Version: 2.0

Apply Metadata Filters for Attribute-Based Access Control (ABAC)

Vectara does not currently offer native field-level or document-level access control levels (ACLs). Without these controls, anyone with query access to a corpus can see all its content.

Vectara solves this problem with Attribute-Based Access Control (ABAC). ABAC enables you to attach metadata to documents and apply filters at query time. This lets your application define who can see what, based on dynamic rules.

This guide shows how to use metadata filters to implement fine-grained access control—ensuring each user sees only what you want to allow based on ownership, group, role, or other attributes.

Attribute-based access control scenarios

Scenario	Example Metadata Fields
Restrict access to user-specific data	`user_id`, `account_id`
Limit visibility to specific teams or departments	`team`, `department`
Control access based on user privileges	`access_level`, `role`
Filter by context or category	`category`, `project`, `tag`

Prerequisites

Metadata fields defined for your corpus—an Admin setup
Documents indexed with access-relevant metadata—a Developer task
Backend logic that maps user attributes (ID, team, role) to filters—typically coded by Developers

ABAC best practices

✅ Construct filters server-side using verified user attributes
✅ Use consistent metadata naming (e.g., user_id, team) across corpora
❌ Never allow users to provide arbitrary filter expressions
🔒 Keep QueryService API keys private; expose only through secure APIs

Configure attribute-based access control

Add metadata when indexing data.
METADATA EXAMPLE
```
1
```
note
Each metadata field must be declared in your corpus schema.
Construct the access filter.
Build a filter string that enforces access control where Mary can access her own documents and anyone in the history group with role professor can also access these documents

(doc.owner in ("mary", "global")) OR ("history" IN doc.groups AND (doc.roles is null OR "professor" IN doc.roles))
Combine metadata with the application-specific filters.
You can layer filters for user access and functional context:

((doc.owner = "mary") OR ("history" IN doc.groups)) AND (doc.project = "orientation")

This ensures access control remains enforced while supporting contextual filtering.

Example ABAC request

ABAC REQUEST EXAMPLE

ABAC Limitations

Limitation	Recommendation
Filters are enforced per query, not at platform level	Rely on backend to inject correct filters
No per-document ACLs	Use metadata and filters instead
QueryService access gives full access	Scope keys narrowly and use ABAC consistently

Attribute-based access control scenarios​

Prerequisites​

ABAC best practices​

Configure attribute-based access control​

Example ABAC request​

ABAC Limitations​