Files
oracle-deep-data-security-lab/scenarios/06-rag-vector-classified-docs/RUNBOOK.md
Rodrigo Pace 52bf971b8b
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled
Translate lab documentation to English
2026-05-08 14:50:52 -03:00

2.6 KiB

Runbook - 06 RAG Vector Classified Docs

Objective

Show that a RAG agent retrieves only authorized chunks/documents before sending context to the LLM.

Security Value

  • Reduces over-retrieval in RAG.
  • Prevents confidential chunks from being sent to the model.
  • Combines vector search with data grants by classification.

Prerequisites

  • Oracle AI Database with support for VECTOR, TO_VECTOR, and VECTOR_DISTANCE.
  • Database compatible with Oracle Deep Data Security.
  • SQLcl or SQL*Plus.

Before - Vulnerable Environment

  1. Reset the scenario:

    @scenarios/06-rag-vector-classified-docs/sql/99_reset.sql
    
  2. Create chunks and personas without applying data grants:

    @scenarios/06-rag-vector-classified-docs/sql/00_schema.sql
    @scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql
    @scenarios/06-rag-vector-classified-docs/sql/02_identities.sql
    
  3. Simulate the RAG question:

    Summarize critical documents about renewals, people, and legal risks.
    
  4. Run the vector search:

    @scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
    

Expected Result Before

  • The search may retrieve HR_CONFIDENTIAL, LEGAL_CONFIDENTIAL, and EXECUTIVE_CONFIDENTIAL chunks.
  • The LLM could receive sensitive context before it even generates an answer.

After - Applying Deep Data Security

  1. Apply data grants by classification:

    @scenarios/06-rag-vector-classified-docs/sql/03_data_grants.sql
    
  2. Run the same search as nina, heitor, sofia, and carlos:

    @scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
    

Expected Result After

  • nina retrieves only PUBLIC and INTERNAL chunks.
  • heitor retrieves authorized HR content.
  • sofia retrieves authorized legal content.
  • carlos retrieves all chunks through the executive role.
  • The RAG layer sends only authorized context to the LLM.

Demo Evidence

  • Retrieved chunk list before and after protection.
  • Visible classifications by persona.
  • Explanation that enforcement happens before the LLM call.

Official References