Hero MotoCorp — 0 RBAC Leaks Across 101 Evaluations: Enterprise Knowledge on Gemini Enterprise with Access Control Reconstructed Inside the Agent
Hero MotoCorp partnered with Wohlig Transformations to build an ADK agent on Vertex AI Agent Engine, surfaced through Gemini Enterprise, that answers natural-language questions over the Hero Wisdom Sphere (HWS) knowledge repository — with per-user RBAC enforced inside the agent itself, verified by an independent 101-case evaluation: 0 real RBAC leaks, 100% tool selection, ~90% accuracy.
Project Overview
The Hero Wisdom Sphere (HWS) is Hero’s institutional knowledge repository — R&D, manufacturing, and quality documents — running on a customised DSpace instance backed by PostgreSQL (cdl_prod) on-premises. A single architectural constraint shaped the entire engagement: the on-prem MCP server that fronts the database is client-owned and out of scope for modification, and it exposes one all-powerful tool, query_database, capable of running any read-only SELECT with full read access. Rather than trust the model with that surface, Wohlig made the defining design decision to reconstruct per-user access control inside the agent — the LLM is restricted to four safe tools and never sees raw SQL, while deterministic Python resolves verified identity, applies the HWS L1-L5 access model, and builds an access-clamped query before anything reaches the MCP. Employees ask in plain English through Gemini Enterprise (Workspace SSO); the answer is grounded, cited, and scoped to their entitlements. An independent 101-case evaluation on the deployed agent confirmed the approach: zero real RBAC leaks, perfect tool selection, and roughly 90% accuracy.
The Challenge
Single All-Powerful MCP Tool: The on-prem MCP server exposes one tool — query_database — that runs any read-only SELECT with full database read access. Anything attached to the model would inherit that blast radius.
Client-Owned, Out of Scope: The MCP server and the DSpace instance itself are client-owned; modifying them was explicitly out of scope per the SOW. The fix had to live entirely in the agent layer.
Native DSpace Permissions Don’t Isolate: DSpace’s native resourcepolicy group 8 ("Read") grants every user READ on every item — there is no built-in gate to lean on for per-user isolation.
Hidden Multi-Level Access Model: The real control is HWS’s level-driven access model (L1-L5), documented in the client’s MCP reference — but it had to be reconstructed in the agent, not inherited from the database.
Identity at Production Grade: Verified Workspace identity must flow end-to-end from Gemini Enterprise → ADK → tool calls, and must never be read from model output.
Key Objectives
Surface Through Gemini Enterprise: Employees ask in plain English; the answer is grounded, cited, and respects their entitlements.
Never Expose Raw SQL to the LLM: Restrict the LLM to a small set of safe tools; deterministic code builds the access-clamped query.
Enforce L1-L5 In-Agent: Reconstruct the access model from the client’s MCP reference; fail-closed for unknown users and conflicting items.
Independent Evaluation: Prove the design with a 101-case suite using ground truth verified independently from the database.
Production-Grade Concurrency: Cache clients per event loop; scale via instances, not in-process concurrency.
Secure On-Prem Connectivity: Cloud HA VPN + Shared VPC + PSC interface; read-only end to end.
The Solution: ADK Agent with RBAC Reconstructed in the Agent
Four Safe Tools — search_documents, get_document, browse_documents, and list_knowledge_scope. The raw query_database tool is never attached to the LLM; the model can only ever choose among these four narrow capabilities.
The L1-L5 Access Model — L1 Public / L2 R&D-wide (R&D departments) / L3 Department (owning department) / L4-L5 explicit per-item grants only / Admin bypass (DSpace group 1, directly or via group2groupcache). Most-restrictive level wins on conflicts. Fail-closed throughout.
Identity Propagation — Gemini Enterprise passes the verified Workspace email to the agent as the ADK user_id (empirically confirmed via probe before being relied upon). identity.py reads it from the runtime context; the model is never trusted to provide identity.
sql_guard (sqlglot AST validation) — single statement, SELECT-only, no CTE, table allow-list, and denial of eperson secret columns (password/salt/digest_algorithm). All literals are escaped, so a malicious keyword becomes an inert string literal.
End-to-End Connectivity — Cloud HA VPN + Shared VPC + PSC interface → on-prem MCP server → PostgreSQL cdl_prod. A read-only DB user (hws_mcp) and a SELECT-only MCP keep the path read-only end to end.
Technology Stack — Gemini Enterprise, Vertex AI Agent Engine, Gemini 3 Flash Preview (Vertex AI global endpoint), Vertex text-embedding-005, Google Agent Development Kit (ADK), MCP client, sqlglot, Cloud VPN HA, Shared VPC, PSC interface, Cloud IAM, Secret Manager, and Cloud Logging + Monitoring.
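To make the L1-L5 rules above concrete, here is an added Python resolver (not Wohlig’s entitlements.py, whose internals the page does not show) that applies them exactly as listed: most-restrictive level wins, admin bypass through DSpace group 1 directly or via group2groupcache, explicit grants only for L4/L5, and fail-closed for unknown users and for records whose level is missing or unparseable. The record layouts, the department names, every group id other than 1, and the sample documents are constructed for the example; it also mirrors the data-quality flagging of conflicting and corrupt auth-levels described later on the page.

```python
"""Added example: a fail-closed resolver for the HWS L1-L5 access model as the
page describes it. Not Wohlig's entitlements.py; record shapes, department
names and sample data are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

ADMIN_GROUP_ID = 1                   # DSpace Administrator group (named on the page)
RND_DEPARTMENTS = {"R&D", "R&D-EV"}  # constructed: departments that count as "R&D-wide"
LEVEL_RE = re.compile(r"^L([1-5])$")


@dataclass(frozen=True)
class Principal:
    email: str                  # verified Workspace email from the ADK runtime, never from the model
    department: str
    groups: frozenset           # DSpace epersongroup ids the user belongs to directly


@dataclass(frozen=True)
class ItemRecord:
    doc_id: str
    auth_levels: tuple          # raw metadata values as stored; may conflict or be corrupt
    owning_department: str
    explicit_grants: frozenset  # emails granted individually (L4/L5)


def effective_level(item: ItemRecord) -> Optional[int]:
    """Most-restrictive level wins; any unparseable value means fail-closed (None)."""
    levels = []
    for raw in item.auth_levels:
        match = LEVEL_RE.match(raw.strip())
        if not match:
            return None
        levels.append(int(match.group(1)))
    return max(levels) if levels else None


def is_admin(principal: Principal, group2groupcache: set) -> bool:
    """Admin bypass: direct membership in group 1, or group 1 is a parent of one of
    the user's groups according to the (parent_id, child_id) rows of group2groupcache."""
    if ADMIN_GROUP_ID in principal.groups:
        return True
    return any((ADMIN_GROUP_ID, g) in group2groupcache for g in principal.groups)


def can_read(principal: Optional[Principal], item: ItemRecord, group2groupcache: set) -> bool:
    if principal is None:               # unknown user: fail closed
        return False
    if is_admin(principal, group2groupcache):
        return True
    level = effective_level(item)
    if level is None:                   # corrupted or empty auth-level: fail closed
        return False
    if level == 1:                      # L1 Public
        return True
    if level == 2:                      # L2 R&D-wide
        return principal.department in RND_DEPARTMENTS
    if level == 3:                      # L3 owning department only
        return principal.department == item.owning_department
    return principal.email in item.explicit_grants   # L4/L5: explicit per-item grants only


def data_quality_flags(items) -> dict:
    """Flag records with conflicting or corrupt auth-levels instead of silently resolving them."""
    flags = {}
    for item in items:
        if effective_level(item) is None:
            flags[item.doc_id] = "corrupt"
        elif len(set(item.auth_levels)) > 1:
            flags[item.doc_id] = "conflict"
    return flags


# Constructed sample data: group 7 is nested inside the Administrator group (1).
GROUP_CACHE = {(1, 7)}
ITEMS = [
    ItemRecord("DOC-A", ("L1",), "Quality", frozenset()),
    ItemRecord("DOC-B", ("L2",), "R&D", frozenset()),
    ItemRecord("DOC-C", ("L3",), "Quality", frozenset()),
    ItemRecord("DOC-D", ("L4",), "R&D", frozenset({"alice@example.com"})),
    ItemRecord("DOC-E", ("L2", "L3"), "R&D", frozenset()),   # conflicting levels -> L3 wins
    ItemRecord("DOC-F", ("L9",), "R&D", frozenset()),        # corrupted level -> nobody but admin
]


def visible_docs(principal: Optional[Principal], items=ITEMS, cache=GROUP_CACHE) -> list:
    return [item.doc_id for item in items if can_read(principal, item, cache)]


if __name__ == "__main__":
    alice = Principal("alice@example.com", "Quality", frozenset({5}))
    bob = Principal("bob@example.com", "R&D-EV", frozenset({5}))
    admin = Principal("root@example.com", "IT", frozenset({7}))
    print(visible_docs(alice), visible_docs(bob), visible_docs(admin), visible_docs(None))
    print(data_quality_flags(ITEMS))
```

The resolver returns a decision per record; in the agent this same logic would be expressed once as the access predicate that deterministic code attaches to every query, so the model never has the option of omitting it.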
Key Benefits & Results
Previous: All-powerful single MCP tool. Our Solution: 4 safe tools with raw SQL never exposed to the LLM. Result: An architectural ceiling on blast radius — injection or misinstruction cannot widen access.
Previous: DSpace native permissions ineffective (group 8 reads everything). Our Solution: L1-L5 model reconstructed in entitlements.py from the client’s MCP reference. Result: Per-user access correctly enforced at the agent layer.
Previous: Model-provided identity is unsafe. Our Solution: Verified Workspace email from the ADK runtime context (empirically confirmed). Result: Identity never trusted from model output; fail-closed for unknown users.
Previous: Free-form SQL generation risk. Our Solution: sqlglot AST guard + escaped literals + read-only end to end. Result: A malicious keyword becomes an inert string literal; a missing filter cannot occur.
Previous: No production evidence. Our Solution: 101-case eval with ground truth from an independent read-only introspection engine. Result: 0 real RBAC leaks, 100% tool selection, ~90% accuracy (94% single-turn, 69% multi-turn).
Previous: Concurrency pitfalls (single-global clients raise “Future attached to a different loop”). Our Solution: Per-event-loop client caching + scaling via instances. Result: A production-stable runtime.
Technical Innovation
RBAC Reconstructed in the Agent: The on-prem MCP server is client-owned and out of scope. The LLM is restricted to 4 safe tools; deterministic Python resolves verified identity, entitlements, and the access predicate before any query reaches the MCP.
Defence in Depth: No raw-SQL tool on the model; sqlglot AST validation; escaped literals; read-only end to end; PSC + HA VPN. Five orthogonal layers — an injected instruction cannot widen scope, and an omitted filter cannot occur.
Independent Eval Harness: A 101-case suite plus 10 client-acceptance questions, with ground truth from an independent read-only introspection engine — not LLM-as-judge. Cross-department L3 and unknown-user requests were correctly denied.
Per-Event-Loop Client Caching: The genai client and MCP toolset are cached per event loop (a single global raises concurrency errors in this runtime). Scaling is via instances and container_concurrency=9, not in-process concurrency.
Transparent Data-Quality Flagging: Three records with conflicting auth-levels (HWS-DOC-279/0, 371/0) and one corrupted record (HWS-DOC-225/0) were surfaced to Hero’s HWS team — production hygiene, not silent papering-over.
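For the per-event-loop caching point above, the following added example (not the project’s code) reproduces the pitfall and the fix with a stand-in client. FakeClient is constructed so the example runs offline, but, like the genai client and MCP toolset, its futures are bound to the loop that created it, so a single global instance fails once a different loop tries to use it.

```python
"""Added example: cache one client per running event loop. FakeClient is a
constructed stand-in for the genai client / MCP toolset."""
import asyncio
import weakref


class FakeClient:
    """Stand-in client whose I/O futures belong to the loop that created it."""

    def __init__(self) -> None:
        self.loop = asyncio.get_running_loop()

    async def query(self, q: str) -> str:
        fut = self.loop.create_future()                  # bound to the creating loop
        self.loop.call_soon(fut.set_result, f"result for {q}")
        return await fut                                  # from another loop this raises RuntimeError


# loop -> client; a weak key lets the entry vanish together with the loop
_clients: "weakref.WeakKeyDictionary[asyncio.AbstractEventLoop, FakeClient]" = weakref.WeakKeyDictionary()


def get_client() -> FakeClient:
    """Return the client cached for the current loop, creating it on first use."""
    loop = asyncio.get_running_loop()
    client = _clients.get(loop)
    if client is None:
        client = FakeClient()
        _clients[loop] = client
    return client


async def _same_loop() -> bool:
    a, b = get_client(), get_client()
    results = await asyncio.gather(a.query("x"), b.query("y"))
    return a is b and results == ["result for x", "result for y"]


def same_loop_reuses_client() -> bool:
    """Within one loop every caller shares the cached client."""
    return asyncio.run(_same_loop())


def separate_loops_get_separate_clients() -> bool:
    """Each loop (e.g. each worker) gets its own client instead of a shared global."""
    async def grab() -> FakeClient:
        return get_client()
    c1 = asyncio.run(grab())
    c2 = asyncio.run(grab())
    return c1 is not c2 and c1.loop is not c2.loop


def global_client_breaks_across_loops() -> bool:
    """The pitfall: a 'single global' client created on one loop, used from another."""
    async def make() -> FakeClient:
        return FakeClient()
    stale = asyncio.run(make())          # its loop is closed once asyncio.run returns

    async def use() -> str:
        return await stale.query("q")
    try:
        asyncio.run(use())
    except RuntimeError:                 # closed loop / future attached to a different loop
        return True
    return False


if __name__ == "__main__":
    print(same_loop_reuses_client(), separate_loops_get_separate_clients(),
          global_client_breaks_across_loops())
```

Horizontal scale then comes from more instances with a fixed container concurrency, as the page describes, rather than from sharing one client across loops inside a process.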
Wohlig’s Approach
Discovery & connectivity design — workshops with Hero stakeholders; review of the GCP landing zone, IAM policies, and network topology; site-to-site VPN + Shared VPC + PSC design.
RBAC + safe-tools architecture — reconstruct the L1-L5 access model from the client’s MCP reference; design the 4 safe tools; design the sql_guard validator.
ADK agent build — implement identity, entitlements, search, sql_guard, and mcp_client; integrate Vertex text-embedding-005 for in-agent rerank; cache genai + MCP per event loop.
Independent eval harness — a 101-case suite plus 10 client-acceptance questions; ground truth from a read-only introspection engine; RBAC, tool-selection, and accuracy judges.
Deployment to Vertex AI Agent Engine — extra_packages=[app], PSC network attachment, container_concurrency=9, min/max instances, and resource limits.
Gemini Enterprise registration + handover — import into Gemini Enterprise; validate end-to-end invocation; deliver an architecture document, implementation guide, runbook, and knowledge transfer.
About Hero MotoCorp
Hero MotoCorp Limited is the world’s largest manufacturer of motorcycles and scooters by volume, headquartered in New Delhi with a presence across more than 40 countries. Hero has built a strong reputation for innovation, manufacturing excellence, and customer-centric product design, and is embedding generative + agentic AI into internal workflows as part of its digital transformation programme.
About Wohlig Transformations Pvt. Ltd.
Founded in 2015, Wohlig Transformations specialises in GenAI and DevOps, with 160+ professionals across India and the UK.