A secure internal AI assistant built using Retrieval Augmented Generation (RAG) that allows employees to query company documents while enforcing strict role-based access control (RBAC).
This system is designed to simulate a real enterprise internal knowledge assistant, ensuring:
- Users only access documents permitted by their role
- AI responses are grounded strictly in authorized company data
- Unauthorized data is never retrieved or generated
- Every response is traceable to its source
- JWT-based authentication
- Strict role-based access control
- Semantic search over company documents
- RAG pipeline with source attribution
- Pluggable LLM architecture (OpenAI / Groq / Stub)
- Vector database with metadata filtering
- RBAC validation and misuse testing
- Streamlit-based user interface for interaction
```
User (Streamlit / Swagger)
        ↓
Authentication (JWT)
        ↓
Role Extraction
        ↓
RBAC Enforcement
        ↓
Semantic Retrieval (Vector DB)
        ↓
Context Assembly
        ↓
LLM Generation (Optional)
        ↓
Answer + Sources
```

Security and authorization are enforced before retrieval and generation.
| Layer | Technology |
|---|---|
| Backend API | FastAPI |
| Frontend | Streamlit |
| Vector Database | Chroma |
| Embeddings | Sentence Transformers |
| LLM | OpenAI / Groq (optional) |
| Authentication | OAuth2 + JWT |
| Database | SQLite |
| Language | Python 3.9+ |
```
company-chatbot/
│
├── app/                      # Backend application
│   ├── main.py               # FastAPI entry point
│   ├── auth.py               # Authentication & JWT logic
│   ├── rbac.py               # Role hierarchy & permissions
│   ├── search.py             # Semantic search with RBAC filtering
│   ├── rag.py                # RAG pipeline
│   ├── llm_client.py         # LLM abstraction layer
│   └── vectorstore.py        # Vector DB operations
│
├── frontend/
│   └── app.py                # Streamlit frontend (main UI entry)
│
├── scripts/
│   ├── explore_data.py       # Dataset inspection
│   ├── preprocess_docs.py    # Chunking & metadata tagging
│   ├── build_vector_db.py    # Embedding generation & indexing
│   └── test_search.py        # RBAC & retrieval validation
│
├── data/
│   ├── raw/                  # Original documents (MD, CSV)
│   └── processed/            # Chunked & enriched documents
│
├── requirements.txt
├── README.md
└── .env.example
```
| Role | Accessible Data |
|---|---|
| Employee | General company handbook |
| Finance | Finance + General |
| HR | HR + General |
| Marketing | Marketing + General |
| Engineering | Engineering + General |
| C-Level | Full access (all departments) |
RBAC rules are enforced at retrieval time, not post-generation.
```
git clone https://github.com/sai-kumar-dev/company-chatbot.git
cd company-chatbot
python -m venv venv
```

Activate it:

Windows

```
venv\Scripts\activate
```

Mac / Linux

```
source venv/bin/activate
```

```
pip install -r requirements.txt
```

Ensure Python version is 3.9 or above.
This phase prepares company documents for semantic search.
```
python -m scripts.explore_data
```

This script:
- Lists all departments
- Shows document types (Markdown, CSV)
- Previews content
- Confirms data structure
Purpose: understand document scope and role mapping.

```
python -m scripts.preprocess_docs
```

This performs:
- Text cleaning
- Section extraction
- Chunking into ~300-token segments
- Metadata enrichment:
  - department
  - source file
  - allowed roles

Output: `data/processed/document_chunks.jsonl`

Each chunk is RBAC-aware.
```
python -m scripts.build_vector_db
```

This step:
- Generates embeddings using Sentence Transformers
- Indexes chunks into Chroma
- Stores metadata for secure filtering
This step is required only once, unless documents change.
```
python -m scripts.test_search
```

This script verifies:
- Same query returns different results for different roles
- Unauthorized documents are never retrieved
- Role hierarchy behaves correctly
This is critical validation evidence.
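
The role table and the three checks above, as an added example (not the repository's code): it filters on a `department` metadata field before ranking, and contrasts that with ranking first and leaving access control to a later step. The role-to-department map follows the table on this page; the chunk data, the function names and the choice of a Chroma-style `$in` filter are assumptions.

```python
# Added example. Roles and departments follow the role table on this page;
# chunk ids, scores and all function names are constructed for illustration.
ALL = {"finance", "hr", "marketing", "engineering", "general"}
ROLE_DEPARTMENTS = {
    "employee": {"general"},
    "finance": {"finance", "general"},
    "hr": {"hr", "general"},
    "marketing": {"marketing", "general"},
    "engineering": {"engineering", "general"},
    "c-level": set(ALL),
}
# "score" stands in for embedding similarity of each chunk to one fixed query.
CHUNKS = [
    {"id": "fin-1", "department": "finance", "score": 0.91},
    {"id": "hr-1", "department": "hr", "score": 0.88},
    {"id": "eng-1", "department": "engineering", "score": 0.60},
    {"id": "gen-1", "department": "general", "score": 0.55},
    {"id": "mkt-1", "department": "marketing", "score": 0.40},
]

def allowed_departments(role):
    """Fail closed: an unknown or missing role maps to no departments."""
    return ROLE_DEPARTMENTS.get((role or "").strip().lower(), set())

def build_where(role):
    """Metadata filter in {"field": {"$in": [...]}} form; None means deny all."""
    depts = sorted(allowed_departments(role))
    return {"department": {"$in": depts}} if depts else None

def top_k(chunks, k):
    return sorted(chunks, key=lambda c: c["score"], reverse=True)[:k]

def retrieve(role, k=3):
    """Filter on metadata first, rank second: the design this page describes."""
    where = build_where(role)
    if where is None:
        return []
    permitted = [c for c in CHUNKS if c["department"] in where["department"]["$in"]]
    return [c["id"] for c in top_k(permitted, k)]

def retrieve_unfiltered(k=3):
    """Counter-example: rank everything and leave RBAC to a post-generation step."""
    return [c["id"] for c in top_k(CHUNKS, k)]

def exposed(role, chunk_ids):
    """Ids in a context window that the role is not entitled to see."""
    dept = {c["id"]: c["department"] for c in CHUNKS}
    return [i for i in chunk_ids if dept[i] not in allowed_departments(role)]
```

Running `exposed(role, retrieve(role))` for every role is the "unauthorized documents are never retrieved" check; `exposed("employee", retrieve_unfiltered())` shows what the model's context would contain if the filter ran only after generation.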
```
uvicorn app.main:app --reload
```

Server URL:
http://127.0.0.1:8000
Open:
http://127.0.0.1:8000/docs
Swagger UI provides:
- OAuth2 password-based login
- Automatic Bearer token handling
- Interactive testing of secured endpoints
By default, the system runs in stub mode (no external LLM calls).
Create a `.env` file with the settings for one provider:

```
LLM_PROVIDER=groq
GROQ_API_KEY=your_api_key_here
GROQ_MODEL=llama3-8b-8192
```

```
LLM_PROVIDER=openai
OPENAI_API_KEY=your_key_here
OPENAI_MODEL=gpt-4o-mini
```

Restart the backend after changing environment variables.
```
streamlit run frontend/app.py
```

Application runs at:
http://localhost:8501
This is the main user-facing application.
- RBAC enforced before retrieval
- JWT required for all protected endpoints
- Prompt injection cannot bypass permissions
- LLM never receives unauthorized context
- Source attribution ensures auditability
| Milestone | Description |
|---|---|
| Milestone 1 | Data preparation & metadata tagging |
| Milestone 2 | Vector DB & RBAC search |
| Milestone 3 | Authentication & RAG pipeline |
| Milestone 4 | Frontend, testing & documentation |
- Security-first architecture
- Authorization before generation
- Explicit access control
- Provider-agnostic LLM integration
- Enterprise-readiness over demos
To understand the system quickly:
- Start with `scripts/test_search.py`
- Then review `app/search.py`
- Then `app/rag.py`
These files represent the core logic.
- Conversation memory
- Usage analytics & audit logs
- Admin dashboard
- Fine-grained permissions
- Multi-tenant support
This project demonstrates:
- Secure AI system design
- Production-style RBAC enforcement
- Reliable RAG implementation
- Clear separation of concerns
- Strong emphasis on correctness and safety