Security & Permissions
BotDojo provides a comprehensive security and permissions system to ensure that your AI applications and data are protected and accessible only to authorized users. This section will guide you through the process of inviting users to your BotDojo account and assigning them appropriate roles and permissions.
User Roles
BotDojo offers different user roles to control access and permissions within your account:
-
Account Administrator: Account Administrators have full control over the BotDojo account. They can manage users, assign roles, modify project settings, and access all features and data within the account. However, they cannot change billing information.
-
Account Owner: The Account Owner has the same permissions as an Account Administrator but with the additional ability to modify billing information for the account.
-
Project Administrator: Project Administrators have permissions limited to a specific project within the BotDojo account. They can modify Flows, Indexes, and other project-related settings. However, they cannot invite users or add / view integration api keys.
-
Chat Access:- Users with Chat Access can only use the BotDojo Chat API to interact with the AI applications. They can only see and access Flows assigned to their User Group
Inviting Users
Account Administrators have the ability to invite new users to the BotDojo account. To invite a user, follow these steps:
Navigate to the "Accounts" section in your BotDojo dashboard. Go to the "Team" tab and select "Invite User". Enter the email address of the user you want to invite and select the appropriate role (Account Administrator, Project Administrator, or Custom (for Chat Only Access)).
Click "Send Invitation" to send an email invitation to the user with instructions on how to join your BotDojo account.
User Groups
When you need to restrict access to specific projects or grant chat-only access to users within your BotDojo account, you can create user groups. User Groups allow you to define granular access controls based on projects and permissions. To create a user group, follow these steps:
Navigate to the "Accounts" section in your BotDojo dashboard. Go to the "Team" tab and select "Group." Choose the type of access you want to grant to the group:
Project Access: Specify which projects the group members should have administrator access to. Flows Access: Specify which flows members should have access to. Policy: Granular access policies to underlying resources.
Assign users to the created group to grant them the specified access permissions.
Group Policies
Group Policies provide fine-grained access control over how AI flows interact with underlying resources. While users with access to a flow can generally perform all actions the agent is configured to do, Group Policies allow you to restrict the flow's behavior to specific underlying resources based on conditions you define.
How Group Policies Work
Note: Group Policies only apply to users with authenticated Chat Only access. Users with higher-level roles (such as Project Administrators or Account Administrators) are not restricted by Group Policies.
Group Policies add an extra layer of security by allowing you to define fine-grained access controls for Chat Only users. These policies determine which resources and data a Chat Only user can access when interacting with flows.
By default, when someone has access to a flow, the flow can access any resources it's configured to use without restrictions. Group Policies add an additional layer of security by allowing you to:
- Filter Index Search Results: Control which documents are returned from vector index searches based on document metadata
This allows you to create agents that can search indexes and the search results will be restricted to what the user has access to.
Current Policy Support
Currently, BotDojo supports Custom Index Search Policies that filter what documents are returned from an index search by filtering on the metadata of the document.
Policy Structure
A Group Policy consists of several components:
- Effect: Whether to "permit" access
- Principal: The entity requesting access ("User")
- Action: The specific action being performed (currently supports "search")
- Resource: The resource being accessed (currently supports "Index")
- Condition: The metadata filter applied to the index
Example Policy Configuration
Here's an example of a Group Policy that restricts index search results to documents with specific path patterns:
{
"policies": [
{
"effect": "permit",
"principal": {
"id": "*",
"type": "User"
},
"action": {
"type": "Action",
"in": ["search"]
},
"resource": {
"id": "*",
"type": "Index"
},
"condition": {
"kind": "DocumentMetadataFilter",
"body": {
"path": {
"$regex": "MyFolder/SubFolderUserHasAccessTo"
}
}
}
}
]
}
This policy:
- Permits search actions for all users (
"principal": {"id": "*", "type": "User"}) - Applies to all indexes (
"resource": {"id": "*", "type": "Index"}) - Filters results to only include documents whose metadata path matches the regex pattern "MyFolder/SubFolderUserHasAccessTo"
Policy Components Explained
Principal: Specifies who the policy applies to
"id": "*"- Applies to all users"id": "alice"- Applies only to user "alice""type": "User"- Currently supported principal type
Action: Defines what actions are controlled
"type": "Action"- Standard action type"in": ["search"]- Specifies that this policy applies to search actions
Resource: Specifies which resources are affected
"type": "Index"- Applies to vector indexes"id": "*"- Applies to all indexes, or specify a specific index ID
Condition: Defines when the policy applies
"kind": "DocumentMetadataFilter"- Currently supported condition type"body"- Contains the MongoDB like query that filters documents based on their metadata
Metadata Filtering
The condition.body uses MongoDB lke query syntax to filter documents. Common patterns include:
- Path filtering:
{"path": {"$regex": "folder/subfolder"}} - Exact matches:
{"department": "engineering"} - Multiple conditions:
{"path": {"$regex": "public"}, "status": "published"}