112 lines
2.8 KiB
Markdown
Executable File
112 lines
2.8 KiB
Markdown
Executable File
# 06 - RAG Vector Classified Docs
|
|
|
|
## Objective
|
|
|
|
Show that an internal RAG agent or copilot retrieves only documents and chunks authorized for the end user before sending context to the LLM.
|
|
|
|
## What This Lab Shows
|
|
|
|
Before Oracle Deep Data Security, vector search can retrieve confidential HR, legal, and executive chunks. After data grants are applied, vector retrieval respects document classification and the user persona.
|
|
|
|
## Personas
|
|
|
|
- `nina`: regular employee.
|
|
- `heitor`: HR user.
|
|
- `sofia`: legal user.
|
|
- `carlos`: executive user.
|
|
|
|
## Where To Run The Commands
|
|
|
|
Run commands from the repository root:
|
|
|
|
```powershell
|
|
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
|
|
```
|
|
|
|
Connect to the database with SQLcl or SQL*Plus:
|
|
|
|
```bash
|
|
sql "<connect_string>"
|
|
```
|
|
|
|
This scenario uses the `VECTOR` type, `TO_VECTOR`, and `VECTOR_DISTANCE`. Use a database version with Oracle AI Vector Search support.
|
|
|
|
## Step By Step - Before, Vulnerable Environment
|
|
|
|
1. Connect to the database:
|
|
|
|
```bash
|
|
sql "<connect_string>"
|
|
```
|
|
|
|
2. Reset the scenario:
|
|
|
|
```sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/99_reset.sql
|
|
```
|
|
|
|
3. Create the chunk table, simple embeddings, and personas:
|
|
|
|
```sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/00_schema.sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/01_seed_data.sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/02_identities.sql
|
|
```
|
|
|
|
4. Simulate the RAG question:
|
|
|
|
```text
|
|
Summarize critical documents about renewals, people, and legal risks.
|
|
```
|
|
|
|
5. Run the vector search:
|
|
|
|
```sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
|
|
```
|
|
|
|
Expected result before protection: retrieval may return `HR_CONFIDENTIAL`, `LEGAL_CONFIDENTIAL`, and `EXECUTIVE_CONFIDENTIAL` chunks.
|
|
|
|
## Step By Step - After, With Deep Data Security
|
|
|
|
1. Apply data grants by classification:
|
|
|
|
```sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/03_data_grants.sql
|
|
```
|
|
|
|
2. Run the same vector search again:
|
|
|
|
```sql
|
|
@scenarios/06-rag-vector-classified-docs/sql/04_test_queries.sql
|
|
```
|
|
|
|
3. Repeat the demo by simulating `nina`, `heitor`, `sofia`, and `carlos`.
|
|
|
|
Expected result after protection:
|
|
|
|
- `nina` sees only `PUBLIC` and `INTERNAL` chunks.
|
|
- `heitor` sees authorized HR content.
|
|
- `sofia` sees authorized legal content.
|
|
- `carlos` sees all documents through the executive role.
|
|
- The LLM receives only authorized context.
|
|
|
|
## Optional Automated Execution
|
|
|
|
Windows:
|
|
|
|
```powershell
|
|
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 06-rag-vector-classified-docs -ConnectString "<connect_string>"
|
|
```
|
|
|
|
Linux/macOS:
|
|
|
|
```bash
|
|
./scripts/run-scenario.sh 06-rag-vector-classified-docs "<connect_string>"
|
|
```
|
|
|
|
## Demo Details
|
|
|
|
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).
|
|
|