User Permission-based Content Filtering

When using Knowledge Base (KB) with a Large Language Model (LLM), you can refine KB search results by performing a real-time permissions check for the current user against the referenced sources. This ensures that the AI agent only provides information that the specific user is authorized to view within the source system.

NOTE: This feature is available starting with Druid 9.18 only for SharePoint Online data sources.
IMPORTANT! To use this feature, the SharePoint Sites.FullControl.All permission must be granted to the Druid App Registration in your Azure environment. For more details, refer to the Microsoft SharePoint Authorization documentation.

How to Filter User Permission-based Content

The content filtering process is not automated; you must manually configure the KB agent flow by adding the KBCheckUserPermissions internal action and defining the logic to verify and evaluate user access.

Step 1. Add the Internal Action

First, add the internal action to your KB Agent flow to identify the collection of Knowledge Base results returned by the intent and the user:

{
  "KBQnAItems": "[[Intent]].KBQnAItems",
  "UserIdentifier": "[[ChatUser]].DomainUserName"
}

Step 2. Instruct the Permissions Check (VerifyReadAccess)

The [[Intent]].KBQnAItems[*].VerifyReadAccess field tells the internal action which specific KB search results to check. You can optimize latency by checking permissions only on cited sources rather than the entire result set.

As an example, use the following logic in a code extension to mark specific citations for verification:

// Parse the arguments the LLM passed to the function call.
let objArguments = JSON.parse([[GPTFunction]].Arguments);

// Declared up front so the checks below are safe even when parsing yields null.
let intCitation1Id = null;
let intCitation2Id = null;
let intCitation3Id = null;

if (objArguments != null) {
  intCitation1Id = objArguments.Citation1Id === null ? "" : objArguments.Citation1Id;
  intCitation2Id = objArguments.Citation2Id === null ? "" : objArguments.Citation2Id;
  intCitation3Id = objArguments.Citation3Id === null ? "" : objArguments.Citation3Id;
} else {
  [[GPT]].response = "Missing 'response' property from the Arguments of function " + [[GPT]].GPTFunction.Name + ".";
}

// Request a permission check only for citations that map to an existing KB result.
if (intCitation1Id != null && [[Intent]].KBQnAItems[intCitation1Id] != null) {
  [[Intent]].KBQnAItems[intCitation1Id].VerifyReadAccess = true;
}
if (intCitation2Id != null && [[Intent]].KBQnAItems[intCitation2Id] != null) {
  [[Intent]].KBQnAItems[intCitation2Id].VerifyReadAccess = true;
}
if (intCitation3Id != null && [[Intent]].KBQnAItems[intCitation3Id] != null) {
  [[Intent]].KBQnAItems[intCitation3Id].VerifyReadAccess = true;
}

Step 3. Evaluate Results (HasReadAccess)

The result of the check is provided in the [[Intent]].KBQnAItems[i].HasReadAccess field. You must then use this information to decide whether to share the content with the KB agent or remove the restricted records from the agent context.

let strToolResponse = "";

// List every KB result that the permission check reported as not readable by the user.
for (let i = 0; i < [[Intent]].KBQnAItems.Count; i++) {
  if ([[Intent]].KBQnAItems[i].HasReadAccess == false) {
    strToolResponse += `The user does not have access to this document: '${[[Intent]].KBQnAItems[i].Url}'\r\n`;
  }
}

if (strToolResponse == "") {
  strToolResponse = "The user has no security restriction on the available context.";
} else {
  strToolResponse += "Trigger KB_response and tell the user 'I cannot give this information as per your security permissions.' Include the references to the Citation's you verified.";
}
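
Step 3 also mentions removing restricted records from the agent context. The following is an added example of that option, not Druid's own code: plain JavaScript over constructed items that keeps a record only when the check was requested and returned true. The function name partitionByReadAccess and the sample URLs are hypothetical, and treating unverified or result-less items as withheld is a design assumption, since the page does not say what HasReadAccess holds for items that were not checked.

```javascript
// Added example. The field names (Url, VerifyReadAccess, HasReadAccess) come
// from the page; in a Druid code extension the array would be
// [[Intent]].KBQnAItems (assumption about how the two map).

// Fail-closed partition: an item stays in the agent context only when a
// permission check was requested for it AND the result is explicitly true.
function partitionByReadAccess(items) {
  const allowed = [];
  const withheld = [];
  for (const item of items || []) {
    if (item == null) continue;
    const verified = item.VerifyReadAccess === true;
    if (verified && item.HasReadAccess === true) {
      allowed.push(item);
      continue;
    }
    // Record why the item was dropped so it can be logged or reviewed.
    let reason = "no-result";            // check requested, nothing came back
    if (!verified) reason = "not-verified";
    else if (item.HasReadAccess === false) reason = "denied";
    withheld.push({ Url: item.Url, reason });
  }
  return { allowed, withheld };
}

// Constructed sample items (not real SharePoint URLs).
const sampleItems = [
  { Url: "https://example.invalid/sites/hr/policy.docx", VerifyReadAccess: true, HasReadAccess: true },
  { Url: "https://example.invalid/sites/finance/budget.xlsx", VerifyReadAccess: true, HasReadAccess: false },
  { Url: "https://example.invalid/sites/legal/draft.docx", VerifyReadAccess: false },
  { Url: "https://example.invalid/sites/it/runbook.docx", VerifyReadAccess: true, HasReadAccess: null },
];

const sampleResult = partitionByReadAccess(sampleItems);
console.log("kept in context:", sampleResult.allowed.map((i) => i.Url));
console.log("withheld:", sampleResult.withheld);
```

Compared with a test for HasReadAccess == false, this version also drops items whose result is missing, so a check that was skipped or failed does not leave the document in the context.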

User Experience

When a user lacks the necessary SharePoint permissions for a specific document, the AI agent identifies the restricted access and informs the user that the content cannot be provided, ensuring data security within the chat interface.

KB Agent Dashboard

You can use the KB Agent Dashboard to observe events where user questions could have been answered by documents for which the user lacks access. This data allows you to review the respective permissions in SharePoint and follow up with users.