aws-samples / bedrock-claude-chat

AWS-native chatbot using Bedrock + Claude (+Mistral)
MIT No Attribution

[Feature Request] Implement Bot Functionality Restrictions #161

Closed egallama closed 3 months ago

egallama commented 5 months ago

Describe the solution you'd like: I would like to implement controls over the creation and usage of bot functionalities. Specifically, I aim to segregate users into two categories: those who can create bot functionalities and those who can only utilize the bots that have been created.

Why the solution needed: This solution is necessary to ensure controlled access to bot creation features. By segregating users based on their privileges, we can maintain better oversight and security over the bot functionality within our system.

Additional context: At present, we lack the ability to control who can create bot functionalities and who can only use them. Introducing this feature would enhance our system's security and governance, allowing for more effective management of bot-related activities.

statefb commented 4 months ago

Possible solution

iut62elec commented 4 months ago

Is there any user group that only has bot usage permission? (no sharing and no bot creation permission, just using the bots that are shared with them)

statefb commented 4 months ago

We are seeking your feedback regarding the implementation of this feature. The plan is to allow the control of bot creation permissions through the admin panel, where permissions can be granted to individual users. Technically, this control will be implemented using Cognito user groups. However, due to strict Cognito quota limitations (25 RPS), it's hard to include bulk permission assignment in an initial release. With this approach, if we need to continue allowing existing users to create bots, it may require significant operational overhead (since the default will be that bot creation is not allowed, existing users will also be unable to create bots. We will need to grant permissions to existing users individually through the admin panel).

Please react with the following:

- 👍 No issues (plan to proceed with implementation soon)
- 👎 There are issues (this may delay the release or lower its priority)

Taikono-Himazin commented 4 months ago

I agree with this. However, I would appreciate it if you could provide an option to turn on bulk permission assignment. I don't think there is any problem with turning it on or off using cdk.json or from the screen.
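
Added example (not part of the thread and not the project's code): one way the bulk permission assignment discussed in the two comments above could stay under the quoted 25 RPS Cognito quota, by pacing `admin_add_user_to_group` calls and backing off when throttled. `bulk_grant`, `FakeCognito`, `Throttled` and the default of 20 requests per second are assumptions made for illustration.

```python
import time

QUOTA_RPS = 25  # Cognito quota quoted in the thread


class Throttled(Exception):
    """Stand-in throttling error for the constructed client below."""


class FakeCognito:
    """Constructed test double: throttles the first call for names in `flaky`."""

    def __init__(self, flaky=()):
        self.flaky, self.calls = set(flaky), []

    def admin_add_user_to_group(self, UserPoolId, Username, GroupName):
        self.calls.append(Username)
        if Username in self.flaky:
            self.flaky.discard(Username)
            raise Throttled()


def bulk_grant(client, pool_id, group, usernames, rps=20, max_retries=3,
               throttle_exc=Throttled, sleep=time.sleep, clock=time.monotonic):
    """Add each user to `group`, pacing calls below the quota.

    Returns (granted, failed). With boto3's "cognito-idp" client, pass
    throttle_exc=client.exceptions.TooManyRequestsException.
    """
    if not 0 < rps <= QUOTA_RPS:
        raise ValueError("rps must be positive and within the quota")
    interval = 1.0 / rps
    granted, failed = [], []
    next_slot = clock()
    for name in dict.fromkeys(usernames):  # drop duplicates, keep order
        for attempt in range(max_retries + 1):
            wait = next_slot - clock()
            if wait > 0:
                sleep(wait)
            next_slot = max(clock(), next_slot) + interval
            try:
                client.admin_add_user_to_group(
                    UserPoolId=pool_id, Username=name, GroupName=group)
            except throttle_exc:
                next_slot += interval * 2 ** attempt  # back off before retrying
                continue
            granted.append(name)
            break
        else:
            failed.append(name)  # still throttled after max_retries
    return granted, failed
```

The `failed` list is what an operator would re-run or review, so a partially applied grant is visible rather than silent.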

iut62elec commented 3 months ago

Any update on this?

statefb commented 3 months ago

Working on #319