Access Control
Access control is a fundamental security feature of AI Controller that governs who can access what resources within the system, providing comprehensive security for your organization's AI operations.
Access Control Overview
AI Controller implements a multi-layered access control system that provides fine-grained control over:
- Administrative functions: Who can manage providers, users, rules, and system settings
- LLM access: Which users and applications can access which models and providers
- Feature access: What features and endpoints each user or application can use
- Data access: What logs, metrics, and system information each user can view
This comprehensive approach forms a critical part of AI Controller's security model.
Core Access Control Components
AI Controller's access control system consists of several integrated components:
1. User Authentication
Before access control decisions are made, users must be authenticated:
- Local authentication: Username/password credentials stored securely in AI Controller's database
- API key authentication: For application access to the AI Controller API
Security is paramount - neither passwords nor API Keys are stored directly in the database. They are stored as a SHA512 hash; the actual values are not known to AI Controller and cannot be obtained.
2. Role-Based Access Control (RBAC)
AI Controller implements a robust RBAC system that assigns permissions based on roles. This role-based approach is an important element of AI Controller's governance framework.
| Role | Description | Default Permissions |
|---|---|---|
| Administrator | Full system administration | All permissions |
| User | Basic access to use LLMs | Use assigned LLM models via web interface & API |
3. Groups
Users can be organized into groups for easier access management:
- Department-based groups: Marketing, Engineering, Customer Support
- Role-based groups: Administrators, Developers, Analysts
- Project-based groups: Project X Team, Temporary Consultants
4. Rules Engine
The Rules Engine extends access control with dynamic, contextual rules that govern model access based on sophisticated criteria. For a deeper understanding of how rules fit into the overall system architecture, see Architecture Overview.
Security Considerations
Sensitive Data Protection
Access control helps protect sensitive information:
- Provider API keys are encrypted in the database and not displayed to anyone, not even administrators
- User profile information is visible only to certain roles
- User activity data is accessible based on permissions
- System logs are handled with appropriate security measures
- Models with potential for abuse can be limited to specific users
Regulatory Compliance
AI Controller's access controls support compliance requirements:
- GDPR: Control who can access personal data
- SOC 2: Implement and audit access controls
- Internal policies: Enforce organizational governance
Audit and Compliance
AI Controller maintains comprehensive audit trails:
- User activity is recorded
- Permission changes are timestamped and attributed
- Regular reports can be generated for compliance reviews
Related Documentation
- Rules Engine
- API Key Management
- Security Model - Learn about AI Controller's comprehensive security architecture
- Governance - Understand how access control fits into AI Controller's governance framework
Updated: 2025-05-15