Handle Admin Users and Page Routing

[arm-diaz]

Hi.

Is it possible to add an admin group to the cognito user pool? It would be amazing if non-admin users have access only to the playground and home pages. Restricting access to the admin group will allow us to present two versions of the chatbot based on user's technical background.

[ajaylamba-provar]

Yes, It would be a good feature to have and the chatbot could be used by general users as well with this feature.

[ajaylamba-provar]

@bigadsoleiman I am interested in contributing to this one. I would need some guidance initially.

[flamingquaks]

Feature Proposal: User Access Control and Management

Background

The AWS Generative AI Chatbot Sample application allows users to leverage Amazon Bedrock for LLMs and explore Retrieval-Augmented Generation (RAG) with different vector stores.

Currently, there are no controls over who can access what features. All standard users have equal access. While chats are individualized per user, workspaces are visible to all users. This creates risk of users deleting other users' data, creating unwanted workspaces, etc.

Proposal

Introduce user roles and access control to mitigate risks:

• Admin - Manage users, roles, workspaces
• Workspace Manager - Create, edit, delete workspaces
• Workspace Viewer - View workspaces
• Chatbot Only - Use chatbot, no workspace access

User roles can be applied to users leveraging a custom Cognito User Pool Attribute

Add Admin section to manage users and roles. Update UI to only show features per user role.

Implementation

• Add custom attribute to users in user pool in Cognito
• React UI updates for new Admin page and role-based access
• Refactor REST API to validate roles and scope access
• Refactor Python back-end for role-based validation

Out of Scope

• Fine-grain workspace access controls (sharing, private workspaces, etc)

[flamingquaks]

Proposed Permissions by Role for API Endpoints

Key

✅ - Has Access

⛔️ - Doesn't have Access

API Endpoints

HTTP Method	Endpoint	Admin Role	Workspaces Manager Role	Workspaces User Role	Chatbot User Role
GET	/cross-encoders/models	✅	✅	✅	⛔️
POST	/cross-encoders	✅	✅	✅	⛔️
GET	/embeddings/models	✅	✅	✅	⛔️
POST	/embeddings	✅	✅	✅	⛔️
GET	/health	✅	✅	✅	✅
GET	/models	✅	✅	✅	✅
GET	/rag/engines	✅	✅	✅	⛔️
GET	/rag/engines/kendra/indexes	✅	✅	✅	⛔️
POST	/rag/engines/kendra/data-sync	✅	✅	⛔️	⛔️
GET	/rag/engines/kendra/data-sync/<workspace_id>	✅	✅	⛔️	⛔️
POST	/semantic-search	✅	✅	✅	⛔️
GET	/sessions	✅	✅	✅	✅
GET	/sessions/<session_id>	✅	✅	✅	✅
DELETE	/sessions	✅	✅	✅	✅
DELETE	/sessions/<session_id>	✅	✅	✅	✅
GET	/workspaces	✅	✅	✅	✅
GET	/workspaces/<workspace_id>	✅	✅	✅	⛔️
DELETE	/workspaces/<workspace_id>	✅	✅	⛔️	⛔️
PUT	/workspaces	✅	✅	⛔️	⛔️
POST	/workspaces/<workspace_id>/documents/file-upload	✅	✅	⛔️	⛔️
GET	/workspaces/<workspace_id>/documents/<document_type>	✅	✅	✅	⛔️
GET	/workspaces/<workspace_id>/documents/<document_id>/detail	✅	✅	✅	⛔️
GET	/workspaces/<workspace_id>/documents/<document_id>/posts	✅	✅	✅	⛔️
GET	/workspaces/<workspace_id>/documents/<document_id>/enable	✅	✅	⛔️	⛔️
GET	/workspaces/<workspace_id>/documents/<document_id>/disable	✅	✅	⛔️	⛔️
POST	/workspaces/<workspace_id>/documents/<document_type>	✅	✅	⛔️	⛔️
PATCH	/workspaces/<workspace_id>/documents/<document_id>	✅	✅	⛔️	⛔️

Note: This is documentation of existing endpoints. New admin API endpoints are not documented yet, but only "Admin Role" will have access to Admin API endpoints

[flamingquaks]

Proposed updates to the existing Sidebar navigation

This does not include new admin pages. This also does not include changes within pages based on role, only the sidebar navigation. Page updates will be proposed next.

Key

✅ - Has Access

⛔️ - Doesn't have Access

Main Menu

Name	Path	Section	Admin Role	Workspaces Admin Role	Workspaces User Role	Chatbot User Role
Home	/	N/A	✅	✅	✅	✅
Playground	/chatbot/playground	Chatbot	✅	✅	✅	✅
Multi-chat playground	/chatbot/multichat	Chatbot	✅	✅	✅	✅
Models	/chatbot/models	Chatbot	✅	✅	✅	✅
Dashboard	/rag	Retieval-Augmented Generation (RAG)	✅	✅	✅	⛔️
Semantic search	/rag/semantic-search	Retieval-Augmented Generation (RAG)	✅	✅	✅	⛔️
Workspaces	/rag/workspaces	Retieval-Augmented Generation (RAG)	✅	✅	✅	⛔️
Embeddings	/rag/embeddings	Retieval-Augmented Generation (RAG)	✅	✅	✅	⛔️
Cross-encoders	/rag/cross-encoders	Retieval-Augmented Generation (RAG)	✅	✅	✅	⛔️
Engines	/rag/engines	Retieval-Augmented Generation (RAG)	✅	✅	✅	⛔️

[flamingquaks]

Proposed updates to Page Components

Key

✅ - Has Access

⛔️ - Doesn't have Access

Updates within Pages

Page	Path	Functionality	Admin Role	Workspaces Admin Role	Workspaces User Role	Chatbot User Role
Dashboard	/rag	Create Workspace Button	✅	✅	⛔️	⛔️
Dashboard	/rag	Add Data Drop Down	✅	✅	⛔️	⛔️
Workspaces	/rag/workspaces	Create Workspace Button	✅	✅	⛔️	⛔️
Workspaces	/rag/workspaces	Delete Workspace Button	✅	✅	⛔️	⛔️
Workspace	/rag/workspaces/<workspace_id>	Add Data Drop Down	✅	✅	⛔️	⛔️
Workspace	/rag/workspaces/<workspace_id>?tab=file	Files Tab - Upload files button	✅	✅	⛔️	⛔️
Workspace	/rag/workspaces/<workspace_id>?tab=texts	Texts Tab - Add texts button	✅	✅	⛔️	⛔️
Workspace	/rag/workspaces/<workspace_id>?tab=qna	Q&A Tab - Add Q&A button	✅	✅	⛔️	⛔️
Workspace	/rag/workspaces/<workspace_id>?tab=websites	Websites Tab - Crawl websites button	✅	✅	⛔️	⛔️
Workspace	/rag/workspaces/<workspace_id>?tab=rssfeed	RSS Feed Tab - Subscribe to RSS feed button	✅	✅	⛔️	⛔️
Workspace - Add Data	/rag/workspaces/add-data?tab=file&workspaceId=<workspace_id>	Upload Files	✅	✅	⛔️	⛔️
Workspace - Add Data	/rag/workspaces/add-data?tab=text&workspaceId=<workspace_id>	Add Text	✅	✅	⛔️	⛔️
Workspace - Add Data	/rag/workspaces/add-data?tab=qna&workspaceId=<workspace_id>	Add Q&A	✅	✅	⛔️	⛔️
Workspace - Add Data	/rag/workspaces/add-data?tab=website&workspaceId=<workspace_id>	Crawl Website	✅	✅	⛔️	⛔️
Workspace - Add Data	/rag/workspaces/add-data?tab=rssfeed&workspaceId=<workspace_id>	RSS Feeds	✅	✅	⛔️	⛔️

[flamingquaks]

Proposed Additions to API for Admin Functionality

The proposed endpoints are necessary to add user management functionality within the solution. Currently, user management is solely handled via Cognito in Console/CLI. With the introduction of a customized user attribute to manage user access, having the user management within the UI can ensure users are created correctly, with the right attributes applied.

Key

✅ - Has Access

⛔️ - Doesn't have Access

API Endpoints

HTTP Method	Endpoint	Action	Admin Role	Workspaces Admin Role	Workspaces User Role	Chatbot User Role
GET	/admin/users	List Users	✅	⛔️	⛔️	⛔️
GET	/admin/users/<user_id>	Get User Details	✅	⛔️	⛔️	⛔️
PUT	/admin/users	Create User	✅	⛔️	⛔️	⛔️
PATCH	/admin/users/<user_id>	Update User / Disable User / Enable User	✅	⛔️	⛔️	⛔️
DELETE	/admin/users/<user_id>	Delete User (must already be disabled)	✅	⛔️	⛔️	⛔️
GET	/admin/users/<user_id>/reset-password	Reset User Password	✅	⛔️	⛔️	⛔️

[flamingquaks]

Proposed UI for User Administration

A new section will be added to the sidebar navigation called "Administration" that will be visible to users with a userRole = admin. The admin section has been setup to enable new admin controls easily under the newly created section.

Here are some screenshots of the work in progress updates.

[flamingquaks]

If a user logs into the application w/o a user role attribute on their Cognito User, the user will be navigated to a page for invalid roles. The page includes a quick error message and expandable instructions for chatbot admins.

[hghandri]

Hi,

has development started for this very promising feature ?

++

[github-actions[bot]]

This issue is stale because it has been open for 60 days with no activity.

[github-actions[bot]]

This issue was closed because it has been inactive for 30 days since being marked as stale.