# Access Management

The **Settings > Configuration > Access Management** page contains tenant-level settings that apply to all bots in your Aisera tenant.

### Enable Access Management

| **Type**    | Checkbox |
| ----------- | -------- |
| **Default** | Disabled |

Enables the Access Management configuration group. When disabled, the companion settings, [User should match all attributes](#user-should-match-all-attributes) and [Access policy for optional attributes](#access-policy-for-optional-attributes), are not evaluated.

Aisera applies a filtering step during content retrieval that checks whether each knowledge article meets the access control criteria before serving it to the user. Articles that do not meet the criteria are excluded from search and recommendation results. All articles remain indexed regardless of this setting; access decisions are made per request based on the requesting user's profile.

The system supports three filtering methods, which can be configured per data source: attribute-based filtering, workflow-based filtering, and API-based filtering. Attribute-based filtering compares user profile attributes against article attributes such as country, language, or role. Workflow-based and API-based filtering delegate the access decision to an external system.

{% hint style="info" %}
If important knowledge articles are missing from your RAG results, there may be a configuration error or missing attributes in your source data. To troubleshoot, disable **Enable Access Management** and test the query again to determine if the articles are being filtered out by the access control specification.
{% endhint %}

### User should match all attributes

| **Type**     | Checkbox                 |
| ------------ | ------------------------ |
| **Default**  | Enabled                  |
| **Requires** | Enable Access Management |

Controls how multiple required access attributes are combined when determining whether a user can access an article.

When enabled, a user must satisfy all required attributes on an article to access it. For example, if an article requires both a specific country and a specific department, the user must match both.

When disabled, a user can access an article by matching any one of its required attributes. Using the same example, a user who matches the country but not the department will still be granted access.

When a single attribute has multiple accepted values, matching any value will fulfill the requirement of the filter. For example, if an article accepts the roles "Admin" or "Editor," a user with either role will satisfy the roles attribute.

### Access policy for optional attributes

| **Type**     | JEXL expression          |
| ------------ | ------------------------ |
| **Default**  | Empty                    |
| **Requires** | Enable Access Management |

Only evaluated when **Enable Access Management** is enabled.

Optional attributes are those marked as **Not Required** in the access attribute definitions. When this field is empty, optional attributes are not used during access filtering. Defining a policy in this field activates filtering based on optional attributes.

This field accepts a JEXL expression that defines how the system evaluates optional attributes. The expression must return a Boolean value. If the result is true, the knowledge article is displayed. If the result is false, the article is filtered from the results.

This policy is only evaluated after an article has passed the required attributes check. If an article fails the required attributes check, this policy is not applied.

**Evaluation syntax**

The expression evaluates two objects:

* `user`: Represents the user's access attributes
* `entity`: Represents the knowledge article's access attributes

You access specific attributes on these objects using dot notation, for example `user.language` or `entity.country`.

All attribute values are compared in lowercase. Expressions should use lowercase values for string comparisons to ensure correct matching.

**Multi-value attributes**

A built-in `compareList()` function is available for evaluating multi-value access attributes. This function compares two lists and returns true if there is any overlap between them. If the entity's list is empty or `null`, the function returns `true`. If the entity's list has values but the user's list is empty, the function returns `false`.

**Example expression**

The following is an example of a policy applied to this field:

```java
(entity.language == null || entity.language == '' || entity.language == 'en' || entity.language == user.language) && compareList(entity.country, user.country)
```

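This expression grants access when both conditions hold: the article's language is unset, empty, English, or matches the user's language; and `compareList()` returns `true` for the country attribute, meaning the article's country list is empty or `null`, or it overlaps with the user's country list.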

{% hint style="info" %}
If the expression contains a syntax error, articles that reach this stage of evaluation will be filtered out. Verify that the expression is valid before saving.
{% endhint %}
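The following added example is a Python model of the evaluation order described on this page; it is not Aisera code. It covers the required-attribute check in match-all and match-any mode, then the optional policy with the documented `compareList()` semantics. The function names, the callable standing in for the JEXL expression, the treatment of an article with no required attributes, and the use of an exception to represent an expression that cannot be evaluated are all assumptions of the example.

```python
def _norm(values):
    """Lowercase a scalar or list into a set; None and '' become the empty set."""
    if values is None or values == "":
        return set()
    if isinstance(values, str):
        values = [values]
    return {str(v).lower() for v in values}

def compare_list(entity_values, user_values):
    """Model of compareList(): an empty or null entity list means no
    restriction; otherwise at least one value must overlap."""
    entity_set = _norm(entity_values)
    return True if not entity_set else bool(entity_set & _norm(user_values))

def required_check(user, required, match_all=True):
    """required maps attribute name -> accepted values on the article. Any
    accepted value satisfies an attribute; match_all selects AND versus OR."""
    if not required:
        return True  # assumption: no required attributes, nothing to fail
    hits = [bool(_norm(vals) & _norm(user.get(name)))
            for name, vals in required.items()]
    return all(hits) if match_all else any(hits)

def can_access(user, required, optional, match_all=True, policy=None):
    if not required_check(user, required, match_all):
        return False  # the optional policy is never consulted
    if policy is None:
        return True   # empty policy field: optional attributes are ignored
    try:
        return policy(user, optional) is True
    except Exception:
        return False  # a policy that cannot be evaluated filters the article

def example_policy(user, entity):
    """Python rendering of the example JEXL expression on this page."""
    lang = entity.get("language")
    return ((lang in (None, "", "en") or lang == user.get("language"))
            and compare_list(entity.get("country"), user.get("country")))

# Constructed sample data (not from a real tenant).
USER = {"role": ["Editor"], "department": "finance",
        "language": "de", "country": ["de"]}
REQUIRED = {"role": ["admin", "editor"], "department": ["hr"]}

if __name__ == "__main__":
    for match_all in (True, False):
        print(match_all, can_access(USER, REQUIRED, {"language": "en"},
                                    match_all, example_policy))
```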
