Data and RAG

New
  • Published on Feb 17, 2026
  • 2 minute(s) read
Prev Next

Controls define what Agents are allowed to access after an interaction has been authorized.

The first data control type is RAG (Retrieval Augmented Generation). RAG controls determine which data collections an Agent can retrieve on behalf of the originating Identities.

RAG controls follow a least privileged model. By default, all collections are denied. An Agent can retrieve documents only if access has been explicitly granted in a Policy.

RAG controls answer the question:

Which data collections can these users, through these Agents, retrieve content from and under what Conditions?

Granting Access to RAG Collections

During Discovery, the PlainID Authorization Platform connects to your vector databases, identifies available collections, and extracts existing metadata fields and filters. If enrichment is enabled, additional metadata may be generated. These elements are transformed into Policy ready building blocks.

To configure RAG controls:

  1. In the Policies section in the Environment sidebar, click on the relevant Authorization Workspace.
  2. Select a Policy or create one.
  3. In the Policy Canvas, click the plus (+) icon in the RAG Control component.
  4. In the side panel, review the available Collections.
    Image

You can grant retrieval access at either a collection level or a metadata-filtered level.

Granting Access to an Entire Collection

Use this option when access should apply to all documents within a specific collection.

To add a collection:

  1. In the Policies section in the Environment sidebar, click on the relevant Authorization Workspace.
  2. Select a Policy or create one.
  3. In the Controls section, click on RAG Controls. This opens the RAG Control side panel.
  4. Search for or browse to the relevant collection.
  5. Select the relevant collection.

The selected collection appears in the RAG Control widget on the canvas. This grants retrieval access to all documents within that collection.

Example use cases:

  • Allow a finance Agent to access the entire Public Financial Reports collection.
  • Grant internal support teams full access to a knowledge base that is already segmented by environment.

This approach is appropriate when collections are logically separated by sensitivity or business domain.

Granting Access Using Metadata Filters

For fine-grained control, restrict access within a collection using discovered metadata fields.

During Discovery, the platform:

  • Retrieves existing metadata Attributes from the vector database.
  • Normalizes them into structured, Policy ready fields.
  • Makes them available in the query builder interface.

This enables document-level authorization.

To apply metadata filters:

  1. In the Policies section in the Environment sidebar, click on the relevant Authorization Workspace.
  2. Select a Policy or create one.
  3. Select a collection in the RAG Control section.
  4. Click Filter next to the collection.
  5. In the query builder, define the required conditions using the available metadata fields.
    Image

The collection appears in the RAG Control widget with the defined conditions applied.

By combining collection selection and metadata filters, you can define precise, least privileged access to retrieval pipelines within your Policies.

Related articles