Implement access control using ReBAC (Relationship-Based Access Control) integrated with a Zanzibar-inspired permission system, combining pre-retrieval permission checks with post-retrieval metadata filtering.
Access control in RAG requires filtering both during retrieval (pre-filtering) and after (post-filtering). Pre-filtering adds tenant or user permissions as metadata to each chunk at ingestion time, then applies filters directly in vector store queries using filter parameters. Post-filtering validates that all retrieved documents are authorized after retrieval. For complex permission models, integrate a Zanzibar-like permission system (SpiceDB, Ory Keto) that evaluates access relationships at query time. This ensures that the LLM never receives unauthorized content—not through the initial retrieval, nor through any attempt to bypass via prompt injection.
Metadata filtering: Add permission metadata to each chunk and filter at query time
ReBAC integration: Use Zanzibar-inspired systems for complex permission relationships
Pre-retrieval filtering: Apply filters directly in vector store query to avoid retrieving unauthorized content
Post-retrieval validation: Double-check all retrieved documents are authorized before passing to LLM