Access control for RAG — keeping retrieval inside the line

The access control gap in RAG is the space between two enforcement points: query submission and document retrieval. In a non-RAG system, these are the same operation — a user requests a resource and the system checks whether they can have it. In a RAG system, the user's query is not a direct request for a document. It is a natural-language question that causes the retrieval mechanism to select documents the user did not explicitly name.

A user who can query “what is our policy on executive compensation?” is implicitly requesting whatever document ranks highest for that query — even if that document is a confidential board memo they are not cleared to read. If access control is only checked at query submission (“can this user query the system?”), it will pass. If access control is also checked at retrieval (“can this user read the documents being returned for this query?”), it will fail.

Query-time access control answers the wrong question. It asks “can this user submit a query?” Retrieval-time access control answers the right question: “can this user read the specific documents this query will return?”

Query-time access control is easy to implement and commonly present. It typically takes the form of authentication gates on the query endpoint — only authenticated users can submit queries, and the authentication policy enforces session validity and rate limits. This control is necessary but not sufficient.

Retrieval-time access control must operate at the vector database query. When the retrieval mechanism issues its similarity search, it must filter results to documents within the querying user's authorisation scope. The user's identity and access attributes must be propagated from the query interface through the retrieval pipeline to the vector database query itself.

This requires three capabilities that many RAG implementations do not have by default:

1. Identity propagation:the user's identity and access attributes must be passed to the retrieval layer as part of every query. If the retrieval layer does not receive the user's identity, it cannot enforce per-user access control.
2. Document access metadata: each document in the knowledge base must carry access control metadata — which users, groups, or roles are permitted to read it. This metadata must be stored in a form the vector database can filter on at query time.
3. Filter-at-retrieval capability:the vector database must support metadata filtering that restricts similarity search results to documents within the querying user's scope. This must be an unconditional filter, not a post-processing step that happens after results are returned.

Attribute-based access control (ABAC) in a RAG context means attaching access attributes to each document in the knowledge base and enforcing those attributes at retrieval time. The attributes can express simple ownership (“only members of this group”), classification levels (“restricted, confidential, public”), or complex policy (“users in these roles, in this business unit, with this clearance level”).

Most production vector databases — Pinecone, Weaviate, Qdrant, pgvector — support metadata filtering at query time. The retrieval query can include a filter expression that restricts results to documents whose stored metadata satisfies a predicate. For ABAC, this filter is constructed from the user's access attributes and evaluated at the vector database layer.

The critical implementation requirement: the access filter must be applied before the similarity search returns results, not after. Post-retrieval filtering — retrieving all top-k results and then discarding the ones the user cannot see — exposes document existence information (the user can infer that documents exist even if the content is withheld) and may expose content if the filtering logic has errors.

Row-level security (RLS) is the database concept that maps directly to retrieval-time access control in RAG. In a relational database, RLS attaches security policies to tables so that queries automatically filter rows based on the executing session's identity. The application does not need to add WHERE clauses for access control — the database enforces it transparently.

For RAG systems using pgvector or other relational vector stores, RLS policies can be applied directly to the vector table. Each embedding row carries an access control column; the RLS policy restricts which rows the querying session can see. The similarity search automatically operates over only the rows the session is permitted to access.

For non-relational vector stores, the equivalent pattern is namespace isolation combined with per-namespace access control. Each user's or group's document set lives in a named namespace; the retrieval query is scoped to the namespaces the user is authorised to access. Namespace isolation is coarser than row-level control but is structurally enforced at the storage layer.

Testing that access control holds at retrieval requires an adversarial approach: construct queries that attempt to extract out-of-scope content and verify what the system returns. The extraction path test is a structured set of such queries.

The basic extraction test: create a document in the knowledge base with a classification that the test user should not be able to access. Submit queries designed to retrieve that document — including direct queries for the document's content, queries that embed key phrases from the document, and queries that ask about the topic the document covers. Verify that none of these queries return the protected document's content in the response.

The advanced extraction test: craft queries that attempt to extract document content incrementally — asking for specific facts, structural information, or partial content that might appear in a restricted document even if the document itself is not returned. This tests whether the access control applies to content at the semantic level or only at the document level.

The multi-tenant extraction test: in systems with multiple tenants sharing infrastructure, verify that a user in Tenant A cannot retrieve documents belonging to Tenant B, regardless of namespace or query construction.

The implementation pattern that consistently produces robust retrieval-time access control has four components:

1. Access metadata schema. Define the access attributes for the knowledge base before ingesting content. Every document carries owner, group, classification level, and any additional access predicates. The schema is defined upfront, not retrofitted.
2. Ingestion-time tagging. Access metadata is assigned at ingestion, from the document source record. Documents from the executive document store are tagged with executive access; documents from the public KB are tagged with all-users access. Tagging is automatic, based on source, not manual.
3. Query-time filter construction.The retrieval layer constructs the access filter from the authenticated user's identity and group memberships at the time the query is issued. The filter is passed to the vector database as a mandatory pre-retrieval constraint.
4. Audit logging. Every retrieval event is logged with the user identity, the query, the access filter applied, and the documents returned. This log is the evidence base for access control verification in a security review.

A RAG access control review covers the following, with evidence for each:

• Access control metadata schema — what attributes are stored with each document.
• Ingestion-time tagging mechanism — how access metadata is assigned at ingestion.
• Retrieval filter implementation — how and where the access filter is applied (pre- or post-retrieval).
• Identity propagation — how the querying user's identity reaches the retrieval layer.
• Multi-tenancy isolation — how tenant namespaces are isolated.
• Extraction test results — what adversarial queries were run and what was returned.
• Audit log configuration — what retrieval events are logged and how the logs are protected.

See the Drel RAG security assessment hub for the full review framework, including the access control module with extraction test templates.