Skip to content

[Bug]: Team’s “Allowed Vector Stores” setting not enforced correctly #16304

New issue
New issue
Open
#16639
Open
[Bug]: Team’s “Allowed Vector Stores” setting not enforced correctly#16304
#16639
Labels
bugSomething isn't workingllm translation
@Outvoker

Description

@Outvoker
Outvoker
opened on Nov 6, 2025

What happened?

When configuring vector stores and teams in LiteLLM (v1.79.1), the team-level “Allowed Vector Stores” setting doesn’t seem to apply as expected.
A key linked to a user and a team can still access all vector stores, not just those allowed for the team.

If I later specify an additional allowed vector store in the key’s Optional Settings, the behavior flips — the key can access only that specific store and not the team’s allowed store(s).
This behavior seems inconsistent and different from how LLM model access is managed (where team-level permissions are respected).

Steps to reproduce

  1. LiteLLM version: 1.79.1

  2. Create multiple vector stores via YAML config:

    vector_store_registry:
  - vector_store_name: rag-engine-test
    litellm_params:
      vector_store_id: "xxxx"
      custom_llm_provider: "vertex_ai"
      vector_store_description: "Vertex AI RAG Engine for testing"
      litellm_credential_name: vertex_ai_cred
  - ...

credential_list:
  - credential_name: vertex_ai_cred
    credential_values:
      vertex_credentials: xxx
      vertex_project: xxx
      vertex_location: xxx
    credential_info:
      provider: gcp

  3. Create a team (e.g., test team).

  4. In Additional Settings → Allowed Vector Stores, only add one vector store permission, e.g., rag-engine-test (6917***).

Image
  1. Create a key, link it to a user and the test team.
    (BTW: How can we make it so that teams/users have no vector store access by default?)
    Observed behavior:
  • The key can still access all vector stores, not just the one allowed for the team.
  • If you edit the key and in Optional Settings specify a different allowed vector store (e.g., 88X***), then the key can only access that specific store(88X***) and not the team’s allowed one(6917***).
  • This means we need to add an Allowed Vector Stores configuration bound to the key. It cannot be managed at the team level the way Models are.
  • Also, the current access management allows access to all vector stores by default, rather than denying access to any by default.

Expected behavior

The key should inherit and be restricted by the team’s allowed vector store permissions, similar to how team-level permissions for LLM models work(like specify the team and choose All Team Model option).

Relevant log output



Are you a ML Ops Team?


No


What LiteLLM version are you on ?


1.79.1


Twitter / LinkedIn details


No response
Metadata
Metadata
Assignees
No one assigned
    Labels
    bugSomething isn't workingllm translation
    Type
    No type
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions