Files
oracle-deep-data-security-lab/scenarios/06-rag-vector-classified-docs
Rodrigo 31bb4b0b86
Some checks failed
Repo Quality / structure (push) Has been cancelled
Link RAG workshop guide from README
2026-05-14 13:36:39 -03:00
..
2026-05-14 13:36:39 -03:00
2026-05-14 13:35:40 -03:00

06 - RAG Vector Classified Docs

Objective

Show that an internal RAG agent or copilot retrieves only documents and chunks authorized for the end user before sending context to the LLM.

What This Lab Shows

Before Oracle Deep Data Security, vector search can retrieve confidential HR, legal, and executive chunks. After data grants are applied, vector retrieval respects document classification and the user persona.

Personas

  • nina: regular employee.
  • heitor: HR user.
  • sofia: legal user.
  • carlos: executive user.

Where To Run The Commands

Run SQL scripts from the repository root. On Linux/macOS/WSL:

cd ~/DEEP-DATA-SECURITY/oracle-deep-data-security-lab
export TNS_ADMIN=~/DEEP-DATA-SECURITY/wallet-ddslab

Connect as the lab administrator:

sql admin@ddslab_tunnel

This scenario uses the VECTOR type, TO_VECTOR, and VECTOR_DISTANCE. Use a database version with Oracle AI Vector Search support.

SQLcl note: when running a script with @file.sql, press Enter once and wait for the output. Do not type / afterward, because / reruns the last command in the SQLcl buffer.

Step By Step - Before, Vulnerable Environment

  1. Reset the scenario as ADMIN:

    @scenarios/06-rag-vector-classified-docs/sql/99_reset.sql
    
  2. Create the chunk table, seed classified documents, and create personas:

    @scenarios/06-rag-vector-classified-docs/sql/00_schema.sql
    @scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql
    @scenarios/06-rag-vector-classified-docs/sql/02_identities.sql
    
  3. Show all available chunks as ADMIN:

    SELECT chunk_id, document_title, department, classification, chunk_text
    FROM dds_rag_chunks
    ORDER BY chunk_id;
    
  4. Simulate the RAG question:

    Summarize critical documents about renewals, people, and legal risks.
    
  5. Connect as nina, a regular employee:

    sql 'nina/Welcome1_DDS!@ddslab_tunnel'
    
  6. Run the vector search before DDS:

    @scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
    

Expected result before protection: the retrieval may return HR_CONFIDENTIAL, LEGAL_CONFIDENTIAL, and EXECUTIVE_CONFIDENTIAL chunks to a regular employee because the legacy retrieval role is broad.

Step By Step - After, With Deep Data Security

  1. Reconnect as ADMIN and apply data grants by classification:

    @scenarios/06-rag-vector-classified-docs/sql/03_data_grants.sql
    
  2. Connect as nina and run the same vector search:

    sql 'nina/Welcome1_DDS!@ddslab_tunnel'
    
    @scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
    
  3. Repeat the same test as heitor, sofia, and carlos.

Expected result after protection:

  • nina sees only PUBLIC and INTERNAL chunks.
  • heitor sees authorized HR content.
  • sofia sees authorized legal content.
  • carlos sees all documents through the executive role.
  • The LLM receives only authorized context.

Optional Automated Execution

Windows:

powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 06-rag-vector-classified-docs -ConnectString "<connect_string>"

Linux/macOS:

./scripts/run-scenario.sh 06-rag-vector-classified-docs "<connect_string>"

Demo Details

See the complete walkthrough, evidence, and official references in RUNBOOK.md.

For a LiveLabs-style guided workshop, use WORKSHOP.md.