Skip to main content

Restricting Access to Resources Based on the User

Default Behavior in Agentic RAG

By default, Agentic RAG grants access to all resources within a given Knowledge Box to any user who has access to that Knowledge Box. This means that any user with access can view any resource contained within it.

Agentic RAG allows you to define users with different roles for managing the Knowledge Box, typically via the Agentic RAG dashboard. However, if you're developing an application where access to resources needs to be restricted for different users, you must take additional steps to ensure security. Users of your application may not necessarily be the same as those who manage the Knowledge Box in Agentic RAG.

To restrict access to resources, it is recommended to position Agentic RAG behind your application. This way, users do not have direct access to Agentic RAG, and your application can act as a proxy to filter requests based on user permissions.

Implementing a Proxy Layer

Adding Security Metadata to Resources

To restrict access to specific resources based on user groups, you can add security metadata when creating each resource.

For example, if you want to limit access to a resource based on user groups, you can include the authorized groups in the security field of the resource creation payload:

{
  "title": "Meeting minutes",
  "texts": { "text": { "format": "PLAIN", "body": "some random text" } },
  "security": {
    "access_groups": ["group1", "group2"]
  }
}

In this example, group1 and group2 represent the groups that are allowed to access the resource. These can be any identifiers you use for access control, such as usernames. The security settings apply to all fields of the resource.

Adding a Security Filter to Requests

Whenever your application queries Agentic RAG to run a search, it must include the security.groups parameter to ensure only authorized resources are retrieved for the current user.

For example, if the current user belongs to group2, a search query would look like this:

Original query:

GET /search?query=secret+information

Modified query with security filter:

GET /search?query=secret+information&security_groups=group2

If you're using the POST method, include the security groups in the request payload:

POST /search
{
  "query": "secret information",
  "security": {
    "groups": ["group2"]
  }
}

By following these steps, you can ensure that access to resources within your application is properly restricted based on user roles and permissions.