When designing a solution that supports RBAC with CalypsoAI, it’s important to tailor the architecture to the specific use case. This document outlines key concepts related to authentication and authorization, followed by two example use cases that demonstrate how to implement RBAC using Active Directory (AD) as the identity provider.
Authentication Overview
1. CalypsoAI User Interface (UI):Users accessing the CalypsoAI UI can authenticate in one of two ways:
- Single Sign-On (SSO) via an external identity provider (IdP) supporting OAuth or SAML
- Username and password (for local authentication)
Applications interacting with the CalypsoAI API authenticate using authorization tokens (API keys), which are associated with specific projects and permissions.
Authorization Concepts
Authorization in CalypsoAI is governed by the following components:
- Project membership: Determines which users or tokens are associated with a specific project
- Enabled models: Controls which AI models are available within a given project
- Enabled scanners: Defines which security scanners are active for that project
- API token assignment: Each project has one or more API tokens used for authentication via the API
Use Case 1: General-Purpose AI Chat for End Users (via CalypsoAI UI)
In this scenario, end users interact with the CalypsoAI chat interface for general-purpose AI use.
Step 1: Create a Project
Set up a project in CalypsoAI that includes the appropriate models and scanners for this user group.
Step 2: Define AD Groups
Identify the Active Directory group(s) that represent your target user base. Add all applicable users to the group.
Step 3: Sync AD Groups to CalypsoAI
Use a script and the CalypsoAI API to associate each AD group with the appropriate project.
Once complete, users authenticating via SSO will automatically be associated with the correct project and its security policies.
Use Case 2: AI-Powered Application with Specific Use Case (via API Integration)
In this scenario, a custom AI application sends user prompts to CalypsoAI for scanning and model inference.
Step 1: Create a Project
Define a project in CalypsoAI that includes the appropriate models and scanners for this specific application use case.
Step 2: Generate an API Token
Create an API token in CalypsoAI and associate it with the project created in Step 1.
Step 3: Define AD Groups
Identify or create an AD group that includes all end users of the application.
Step 4: Assign API Token to the AD Group
Store the CalypsoAI API token in the directory entry for the AD group. This links all group members to the correct project.
Step 5: Integrate with the Application
Configure the application to:
- Retrieve the correct API token from the AD group based on the logged-in user
- Send prompts to CalypsoAI's /prompts API endpoint using the token
- Include the username as part of the external Metadata payload for auditing and policy enforcement
Sample AI Application
Let’s talk through a sample AI application In order to walk through the concepts with a meaningful example.
Suppose you’ve built an internal, modern HR assistant application that uses RAG (Retrieval-Augmented Generation) and an OpenAI Model to provide intelligent responses to HR-related queries.
The Application has the following features:
- Natural language processing for HR queries
- RAG (Retrieval-Augmented Generation) for context-aware responses
- Integration with an OpenAI model for AI-powered responses
- Authentik SSO integration for secure authentication
- Real-time chat interface
- Dashboard with quick access to HR resources
- Vector-based document storage with ChromaDB
System Overview
The HR Assistant application consists of the following main components:
Authentication Flow
The sample authentication process and token assignment flow:
Chat Flow
The sample message processing and response generation flow:
Summary
The RBAC approach in CalypsoAI enables granular control over which users and applications can access specific models and security scanners. By leveraging AD group membership and either SSO or API tokens, organizations can ensure consistent enforcement of AI security policies across both user-facing interfaces and integrated applications.