Others' documents being inferenced despite having set up the ACLs

[khallissey]

Our model still inferences others' documents despite having run the "python ./scripts/manageacl.py --acl-action enable_acls" command. Everything else is up and running, but we just realized it was still pulling documents from other users, so we guessed there was a problem with how the acls got setup. We looked through the documentation but it seems like after running that command the documents should be restricted...thank you for your help!

[pamelafox]

Here are some ideas for how to debug:

When you look at the thought process for the answers, take note of the filter being sent to the search engine, and of the groups and oids that are attached to the search results. It should only find documents that match the filter.

What are your values for these azd env variables?

azd env get-value AZURE_ENFORCE_ACCESS_CONTROL

azd env get-values AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS

Make sure those variables match what you want to happen:
https://github.com/Azure-Samples/azure-search-openai-demo/blob/main/docs/login_and_acl.md#environment-variables-reference

[khallissey]

AZURE_ENFORCE_ACCESS_CONTROL is set to true and AZURE_ENABLE_ GLOBAL_DOCUMENT_ACCESS is false. That being said the filter hasn't been set to anything. It is transmitting the same OID for multiple people, is there something else we would need to change?

[pamelafox]

Just making sure, you also have user login enabled, correct? The build_filter function should be building the filter based off the Entra OID of the currently logged in user.

[khallissey]

AZURE_USE_AUTHENTICATION is set to true...here are the .env variables (with our info redacted):

AZURE_AUTH_TENANT_ID="###"
AZURE_CHAT_HISTORY_CONTAINER="chat-history"
AZURE_CHAT_HISTORY_DATABASE="chat-database"
AZURE_CLIENT_APP_ID="###"
AZURE_CLIENT_APP_SECRET="###"
AZURE_CONTAINER_REGISTRY_ENDPOINT="###"
AZURE_CONTENTUNDERSTANDING_ENDPOINT=""
AZURE_COSMOSDB_ACCOUNT=""
AZURE_DOCUMENTINTELLIGENCE_RESOURCE_GROUP="###"
AZURE_DOCUMENTINTELLIGENCE_SERVICE="###"
AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS="false"
AZURE_ENFORCE_ACCESS_CONTROL="true"
AZURE_ENV_NAME="###"
AZURE_LOCATION="centralus"
AZURE_OPENAI_API_VERSION=""
AZURE_OPENAI_CHATGPT_DEPLOYMENT="gpt-4o"
AZURE_OPENAI_CHATGPT_DEPLOYMENT_CAPACITY=10
AZURE_OPENAI_CHATGPT_DEPLOYMENT_SKU="GlobalStandard"
AZURE_OPENAI_CHATGPT_DEPLOYMENT_VERSION="2024-05-13"
AZURE_OPENAI_CHATGPT_MODEL="gpt-4o"
AZURE_OPENAI_EMB_DEPLOYMENT="embedding"
AZURE_OPENAI_EMB_MODEL_NAME="text-embedding-ada-002"
AZURE_OPENAI_GPT4V_DEPLOYMENT="gpt-4o"
AZURE_OPENAI_GPT4V_MODEL="gpt-4o"
AZURE_OPENAI_RESOURCE_GROUP="###"
AZURE_OPENAI_SERVICE="###"
AZURE_RESOURCE_GROUP="###"
AZURE_SEARCH_INDEX="gptkbindex"
AZURE_SEARCH_SEMANTIC_RANKER="free"
AZURE_SEARCH_SERVICE="###"
AZURE_SEARCH_SERVICE_ASSIGNED_USERID="###"
AZURE_SEARCH_SERVICE_RESOURCE_GROUP="###"
AZURE_SERVER_APP_ID="###"
AZURE_SERVER_APP_SECRET="###"
AZURE_SPEECH_SERVICE_ID=""
AZURE_SPEECH_SERVICE_LOCATION=""
AZURE_STORAGE_ACCOUNT="###"
AZURE_STORAGE_CONTAINER="content"
AZURE_STORAGE_RESOURCE_GROUP="###"
AZURE_SUBSCRIPTION_ID="###"
AZURE_TENANT_ID="###"
AZURE_USERSTORAGE_ACCOUNT="###"
AZURE_USERSTORAGE_CONTAINER="user-content"
AZURE_USERSTORAGE_RESOURCE_GROUP="###"
AZURE_USE_AUTHENTICATION="true"
AZURE_VISION_ENDPOINT=""
BACKEND_URI="###"
OPENAI_HOST="azure"
SERVICE_BACKEND_IMAGE_NAME="###"
SERVICE_BACKEND_RESOURCE_EXISTS="true"
USE_CHAT_HISTORY_BROWSER="true"
USE_USER_UPLOAD="true"

Thank you for all your help!