GenAI Chatbot on AWS

Appearance

Access Control

NOTE

You need to assign the admin role to a user to be able to use the project after the first deployment revision with this feature. Users without a role will not be able to use the Chatbot.

Users can have one or more roles defining their permissions. It can be used to restrict access to the functionalities as defined below.

Rubicon has 3 pre-defined roles. They are created during deployment by CDK code.

  1. admin - full access
  2. workspace_manager - full access except the admin pages such as managing applications
  3. user - access to assigned applications

Instead of using pre-defined user role you can create new roles in Cognito and assign them to applications.

Create users and Roles

Users are created in Cognito user pool - Create new users. If Cognito federation is used then users should be created in third-party identity provider. See Cognito Federation configuration examples.

User roles are defined using Cognito user group. When using federation with Cognito, the user's role is assigned on user log in reading the "custom:chatbot_role" user attribute.

Page Access by Role

  • admin

    • ✅ Home (documentation)
    • ✅ Chatbot - Playground
    • ✅ Chatbot - Multi-chat playground
    • ✅ Chatbot - Sessions
    • ✅ Chatbot - Models
    • ✅ RAG - Dashboard
    • ✅ RAG - Semantic search
    • ✅ RAG - Workspaces
    • ✅ RAG - Embeddings
    • ✅ RAG - Engines
    • ✅ Admin - Applications
    • ✅ Applications - End user view

  • workspaces_manager

    • ✅ Home (documentation)
    • ✅ Chatbot - Playground
    • ✅ Chatbot - Multi-chat playground
    • ✅ Chatbot - Sessions
    • ✅ Chatbot - Models
    • ✅ RAG - Dashboard
    • ✅ RAG - Semantic search
    • ✅ RAG - Workspaces
    • ✅ RAG - Embeddings
    • ✅ RAG - Engines
    • ⛔️ Admin - Applications
    • ✅ Applications - End user view

  • user: It could be a role with any name which is associated with an application.

    • ⛔️ Home (documentation)
    • ⛔️ Chatbot - Playground
    • ⛔️ Chatbot - Multi-chat playground
    • ⛔️ Chatbot - Sessions
    • ⛔️ Chatbot - Models
    • ⛔️ RAG - Dashboard
    • ⛔️ RAG - Semantic search
    • ⛔️ RAG - Workspaces
    • ⛔️ RAG - Embeddings
    • ⛔️ RAG - Engines
    • ⛔️ Admin - Applications
    • ✅ Applications - End user view

GraphQL operations access by Role

  • Workspace

    • createKendraWorkspace - admin, workspace_manager
    • startKendraDataSync - admin, workspace_manager
    • isKendraDataSynching - admin, workspace_manager
    • createBedrockKBWorkspace - admin, workspace_manager
    • createOpenSearchWorkspace - admin, workspace_manager
    • createAuroraWorkspace - admin, workspace_manager
    • performSemanticSearch - admin, workspace_manager
    • listWorkspaces - admin, workspace_manager
    • listKendraIndexes - admin, workspace_manager
    • listBedrockKnowledgeBases - admin, workspace_manager
    • listRagEngines - admin, workspace_manager
    • getWorkspace - admin, workspace_manager
    • deleteWorkspace - admin, workspace_manager

  • Document

    • addWebsite - admin, workspace_manager
    • addRssFeed - admin, workspace_manager
    • updateRssFeed - admin, workspace_manager
    • setDocumentSubscriptionStatus - admin, workspace_manager
    • addQnADocument - admin, workspace_manager
    • addTextDocument - admin, workspace_manager
    • getUploadFileURL - any authenticated user
    • getDocument - admin, workspace_manager
    • getRSSPosts - admin, workspace_manager
    • listDocuments - admin, workspace_manager
    • deleteDocument - admin, workspace_manager

  • Session

    • addUserFeedback - any authenticated user
    • deleteSession - any authenticated user
    • deleteUserSessions - any authenticated user
    • listSessions - any authenticated user
    • getSession - any authenticated user

  • Model

    • listModels - admin, workspace_manager
    • listEmbeddingModels - admin, workspace_manager
    • listCrossEncoders - admin, workspace_manager
    • rankPassages - admin, workspace_manager
    • calculateEmbeddings - admin, workspace_manager
    • sendQuery - any authenticated user
    • receiveMessages - any authenticated user

  • Application

    • createApplication - admin
    • updateApplication - admin
    • deleteApplication - admin
    • getApplication - admin, workspace_manager, any other role that is assigned to the application
    • listApplications - admin, workspace_manager, any other role that is assigned to the application

  • Role

    • listRoles - admin

  • Internal

    • publishResponse - IAM Can only be called by the Lambda forwarding the chatbot responses

  • Other

    • checkHealth - any authenticated user

This library is licensed under the MIT-0 License.