SYSTEM_CONSOLE v2.4.0

Access and policy

How to enforce least privilege for retrieval and tool access using role and attribute-based rules.

LAST_UPDATED: 2025-05

Enforce least privilege for retrieval and tool access using role-based and attribute-based rules. The key principle is that retrieval is an access path and must be secured like an API.

Key Takeaways

  • Policy must apply before retrieval, not after generation.
  • Structured data requires row and column controls.
  • Tool access must be explicit, scoped, and audited.

Policy enforcement points

Layered enforcement for both context retrieval and tool execution.

[Diagram: Policy Enforcement Points]

Context access model (RBAC and ABAC)

Use a layered model where RBAC identifies the user and ABAC determines what they are permitted to see in a specific context.

User Attributes

  • role
  • department
  • region

Data Attributes

  • classification
  • domain
  • owner_team

Row and column-level controls

For structured sources, tagging is not enough. If a user is not allowed to query the underlying data directly, the AI system must not retrieve it either.

  • Column masking for sensitive fields
  • Row filtering by region, tenant, or business unit
  • Aggregation-only access where raw records are restricted
  • Strict separation between “metrics” and “raw data”
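One way to put the context access model and the row and column controls above into code, as an added example that is not part of the original page: a Python policy gate that evaluates the RBAC/ABAC decision before retrieval, drops denied rows, and masks sensitive columns. The role clearance table, the owning-team rule, the masked column names and the sample records are constructed assumptions; only the attribute names come from the page.

```python
# Added example, not code from the page: RBAC (role clearance) + ABAC (user vs.
# record attributes), then row filtering and column masking, all applied before
# retrieval. Attribute names follow the page; policy tables and data are constructed.
from dataclasses import dataclass, field
ROLE_CLEARANCE = {  # RBAC: classifications each role may read (constructed)
    "analyst": {"public", "internal"},
    "finance_lead": {"public", "internal", "confidential"},
}
SENSITIVE_COLUMNS = {"salary", "ssn"}  # constructed list of masked fields

@dataclass
class User:
    role: str
    department: str
    region: str

@dataclass
class Record:
    classification: str
    domain: str
    owner_team: str
    region: str
    fields: dict = field(default_factory=dict)

def is_allowed(user: User, rec: Record) -> bool:
    """ABAC decision, evaluated before retrieval rather than after generation."""
    clearance = ROLE_CLEARANCE.get(user.role, set())  # unknown role -> deny all
    if rec.classification not in clearance:
        return False
    # Confidential records are visible only to the owning team (constructed rule).
    if rec.classification == "confidential" and rec.owner_team != user.department:
        return False
    return rec.region == user.region  # row filter: own region only

def retrieve(user: User, corpus: list[Record]) -> list[dict]:
    """Return only policy-approved rows; sensitive columns masked unless cleared."""
    raw_ok = "confidential" in ROLE_CLEARANCE.get(user.role, set())
    out = []
    for rec in corpus:
        if not is_allowed(user, rec):
            continue  # denied rows never enter the context window
        out.append({k: (v if raw_ok or k not in SENSITIVE_COLUMNS else "***")
                    for k, v in rec.fields.items()})
    return out
CORPUS = [  # constructed sample data: two regions, mixed classifications
    Record("internal", "hr", "hr", "eu", {"name": "A", "salary": 100}),
    Record("internal", "hr", "hr", "us", {"name": "B", "salary": 120}),
    Record("confidential", "finance", "finance", "eu", {"name": "C", "ssn": "x"}),
]
```

A denied row is simply absent from the returned context, so the model cannot be talked into revealing it by prompt instructions alone.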

Tool registry and permissions

Treat tools like APIs. Tool permissions should be explicit per role and scoped for least privilege.

Requirement      Details
Tool Metadata    name, owner, purpose, schema
Data Auth        classification of returned data
Operational      rate limits, budgets, logging requirements

Secrets and credential scoping

  • Use short-lived tokens
  • Scope tokens to the minimum dataset or API
  • Never put credentials in prompts
  • Separate execution identity from user identity

GCP mapping

Illustrative. Each layer maps to equivalent services on AWS, Azure, or any cloud.

Layer                  GCP service
Policy Engine          IAM + VPC Service Controls
ABAC / Fine-grained    BigQuery row/column security
Tool Gate              Cloud Run + IAM invoker roles
Audit Log              Cloud Audit Logs → BigQuery

Failure modes

  • ! “Superuser retriever” bypasses policy and leaks data.
  • ! Tool outputs are not validated and return sensitive data.
  • ! Policies exist on paper but are not enforced in retrieval.
  • ! Too much reliance on prompt instructions vs access control.

Checklist

  • Policy engine exists and is called before retrieval.
  • Structured data access respects row and column rules.
  • Tool registry exists with explicit per-role permissions.
  • Credentials are short-lived and scoped.
  • Denied requests are safe and explainable.