Skip to main content

Restricting Access to Resources Based on the User

Default Behavior in Nuclia

By default, Nuclia grants access to all resources within a given Knowledge Box to any user who has access to that Knowledge Box. This means that any user with access can view any resource contained within it.

Nuclia allows you to define users with different roles for managing the Knowledge Box, typically via the Nuclia dashboard. However, if you're developing an application where access to resources needs to be restricted for different users, you must take additional steps to ensure security. Users of your application may not necessarily be the same as those who manage the Knowledge Box in Nuclia.

To restrict access to resources, it is recommended to position Nuclia behind your application. This way, users do not have direct access to Nuclia, and your application can act as a proxy to filter requests based on user permissions.

Implementing a Proxy Layer

Adding Security Metadata to Resources

To restrict access to specific resources based on user groups, you can add security metadata when creating each resource.

For example, if you want to limit access to a resource based on user groups, you can include the authorized groups in the security field of the resource creation payload:

{
  "title": "Meeting minutes",
  "texts": { "text": { "format": "PLAIN", "body": "some random text" } },
  "security": {
    "access_groups": ["group1", "group2"]
  }
}

In this example, group1 and group2 represent the groups that are allowed to access the resource. These can be any identifiers you use for access control, such as usernames. The security settings apply to all fields of the resource.

Adding a Security Filter to Requests

Whenever your application queries Nuclia to run a search, it must include the security_groups parameter to ensure only authorized resources are retrieved for the current user.

For example, if the current user belongs to group2, a search query would look like this:

Original query:

GET /search?query=secret+information

Modified query with security filter:

GET /search?query=secret+information&security_groups=group2

If you're using the POST method, include the security groups in the request payload:

POST /search
{
  "query": "secret information",
  "security": {
    "groups": ["group2"]
  }
}

By following these steps, you can ensure that access to resources within your application is properly restricted based on user roles and permissions.