
Restrict Data to users in Agent Builder or Generative AI

Hi,

I'm working on a bot that retrieves data from BigQuery tables and documents. I need to implement role-based access control so users only see the information relevant to their roles. Could you advise on the best approach for restricting access based on user roles (Store user, store Manager, etc.)? Any guidance would be greatly appreciated.


Hi @Rajavelu,

Welcome to Google Cloud Community!

To set up role-based access control (RBAC) for your bot that retrieves data from BigQuery, you need to combine BigQuery's access control features with your bot’s logic. You can follow this strategy:

1. BigQuery Access Control:

  • IAM Roles: Use BigQuery's Identity and Access Management (IAM) to define roles and assign them to users (or groups of users) based on their roles (Store User, Store Manager, etc.). Create custom roles with granular permissions to allow only necessary access to specific tables or views. For example:
      • Store User: A role with SELECT permissions on tables relevant to store data.
      • Store Manager: A role with SELECT permissions on all relevant tables and possible INSERT, UPDATE, or DELETE permissions on specific tables.
  • Views: Create BigQuery views that filter data based on the user's role, showing only relevant data. This simplifies access control. For example, a store_user_sales view might display sales data for a specific store only.
  • Row-Level Security (RLS): For cases where users need access to different rows in the same table, use BigQuery’s Row-Level Security (RLS) policies. These policies filter data based on conditions, ensuring each user sees only their relevant information.

2. Bot Logic (User Authentication and Authorization):

  • Authentication: Your bot needs to authenticate users, which can be done through a custom login interface (e.g., username/password), integration with an existing authentication system (e.g., Google Cloud Identity Platform), or by using tokens.
  • Authorization: After authentication, your bot needs to check the user's role. This involves getting the role from the authentication system, using it to choose the right BigQuery view or RLS policy, and building the query based on the user's role.

3. Data Organization: You can use separate datasets in BigQuery for each role, but views are often a better option for flexibility and easier management.

In addition, you can refer to this document for more information.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
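The bot-side authorization step from point 2 of the reply above, as an added example that is not part of the original post or any Google code: the bot verifies a signed token before trusting the role in it, then picks the view from an allowlist and binds the store as a query parameter. The HMAC token format, the shared key, the `retail.*` view names and the `store_id` column are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumptions (hypothetical, not from the thread): the site's auth system issues an
# HMAC-signed token with role, store_id and exp claims; view and column names are made up.
SHARED_KEY = b"constructed-demo-key"  # constructed; load from a secret manager in practice
ROLE_VIEWS = {  # allowlist: verified role -> the only view that role may query
    "store_user": "retail.store_user_sales",
    "store_manager": "retail.store_manager_sales",
}

def b64(data):
    return base64.urlsafe_b64encode(data).decode()

def sign(body, key):
    return b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_token(claims, key=SHARED_KEY):
    """Auth-system side: serialise and sign the claims."""
    body = b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + sign(body, key)

def verify_token(token, key=SHARED_KEY, now=None):
    """Bot side: reject forged or expired tokens before trusting any claim."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), sign(body, key).encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < (time.time() if now is None else now):
        raise PermissionError("token expired")
    return claims

def build_query(token, now=None):
    """Pick the view from the verified role; bind store_id as a query parameter."""
    claims = verify_token(token, now=now)
    view = ROLE_VIEWS.get(claims["role"])
    if view is None:
        raise PermissionError("role has no data access: %r" % claims["role"])
    # The view name comes only from the allowlist; user-influenced values are bound
    # as named parameters (@store_id) rather than concatenated into the SQL.
    return "SELECT * FROM `%s` WHERE store_id = @store_id" % view, {"store_id": claims["store_id"]}

if __name__ == "__main__":
    demo = issue_token({"sub": "alice", "role": "store_user", "store_id": "S001",
                        "exp": time.time() + 300})  # constructed sample claims
    print(build_query(demo))
```

The returned SQL and parameter dictionary are what the bot would hand to its BigQuery client as a parameterized query; Row-Level Security policies on the underlying tables remain the enforcement layer if the bot logic is bypassed.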

Thank you for your response!

I'm working with a scenario where an external website (similar to SAP SuccessFactors) has its own user authentication system. A chatbot is integrated into a section of this website, and some of the chatbot's knowledge comes from documents stored in a separate datastore.

I'm trying to understand the underlying mechanism of how this works.

My current approach is to capture the username from the external website's login process. This username would then be used in conjunction with an unauthenticated API, from a conversational interface, to match the user with the data that can be accessed by them. The user-specific access permissions and information will be available in a BigQuery table, which includes usernames and the information each user is authorized to access.