Content Access Control via APIs
Many of our customers use complex content access control on their source systems, for example User Criteria on ServiceNow or group-based access control on Confluence content. These access control configurations are very complex and often involve custom scripts that evaluate access. It is not possible to apply such access control outside the context of the source system.
To support such configurations, the Aisera Gen AI platform has support for API-based access control. It is configured on a Data Source.
For ServiceNow, you can use this configuration for applying access control on both Knowledge Articles and Service Catalog Items.
Make sure user ingestion is set up on a schedule. To check whether a user has access to content, the platform uses the user’s ID from the SOR. User ingestion makes sure the platform can access a user’s external ID.
Tenant configuration
In addition to the Data Source level setup, you also need to enable the tenant-level flag Access Management from Settings > Configuration.

Data Source Configuration
After you have checked the Enable Access Management box in the Tenant Configuration, you will see the option External API Access Management, as shown in the following screenshot with a Zendesk data source.

The example below shows the same option with a Confluence data source.

When you choose the Yes option for External API Access Management, you will see two additional fields, API to check access and Attribute based contextual filter. The ServiceNow example below displays this screen with values in these fields.

External API Access Management
Flag to enable access control via an API.
This configuration will be used for all articles ingested via this data source.
API to Check Access
Relative path of the API. The external system endpoint is prepended to this relative path to build the final URL.
ServiceNow: This data source does not have an out-of-the-box API to check User Criteria-based access control. Your Aisera Team can access a scripted API (ServiceNow Update Set) that you can install on your system. After you install the package (Update Set), the API value will be /api/aiser/user_criteria_check/check
THIS IS A FIXED VALUE FOR ALL ServiceNow calls.
Confluence: The API is provided by Confluence/Jira. The API value will be: rest/api/content/{}/permission/check
THIS IS A FIXED VALUE FOR ALL Confluence calls.
Attribute Based Contextual Filter
In addition to checking if the user can view the content or not, you can apply an additional filter to it. The configured filter at the data source level will be applied to KB Articles ingested via this KB only.
You can build the optional filter using the following steps.
The optional filter is applied with Access Attributes that are active and marked not required.
For example, you want to apply a filter based on language. If a user asks a question in German and multiple documents are available on the topic in different languages, then you want the bot to provide an answer from the Knowledge Base Article that is written in German. But what if there is no Knowledge Base Article in German for the topic but there is a Knowledge Base Article in English? In this case, the bot can use the English document as a fallback document to answer the user’s question.
The Aisera Gen AI platform uses JEXL-based expressions to define such filters. You can define access-attribute-based filters at the tenant level under Settings > Configuration > Access Management > Access policy for optional attributes.
Note that you can also set Access Attributes at the application/bot (not Tenant) level.
Single value attribute
The expression for the examples above will be similar to this: (entity.language == null || entity.language == '' || entity.language == 'en' || entity.language == user.language)
With these expressions, you define the following:
If a Knowledge Base Article does not have the attribute language, then the user can view it (entity.language == null).
If a Knowledge Base Article has an empty value for the language attribute, then the user can view it (entity.language == '').
If a Knowledge Base Article has the value en (English) for the language attribute, then the user can view it (entity.language == 'en').
If a Knowledge Base Article has a value other than en, then it must match the user’s language for the user to view the article (entity.language == user.language).
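The following Python mirror of the expression is an added illustration, not Aisera code or part of the original page; it runs the four clauses over constructed articles and users. It assumes that an attribute missing from the entity or the user evaluates to null, and the names `can_view` and `visible_ids` are hypothetical.

```python
# Python mirror of the page's JEXL filter, for reasoning about its outcomes.
# Assumption: a missing attribute evaluates to null (None in Python).

def can_view(entity: dict, user: dict) -> bool:
    """entity.language == null || entity.language == ''
    || entity.language == 'en' || entity.language == user.language"""
    lang = entity.get("language")  # missing attribute -> None
    return (
        lang is None
        or lang == ""
        or lang == "en"
        or lang == user.get("language")
    )

def visible_ids(articles, user):
    """IDs of the articles the optional filter lets this user see."""
    return [a["id"] for a in articles if can_view(a, user)]

# Constructed sample articles, one per branch of the expression.
ARTICLES = [
    {"id": "KB-untagged"},                    # no language attribute
    {"id": "KB-empty", "language": ""},       # empty value
    {"id": "KB-en", "language": "en"},        # English fallback
    {"id": "KB-de", "language": "de"},
    {"id": "KB-fr", "language": "fr"},
    {"id": "KB-EN-upper", "language": "EN"},  # exact match only: not 'en'
]

GERMAN_USER = {"language": "de"}
NO_LANGUAGE_USER = {}  # user profile ingested without a language

if __name__ == "__main__":
    print("de user:", visible_ids(ARTICLES, GERMAN_USER))
    print("no-language user:", visible_ids(ARTICLES, NO_LANGUAGE_USER))
```

The expression only decides visibility: for the German user both KB-de and KB-en pass, so it does not by itself prefer the German article. Untagged and empty-valued articles pass for every user, so an article that must stay language-restricted needs the attribute populated at ingestion.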
ServiceNow Update Set
Ask your Aisera Team to retrieve an Update Set for your specific data source.
Validating ServiceNow API
After the customer has installed this update set, you can validate whether the API is working as expected on ServiceNow.
Navigate to REST API Explorer on ServiceNow.
Select aiser from Namespace.
Select User criteria check from API Name.
Use the following sample payload. Replace userId with the sys_id of some user on their system. Also update the IDs under knowledgeDocuments with some of the Knowledge Base Article numbers from their system. If you want to test the Service Catalog, replace the IDs under catalogItems with the sys_ids of some Service Catalog items. Try the API with a few sample users.
{
  "userId": "a0f7e879db219150996f4a7f0596193f",
  "knowledgeDocuments": [{ "id": "KB1233" }, { "id": "KB4455" }],
  "catalogItems": [{ "id": "9e274809db6ddd10996f4a7f059619fa" }]
}
The output of the API will look something like this. The canView field displays whether the user has access to KBAs/Service Catalog Items.
{
  "userId": "a0f7e879db219150996f4a7f0596193f",
  "knowledgeDocuments": [{ "id": "KB1233", "canView": true }, { "id": "KB4455", "canView": false }],
  "catalogItems": [{ "id": "9e274809db6ddd10996f4a7f059619fa", "canView": true }]
}
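When scripting this validation instead of reading the output by eye, the response should be interpreted fail-closed. The sketch below is an added example, not Aisera's or ServiceNow's code; the field names come from the sample payload above, while `build_payload` and `allowed_ids` are hypothetical names and the responses are constructed.

```python
import json

def build_payload(user_id, kb_numbers, catalog_ids):
    """Request body in the shape of the page's sample payload."""
    return {"userId": user_id,
            "knowledgeDocuments": [{"id": n} for n in kb_numbers],
            "catalogItems": [{"id": c} for c in catalog_ids]}

def allowed_ids(request, response_text):
    """Requested IDs the response explicitly allows (canView is JSON true).

    Fails closed: bad JSON, a userId mismatch, IDs that were not requested,
    non-boolean canView and conflicting duplicates all count as denied."""
    try:
        resp = json.loads(response_text)
    except (ValueError, TypeError):
        return set()
    if not isinstance(resp, dict) or resp.get("userId") != request["userId"]:
        return set()
    allowed, denied = set(), set()
    for section in ("knowledgeDocuments", "catalogItems"):
        requested = {item["id"] for item in request[section]}
        items = resp.get(section)
        for item in (items if isinstance(items, list) else []):
            item_id = item.get("id") if isinstance(item, dict) else None
            if not isinstance(item_id, str) or item_id not in requested:
                continue
            (allowed if item.get("canView") is True else denied).add(item_id)
    return allowed - denied

# Constructed data; the IDs are the sample values shown on this page.
REQUEST = build_payload("a0f7e879db219150996f4a7f0596193f",
                        ["KB1233", "KB4455"],
                        ["9e274809db6ddd10996f4a7f059619fa"])
GOOD = json.dumps({
    "userId": REQUEST["userId"],
    "knowledgeDocuments": [{"id": "KB1233", "canView": True},
                           {"id": "KB4455", "canView": False}],
    "catalogItems": [{"id": "9e274809db6ddd10996f4a7f059619fa", "canView": True}]})
ODD = json.dumps({
    "userId": REQUEST["userId"],
    "knowledgeDocuments": [{"id": "KB1233", "canView": "true"},  # string, not boolean
                           {"id": "KB9999", "canView": True}],   # never requested
    "catalogItems": None})

if __name__ == "__main__":
    print(sorted(allowed_ids(REQUEST, GOOD)))
    print(sorted(allowed_ids(REQUEST, ODD)))
```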
User criteria with script
Many customers include a script in their User Criteria. If the script does not use the appropriate system variable user_id for the user’s ID, the User Criteria will not work properly when checked via an API. Advise the customer to use the pre-defined variable user_id.
Refer to this ServiceNow documentation.
Supported Use Cases for Access Control via API
In the following use cases, note that the applications/bot can recognize regions in user requests, such as APAC, EMEA, or EU.
Category
  Supported Use Cases
ServiceNow - Aisera API
  Limited to Aisera’s UpdateSet (library) in ServiceNow
ServiceNow - Aisera Attributes
  Region-based response (e.g. regional holiday)
  Group-based response (e.g. limit access to HR group), which is a tag-based solution
Confluence Cloud - Aisera API
  Limited to the reference implementation listed in Atlassian API Documentation
  Only supports the “Check content permissions” API
  Only supports users with permission to see “anyone” email.
  Prerequisites:
    Users are ingested with user email.
    Ingested users have Confluence Account ID as external ID.
    Data source with user learning function is defined as SOR.
    The email of the ingested user record should be the same for bots with multiple data sources (Knowledge Learning function, e.g. SharePoint and Confluence)
Confluence Cloud - Aisera Attributes
  Region-based response (e.g. regional holiday)
  Prerequisites:
    Region or language attribute should be a custom field in the ingested article
    Region or language should be ingested in the user profile
Confluence On-Premise - Aisera API (Not Supported)
  Not supported: On-Premise Confluence does not have a permission check API
Confluence On-Premise - Aisera Attributes
  Region-based response (e.g. regional holiday)
  Prerequisites:
    Region or language attribute should be a custom field in the ingested article
    Region or language should be ingested in the user profile