ABAC for Blobs with OpenAI

Question

ABAC for Blobs with OpenAI

Anonymous

Has anyone tried ABAC to enforce access control to blobs from OpenAI chat?

I assigned blob index tags based on department for each blob. Then I created role assignments with conditions that map the user role to their respective department that are in the index blob key values. However, all users can still access all blobs through the chat.

I tried to index the blob 'index tag' in cognitive search, still no luck. I am wondering if using ABAC actually works with OpenAI chat and is not just theory.

1 answer

Your answer

Answer 1

ajkuma 28,036 Microsoft Employee Moderator

@Anonymous ,

Based on the issue description, I understand you're referring to the RBAC roles for Azure resources:
Cognitive Services OpenAI Contributor
Search Index Data Contributor
Storage Blob Data Contributor

As AshokPeddakotla-MSFT mentioned on your other discussion thread:

Yes. RBAC on the blob container will still apply when someone is using the chat, even if you are using Cognitive Search to index the blobs and attach them to the chat.

Kindly let us know if you still have more questions on this, we will be more than happy to assist you further.

Anonymous

2023-08-24T06:12:46.7133333+00:00

I followed this doc to create attribute-based access control for blob access:

https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-overview

I assigned 'blob reader' to the users and added the condition for each user based on the blob index value.

Then I indexed the files using cognitive search and used that as the data source for OpenAI then I deployed a web app from the playground.

When I tested the chat with all the users, all of them can access all the documents regardless of the blob index tag.

I did try to assign roles for OpenAI, such as the Cognitive Services OpenAI User and cognitive search Search Index Data Reader

Are there any additional steps required for the web app, for example?
Anonymous

2023-08-25T10:20:19.89+00:00

.....
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-08-25T20:01:43.59+00:00

Thanks for the follow-up and additional info. Based on your description of the scenario.

It seems like you have followed the instructions in What is Azure attribute-based access control (Azure ABAC)? to create attribute-based access control for blob access. However, you mentioned that all users can access all the docs regardless of the blob index tag. It's possible that there might be an issue with the role assignments or the conditions you have set up.

Regarding the roles for OpenAI, the Cognitive Services OpenAI User and cognitive search Search Index Data Reader roles are not related to the attribute-based access control for blob access.

As for additional steps required for the web app, it depends on how you have integrated the web app with the attribute-based access control. You might need to ensure that the web app is using the correct credentials and permissions to access the blob storage.

I would suggest reviewing the steps you have taken to set up the attribute-based access control and verifying that the role assignments and conditions are correctly configured.

Ref: Tutorial: Add a role assignment condition to restrict access to blobs using the Azure portal

Share via

ABAC for Blobs with OpenAI

1 answer

Your answer