Role-based access control through user id (metadata) #24561
NikhilAdvani
started this conversation in
General
Hello everyone,
I am developing a Retrieval-Augmented Generation (RAG) chatbot that includes a role-based access control feature. This chatbot will cater to three types of users: doctors, patients, and admins. Users will be able to access and query information from three different types of documents through the chatbot.
Research Papers Directory: This directory contains research papers that both doctors and patients can query for general information.
Clinic Notes (clinic_notes.json): This JSON file contains notes taken by doctors during patient visits. The format is as follows:
```json
{
  "note1": {
    "Meta": {"type": "clinic notes", "doctor_id": "2", "patient_id": "2"},
    "content": {"07/01/24": "He is suffering from abc disease"}
  },
  "note2": {
    "Meta": {"type": "clinic notes", "doctor_id": "1", "patient_id": "3"},
    "content": {"07/02/24": "She is suffering from xyz disease"}
  },
  "note3": {
    "Meta": {"type": "clinic notes", "doctor_id": "1", "patient_id": "1"},
    "content": {"07/03/24": "He is suffering from pqr disease"}
  }
}
```
Patient Data (patient_data.json): This JSON file contains detailed information about patients. The format is as follows:
```json
{
  "note1": {
    "Meta": {"type": "diagnose data", "doctor_id": "1", "patient_id": "1"},
    "content": {"Name": "Jacob Nicolson", "height": "165 cm", "weight": "145 lbs", "age": "26", "sex": "Male", "disease": "pqr"}
  },
  "note2": {
    "Meta": {"type": "diagnose data", "doctor_id": "2", "patient_id": "2"},
    "content": {"Name": "Colt Bruke", "height": "170 cm", "weight": "156 lbs", "age": "32", "sex": "Male", "disease": "abc"}
  },
  "note3": {
    "Meta": {"type": "diagnose data", "doctor_id": "1", "patient_id": "3"},
    "content": {"Name": "Eliza Walter", "height": "180 cm", "weight": "150 lbs", "age": "27", "sex": "Female", "disease": "xyz"}
  }
}
```
I have implemented a Streamlit login page using this approach Link. My goal is to ensure that access to these documents is restricted based on the user's role and association:
Doctor Access: A logged-in doctor should only be able to access information where they are involved. For instance, a doctor with doctor_id: 1 should only be able to access note2 and note3 from clinic_notes.json, and note1 and note3 from patient_data.json.
Patient Access: A logged-in patient should only be able to access their own information. For example, a patient with patient_id: 2 should only be able to access note1 from clinic_notes.json and note2 from patient_data.json.
Despite trying several approaches and searching online for solutions, I haven't found a robust method to implement this. Any ideas or assistance would be greatly appreciated.
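
The access rules described in the post above, as an added example that is not part of the original post: a deny-by-default metadata filter applied to the two JSON stores before any text reaches the retriever or the model. `Principal`, `is_allowed`, `visible_notes` and the `research paper` type label are hypothetical names; the post gives no rule for admins, so the example denies them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    role: str     # "doctor", "patient" or "admin", set by the login layer
    user_id: str  # doctor_id or patient_id taken from the authenticated session


# Metadata copied from the post's two JSON files ("content" omitted here).
CLINIC_NOTES = {
    "note1": {"Meta": {"type": "clinic notes", "doctor_id": "2", "patient_id": "2"}},
    "note2": {"Meta": {"type": "clinic notes", "doctor_id": "1", "patient_id": "3"}},
    "note3": {"Meta": {"type": "clinic notes", "doctor_id": "1", "patient_id": "1"}},
}
PATIENT_DATA = {
    "note1": {"Meta": {"type": "diagnose data", "doctor_id": "1", "patient_id": "1"}},
    "note2": {"Meta": {"type": "diagnose data", "doctor_id": "2", "patient_id": "2"}},
    "note3": {"Meta": {"type": "diagnose data", "doctor_id": "1", "patient_id": "3"}},
}

# Which metadata field must equal the caller's id, per role.
OWNER_FIELD = {"doctor": "doctor_id", "patient": "patient_id"}
# Assumed type label for documents from the research papers directory.
PUBLIC_TYPES = {"research paper"}


def is_allowed(principal: Principal, meta: dict) -> bool:
    """Deny by default; allow only on an exact role/id match."""
    field = OWNER_FIELD.get(principal.role)
    if field is None:
        # Admin or unknown role: the post defines no rule, so nothing is granted.
        return False
    if meta.get("type") in PUBLIC_TYPES:
        return True  # research papers are open to doctors and patients
    owner = meta.get(field)
    # A record without the owner field, or an empty caller id, never matches.
    return bool(owner) and owner == principal.user_id


def visible_notes(principal: Principal, store: dict) -> list:
    """Keys of the notes that may be handed to the retriever for this caller."""
    return sorted(
        key for key, doc in store.items()
        if is_allowed(principal, doc.get("Meta", {}))
    )
```

The `Principal` has to be built from the authenticated Streamlit session, never from anything typed into the chat, and the filter has to run before retrieval so unauthorized notes are never placed in the prompt.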