Glossary
Definitions of acronyms and terms used across Genie documentation, the Authorization Concept, and the Logging & Monitoring Concept.
Product terms
| Term | Definition |
|---|---|
| Genie | DHL Genie — the AI-powered knowledge base chat platform documented on this site. |
| Knowledge Base (KB) | A logical collection of documents that users can chat with. Each KB has its own users, admins, and isolated search index entries. |
| Application | UI term for a Knowledge Base. "Apps Dashboard" lists all KBs you can access. |
| Citation | A clickable reference inside an AI answer pointing to the source document and page where the fact came from. |
| Streaming response | The AI answer arrives word-by-word as it is generated, not all at once. Implemented as NDJSON (one JSON object per line) streamed over a standard HTTP response rather than SSE. |
| Source link / Source File | The original document (PDF) cited in an answer. Only users with KB access can download it. |
Roles
| Role | Definition |
|---|---|
| Super Admin (R.1) | Member of the designated Entra security group. The only system-wide right is creating new knowledge bases. Does not automatically have access to every KB. |
| KB Creator (R.2) | The user who created a specific KB. Automatically receives full management rights on that KB at creation time. |
| KB Admin (R.3) | Delegated administrator for a specific KB. Can manage KB settings, users, files, and join requests. Explicitly assigned by the KB Creator or an existing KB Admin. In the UI this role is shown as Owner. |
| KB User (R.4) | Read-and-use access to a specific KB. Can chat with the KB and download cited documents. Assigned directly (per-user) or via Entra group membership. In the UI this role is shown as Reader. |
| Authenticated User (R.5) | Any user with a valid Entra ID session. Baseline access level upon successful authentication. Can submit join requests for KBs they don't yet have access to. |
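The five roles above map onto a small decision function. The following is an added example, not Genie's own code: it derives a user's effective role on one knowledge base from the R.1 to R.5 definitions and shows that a Super Admin who is not a KB member can create KBs but cannot read this one. The group ID, data shapes and action names are assumptions made for the example.

```python
# Added example, not Genie's own code: one way to derive a user's effective
# role on a single knowledge base from the role definitions R.1-R.5 above.
# Group ID, data shapes and action names are assumptions for the example.
from dataclasses import dataclass, field

SUPER_ADMIN_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"  # assumed Entra group object ID

@dataclass
class KnowledgeBase:
    kb_id: str
    creator_oid: str                                  # R.2
    admin_oids: set = field(default_factory=set)      # R.3, explicit per-user
    user_oids: set = field(default_factory=set)       # R.4, direct assignment
    user_group_ids: set = field(default_factory=set)  # R.4, via Entra group

@dataclass
class Principal:
    oid: str          # Entra object ID from the validated token
    group_ids: set    # group memberships looked up via Graph (OBO)

OWNER, READER = "Owner", "Reader"   # UI labels for R.2/R.3 and R.4

def effective_role(p: Principal, kb: KnowledgeBase):
    """Highest role p holds on kb, or None for a merely authenticated user (R.5)."""
    if p.oid == kb.creator_oid or p.oid in kb.admin_oids:
        return OWNER
    if p.oid in kb.user_oids or p.group_ids & kb.user_group_ids:
        return READER
    return None

def can_create_kb(p: Principal) -> bool:
    """The only system-wide right (R.1): membership in the super-admin group."""
    return SUPER_ADMIN_GROUP_ID in p.group_ids

def is_allowed(p: Principal, kb: KnowledgeBase, action: str) -> bool:
    """Per-KB authorization decision; anything not explicitly granted is denied."""
    role = effective_role(p, kb)
    if action in ("chat", "download_source"):
        return role in (OWNER, READER)
    if action in ("manage_settings", "manage_users", "manage_files", "decide_join_request"):
        return role == OWNER
    if action == "submit_join_request":
        return role is None      # only users without access need to ask
    return False                 # unknown action: deny by default
```

Note that super-admin membership is checked only in `can_create_kb`; it never feeds `effective_role`, which is what keeps R.1 from silently becoming a read-everything role.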
Authentication & authorization
| Term | Definition |
|---|---|
| SSO | Single Sign-On. Genie uses DHL's corporate Entra ID — no separate account or password. |
| MFA | Multi-Factor Authentication. Enforced at the identity-provider level via Conditional Access policies. |
| Entra ID | Microsoft Entra ID, formerly Azure Active Directory. The identity provider for all DHL corporate apps. |
| OAuth 2.0 | The protocol used to obtain access tokens after sign-in. |
| JWT | JSON Web Token. The access token Genie validates on every API call (issuer, audience, signature, expiry). |
| OBO | On-Behalf-Of flow. After validating your JWT, the backend uses OBO to call Microsoft Graph as you, to look up user and group information. |
| MSAL | Microsoft Authentication Library. The browser-side SDK that handles SSO + MFA + token refresh on the frontend. |
| OID | Entra Object ID. A stable per-user unique identifier used in every log line, audit record, and KB user list. Preferred over names or emails because it does not change for the lifetime of the account, whereas display names and email addresses can be renamed. |
| RBAC | Role-Based Access Control. Permissions are derived from the role you hold on a KB (assigned directly or via Entra group membership) rather than from ad-hoc per-action grants. |
| IAM | Identity and Access Management. The discipline that governs SSO, MFA, RBAC, and lifecycle. |
| Conditional Access | Entra policies that decide when to require MFA or block sign-in (e.g., based on device, location, or risk). |
| Service Identity / Managed Identity (MSI) | An identity Genie's backend itself uses to talk to other Azure services. No interactive login; permissions follow the least-privilege principle. |
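The JWT entry above lists the four checks the backend performs on every API call. The following is an added example, not Genie's own code, that carries those checks out in order with only the Python standard library. One assumption is deliberate: an HMAC-SHA256 signature with a shared key stands in for the RS256 signature a real Entra token carries, which a backend verifies against the tenant's published signing keys; the issuer and audience strings are placeholders, and `mint_token` exists only so the example can build tokens to check.

```python
# Added example, not Genie's own code: the claim checks named above (issuer,
# audience, signature, expiry) on a JWT, using only the standard library.
# Assumption: HS256 with a shared key stands in for the RS256 signature that a
# real Entra token carries; issuer and audience strings are placeholders.
import base64, hashlib, hmac, json, time

EXPECTED_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"  # placeholder
EXPECTED_AUDIENCE = "api://genie-backend"                               # placeholder
CLOCK_SKEW_SECONDS = 60

class TokenError(Exception):
    """Raised for any token that must be rejected; the message is for server logs only."""

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def validate_token(token: str, key: bytes, now=None) -> dict:
    """Return the claims of a valid token, or raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm before touching the signature: never let the token choose it.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise TokenError("bad signature")
    # Only now are the claims trustworthy enough to read.
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == EXPECTED_AUDIENCE or (isinstance(aud, list) and EXPECTED_AUDIENCE in aud)):
        raise TokenError("wrong audience")
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW_SECONDS:
        raise TokenError("expired")
    if now < claims.get("nbf", 0) - CLOCK_SKEW_SECONDS:
        raise TokenError("not yet valid")
    return claims

def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Test-only helper to build tokens; real tokens are issued by Entra, not by the backend."""
    h_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{h_b64}.{p_b64}.{_b64url_encode(sig)}"
```

The ordering matters: the algorithm is pinned and the signature verified before any claim is read, so a token with `alg: none` or a tampered payload is rejected without its contents ever influencing a decision. The returned claims carry the `oid` the rest of the backend keys its logs and KB user lists on.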
Retrieval-Augmented Generation
| Term | Definition |
|---|---|
| RAG | Retrieval-Augmented Generation. The technique Genie uses: retrieve relevant document passages, then ask the LLM to compose an answer grounded in those passages. |
| LLM | Large Language Model. Azure OpenAI hosts the GPT models used to compose answers. |
| Embedding | A high-dimensional vector representation of a piece of text, used for similarity search. |
| Chunk | A small slice of a document (paragraphs / sections) embedded and indexed separately so retrieval can return precise passages. |
| Vector search | Finding chunks whose embeddings are most similar to the question's embedding. |
| Hybrid search | Combination of keyword search (exact words) + vector search (semantic similarity) + semantic ranking. Genie uses all three. |
| Semantic ranker | Azure AI Search feature that reorders results by deep semantic relevance after the initial retrieval step. |
| System prompt | The instructions given to the LLM telling it how to behave (e.g., "answer only from these passages, cite sources"). Not user-editable in Genie. |
| Document Intelligence | Azure service that extracts text, tables, and figures from PDFs during upload. |
Logging & monitoring
| Term | Definition |
|---|---|
| PII | Personally Identifiable Information. Includes user OID, email, IP address, and document content. Genie minimizes PII collection. |
| Audit log | An append-only Cosmos DB record of every security-significant action. Retained 2555 days (~7 years) for compliance. |
| TTL | Time-to-Live. Automatic data expiration after a configured period (e.g., short-lived authentication tokens). |
| KQL | Kusto Query Language. Used to query Azure Log Analytics workspaces (admin / DevOps only). |
| SIEM | Security Information and Event Management. DHL's central security monitoring; for the advanced-systems tier, integration happens through the ITS SIEM at the operating-system layer. |
| ISTM | Information Security Target Model — the DHL document that defines security baselines all DHL apps must meet. |
Infrastructure
| Term | Definition |
|---|---|
| Azure Container Apps | The hosting service for the Quart backend. Auto-scales horizontally. |
| Azure Static Web Apps | The hosting service for the React frontend SPA. |
| OpenShift | The internal Red Hat container platform used by DHL for some corporate apps. Genie itself runs on Azure Container Apps, not OpenShift. |
| Cosmos DB | The NoSQL database where KB metadata, chat history, audit logs, file-processing jobs, and join requests are stored. |
| Blob Storage / ADLS Gen2 | Where uploaded documents are stored. |
| AI Search | The Azure search index where document chunks live. |
| Key Vault | Where secrets (API keys, connection strings, certificates) are stored. No plain-text secrets in code or env vars. |
| ACS | Azure Communication Services. Sends email notifications (e.g., for join requests). |
| ASGI | Asynchronous Server Gateway Interface. Quart is an ASGI framework, so a single worker process can hold many long-lived streaming chat responses open at once without blocking on each other. |
| SPA | Single Page Application. The Genie frontend (React + Vite). |
| SSE | Server-Sent Events. Streaming response protocol. Genie's chat uses NDJSON over HTTP rather than SSE, but the concept is similar. |
| NDJSON | Newline-Delimited JSON. The streaming wire format for chat responses — one JSON object per line. |
| W3C Trace Context | Standard headers (traceparent, tracestate) for distributed tracing across frontend and backend. |
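The NDJSON entry above describes the wire format but not what a consumer has to get right: HTTP delivers the stream in chunks that do not line up with the newlines, and a dropped connection can leave a partial object. The following is an added example, not Genie's own code, of a client-side reader that handles both. The event shapes (`delta`, `citation`, `done`) and the sample chunks are constructed for the example.

```python
# Added example, not Genie's own code: a client-side reader for the NDJSON chat
# stream described above. It yields one object per complete line regardless of
# how the transport splits the bytes into chunks, and refuses to render a stream
# that ends in the middle of a line. The event shapes ("delta", "citation",
# "done") and the sample chunks are constructed for this example.
import json

def iter_ndjson(chunks):
    """Yield one decoded JSON object per newline-terminated line."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        while (nl := buf.find(b"\n")) >= 0:
            line, buf = buf[:nl], buf[nl + 1:]
            if line.strip():                     # tolerate keep-alive blank lines
                yield json.loads(line)
    if buf.strip():
        # A partial trailing line means the connection dropped mid-object.
        raise ValueError("stream ended inside a JSON object")

def collect_answer(chunks):
    """Assemble the streamed answer text and its citations."""
    text, citations = [], []
    for event in iter_ndjson(chunks):
        kind = event.get("type")
        if kind == "delta":
            text.append(event["text"])
        elif kind == "citation":
            citations.append(event)
        elif kind == "done":
            break
    return "".join(text), citations

# Constructed sample: the transport splits the stream in the middle of a line
# and also delivers an empty keep-alive line.
SAMPLE_CHUNKS = [
    b'{"type": "delta", "text": "The shipment "}\n{"type": "del',
    b'ta", "text": "was delivered."}\n\n{"type": "citation", "doc": "sop.pdf", "page": 4}\n',
    b'{"type": "done"}\n',
]
TRUNCATED_CHUNKS = [b'{"type": "delta", "text": "The ship']

if __name__ == "__main__":
    print(collect_answer(SAMPLE_CHUNKS))
```

A reader that called `json.loads` on each chunk as it arrived would fail on the first split line; a reader that silently dropped the trailing partial line would show the user a truncated answer with no indication that anything went wrong.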
Related
- Security & Privacy — for how the roles and logs are enforced
- System Architecture — for how the infrastructure pieces fit together
- The Team — who builds and maintains Genie