Enforcing per-user document permissions in a multi-tenant RAG system — where does access control belong?
Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Design access control for a multi-tenant RAG system where users may only see documents they are authorized for. Where in the pipeline must permissions be enforced, and why is enforcing them in the prompt unsafe?
Enforce permissions at retrieval time as an identity-scoped pre-filter so unauthorized chunks never enter the prompt. A probabilistic model told to ignore forbidden chunks is not an access boundary.
Imagine a library where some shelves are off-limits to you. The safe rule is that the librarian only ever hands you books you're allowed to read — the forbidden ones never leave the locked room. The unsafe rule is the librarian piling every book on your desk, including the secret ones, with a sticky note saying "please don't read the red ones." Maybe you obey, maybe you peek, maybe someone tricks you into reading one aloud. In a retrieval system, the locked room is the search filter tied to who you are. Once a secret document is on the desk — in the model's context — there's no real guarantee it stays unread.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Lead with the principle: authorization is enforced at retrieval time by a trusted system, never by the prompt. Describe identity-scoped pre-filtering — per-chunk ACL metadata joined with the user's resolved permission set so forbidden chunks are never candidates. Explain precisely why prompt enforcement fails: a probabilistic model is not a boundary, and indirect injection can defeat any 'ignore this' instruction once the chunk is in context. Then cover the hard parts: pre-filter versus post-filter and ANN starvation, tenant isolation via partitioning, deny by default on missing or stale ACLs, revocation propagation, and defense in depth with sanitization and audit logging.
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Retrieving broadly and instructing the LLM to ignore unauthorized chunks — once a forbidden chunk is in the context window, no prompt instruction is a real access boundary.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.