Files
oracle-deep-data-security-lab/scenarios/05-legacy-app-ai-extension/RUNBOOK.md
Rodrigo db3d68af10
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled
Improve Deep Data Security lab scenarios
2026-05-13 16:13:04 -03:00

2.8 KiB
Executable File

Runbook - 05 Legacy App AI Extension

Objective

Show how to extend a legacy application with an AI agent without rewriting all application authorization logic.

Security Value

  • Enables AI modernization without opening the whole schema.
  • Reduces risk from overprivileged legacy technical accounts.
  • Shows that the AI agent receives only the data authorized for the persona.

Prerequisites

  • Oracle AI Database compatible with Oracle Deep Data Security.
  • SQLcl or SQL*Plus.
  • A legacy application narrative, such as CRM, billing, support, or contracts.

Before - Vulnerable Environment

  1. Reset the scenario:

    @scenarios/05-legacy-app-ai-extension/sql/99_reset.sql
    
  2. Create the legacy dataset and accounts:

    @scenarios/05-legacy-app-ai-extension/sql/00_schema.sql
    @scenarios/05-legacy-app-ai-extension/sql/01_seed_data.sql
    @scenarios/05-legacy-app-ai-extension/sql/02_identities.sql
    
  3. Simulate the AI agent question:

    List all high-risk customers, margin, renewals, legal clauses, and private support notes.
    
  4. Run the broad queries:

    @scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
    

Expected Result Before

  • Commercial data, margin, legal hold, legal clauses, and private support notes may appear together.
  • The technical account or AI agent can access too much data if the application does not filter correctly.
  • The customer sees the risk of adding AI on top of legacy data without database-level controls.

After - Applying Deep Data Security

  1. Apply data grants by persona:

    @scenarios/05-legacy-app-ai-extension/sql/03_data_grants.sql
    
  2. Run the same query as joao, ana, maria, and sofia, or propagate those identities through the agent:

    @scenarios/05-legacy-app-ai-extension/sql/04_test_queries.sql
    

Expected Result After

  • joao sees his portfolio without margin or legal hold.
  • ana sees Brazil customers and regional commercial metrics.
  • maria sees support-relevant data without margin, legal clauses, or private notes.
  • sofia sees contracts and legal clauses for legal-hold customers.
  • The AI agent can no longer consolidate everything into one abusive answer.

Demo Evidence

  • AI agent response before and after protection.
  • SQL output by persona.
  • Explanation of "no full authorization rewrite": the database becomes the common enforcement point.

Official References