Files
oracle-deep-data-security-lab/scenarios/06-rag-vector-classified-docs/README.md
Rodrigo db3d68af10
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled
Improve Deep Data Security lab scenarios
2026-05-13 16:13:04 -03:00

2.8 KiB
Executable File

06 - RAG Vector Classified Docs

Objective

Show that an internal RAG agent or copilot retrieves only documents and chunks authorized for the end user before sending context to the LLM.

What This Lab Shows

Before Oracle Deep Data Security, vector search can retrieve confidential HR, legal, and executive chunks. After data grants are applied, vector retrieval respects document classification and the user persona.

Personas

  • nina: regular employee.
  • heitor: HR user.
  • sofia: legal user.
  • carlos: executive user.

Where To Run The Commands

Run commands from the repository root:

cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab

Connect to the database with SQLcl or SQL*Plus:

sql "<connect_string>"

This scenario uses the VECTOR type, TO_VECTOR, and VECTOR_DISTANCE. Use a database version with Oracle AI Vector Search support.

Step By Step - Before, Vulnerable Environment

  1. Connect to the database:

    sql "<connect_string>"
    
  2. Reset the scenario:

    @scenarios/06-rag-vector-classified-docs/sql/99_reset.sql
    
  3. Create the chunk table, simple embeddings, and personas:

    @scenarios/06-rag-vector-classified-docs/sql/00_schema.sql
    @scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql
    @scenarios/06-rag-vector-classified-docs/sql/02_identities.sql
    
  4. Simulate the RAG question:

    Summarize critical documents about renewals, people, and legal risks.
    
  5. Run the vector search:

    @scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
    

Expected result before protection: retrieval may return HR_CONFIDENTIAL, LEGAL_CONFIDENTIAL, and EXECUTIVE_CONFIDENTIAL chunks.

Step By Step - After, With Deep Data Security

  1. Apply data grants by classification:

    @scenarios/06-rag-vector-classified-docs/sql/03_data_grants.sql
    
  2. Run the same vector search again:

    @scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
    
  3. Repeat the demo by simulating nina, heitor, sofia, and carlos.

Expected result after protection:

  • nina sees only PUBLIC and INTERNAL chunks.
  • heitor sees authorized HR content.
  • sofia sees authorized legal content.
  • carlos sees all documents through the executive role.
  • The LLM receives only authorized context.

Optional Automated Execution

Windows:

powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 06-rag-vector-classified-docs -ConnectString "<connect_string>"

Linux/macOS:

./scripts/run-scenario.sh 06-rag-vector-classified-docs "<connect_string>"

Demo Details

See the complete walkthrough, evidence, and official references in RUNBOOK.md.