Role-Aware Language Models for Secure and Contextualized Access Control in Organizations

TL;DR

This paper explores fine-tuning large language models to generate role-specific responses in enterprise settings, aiming to enhance secure access control by reflecting organizational roles and evaluating robustness against malicious prompts.

Contribution

It introduces three modeling strategies for role-aware LLMs and constructs datasets to evaluate their effectiveness in enterprise access control scenarios.

Findings

Role-conditioned generation effectively reflects organizational roles.

Models demonstrate robustness against prompt injection and role mismatch.

Constructed datasets enable comprehensive evaluation of role-sensitive LLMs.

Abstract

As large language models (LLMs) are increasingly deployed in enterprise settings, controlling model behavior based on user roles becomes an essential requirement. Existing safety methods typically assume uniform access and focus on preventing harmful or toxic outputs, without addressing role-specific access constraints. In this work, we investigate whether LLMs can be fine-tuned to generate responses that reflect the access privileges associated with different organizational roles. We explore three modeling strategies: a BERT-based classifier, an LLM-based classifier, and role-conditioned generation. To evaluate these approaches, we construct two complementary datasets. The first is adapted from existing instruction-tuning corpora through clustering and role labeling, while the second is synthetically generated to reflect realistic, role-sensitive enterprise scenarios. We assess model performance across varying organizational structures and analyze robustness to prompt injection, role mismatch, and jailbreak attempts.