Permissioned LLMs: Enforcing Access Control in Large Language Models

Bargav Jayaraman, Virendra J. Marathe, Hamid Mozaffari, William F. Shen, Krishnaram Kenthapadi

TL;DR

This work formulates Permissioned LLMs (PermLLMs) to enforce enterprise data access controls within fine-tuned language models by mapping data-domain constraints to parameter subsets via PEFT adapters. It introduces a formalism around relevant responses and a new auditing metric, access advantage, with two instantiations—Domain Distinguishability Index (DDI) and Utility Gap Index (UGI)—to evaluate enforcement. Three PEFT-based mechanisms are proposed: Activate (one LoRA per domain), Merge (merge adapters for domain groups), and Union (train adapters on domain unions), with formal guarantees and auditing frameworks. Extensive experiments on five public datasets using Llama-3.1-8B and Mistral-0.1-7B demonstrate that Union yields the strongest domain separation (high DDI) and robust access control, while the evaluation metrics capture utility trade-offs across multi-domain scenarios. The findings highlight the viability of formal, auditable access control in PermLLMs for secure enterprise deployments, while noting scalability and hierarchy limitations as avenues for future work.

Abstract

In enterprise settings, organizational data is segregated, siloed and carefully protected by elaborate access control frameworks. These access control structures can completely break down if an LLM fine-tuned on the siloed data serves requests, for downstream tasks, from individuals with disparate access privileges. We propose Permissioned LLMs (PermLLM), a new class of LLMs that superimpose the organizational data access control structures on query responses they generate. We formalize abstractions underpinning the means to determine whether access control enforcement happens correctly over LLM query responses. Our formalism introduces the notion of a relevant response that can be used to prove whether a PermLLM mechanism has been implemented correctly. We also introduce a novel metric, called access advantage, to empirically evaluate the efficacy of a PermLLM mechanism. We introduce three novel PermLLM mechanisms that build on Parameter Efficient Fine-Tuning to achieve the desired access control. We furthermore present two instantiations of access advantage--(i) Domain Distinguishability Index (DDI) based on Membership Inference Attacks, and (ii) Utility Gap Index (UGI) based on LLM utility evaluation. We demonstrate the efficacy of our PermLLM mechanisms through extensive experiments on five public datasets (GPQA, RCV1, SimpleQA, WMDP, and PubMedQA), in addition to evaluating the validity of DDI and UGI metrics themselves for quantifying access control in LLMs.

Paper Structure

This paper contains 45 sections, 3 theorems, 2 equations, 11 figures, 9 tables.

Key Result

Lemma B.1

In Merge and Union, after fine-tuning, for every user $u$ that has access to $S_u \subseteq \mathbb{S}$, $\exists\, l_{S_u}$, where $l_{S_u}$ is a LoRA adapter, $S_u$ affects parameters $W_{l_{S_u}}$, and $W_{l_{S_u}}$ is not affected by any other security domains in $S$.

Figures (11)

  • Figure 1: We propose three types of Permissioned LLM (PermLLM) mechanisms. (a) Activate: that has one-to-one mapping between the security domains and PEFT adapters. When a user queries the model, the mechanism activates the relevant adapter(s). (b) Merge: merges subsets of relevant PEFT adapters to serve the users that have access to multiple security domains. (c) Union: trains adapters on the unions of various security domains, and at the inference phase the relevant PEFT adapter is activated to serve a user query that requires access to multiple security domains.
  • Figure 2: Utility Gap Index, $\Delta_U$ ($\text{mean} \pm \text{std}$) when user has access to one security domain.
  • Figure 3: Utility Gap Index, $\Delta_U$ ($\text{mean} \pm \text{std}$) for Llama-3.1-8B models fine-tuned on SimpleQA when user has access to multiple security domains.
  • Figure 4: Comparing model loss on WMDP data set.
  • Figure 5: Comparing model loss on GPQA data set.
  • ...and 6 more figures
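
The adapter selection described in the Figure 1 caption and the isolation property stated in Lemma B.1 can be sketched as follows. This is an added example, not code from the paper: the domain names, the toy weight vectors standing in for LoRA deltas, the unweighted-mean merge rule and the `isolated` audit helper are all assumptions made for illustration.

```python
from itertools import combinations

DOMAINS = ("finance", "hr", "legal")  # constructed security domains

# Constructed stand-ins for per-domain LoRA weight deltas (flattened B @ A).
PER_DOMAIN = {"finance": [1.0, 0.0, 0.0], "hr": [0.0, 2.0, 0.0],
              "legal": [0.0, 0.0, 4.0]}

# Union: one adapter per permitted domain *set*. The values are placeholders
# for adapters fine-tuned on the union of those domains' data.
UNION = {frozenset(c): [float(len(c))] * 3
         for r in range(1, len(DOMAINS) + 1) for c in combinations(DOMAINS, r)}


def _check(user_domains):
    """Fail closed: an empty or unknown domain set never reaches an adapter."""
    s = frozenset(user_domains)
    if not s or not s <= set(DOMAINS):
        raise PermissionError(f"no adapter for domain set {sorted(s)}")
    return s


def activate(user_domains, adapters=PER_DOMAIN):
    """Activate: return the per-domain adapters the user may use, nothing else."""
    return {d: adapters[d] for d in sorted(_check(user_domains))}


def merge(user_domains, adapters=PER_DOMAIN):
    """Merge: combine only the permitted adapters (assumed: unweighted mean)."""
    chosen = list(activate(user_domains, adapters).values())
    return [sum(col) / len(chosen) for col in zip(*chosen)]


def union(user_domains, adapters=UNION):
    """Union: look up the adapter keyed by exactly S_u, never a superset."""
    return adapters[_check(user_domains)]


def isolated(mechanism, user_domains, adapters=PER_DOMAIN):
    """Audit: changing an adapter outside S_u must not change the user's weights."""
    before = mechanism(user_domains, adapters)
    tampered = {d: (v if d in user_domains else [x + 99.0 for x in v])
                for d, v in adapters.items()}
    return mechanism(user_domains, tampered) == before
```

The `isolated` check is a structural test of the routing layer only; it says nothing about what the adapters learned, which is what the paper's DDI and UGI metrics are meant to audit.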

Theorems & Definitions (10)

  • Definition 2.1: Relevant Response
  • Definition 2.2: Access Advantage
  • Definition 4.1: Domain Distinguishability Index (DDI)
  • Definition 4.2: Utility Gap Index (UGI)
  • Definition A.1: Relevant Response for PermRAG
  • Definition A.2: Access Advantage for PermRAG
  • Lemma B.1
  • Lemma B.2
  • Theorem B.3
  • proof