Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.
09-17-2020 06:59 AM
Hello,
Can we use ABAC (Attribute Based Access Control) in Neo4j or not?. If yes, how can we achieve this.
Thank you so much.
09-20-2020 06:33 AM
Welcome to the Neo4J Community.
Can you please elaborate more on this?
Do you mean to say if a node has an attribute should the node be not visible or only the attribute?
RBAC in neo4j works at node/relationship/attribute level.
If you do not have access to see a node label or relationship type or attribute name then they are not visible.
At attribute level you can see or not see an attribute only, not the node. You cannot do value level filter.
One option is if the attribute values are limited then you can use labels to control the access to the node.
09-20-2020 06:49 AM
Thank you so much for your reply.
In fact, ABAC is a finer access control than RBAC. Here is a scenario:
Suppose that you have some users, for each of these users you give some attributes (tags). And for each of you nodes, relations, ... you give some attributes (tags).
Then you define some policies such as: Only users with tags (let us say Name for instance) that starts with the letter M can access to the nodes that were created before a given date time and whose number of connected edges are higher than 6.
This is just an arbitrary example but I think you catch the idea.
You can have a look to XACML in order to see how I would like to define these conditions/policies/access methods.
Regards.
09-20-2020 09:11 AM
I think that is better implemented at application layer or using stored procedures in Neo4j. The scope of the functionality based on your description is very vast.
If your scope is limited then you can use node labels to achieve this in a reasonable way.
09-21-2020 12:58 AM
Can you show me please such layers that allow functionalities similar to I described?
09-21-2020 07:08 PM
Good day,
there is no build in ABAC in Neo4J, I was thinking about it recently as well. I think the database is a perfect environment to implement such functionality. Firstly, you have to use one of neo4J entities - attributes or labels - to introduce security attributes. Secondly, you'll need to build a service layer as suggested above. If you would like to use pure db mechanisms, then stored procedure is an only way, e.g you implement wrappers around requests that check execution permissions based on attributes. On other side, I would say it will be easier to implement some rest service that would construct ABAC aware queries. neo4j has awesome spring support, so spring-boot together with spring-data would be the great choise.
11-10-2020 08:59 AM
Is it possible to implement owner based + role based authorization with those procedures ?
What I want to achieve is currentUser.id === node.userId || currentUser.role === 'admin'
, can't find a way to do this so far.
All the sessions of the conference are now available online