This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.

ABAC (Attribute Based Access Control) in Neo4j

are_yas999
Node

‎09-17-2020 06:59 AM

Hello,

Can we use ABAC (Attribute Based Access Control) in Neo4j or not?. If yes, how can we achieve this.

Thank you so much.

0 Kudos
Reply
6 REPLIES 6

anthapu
Graph Fellow

‎09-20-2020 06:33 AM

Welcome to the Neo4J Community.

Can you please elaborate more on this?

Do you mean to say if a node has an attribute should the node be not visible or only the attribute?

RBAC in neo4j works at node/relationship/attribute level.

If you do not have access to see a node label or relationship type or attribute name then they are not visible.

At attribute level you can see or not see an attribute only, not the node. You cannot do value level filter.

One option is if the attribute values are limited then you can use labels to control the access to the node.

0 Kudos
Reply

are_yas999
Node
In response to anthapu

‎09-20-2020 06:49 AM

Thank you so much for your reply.
In fact, ABAC is a finer access control than RBAC. Here is a scenario:

Suppose that you have some users, for each of these users you give some attributes (tags). And for each of you nodes, relations, ... you give some attributes (tags).

Then you define some policies such as: Only users with tags (let us say Name for instance) that starts with the letter M can access to the nodes that were created before a given date time and whose number of connected edges are higher than 6.

This is just an arbitrary example but I think you catch the idea.

You can have a look to XACML in order to see how I would like to define these conditions/policies/access methods.

Regards.

0 Kudos
Reply

anthapu
Graph Fellow
In response to are_yas999

‎09-20-2020 09:11 AM

I think that is better implemented at application layer or using stored procedures in Neo4j. The scope of the functionality based on your description is very vast.

If your scope is limited then you can use node labels to achieve this in a reasonable way.

0 Kudos
Reply

are_yas999
Node

‎09-21-2020 12:58 AM

Can you show me please such layers that allow functionalities similar to I described?

0 Kudos
Reply

amsilf
Node Clone
In response to are_yas999

‎09-21-2020 07:08 PM

Good day,

there is no build in ABAC in Neo4J, I was thinking about it recently as well. I think the database is a perfect environment to implement such functionality. Firstly, you have to use one of neo4J entities - attributes or labels - to introduce security attributes. Secondly, you'll need to build a service layer as suggested above. If you would like to use pure db mechanisms, then stored procedure is an only way, e.g you implement wrappers around requests that check execution permissions based on attributes. On other side, I would say it will be easier to implement some rest service that would construct ABAC aware queries. neo4j has awesome spring support, so spring-boot together with spring-data would be the great choise.

0 Kudos
Reply

skflowne
Node
In response to amsilf

‎11-10-2020 08:59 AM

Is it possible to implement owner based + role based authorization with those procedures ?
What I want to achieve is currentUser.id === node.userId || currentUser.role === 'admin', can't find a way to do this so far.

0 Kudos
Reply
Nodes 2022
Nodes
NODES 2022, Neo4j Online Education Summit

All the sessions of the conference are now available online

Watch replays