Files
oracle-deep-data-security-lab/scenarios/06-rag-vector-classified-docs/README.md
Rodrigo db3d68af10
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled
Improve Deep Data Security lab scenarios
2026-05-13 16:13:04 -03:00

112 lines
2.8 KiB
Markdown
Executable File

# 06 - RAG Vector Classified Docs
## Objective
Show that an internal RAG agent or copilot retrieves only documents and chunks authorized for the end user before sending context to the LLM.
## What This Lab Shows
Before Oracle Deep Data Security, vector search can retrieve confidential HR, legal, and executive chunks. After data grants are applied, vector retrieval respects document classification and the user persona.
## Personas
- `nina`: regular employee.
- `heitor`: HR user.
- `sofia`: legal user.
- `carlos`: executive user.
## Where To Run The Commands
Run commands from the repository root:
```powershell
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
```
Connect to the database with SQLcl or SQL*Plus:
```bash
sql "<connect_string>"
```
This scenario uses the `VECTOR` type, `TO_VECTOR`, and `VECTOR_DISTANCE`. Use a database version with Oracle AI Vector Search support.
## Step By Step - Before, Vulnerable Environment
1. Connect to the database:
```bash
sql "<connect_string>"
```
2. Reset the scenario:
```sql
@scenarios/06-rag-vector-classified-docs/sql/99_reset.sql
```
3. Create the chunk table, simple embeddings, and personas:
```sql
@scenarios/06-rag-vector-classified-docs/sql/00_schema.sql
@scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql
@scenarios/06-rag-vector-classified-docs/sql/02_identities.sql
```
4. Simulate the RAG question:
```text
Summarize critical documents about renewals, people, and legal risks.
```
5. Run the vector search:
```sql
@scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
```
Expected result before protection: retrieval may return `HR_CONFIDENTIAL`, `LEGAL_CONFIDENTIAL`, and `EXECUTIVE_CONFIDENTIAL` chunks.
## Step By Step - After, With Deep Data Security
1. Apply data grants by classification:
```sql
@scenarios/06-rag-vector-classified-docs/sql/03_data_grants.sql
```
2. Run the same vector search again:
```sql
@scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
```
3. Repeat the demo by simulating `nina`, `heitor`, `sofia`, and `carlos`.
Expected result after protection:
- `nina` sees only `PUBLIC` and `INTERNAL` chunks.
- `heitor` sees authorized HR content.
- `sofia` sees authorized legal content.
- `carlos` sees all documents through the executive role.
- The LLM receives only authorized context.
## Optional Automated Execution
Windows:
```powershell
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 06-rag-vector-classified-docs -ConnectString "<connect_string>"
```
Linux/macOS:
```bash
./scripts/run-scenario.sh 06-rag-vector-classified-docs "<connect_string>"
```
## Demo Details
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).