Subgraph access control configuration in enterprise edition


rien rienk

Jan 16, 2017, 9:16:51 PM
to Neo4j
Hello everyone, 

that a user can be configured to read, not write nodes labelled 'something' and/or relationships of type 'somethingelse'
But in fact I couldn't find how to do it. 

Using "call dbms.procedures()" I see many new functions that can be used to manage roles and users, but nothing fine-grained enough to concretely configure the users by type of access and type of objects, as said. (http://neo4j.com/docs/operations-manual/current/security/authentication-authorization/native-user-role-management/procedures/#user-roles-create-role)

Does anyone know how to do it, or where the relevant documentation for this is?

Thanks
 

Craig Taverner

Jan 17, 2017, 4:51:14 AM
to ne...@googlegroups.com
Hi Rien,

The document you linked to also explains that subgraph permissions in 3.1 are only enabled for procedures, not for Cypher. This means that there is no way in 3.1 to control access to label/relationshiptype/property information for users running Cypher queries. So if you want to provide access to only a specific subgraph, you need to create a procedure that accesses that subgraph, and then give users that do not have access (e.g. a no-access custom role) specific access to that procedure only. This 'permission boosting' can also be used to give read-only users write access to subgraphs (via custom write-procedures).

Note that even though this feature is not enabled for normal Cypher, you can still embed one of these custom procedures in a normal Cypher query. So a read-only user that can run a read-only Cypher query could have a procedure that does some specific write action run within that Cypher query. The user's permission level will be boosted within the procedure only, while still not allowing the user to perform writes within the Cypher part of the query.

Regards, Craig
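
A small Python model of the boosting rule described in the reply above, added here as an illustration; it is not Neo4j code and not from the thread. The `accounting` role, the `Invoice` label and the `example.addInvoice` procedure are hypothetical names. It shows a custom role that grants nothing by itself yet permits one write procedure, with the elevation dropped when the procedure returns or fails.

```python
from contextlib import contextmanager

# Constructed model only: built-in role names mirror the thread's wording,
# everything else (accounting, Invoice, example.addInvoice) is hypothetical.
ROLE_MODES = {"reader": {"read"}, "publisher": {"read", "write"}}

class AccessDenied(Exception):
    pass

class Session:
    def __init__(self, user, roles):
        self.user, self.roles = user, set(roles)
        self.boost = set()  # extra modes; non-empty only inside a procedure

    def check(self, mode):
        granted = set().union(*(ROLE_MODES.get(r, set()) for r in self.roles))
        if mode not in granted | self.boost:
            raise AccessDenied(f"{self.user}: {mode} denied")

@contextmanager
def boosted(session, modes):
    previous = session.boost
    session.boost = previous | modes
    try:
        yield
    finally:
        session.boost = previous  # restored even if the procedure body raises

class Procedure:
    def __init__(self, name, mode, allowed_roles, body):
        self.name, self.mode, self.allowed, self.body = name, mode, set(allowed_roles), body

    def call(self, session, graph, *args):
        boost = {self.mode} if session.roles & self.allowed else set()
        if not boost:
            session.check(self.mode)  # no allowed role: the caller's own roles decide
        with boosted(session, boost):
            return self.body(session, graph, *args)

def write_node(session, graph, label, props):
    session.check("write")  # every write passes this check, boosted or not
    graph.append((label, props))

def add_invoice(session, graph, amount):
    write_node(session, graph, "Invoice", {"amount": amount})  # the only write exposed
    return len(graph)

ADD_INVOICE = Procedure("example.addInvoice", "write", {"accounting"}, add_invoice)
```

The procedure body is the access-control boundary in this model: whatever it writes is what holders of the allowed role can write, so it should take narrow, validated arguments.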


rien rienk

Jan 17, 2017, 8:59:08 AM
to Neo4j
Thanks for your answer. At first I thought this procedure feature was something else.
I realized what you explain much later, as it wasn't at all what we expected.
It's really strange to have created such a difficult system to put in place (coding java/creating jar, deploying, restarting server)
We were searching for something more dynamic, not prehistoric, we may re-code our graph layer using OrientDB
BTW, thanks again!