5.5 KiB
Access Control — Enterprise Knowledge Governance
🧭 Quick Return to Map
You are in a sub-page of Enterprise_Knowledge_Gov.
To reorient, go back here:
- Enterprise_Knowledge_Gov — corporate knowledge management and governance
- WFGY Global Fix Map — main Emergency Room, 300+ structured fixes
- WFGY Problem Map 1.0 — 16 reproducible failure modes
Think of this page as a desk within a ward.
If you need the full triage and all prescriptions, return to the Emergency Room lobby.
Guardrails and fix patterns to ensure that enterprise knowledge bases are segmented, secured, and retrievable without silent leaks. Use this page when failures look like “permissions bug” but root cause is schema drift, missing contracts, or evaluation blind spots.
When to use this page
- Agents or LLMs retrieve snippets that a user role should not see.
- Answers omit key passages even though data is present in the KB.
- Knowledge base permissions collapse after re-index or migration.
- Citation shows content from a restricted section without a trace.
- External connectors expose more fields than expected.
Core acceptance targets
- ΔS(question, retrieved) ≤ 0.45, with access role enforced.
- Coverage ≥ 0.70 for the allowed scope, and <0.05 for disallowed scope.
- λ remains convergent across three paraphrases and two seeds.
- All snippets carry explicit
role_scope,section_id, andsource_hash.
Typical access problems → exact fix
| Symptom | Likely cause | Open this |
|---|---|---|
| Leaked restricted snippet | Missing role tag or weak contract | data-contracts.md, retrieval-traceability.md |
| Role upgrade not reflected | Cache or index skew | bootstrap-ordering.md, deployment-deadlock.md |
| Over-blocking (user sees nothing) | Schema mismatch or λ collapse | logic-collapse.md |
| Citations missing access tag | Parser or contract drift | ocr-parsing-checklist.md, data-contracts.md |
Fix in 60 seconds
- Measure ΔS for the retrieved vs allowed anchor.
- Check role_scope — ensure every snippet has an explicit scope.
- Rebuild contract — enforce schema:
{snippet_id, section_id, role_scope, hash}. - Re-index if role tags missing, with explicit normalization.
- Verify λ stability across paraphrases with access role locked.
Copy-paste schema (YAML)
snippet_id: "KB-12345"
section_id: "SEC-42"
role_scope: "finance_analyst"
source_hash: "sha256:..."
text: "..."
Every snippet must carry these fields, and retrieval probes must validate them before citation.
Escalate when
- ΔS remains ≥ 0.60 even with contracts enforced.
- Citations show cross-scope bleed.
- Index mismatch recurs after two re-indexes.
Escalation path: rebuild with chunking-checklist.md and validate via eval_rag_precision_recall.md.
Explore More
| Layer | Page | What it’s for |
|---|---|---|
| Proof | WFGY Recognition Map | External citations, integrations, and ecosystem proof |
| Engine | WFGY 1.0 | Original PDF based tension engine |
| Engine | WFGY 2.0 | Production tension kernel and math engine for RAG and agents |
| Engine | WFGY 3.0 | TXT based Singularity tension engine, 131 S class set |
| Map | Problem Map 1.0 | Flagship 16 problem RAG failure checklist and fix map |
| Map | Problem Map 2.0 | RAG focused recovery pipeline |
| Map | Problem Map 3.0 | Global Debug Card, image as a debug protocol layer |
| Map | Semantic Clinic | Symptom to family to exact fix |
| Map | Grandma’s Clinic | Plain language stories mapped to Problem Map 1.0 |
| Onboarding | Starter Village | Guided tour for newcomers |
| App | TXT OS | TXT semantic OS, fast boot |
| App | Blah Blah Blah | Abstract and paradox Q and A built on TXT OS |
| App | Blur Blur Blur | Text to image with semantic control |
| App | Blow Blow Blow | Reasoning game engine and memory demo |
If this repository helped, starring it improves discovery so more builders can find the docs and tools.
