PRACTICAL GUIDE / permission-aware RAG testing

Permission-Aware RAG Tests for Cross-Tenant Retrieval Leakage

Test permission-aware RAG with synthetic tenant canaries, pre-ranking ACL enforcement, trace assertions, policy-version fixtures, and fail-closed gates.

By The Testing AcademyUpdated July 11, 202610 min read
All field guides
In this guide11 sections
  1. Define the security invariant and trust boundary
  2. Build a principal and policy matrix
  3. Create synthetic canary corpora
  4. Enforce authorization before ranking
  5. Assert every observable stage
  6. Probe adversarial and confused-deputy paths
  7. Test revocation, caches, and failures
  8. Scope labels and corpus splits correctly
  9. Measure security, quality, and latency together
  10. Review uncertainty and ablations safely
  11. Execute a permission-aware release plan

What you will learn

  • Define the security invariant and trust boundary
  • Build a principal and policy matrix
  • Create synthetic canary corpora
  • Enforce authorization before ranking

Permission-aware RAG has a binary security invariant before it has a relevance objective: evidence outside the requesting principal's authorization set must not cross the retrieval trust boundary. Filtering a final answer is too late if an unauthorized chunk already reached a reranker, model prompt, cache, trace, or analyst dashboard.

The test strategy must exercise identity, policy, indexing, ranking, generation, and observability as one path. Synthetic tenant canaries make leakage detectable without putting real customer data at risk, while authorized-recall and latency measurements ensure the secure path remains usable.

Animated field map

Cross-Tenant Retrieval Leakage Test

A versioned tenant identity enters ACL-filtered retrieval, where adversarial queries and complete trace assertions verify that only authorized chunks survive.

  1. 01 / tenant identity

    Tenant Identity

    Bind principal, tenant, roles, groups, policy version, and request time.

  2. 02 / acl filtered index

    ACL-Filtered Index

    Enforce eligible document and chunk scope inside the trusted search boundary.

  3. 03 / adversarial query

    Adversarial Query

    Probe exact markers, shared topics, role changes, revocations, and cache keys.

  4. 04 / retrieved chunks

    Retrieved Chunks

    Inspect candidates, scores, reranker input, citations, logs, and fallback paths.

  5. 05 / leakage assertion

    Leakage Assertion

    Require zero unauthorized artifacts while gating authorized recall and latency.

Define the security invariant and trust boundary

Write the invariant in terms of observable artifacts: for principal P, corpus snapshot C, policy version V, and request time T, every document or derived chunk entering ranking, reranking, generation, citation, caching, or logging must belong to the eligibility set authorized for that tuple. Unknown eligibility is denied, not guessed.

Define where authorization is trusted. Identity verification, group expansion, ACL resolution, and policy evaluation should happen in controlled components, not inside a prompt. The model may explain an access denial, but it must not decide that a persuasive query overrides a document policy.

The MCP security best-practices guide is an official threat-model reference for authorization boundaries and delegated access. Apply the same discipline to RAG connectors: bind access to the actual user context, avoid confused-deputy behavior, and restrict credentials and scopes to the operation being performed.

Build a principal and policy matrix

Test more than tenant ID. Include users with no groups, one group, overlapping groups, tenant administrator roles, read-only roles, suspended users, service identities, and principals whose membership changes during a session. Add document states such as tenant-private, group-shared, user-private, globally public, revoked, and time-limited.

Every case stores identity issuer, subject, tenant, roles, groups, token audience, authentication time, policy version, request time, and expected eligible document IDs. Keep authentication and authorization expectations separate: a valid token can still lack permission for a source.

Include negative combinations that look plausible. Reuse the same user ID string in two synthetic tenants, use group names shared across tenants, and create resources whose external IDs collide while canonical tenant-scoped IDs differ. These cases catch joins or cache keys that omit tenant scope.

Create synthetic canary corpora

Build at least two synthetic tenants with parallel document structures. Give each a unique, harmless marker and several documents with nearly identical wording. If retrieval separates tenants only because topics differ, the test will not exercise authorization. Matched documents force the ACL boundary, not semantics, to decide eligibility.

Create positive canaries the principal may retrieve and negative canaries it must never observe. Include markers in body text, titles, metadata, chunk boundaries, and derived summaries. Never use real customer secrets, production credentials, or personal data. The fixture should remain safe even if every artifact is exposed to a test reviewer.

Version ACL changes. A document can move from private to shared, a group membership can be revoked, or a tenant can be disabled. Preserve event order and use a controlled clock so cache invalidation and session refresh behavior can be reproduced.

JSON
{
  "caseId": "acl-tenant-cross-014",
  "principal": {
    "subject": "user-7",
    "tenant": "tenant-a",
    "groups": ["support"],
    "policyVersion": "policy-12"
  },
  "query": "Find the launch marker for the support handbook",
  "mustAllow": ["tenant-a:handbook:v3:chunk-2"],
  "mustDeny": ["tenant-b:handbook:v3:chunk-2"],
  "deniedMarkers": ["CANARY_TENANT_B_9Q7"],
  "requestTime": "2026-06-30T10:00:00Z"
}

This record is illustrative. Store generated fixture provenance and expected policy reasoning outside the model-visible payload.

Enforce authorization before ranking

The LangChain retrieval documentation describes search across indexed data as a distinct runtime step. The authorization filter belongs in the trusted path that determines which indexed data is eligible for that search. Validate that every chunk carries a resolvable parent policy and that derived representations inherit the intended scope.

Post-filtering a global top list creates two problems. First, unauthorized candidates may cross internal boundaries before removal. Second, authorized recall can collapse when denied documents consume the top ranks. Pre-ranking eligibility or a tenant-isolated index avoids those specific failure modes, though its implementation and operational tradeoffs still require testing.

If a backend cannot enforce the full policy, place a trusted retrieval service in front of it and ensure raw results never escape that service. Oversampling followed by filtering may help authorized recall, but it does not excuse logging or transmitting unauthorized candidates. High-consequence designs may require physical or cryptographic isolation rather than metadata filtering alone.

Assert every observable stage

Do not assert only the final answer. Inspect first-stage candidate IDs, metadata, similarity scores, reranker input, selected context, prompt payload, citations, model output, caches, traces, metrics labels, error messages, and review queues. The first unauthorized artifact marks the boundary failure.

Use stable canary detection on exact synthetic markers and canonical IDs. Also inspect summaries and paraphrases because generation can reveal content without repeating the marker. For deterministic fixtures, expected facts can be enumerated and prohibited at the claim level.

An authorization assertion should run before relevance scoring. A semantically perfect answer based on another tenant's document is a security failure, not a high-quality retrieval. Stop the case, preserve a restricted incident trace, and avoid sending leaked content into ordinary evaluation tooling.

Probe adversarial and confused-deputy paths

Query exact denied titles, unique markers, known document IDs, shared employee names, and phrases copied from the negative canary. Ask the assistant to compare tenants, quote an earlier user's context, ignore filters, or use an administrator connector. These prompts should not change the principal's eligibility set.

Exercise connectors with separate credentials. A service account that can read all tenants must apply user authorization before data is retrieved, not merely after a privileged search. Verify resource indicators, tenant binding, token audience, delegated scopes, and policy version at each call boundary supported by the architecture.

Test indirect paths: query rewriting, synonym expansion, hybrid branches, reranking, fallback search, document previews, autocomplete, citation resolution, and tool retries. A primary vector path may filter correctly while a lexical fallback or citation fetch uses a global index.

Test revocation, caches, and failures

Warm every cache with an authorized request, then repeat the same query as an unauthorized principal. Cache keys and stored values must include the identity and policy dimensions needed to prevent reuse. Repeat with users in the same tenant but different groups, and with the same subject string in another tenant.

Apply a revocation event and test before and after the declared propagation boundary. Old chunks, generated answers, search results, and source previews must stop appearing as required by policy. Long-lived sessions should refresh authorization according to the product contract rather than retaining access indefinitely.

Simulate identity-provider, policy-service, index, and connector failures. Protected retrieval should fail closed when eligibility cannot be established. Verify that retries do not drop filters, fallbacks do not broaden scope, and error messages do not reveal that a denied document exists.

Scope labels and corpus splits correctly

Relevance judgments are principal-specific. A document can be the best semantic answer and still have zero eligibility for the requester. Store relevant and authorized as separate fields keyed by policy version and time. Authorized recall is calculated only over eligible relevant evidence; unauthorized exposure is a separate security metric.

Keep fixture tenants, document families, query templates, and canary markers out of model training and prompt examples. Split source and generated variants before tuning retrieval. A held-out security set should include unseen marker formats and policy combinations, while a stable sentinel set protects known failure paths.

Assessors should receive only data they are permitted to view. Cross-tenant pool construction can itself leak content into an annotation platform. Use synthetic fixtures for broad attack testing and tenant-scoped review environments for any real-world relevance analysis.

Measure security, quality, and latency together

The primary security count is unauthorized artifacts observed at any declared boundary, broken down by stage and policy case. The release requirement for a controlled test suite should be zero observed leakage, while acknowledging that passing tests does not prove the absence of all vulnerabilities. Expand threat coverage continuously.

Alongside security, report authorized recall at k, first eligible rank, empty-result rate, abstention behavior, and answer groundedness. Overly broad denial can make the system secure but unusable. Never combine leakage and relevance into one average where a quality gain can offset an authorization failure.

Measure policy lookup, filtered retrieval, reranking, cache, and end-to-end latency under realistic concurrency and ACL cardinality. Compare tenant-isolated and filtered designs under the same workload if architecture is still being selected. Thresholds belong to local service objectives; the non-negotiable condition is that timeout or overload must not disable authorization.

Review uncertainty and ablations safely

Authorization outcomes should be deterministic for a frozen identity, policy, resource, and time. If policy data is incomplete or conflicting, classify the result as denied or error according to the fail-closed contract. Do not let a model judge resolve security ambiguity.

Relevance and answer judgments can still be uncertain. Preserve assessor disagreement and unknown labels without weakening the deny assertion. A candidate may require more relevance evidence while already failing security on one definite unauthorized ID.

Run unsafe ablations only against synthetic corpora in an isolated environment. Comparing no-filter, post-filter, pre-filter, and tenant-isolated paths can locate the control that prevents leakage and quantify authorized-recall effects. Never disable authorization against real multi-tenant data for convenience.

Execute a permission-aware release plan

  1. Freeze the identity tuple, policy engine version, trust boundary, corpus snapshot, and fail-closed behavior.
  2. Build matched synthetic tenant corpora with allowed and denied canaries, collisions, ACL changes, and controlled clocks.
  3. Enforce eligibility inside a trusted retrieval boundary and validate document-to-chunk policy inheritance.
  4. Assert candidates, reranker inputs, prompts, citations, caches, traces, and outputs before calculating relevance.
  5. Probe exact markers, shared topics, connector delegation, query rewrites, fallbacks, revocations, and dependency failures.
  6. Report unauthorized exposure separately from authorized recall, groundedness, empty results, latency, and uncertainty.
  7. Block release on any definite leak or fail-open path; repair the earliest boundary and rerun the complete policy matrix.

Permission-aware retrieval is secure only when authorization survives every transformation and failure path. Synthetic canaries, complete trace assertions, and principal-scoped relevance labels turn cross-tenant isolation from an assumption into a repeatable release test.

The Testing Academy editorial desk

Practical QA guidance built around test evidence, production tradeoffs, and interview-ready explanations.

Published July 11, 2026 / Reviewed July 11, 2026

PRIMARY REFERENCES

Verify the details at the source

QABattle guides are practical explanations. Product behavior, standards, and APIs can change, so use these primary references for the canonical details.

  1. 01
    Retrieval documentation

    LangChain

    Official retrieval pipeline concepts covering indexing, retrieval, and generation boundaries.

  2. 02
    Ragas metric reference

    Ragas

    Primary definitions for retrieval, groundedness, relevance, and agent evaluation metrics.

  3. 03
    Web Security Testing Guide

    OWASP Foundation

    Primary web application security testing scenarios and methodology.

FAQ / QUICK ANSWERS

Questions testers ask

Is filtering unauthorized documents after vector search sufficient?

Usually not as a security boundary. Unauthorized candidates may reach caches, logs, rerankers, or traces before post-filtering, and the final list may underfill. Enforce eligibility in a trusted retrieval boundary.

What counts as cross-tenant leakage in a RAG test?

Any unauthorized content, identifier, metadata, score, citation, summary, or existence signal that crosses the declared trust boundary. A blocked final answer does not erase an earlier candidate exposure.

Should real customer documents be used as leakage canaries?

No. Use synthetic, non-sensitive documents with unique markers and controlled ACLs. Real tenant data expands impact and can expose it to test systems, reviewers, logs, or model providers.

How should retrieval relevance labels handle permissions?

Scope them to a principal and policy version. A document can be semantically relevant yet ineligible, so authorized recall and unauthorized exposure must be measured as separate dimensions.

What should happen when the authorization service is unavailable?

Follow a predeclared fail-closed policy for protected data. Tests should verify that retries, fallbacks, caches, and degraded search never broaden access when eligibility cannot be established.