[VoxxedDaysTicino2026] Securing RAG Pipelines with Fine-Grained Authorization
Lecturer
Sohan Maheshwar is a Lead Developer Advocate at AuthZed, based in the Netherlands. With over 15 years in the IT industry, including a decade in developer relations, Sohan began his career developing mobile applications and has since focused on emerging technologies, developer ecosystems, and authorization systems. He frequently speaks on AI security and access control. Relevant links include his personal website (https://www.sohan.co/) and LinkedIn profile (https://www.linkedin.com/in/sohan-maheshwar/).
Abstract
This article scrutinizes Sohan Maheshwar’s examination of securing retrieval-augmented generation (RAG) pipelines using relationship-based access control (ReBAC). It elucidates authorization paradigms, Zanzibar’s influence, and practical implementations with tools like Pinecone, LangChain, OpenAI, and SpiceDB. Through contextual analysis, methodological demos, and audience interactions, it assesses efficiency, security enhancements, and enterprise implications.
Evolution of Authorization Models and ReBAC’s Role
Sohan delineates authorization from authentication: the former governs access post-identity verification. Historical approaches like access control lists (ACLs)—enumerating users per resource—prove unscalable. Role-based access control (RBAC) assigns permissions via roles (e.g., software engineer accessing code), but reorgs necessitate new roles, complicating management.
Attribute-based access control (ABAC) evaluates attributes (location, IP) at decision points, yet scales poorly with complexity. ReBAC, popularized by Google’s 2019 Zanzibar paper, expresses permissions as relationships between users and objects (e.g., viewer, editor).
Zanzibar, handling 10 million queries per second in 2019, underpins Google services. Relationships form graphs: users connect to objects via relations like “member” or “owner.” Tuples formalize these: “user:3#owner@document:123.” Objects relate to others, enabling hierarchies.
Contexts: Inspired by Google+’s circles, ReBAC facilitates dynamic permissions, easing reorgs by rewriting relationships. Implications: Graphs enable efficient traversals, surpassing list-based models for scale.
Integrating ReBAC into RAG Pipelines
RAG augments LLMs with external data: queries retrieve vectors from databases, enriching prompts for accurate responses. Security demands users access only authorized data, preventing leaks.
Sohan advocates ReBAC for fine-grained control, superior to RBAC/ABAC in relational precision. Zanzibar schemas define relations (e.g., document viewers as owners or parent viewers), supporting unions, intersections for complex policies.
In RAG, pre-filtering queries with authorized IDs enhances efficiency: SpiceDB, an open-source Zanzibar implementation, checks permissions, filtering vectors before retrieval. Post-filtering verifies results, though less efficient.
Demo methodology: Using Pinecone for vectors, LangChain for orchestration, OpenAI for LLMs, and SpiceDB for authorization. Documents store metadata like IDs; SpiceDB relationships (e.g., “user:sohan#viewer@document:hr_policy”) enable checks.
Code integrates:
authorized_docs = spicedb.check_permissions(user, "viewer", documents)
filtered_query = vector_db.query_with_filter(authorized_docs)
Contexts: Enterprises risk breaches without such controls. Implications: Pre-filtering scales better for large datasets, though metadata in vectors can bloat if not optimized via external graphs.
Practical Demonstrations and Error Handling
Sohan’s live demo simulates an HR chatbot: Unsecured, it leaks sensitive data (e.g., salaries). With ReBAC, queries filter to authorized documents (vacation policies for non-HR users).
Pre-filtering: SpiceDB lists permitted IDs, constraining vector queries. Post-filtering: Retrieves broadly, then filters results—viable for small sets but inefficient at scale.
Audience queries highlight extensions: Subset permissions for agents via schema intersections/minuses. Hallucinations mitigated by prompt engineering (“reply only from these documents”) or fail-closed policies (deny access on errors).
Prompt engineering can’t bypass filters, as unauthorized data never reaches the LLM.
Contexts: Multi-agent scenarios require nuanced schemas reflecting privileges. Implications: Schemas model complexities (e.g., GitHub’s owners/repositories), but agent identities remain unresolved—user-linked or independent?
Enterprise Implications and Future Considerations
ReBAC safeguards RAG by centralizing permissions, akin to Zanzibar’s cross-app checks (e.g., Google Docs in Gmail). SpiceDB, handling billions of relationships, offers caching, watch APIs for reactivity.
Implications: Enhances security/efficiency, but demands schema expertise. At scale, vector metadata for users falters; graphs excel. Enterprises must address agent authorization—subsets prevent overreach.
Future: Industry evolves toward agent-specific identities, avoiding user dependency. Tools like Kubernetes controllers leveraging SpiceDB (via operators) indicate broader adoption.
In essence, Sohan’s approach fortifies AI pipelines, balancing access with protection in relational contexts.