---
title: "Data and RAG"
slug: "data-and-rag"
updated: 2026-03-01T15:14:57Z
published: 2026-03-01T15:14:57Z
---


# Data and RAG

{{snippet.Early Access}}
**Controls** define what **Agents** are allowed to access after an interaction has been authorized.

The first data control type is **RAG (Retrieval Augmented Generation)**. RAG controls determine which data collections an **Agent** can retrieve on behalf of the originating **Identities**.

RAG controls follow a least-privilege model. By default, all collections are denied. An **Agent** can retrieve documents only if access has been explicitly granted in a **Policy**.

RAG controls answer the question:

> **Which data collections can these users, through these Agents, retrieve content from and under what Conditions?**

---

## Granting Access to RAG Collections

During Discovery, the **PlainID Authorization Platform** connects to your vector databases, identifies available collections, and extracts existing metadata fields and filters. If enrichment is enabled, additional metadata may be generated. These elements are transformed into **Policy**-ready building blocks.

**To configure RAG controls**:
1. In the Policies section in the Environment sidebar, click on the relevant Authorization Workspace.
2. Select a Policy or create one.
3. In the **Policy Canvas**, click the plus (+) icon in the **RAG Control** component.
4. In the side panel, review the available **Collections**.
   ![Image](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/image\(407\).png)

You can grant retrieval access at either a collection level or a metadata-filtered level.

---

## Granting Access to an Entire Collection

Use this option when access should apply to all documents within a specific collection.

**To add a collection:**
1. In the Policies section in the Environment sidebar, click on the relevant Authorization Workspace.
2. Select a Policy or create one.
3. In the Controls section, click on RAG Controls. This opens the **RAG Control** side panel.
4. Search for or browse to the relevant collection.
5. Select the relevant collection.

The selected collection appears in the **RAG Control** widget on the canvas. This grants retrieval access to all documents within that collection.

**Example use cases:**

* Allow a finance **Agent** to access the entire `Public Financial Reports` collection.
* Grant internal support teams full access to a knowledge base that is already segmented by environment.

This approach is appropriate when collections are logically separated by sensitivity or business domain.

---

## Granting Access Using Metadata Filters

For fine-grained control, restrict access within a collection using discovered metadata fields.

During Discovery, the platform:

* Retrieves existing metadata **Attributes** from the vector database.
* Normalizes them into structured, **Policy**-ready fields.
* Makes them available in the query builder interface.

This enables document-level authorization.

**To apply metadata filters**:
1. In the Policies section in the Environment sidebar, click on the relevant Authorization Workspace.
2. Select a Policy or create one.
3. Select a collection in the **RAG Control** section.
4. Click **Filter** next to the collection.
5. In the query builder, define the required conditions using the available metadata fields.
   ![Image](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/image\(408\).png)

The collection appears in the **RAG Control** widget with the defined conditions applied.

---

By combining collection selection and metadata filters, you can define precise, least-privilege access to retrieval pipelines within your **Policies**.
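
The access semantics described on this page (deny by default, whole-collection grants, metadata-filtered grants) can be sketched as follows. This is an added Python example, not PlainID code or its API; the policy structure, the AND semantics between conditions, the fail-closed handling of missing metadata, and the `HR Knowledge Base` and `M&A Drafts` names are assumptions constructed for illustration.

```python
# Added illustration only: not PlainID code or API. The policy shape, metadata
# field names and documents are constructed for this example.

# collection -> conditions that must ALL hold (assumed AND semantics).
# An empty list grants the entire collection; a collection that is not
# listed is denied, matching the deny-by-default model described above.
POLICY = {
    "Public Financial Reports": [],
    "HR Knowledge Base": [
        ("region", "eq", "EU"),
        ("classification", "in", ["public", "internal"]),
    ],
}

# Constructed sample documents with their vector-store metadata.
DOCS = [
    {"id": "d1", "collection": "Public Financial Reports", "meta": {}},
    {"id": "d2", "collection": "HR Knowledge Base",
     "meta": {"region": "EU", "classification": "internal"}},
    {"id": "d3", "collection": "HR Knowledge Base",
     "meta": {"region": "US", "classification": "public"}},
    {"id": "d4", "collection": "HR Knowledge Base", "meta": {"region": "EU"}},
    {"id": "d5", "collection": "M&A Drafts", "meta": {"region": "EU"}},
]

OPS = {"eq": lambda value, want: value == want,
       "in": lambda value, want: value in want}

def condition_holds(meta, condition):
    field, op, want = condition
    # Fail closed: a missing metadata field or unknown operator never matches.
    if field not in meta or op not in OPS:
        return False
    return OPS[op](meta[field], want)

def is_retrievable(policy, collection, meta):
    if collection not in policy:          # deny by default
        return False
    return all(condition_holds(meta, c) for c in policy[collection])

def authorized_ids(policy, docs):
    return [d["id"] for d in docs
            if is_retrievable(policy, d["collection"], d["meta"])]

if __name__ == "__main__":
    print(authorized_ids(POLICY, DOCS))
```

In a retrieval pipeline, conditions like these are usually passed to the vector database as a query filter, so that documents outside the grant are never returned to the Agent.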
