold. |
legacy_sales_contract_access |
Sales sees allowed contract fields for owned customers. |
legacy_legal_contract_access |
Legal sees legal contract records for legal-hold customers. |
legacy_support_ticket_access |
Support sees ticket fields without private notes. |
DDS is enabled on customers, contracts, and tickets.
Lab 4 - Validate Protected AI Retrieval
Task 4.1 - Test Maria After DDS
exit
sql 'maria/Welcome1_DDS!@ddslab_tunnel'
@scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
Expected result: Maria receives only support-authorized information.
Task 4.2 - Optional Persona Tests
Repeat the same script as:
sql 'joao/Welcome1_DDS!@ddslab_tunnel'
sql 'ana/Welcome1_DDS!@ddslab_tunnel'
sql 'sofia/Welcome1_DDS!@ddslab_tunnel'
Expected result: each user sees a different authorized subset.
Lab 5 - Clean Up
exit
sql admin@ddslab_tunnel
@scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
exit
What You Built
| Component | Purpose |
|---|---|
| Legacy tables | Customers, contracts, and tickets used by the AI extension. |
legacy_app |
Existing application technical account. |
ai_agent_app |
New AI agent technical account. |
END USER |
joao, ana, maria, sofia; business personas. |
DATA ROLE |
Sales, manager, support, and legal authorization profiles. |
DATA GRANT |
Cross-table rules that limit rows and columns by role. |
legacy_ai_broad_access_role |
Broad role used only for the vulnerable before state. |
The trust chain is: legacy/AI access path -> end-user persona -> DATA ROLE -> DATA GRANT enforcement.
Product Manager Talking Points
- DDS lets customers modernize legacy apps with AI without exposing the full schema.
- The database applies consistent rules across customer, contract, and ticket data.
- AI output becomes safer because unauthorized context is filtered before it is returned.