Managing Access Rules
This guide explains how to configure and manage access rules in the AI Controller administration interface. Rules determine which users can access specific models and providers. For comprehensive information about the Rules Engine concept, see the Rules Engine Feature documentation.
Rules Overview
The Rules administration page provides control over access permissions throughout the AI Controller system. Rules define what models users can access, through which providers, and under what conditions. The interface allows administrators to create, modify, and organize rules that control AI service access across the organization.
Accessing Rules Management
Navigate to Admin -> Rules in the AI Controller web interface to access the rules configuration. This area is restricted to administrators with appropriate permissions.
Screenshot: Shows the Rules administration interface with a list of configured rules and their properties
Understanding the Rules Interface
The Rules Management page includes several key components:
Filter Controls
At the top of the page, you'll find a set of filters to help you find specific rules:
- Name filter: Search for rules by name
- Group filter: Filter rules by user group
- Provider filter: Filter rules by provider
- Show Filters button: Expands additional filtering options
Rule Creation
Click the "CREATE" button in the upper right corner to add new access rules.
Rules Table
The main table displays comprehensive information about each rule:
- Name: The unique identifier for the rule
- Description: The purpose or function of the rule
- Enabled: Whether the rule is currently active (toggle switch)
- Regex: The regular expression pattern used to match model names
- Who: The user or group the rule applies to
- Provider: The provider the rule applies to
- Actions: Controls for editing or deleting the rule (pencil and trash icons)
Pagination Controls
At the bottom of the page, you can adjust the number of rules displayed per page and navigate between pages of results.
How Rules Work
For detailed information about how the Rules Engine evaluates requests, please refer to the Rules Engine section in the Data Flow documentation.
While the system follows a "deny by default" architecture, AI Controller includes a default "AllowEveryone" rule that grants broad access to ensure the system works immediately after installation. Administrators should customize this configuration based on organizational requirements.
Important: Rule evaluation order matters. Rules are processed in the sequence they appear in the table, with earlier rules taking precedence. Once a rule matches, subsequent rules are not evaluated.
Creating and Managing Rules
To add a new access rule:
- Navigate to Admin -> Rules
- Click the CREATE button in the upper right corner
- Complete the configuration form with required information
- Click CREATE to save the rule
Screenshot: Shows the rule creation form with all fields for configuring a rule
Modifying Existing Rules
To edit a rule:
- Locate the rule in the table
- Click the "Edit" button in the Actions column
- Update any properties as needed
- Click "Submit" to apply changes
Changes take effect immediately. Active sessions will use the updated rule permissions on their next request.
Managing Regular Expression Patterns
Regular expressions provide precise control over model access. The pattern is applied to the model field in incoming requests.
Common Pattern Examples
Pattern | Description | Matches | Doesn't Match |
---|---|---|---|
.* | Match any model name | gpt-4, claude-3, etc. | None |
^gpt-4.* | Any model starting with "gpt-4" | gpt-4, gpt-4-turbo | gpt-3.5-turbo |
^gpt-3.5-turbo$ | Exact match for gpt-3.5-turbo | gpt-3.5-turbo | gpt-3.5-turbo-16k |
^(gpt-4\|claude-3-opus\|llama-3-70b).* | Multiple model prefixes | gpt-4, claude-3-opus, llama-3-70b-instruct | gpt-3.5-turbo, claude-3-sonnet |
.*-16k$ | Any model ending with "-16k" | gpt-3.5-turbo-16k, gpt-4-16k | gpt-4, claude-3-opus |
^(?!gpt-4).* | Any model NOT starting with "gpt-4" | gpt-3.5-turbo, claude-3 | gpt-4, gpt-4-turbo |
Testing Patterns
Before implementing complex patterns, test them thoroughly using tools like regex101.com.
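The first-match ordering described under How Rules Work and the patterns in the table above can also be checked offline. The following is an added example, not AI Controller code: it models the documented behaviour (top-to-bottom evaluation, first match wins, no match means deny) and reports model names a pattern matches beyond the intended set. It assumes search-style matching as in Python's `re.search`; the `Rule` fields, the `"*"` wildcard for everyone, the provider names, the `Eng_GPT4_Access` rule and the near-miss model names are all constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    regex: str
    who: str            # group name; "*" means everyone (convention assumed here)
    provider: str       # hypothetical provider label
    enabled: bool = True

def first_match(rules, group, model):
    """Walk rules top to bottom; return the first enabled match, else None (deny)."""
    for rule in rules:
        if rule.enabled and rule.who in ("*", group) and re.search(rule.regex, model):
            return rule
    return None

def over_matches(pattern, intended, candidates):
    """Return candidates the pattern matches although they are not in `intended`."""
    return [m for m in candidates if m not in intended and re.search(pattern, m)]

# Constructed rule table: the default broad rule sits above a narrower one.
RULES = [
    Rule("AllowEveryone", r".*", "*", "provider-a"),
    Rule("Eng_GPT4_Access", r"^gpt-4.*", "engineering", "provider-b"),
]

# Constructed model names, including near misses for the table's patterns.
MODELS = ["gpt-4", "gpt-4-turbo", "gpt-40-preview", "gpt-3.5-turbo",
          "gpt-3x5-turbo", "gpt-3.5-turbo-16k"]

if __name__ == "__main__":
    # The broad rule is listed first, so the narrower rule is never evaluated.
    print(first_match(RULES, "engineering", "gpt-4").name)
    # With the narrow rule listed first, it is the one that matches.
    print(first_match(RULES[::-1], "engineering", "gpt-4").name)
    # Without the default rule, a group with no matching rule is denied.
    print(first_match(RULES[1:], "finance", "gpt-4"))
    # An unescaped "." matches any character; escaping it removes the extra match.
    print(over_matches(r"^gpt-3.5-turbo$", {"gpt-3.5-turbo"}, MODELS))
    print(over_matches(r"^gpt-3\.5-turbo$", {"gpt-3.5-turbo"}, MODELS))
    # A bare prefix also matches names that merely begin with the same characters.
    print(over_matches(r"^gpt-4.*", {"gpt-4", "gpt-4-turbo"}, MODELS))
```

Running the same checks against the exact model names your providers expose shows which rules are shadowed and which patterns match more than intended before the rule is saved.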
API-Based Rule Management
Rules can be managed programmatically through the AI Controller API for automated deployments or system integration. For endpoints, request formats, and authentication requirements, please refer to the Rules section in the REST API documentation.
The API supports creating, reading, updating, and deleting rules with the same properties available in the web interface.
Enabling and Disabling Rules
Toggle rule activation without deletion using the "Enabled" control:
- Find the rule in the table
- Click the toggle in the "Enabled" column
- The status updates immediately
Disabled rules remain in the system for future reactivation but don't affect access decisions.
Deleting Rules
To permanently remove a rule:
- Find the rule in the table
- Click the "Delete" button in the Actions column
- Confirm deletion in the dialog
Warning: Deleting the last rule that grants access to a resource will prevent all users from accessing that resource.
Testing Rules
Validate rule behavior before production deployment:
Screenshot: Log entries showing provider selection and rule match allowing a request
Verification Steps
- Create temporary test rules with clear naming (e.g., "TEST_GPT4_Access")
- Use the prompt testing interface with test users
- Check logs to confirm expected rule matches
- Rename test rules after validation
Common Implementation Scenarios
Restricting Advanced Models
Limit access to high-cost models:
Assign this rule to specific groups that require advanced capabilities.
Department-Specific Access
Create rules for different departments:
- Marketing: Access to creative writing models
- Engineering: Access to code generation models
- Finance: Access to analytical models
Provider-Based Restrictions
Route specific teams through preferred providers based on:
- Cost considerations
- Performance requirements
- Compliance needs
Suggested Rule Management
Organization
- Use consistent naming conventions (e.g., "Dept_Model_Access")
- Group related rules together
- Document rule purposes clearly in descriptions
- Review rules quarterly for relevance
Security
- Start with restrictive defaults
- Grant minimum necessary permissions
- Regularly audit rule usage
- Monitor unusual access patterns
Maintenance
- Remove obsolete rules promptly
- Consolidate similar rules when possible
- Test changes in non-production environments
- Maintain change documentation
Troubleshooting Common Issues
Issue | Possible Causes | Solution |
---|---|---|
Request unexpectedly denied | No matching rule exists | Check patterns and assignments |
Rule not working | Incorrect regular expression pattern | Test pattern with sample model names |
User can't access models | Missing group membership | Verify user group assignments |
Too many rules | Lack of consolidation | Combine similar patterns |
For additional troubleshooting guidance, see Rules Engine Troubleshooting.
Compliance and Auditing
Maintain proper governance over access rules:
- Regular Audits: Review rules quarterly or as policies change
- Change Documentation: Log all rule modifications with reasons
- Approval Workflows: Implement review processes for rule changes
- Access Reports: Generate periodic reports showing rule usage
- Compliance Verification: Ensure rules align with organizational policies
Related Documentation
- Rules Engine Feature - Comprehensive rules engine documentation
- Provider Configuration - Managing AI service providers
- User Management - User and group administration
- API Key Management - Related authentication controls
Updated: 2025-05-27