Cognee Permissions System

[LStromann]

=What is the future plan for the permissions system built in? I see that there are some limitations, like forced to use file based databases for graph and vector stores. Also the user management does not seem to be "complete" right now. To build a management layer the superuser e.g. would need to get a list of users, roles, tenants. I guess I could simply write those functions by myself in the backend since I control the user database. But I guess there is a valid reason why this API endpoint is missing?

So my question is, is there a plan that the permissions system will be enhanced in future releases, or is there a better way for permission management and data isolation?

This discussion was automatically pulled from Discord.

[LStromann]

Hi <@701864286091477072> , thanks for reaching out!!

Current state of the permissions system:

• When ENABLE_BACKEND_ACCESS_CONTROL=true, the system enforces Kùzu (graph) and LanceDB (vector) for data isolation.
• Endpoints exist for creating tenants, roles, and assigning users, but there are no built-in endpoints for listing all users, roles, or tenants.
• You can refer to the permissions docs to understand how permissions are structured.

hope this helps. If you want, feel free to open a feature request here so the team can prioritize it! 🙂

[LStromann]

btw is there a specific use case you’re trying to achieve?

[LStromann]

hey <@701864286091477072> we have been working on this and we'll share the relevant docs very soon!
Briefly, we are enabling a few more databases out of the box and introducing a way to create your own handlers for different databases and infra requirements.
How does your stack look like? what are you building?

[LStromann]

Hi <@1373135538147692604> , <@778635401958522961> , thanks for your reply. I have already read the docs 😉
My usecase would be to have a multi tenant system, where each tenant will get default roles and users, but shall be also able to create additional roles and users by themselfs. As the provider of this service I need to be able to manage those resources if a customer needs support. But how could I "see" and manage roles and users if I don´t be able to get the available ones?

I didn´t plan to create an additional user / permission system next to the cognee ones. Maybe this is the wrong decision? Is cognees permissions system ment to be used "stand alone"? Or should I put the permissions system "behind" an additional user management and map the user to the cognees user_id?

The question about different databases is only regarding to my concern about file based databases would not be sufficient for production ready applications.

[LStromann]

The permissions system will be enhanced in the future with more abilities in the management layer. If you by any chance add endpoints to enhance the permission system with management endpoints feel free to open a PR we're an open source project and appreciate contribution 🙏

Adding an endpoint to list users/roles in a tenant, remove a user and role from a tenant and to remove a user from a role should be straightforward. At the moment only the tenant owner has permission to make such changes.

There is a plan to allow the tenant owner to share admin privileges to other users in a tenant and when this feature is added the existing permission endpoints will be updated