Re: [Neo4j] Is Neo4j suitable for modelling access control


Lasse Westh-Nielsen

Jul 16, 2013, 8:27:07 AM
to Neo4j User
Mark,

Without knowing any details of your domain, Telenor are using Neo4j for business-critical resource authorisation: http://www.slideshare.net/verheughe/how-nosql-paid-off-for-telenor

But to answer your questions, maybe you could take a stab at modelling it in http://console.neo4j.org/ and then sharing it with us?

 - Lasse




On Tue, Jul 16, 2013 at 2:23 PM, Mark <emsa...@gmail.com> wrote:
Hi

I am new to Neo4j and I am trying to use it in order to model Role Based Access Control. In RBAC, for example, the user (u) is assigned to the roles r and r'; the relation that relates users to roles is named user role assignment. It is a many-to-many relation. I believe this example is similar to the movie example on the Neo4j website. I wonder whether it would be possible to write a query to work out the graph of the user (u)? If yes, I wonder whether a time constraint can also be modeled via Neo4j or not. For example, if we want to say the user u can only have the role r if the time is between 9:00 am and 6:00 pm.

Your help is highly appreciated in advance.

Kind regards
Mark

--
(Neo Technology)<-[:WORK_FOR]-(I)-[:DEVELOP]->(Neo4j)

Mike Bryant

Jul 16, 2013, 9:10:59 AM
to ne...@googlegroups.com
We have quite an extensive access control/permissions system in our app and I'd say, yes, Neo4j is definitely suitable for this. Especially if you have hierarchical roles and items that inherit their permission set in a hierarchical manner. There are a million different ways to implement AC though and it really depends quite closely on your needs and your specific domain.

For example, we use a "default off" access control scheme where items are default visible to all unless there's an "accessibleTo" relationship to either a single user or a role. So when asking to view something as a specific user we first check if it has any constraints and on the rare occasion that it does, check if the targets of those constraints intersect with that user and her hierarchically inherited roles.

Our perm system, on the other hand, requires that users (or their inherited roles) have specific "permission grants", which are nodes that link together a permission type node (i.e. "update"), a user/role, and an item. Items themselves can inherit permission grants from other items via a "permissionScope" relationship. 

When you're exploring all these hierarchies trying to determine who can do/see what you really value the fact that Neo4j (and graph DBs in general) are capable of very fast recursive (or looping) traversals, and at modelling hierarchies in general.

Cheers,
~Mike
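
The scheme described in the post above, sketched in Cypher as an added example (not code from the thread or from Mike's application). Only `accessibleTo` and `permissionScope` come from the post; the labels, property names and the `belongsTo`, `hasSubject`, `hasPermission` and `hasTarget` relationship types are assumptions.

```cypher
// Constructed sample graph. Only accessibleTo and permissionScope are named in
// the post; labels, properties and the other relationship types are assumptions.
CREATE (staff:Role {name: 'staff'}),
       (editors:Role {name: 'editors'}),
       (alice:User {name: 'alice'}),
       (bob:User {name: 'bob'}),
       (repo:Item {name: 'repository'}),
       (doc:Item {name: 'document'}),
       (memo:Item {name: 'memo'}),
       (upd:Permission {name: 'update'}),
       (g:PermissionGrant),
       (alice)-[:belongsTo]->(editors),
       (editors)-[:belongsTo]->(staff),
       (memo)-[:accessibleTo]->(staff),
       (g)-[:hasSubject]->(staff),
       (g)-[:hasPermission]->(upd),
       (g)-[:hasTarget]->(repo),
       (doc)-[:permissionScope]->(repo);

// Visibility: an item with no accessibleTo edge is visible to everyone.
// Otherwise the user, or a role reached by following belongsTo any number of
// hops, must be a target of one of the item's accessibleTo edges.
MATCH (u:User {name: 'alice'}), (i:Item {name: 'memo'})
WHERE NOT (i)-[:accessibleTo]->()
   OR (i)-[:accessibleTo]->(u)
   OR (u)-[:belongsTo*]->()<-[:accessibleTo]-(i)
RETURN count(*) > 0 AS canView;

// Permission: deny unless a grant exists. The grant's subject is the user or an
// inherited role (*0.. includes the user itself), and its target is the item or
// any item it reaches through permissionScope (*0.. includes the item itself).
MATCH (u:User {name: 'alice'}), (i:Item {name: 'document'}),
      (p:Permission {name: 'update'})
MATCH (u)-[:belongsTo*0..]->(subject)<-[:hasSubject]-(g:PermissionGrant),
      (g)-[:hasPermission]->(p),
      (g)-[:hasTarget]->(scope)<-[:permissionScope*0..]-(i)
RETURN count(g) > 0 AS canUpdate;
```

Swapping `'alice'` for `'bob'` in either query exercises the case of a user with no role memberships.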

Peter Neubauer

Jul 16, 2013, 9:16:32 AM
to Neo4j User
Mike,
as the RBAC things are coming up all the time, would it be possible for you to do a super-small sample as a GraphGist, maybe cloning something along the lines of http://gist.neo4j.org/?5956246 ? Would be good for others to get started, as the example at http://docs.neo4j.org/chunked/snapshot/examples-acl-structures-in-graphs.html#_read_permission_example might be a bit simplistic.

Would be much appreciated.

/peter


Cheers,

/peter neubauer

G:  neubauer.peter
S:  peter.neubauer
P:  +46 704 106975
L:   http://www.linkedin.com/in/neubauer
T:   @peterneubauer

Kids in Malmö this summer?        - http://www.kidscraft.se
Neo4j questions? Use GraphGist. - http://gist.neo4j.org



Mike Bryant

Jul 16, 2013, 12:32:37 PM
to ne...@googlegroups.com
Hi Peter,

I've started one off at http://gist.neo4j.org/?6008933 but I am handicapped by my uselessness with Cypher (mainly still in Java/Gremlin land). Will try and flesh it out a bit later but feel free to correct my queries in the meantime!

Cheers,
Mike

Peter Neubauer

Jul 16, 2013, 12:34:52 PM
to Neo4j User
Very cool Mike!!

You can even use //table and //graph to get visualizations and results listed. Awesome start! Will check it out more tomorrow.

/peter



Mike Bryant

Jul 16, 2013, 5:54:51 PM
to ne...@googlegroups.com
Hi Mark,

I'd imagine temporal constraints could be modelled fairly straightforwardly as edge properties, but since my Cypher-foo is inadequate I can't really comment on how this would affect your queries (aside from making them more complex.) Presumably, in your MATCH clause you'd bind a name to the relationship from user to role, and in the WHERE clause you'd ensure it respected a given time with reference to the current time (NOW?). I'm sure when you have something more concrete one of the experts will weigh in.

Good luck with the modelling.

~Mike

On Tuesday, 16 July 2013 22:29:43 UTC+1, Mark wrote:
Thanks Mike. You have done a great job. I will also try to start a new example as a GraphGist.

I wonder whether you have thought whether the temporal constraints can be modeled in Neo4j or not. For example in TRBAC a user can only have a role r at time t.

Regards
Mark
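
The time-window idea discussed in this exchange (role r only between 9:00 am and 6:00 pm), as an added example that is not part of the thread. It assumes a Neo4j release with Cypher temporal types (3.4 or later); the `hasRole` relationship type and the `validFrom`/`validUntil` property names are hypothetical.

```cypher
// Constructed sample data. The hasRole type and the validFrom/validUntil
// property names are assumptions; an edge without them is unrestricted.
CREATE (u:User {name: 'u'}),
       (r:Role {name: 'r'}),
       (r2:Role {name: "r'"}),
       (u)-[:hasRole {validFrom: localtime('09:00'),
                      validUntil: localtime('18:00')}]->(r),
       (u)-[:hasRole]->(r2);

// Roles u holds at the moment the query runs. The relationship is bound to a
// name in MATCH and its window is tested in WHERE. localtime() is read on the
// server, in its configured time zone, so the caller does not supply the clock.
MATCH (:User {name: 'u'})-[a:hasRole]->(role:Role)
WITH a, role, localtime() AS now
WHERE (a.validFrom IS NULL OR a.validFrom <= now)
  AND (a.validUntil IS NULL OR now < a.validUntil)
RETURN role.name AS activeRole;

// The same check at a fixed time, for reviewing what a window allows.
// Windows that cross midnight (validFrom > validUntil) are not handled here.
MATCH (:User {name: 'u'})-[a:hasRole]->(role:Role)
WITH a, role, localtime('20:00') AS checkTime
WHERE (a.validFrom IS NULL OR a.validFrom <= checkTime)
  AND (a.validUntil IS NULL OR checkTime < a.validUntil)
RETURN role.name AS activeRole;
```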