LlamaIndex • 2024-12-06
Permissions-aware content retrieval with SharePoint and LlamaCloud
A much-requested feature of LlamaCloud's SharePoint integration is permissions-awareness: the ability to use SharePoint's granular access controls to also control access to documents in your RAG application. LlamaCloud supports this out of the box! In this step-by-step walkthrough, we'll show you how it works and what it looks like.
First we'll want to create a new Index by clicking "Create Index" in the top-right of the LlamaCloud interface.
We'll give our Index a human-readable name:
If we don't have one already, we'll need to create a SharePoint data source from the drop-down:
To give LlamaCloud itself access, you'll need a Site Name, a Client ID and secret, and a tenant ID. The other fields are optional but let you scope LlamaCloud's access more narrowly. You'll want LlamaCloud to have as much access as any user will need, because the permissions are enforced in your app.
We'll configure a managed data sink, OpenAI embeddings, and use the defaults for things like multi-modal indexing, parse settings (not shown) and transform settings (not shown). Then we'll click "Deploy index" at the bottom of the screen.
If all is well, LlamaCloud will connect and sync to your documents, pulling them in, parsing them, chunking them, and indexing them for you.
Once everything is indexed, you can go to your Index page and choose "data sources" to see a list of all the files LlamaCloud indexed for you.
Click the "eye" icon to view more detail about any file and click into the "chunks" tab. Here you'll see allowed_siteUser_ids and related fields indicating who has access.
Over in SharePoint's interface, you can click the "share" icon and select specific users with whom to share any individual file (you can also click the 3 dots and select "Manage Access"):
With that done, head back to LlamaCloud and click the "sync" button (or wait for automatic syncing to occur). You'll see the list of allowed users has changed in the chunks preview:
Now you can build a RAG app that is aware of the permissions on chunks and treats them appropriately!
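One way to enforce those chunk permissions at query time, as an added example (not LlamaIndex's or LlamaCloud's own code): a fail-closed filter over retrieved chunks, keyed on the allowed_siteUser_ids field. It assumes chunks arrive as dicts with "text" and "metadata", that the field holds a list of SharePoint site user IDs, and that user_id comes from your app's authenticated session; the sample chunks are constructed.

```python
from typing import Any

ACL_FIELD = "allowed_siteUser_ids"  # field name shown in the chunks preview

# Constructed sample chunks; the dict shape and the ID values are assumptions.
SAMPLE_CHUNKS = [
    {"text": "Q3 salary bands", "metadata": {ACL_FIELD: ["12"]}},
    {"text": "Office wifi guide", "metadata": {ACL_FIELD: ["12", "31"]}},
    {"text": "Unsynced draft", "metadata": {}},  # no ACL recorded
    {"text": "Legacy import", "metadata": {ACL_FIELD: [31]}},  # int ID
]


def normalize_ids(raw: Any) -> set:
    """Return the ACL as a set of string IDs; unparseable input yields an empty set."""
    if isinstance(raw, (str, int)):
        raw = [raw]
    if not isinstance(raw, (list, tuple, set)):
        return set()
    ids = set()
    for value in raw:
        # bool is a subclass of int; never treat True/False as a user ID.
        if isinstance(value, (str, int)) and not isinstance(value, bool):
            if str(value).strip():
                ids.add(str(value).strip())
    return ids


def authorized_chunks(chunks: list, user_id: Any) -> list:
    """Keep chunks whose ACL names user_id; a missing or empty ACL means deny."""
    wanted = normalize_ids(user_id)
    if len(wanted) != 1:
        return []  # no usable identity: fail closed
    kept = []
    for chunk in chunks:
        meta = chunk.get("metadata")
        if isinstance(meta, dict) and wanted <= normalize_ids(meta.get(ACL_FIELD)):
            kept.append(chunk)
    return kept


def build_context(chunks: list, user_id: Any) -> str:
    """Join only the authorized chunk text for use in the LLM prompt."""
    return "\n---\n".join(c["text"] for c in authorized_chunks(chunks, user_id))


if __name__ == "__main__":
    for uid in ("12", "31", "99"):
        print(uid, [c["text"] for c in authorized_chunks(SAMPLE_CHUNKS, uid)])
```

Apply the filter before any chunk text reaches the prompt. Because the field is refreshed on sync, a permission change made in SharePoint shows up in your app only after the next sync.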