"Secure RAG Authorization: Row-Level Security, ACLs, and Per-User Retrieval"
Modern RAG systems don't fail because models are "unsafe"—they fail because retrieval quietly breaks authorization. This book is for experienced engineers, security architects, and platform teams building multi-tenant, tool-using AI systems where every retrieved chunk must be correct for the requesting principal. It treats "secure per-user retrieval" as an end-to-end invariant across ingestion, indexing, search, tool calls, and prompt construction—where a single bypass path can become a data leak.
You'll learn to model principals and session context, design tokens and on-behalf-of flows, and translate business sharing rules into enforceable semantics using RBAC, ABAC, ReBAC, and real-world ACL evaluation. The book dives into PDP/PEP architecture choices, fail-closed behavior, and bypass elimination; implements database-native controls with row-level security and planner-resistant SQL patterns; and builds auth-aware vector indexes with revocation, tombstones, strict pre-filters, and safe post-filtering backstops. Threat modeling, audit logging, detection engineering, and rigorous authorization test strategies show how to prove correctness at scale.
The book assumes comfort with distributed systems, identity/IAM, and production databases/vector stores. The differentiator is pragmatic, production-focused guidance: reference architectures, anti-patterns, and decision criteria that connect policy design to operational reality.