feat(rbac/ui): per-tab OpenFGA gates and empty states for Knowledge sidebar #1572
Closed
sriaradhyula wants to merge 1 commit into
PR 2 of the 2026-05-27 fine-grained KB ReBAC plan.
Stops the Knowledge sidebar from showing tabs the user cannot actually
use. Non-admin users who own zero knowledge bases would previously see
Search / Data Sources / Graph / MCP Tools live in the sidebar and only
discover the 403 after clicking through. This PR renders those tabs as
disabled-with-tooltip and replaces the page body with a clear empty
state.
Changes:
- ui/src/app/api/rbac/kb-tab-gates/route.ts: new BFF route that returns
`{search, data_sources, graph, mcp_tools, has_any_kb, kb_count}`.
Org admins (resolved via OpenFGA can_manage organization or via
BOOTSTRAP_ADMIN_EMAILS) short-circuit to every tab true with
kb_count = -1; non-admins get the count derived from the
/v1/datasources response filtered by knowledge_base#can_read with
bypassForOrgAdmin = false. Honours RAG_ADMIN_BYPASS_DISABLED.
- ui/src/hooks/use-kb-tab-gates.ts: SWR-style hook that fetches the
route. Fails closed — until the BFF responds every tab is hidden so
the UI never exposes a control the BFF would 403.
- ui/src/components/rag/KnowledgeSidebar.tsx: renders disabled tabs
with hover tooltips explaining the missing access, suppresses the
empty-state banner when the org-admin bypass fires, and respects
both graphRagEnabled AND RBAC on the Graph tab.
- ui/src/components/rag/NoKbAccessEmpty.tsx: page-level fallback for
Search / Data Sources / Graph / MCP Tools when no KB is readable.
- ui/src/lib/rbac/types.ts: adds KbTabKey and KbTabGatesMap.
Tests:
- ui/src/app/api/rbac/__tests__/kb-tab-gates.test.ts: BFF tests
(admin bypass, non-admin with zero KBs, kill switch, error
fallthrough).
- ui/src/components/rag/__tests__/KnowledgeSidebar.test.tsx: sidebar
render tests (disabled-with-tooltip, empty-state banner, org-admin
bypass, graphRagEnabled interaction).
- Full UI Jest suite passes (5257 / 5258, 1 skip; no failures).
- npx eslint clean on every touched file.
Docs:
- docs/docs/security/rbac/architecture.md: policy paragraph.
- docs/docs/security/rbac/file-map.md and pdp-coverage-audit.md: rows.
Assisted-by: Cursor claude-opus-4-7
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
CAIPE UI Test Results: All tests passed. Overall Coverage: 55%.
This was referenced May 27, 2026
Superseded by collapsed replacement PR #1584.
Summary
PR 2 of the 2026-05-27 fine-grained KB ReBAC plan. Stops the Knowledge sidebar from showing tabs the user cannot use. Non-admin users who own zero knowledge bases would previously see Search / Data Sources / Graph / MCP Tools live in the sidebar and only discover the 403 after clicking. This PR renders those tabs as disabled-with-tooltip and replaces the page body with an empty state.
- GET /api/rbac/kb-tab-gates returns `{search, data_sources, graph, mcp_tools, has_any_kb, kb_count}`. Org admins (via OpenFGA can_manage organization or BOOTSTRAP_ADMIN_EMAILS) short-circuit to every tab true with kb_count = -1; non-admins get the count derived from /v1/datasources filtered by knowledge_base#can_read. Honours RAG_ADMIN_BYPASS_DISABLED.
- useKbTabGates: SWR-style hook the sidebar consumes. Fails closed — until the BFF responds, every tab is hidden so the UI never exposes a control the BFF would 403.
- KnowledgeSidebar renders disabled tabs with hover tooltips, suppresses the empty-state banner on the org-admin bypass, and respects both graphRagEnabled AND RBAC on Graph.
- NoKbAccessEmpty: page-level fallback for Search / Data Sources / Graph / MCP Tools when no KB is readable.
Depends on PR #1571 (bypassForOrgAdmin infrastructure).
Test plan
- ui/src/app/api/rbac/__tests__/kb-tab-gates.test.ts: BFF tests (admin bypass, non-admin zero KBs, kill switch, error fallthrough) pass.
- ui/src/components/rag/__tests__/KnowledgeSidebar.test.tsx: sidebar render tests pass.
- npx eslint clean on every touched file.
Manual verification (post-merge)
- kb_count increments.
- RAG_ADMIN_BYPASS_DISABLED=true; confirm even admins go through the per-resource path.
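As an added illustration (not the PR's or the project's own code) of the gate derivation described in the commit message and the Summary above: a server-side function that mirrors the admin short-circuit, the RAG_ADMIN_BYPASS_DISABLED kill switch and the per-resource count, and client-side helpers that fail closed while the BFF has not answered and combine graphRagEnabled with RBAC on the Graph tab. All function and field names are hypothetical.

```typescript
// Added example; hypothetical names that model the kb-tab-gates logic, not the PR's code.
type KbTabKey = "search" | "data_sources" | "graph" | "mcp_tools";

interface KbTabGates {
  search: boolean;
  data_sources: boolean;
  graph: boolean;
  mcp_tools: boolean;
  has_any_kb: boolean;
  kb_count: number; // -1 marks the org-admin short-circuit
}

interface GateInput {
  isOrgAdmin: boolean;          // OpenFGA can_manage organization or BOOTSTRAP_ADMIN_EMAILS
  adminBypassDisabled: boolean; // RAG_ADMIN_BYPASS_DISABLED kill switch
  readableKbCount: number;      // /v1/datasources filtered by knowledge_base#can_read
}

// Server side: derive the gates map once per request.
function computeKbTabGates(input: GateInput): KbTabGates {
  const bypass = input.isOrgAdmin && !input.adminBypassDisabled;
  if (bypass) {
    return { search: true, data_sources: true, graph: true, mcp_tools: true, has_any_kb: true, kb_count: -1 };
  }
  // Per-resource path: with the kill switch on, admins are counted like everyone else.
  const hasAny = input.readableKbCount > 0;
  return { search: hasAny, data_sources: hasAny, graph: hasAny, mcp_tools: hasAny, has_any_kb: hasAny, kb_count: input.readableKbCount };
}

// Client side: `gates` is undefined until the BFF responds; in that state every
// tab stays disabled (fail closed). Graph needs both the feature flag and RBAC.
function isTabEnabled(gates: KbTabGates | undefined, tab: KbTabKey, graphRagEnabled: boolean): boolean {
  if (!gates) return false;
  if (tab === "graph") return graphRagEnabled && gates.graph;
  return gates[tab];
}

// Empty-state banner: only after a response, never on the admin bypass, only when no KB is readable.
function showNoKbAccessEmpty(gates: KbTabGates | undefined): boolean {
  return gates !== undefined && gates.kb_count !== -1 && !gates.has_any_kb;
}
```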