AI-Powered Internal
Knowledge Assistant

Secure RAG Chatbot with Role-Based Access Control


Designed to make enterprise conversations smart, helpful, and above all, secure. We eliminate information silos while strictly enforcing data privacy.

The RBAC Group 3 Team

Led by Arshad Pasha

Mentor: Mr. Narendra Kumar

Team Workflow

Division of labor across 3 distinct groups to build the RBAC-secured architecture.

Group 1

1 & 2. Intro & Chatbot Overview: Pakalapati Akshaya

3. Technical Architecture: Priyanshu Kumar

Group 2

4. Features & Functionality: Keerthi

5. Evaluation Reports: Kanak

Group 3

6. Development & Deployment: Arshad Pasha

- Backup / Support: Karthik

- Challenges & Limitations: Shirisha

7. Conclusion: Vinuthna

- Vote of Thanks: Kavya

Team Workflow Visual

Key Problems in Enterprises Solved

Why standard LLMs and search bars fail inside a company.

Information Silos

Critical data is scattered across Finance, HR, Engineering, and Marketing, making it hard to find answers quickly.

Security Risks

Standard LLMs like ChatGPT cannot be used with sensitive internal company data due to external exposure risks.

No Access Control

Traditional search tools don't respect user roles. An intern could potentially access payroll or C-level documents.

Lack of Context

Keyword search fails to understand complex business queries or the underlying intent behind employee questions.

Technical Architecture

How a query travels from the user to a secure, accurate response.

1. Input

User query is sanitized & intent detected.

2. Security Check

RBAC Middleware validates JWT & permissions.

3. Retrieval

ChromaDB semantic search with Role Metadata filters.

4. Generation

LLM synthesizes answer using ONLY retrieved context.

Role-Based Access Control Concept

Every document chunk in our Vector Database contains metadata tags (e.g., department: finance). When a user queries the system, the backend automatically intercepts the request, reads their role from their JWT Token, and forcefully appends a filter to the Vector Search. Finance users physically cannot retrieve HR data. Admin (C-Level) users have unrestricted filters.

Development & Deployment

A modern, modular tech stack separating scalable APIs from interactive UIs.

Backend & AI Engineering

The core intelligence, data processing, and security layer deployed to Render.


  • FastAPI (Python): A modern web framework for building high-performance APIs. We chose this because python is the native language for ML models.
  • JWT (JSON Web Tokens):
    What is it? A secure, self-contained way for transmitting information between parties as a JSON object.
    Why we use it? When a user logs in, the backend creates a signed token containing their exact Role (e.g., HR, Finance). The frontend sends this back with every query. Our backend trusts this signature, ensuring users cannot hack the system to see unauthorized files.
  • AI & Machine Learning (RAG):
    Why we use it? Because standard LLMs don't know our company secrets.
    How? We use SentenceTransformers (ML) to convert text into numbers (vectors) and store them in ChromaDB. When a query is made, we do a semantic search to find the closest numbers, pull the text, and feed only that text to our LLM (Mistral-7B via OpenRouter) to generate the final answer.

Frontend Engineering

The user-facing interactive portal deployed to Vercel.


  • The Pivot to Next.js:
    Our original goal was to use Streamlit as specified in the project outline. However, Streamlit was completely unsuccessful at handling complex JWT state management, true Role-Based UI rendering, and maintaining a stable, modern look.
  • Our Solution (Next.js):
    We scrapped Streamlit and entirely rebuilt the frontend using Next.js (React). This allowed us to build a lightning-fast, highly secure interface that could physically intercept unauthenticated traffic and provide a premium "Glassmorphism" UI experience using Tailwind CSS.
  • Axios Interceptors:
    We use Axios to communicate with the Render API. Axios automatically attaches the JWT token from LocalStorage to the header of every single request, ensuring strict security on the frontend.

System Evaluation

Rigorous testing to ensure accuracy and data security.

100%
RBAC Accuracy

Zero unauthorized documents leaked during penetration tests across cross-department queries.

1.0
Recall@K Score

System successfully retrieved the correct document for 100% of the benchmark questions.

>0.85
Avg Confidence

High cosine similarity scores from ChromaDB ensuring only highly relevant context is passed to the LLM.

Answer Quality (Human Evaluation)

RAG systems are graded on Relevance, Correctness, and Completeness (Scale 1-4). Our system averaged a 3.8 / 4.0 across complex organizational queries, backed up by exact document citations in the UI.

Conclusion & Future Scope

Transforming enterprise knowledge access.

Key Takeaways

  • Successfully built a secure, role-aware AI chatbot preventing data silos and leaks.
  • Combined FastAPI backend intelligence with an ultra-responsive Next.js interface.
  • Scalable RAG architecture ready for enterprise scaling.
  • Provides transparency by displaying exact sources and relevance scores to the user.

Challenges & Future

  • Challenges: API rate limiting when testing heavily, and balancing prompt context window size.
  • Future Scope: Integrating Azure Active Directory / SSO for enterprise login.
  • Tracking: Implementing an Admin dashboard to track query analytics and most active departments without viewing raw private messages.

Thank You

The RBAC Group 3 Team