Neo4j

Is there any progress on this topic since July? Either in released form that this issue might link to, or information about what is in store for the future? @andrew.bowman

Hi all,

I'm really looking for a feature similar to what @andrew.bowman suggested: being able to have read restrictions based on property values. I did already investigate using schema-based security where I created custom roles that can only access nodes/relationships with certain labels. But I was hoping to take this 1 step further.

First let me explain my use-case: I'm currently experimenting with migrating an Angular-based web application with a Kotlin backend to a backendless solution. This application is used for giving typing lessons to children. Basically a student logs into the application and types a few exercises. All the security bits are currently handled by the backend, ensuring that students can only add/submit new exercise results to their own profile. Students are member of a group and a group is assigned 1 or more teachers. Teachers can also login into the application and view the exercise results of students that are member of groups they are assigned to.

Last year I already experimented a bit with Google's Firebase which has all the features that I'd like: offline-first, data-based security and real-time queries. It allows students with a bad internet connection to still practice and be sure that their results are saved sometime later. I can configure security in a way that the backend is complete unnecessary by using a few (but still complex) database rules. And real-time queries allow me teachers to watch results live during a lesson.
However, for me Google Firebase also has some major downsides: this web application is for a small Dutch company and storing data of children on a platform that is owned and operated by an US company is not desirable from a privacy perspective. It is much more preferred to host the database on an on-premise server or VPS, or at least have a choice where the data is stored in case of a SaaS offering (side question: can we choose the location where data is stored when using Aura?).

Long story short: what I'm looking for / missing in Neo4j is configuring privileges based on property values. In my data model I have a node with a label Person and a dozen of properties including the username. What I'd like to do is allowing users to only read data on the :Person node that has an username property which value corresponds with the Neo4j's authenticated user. My application has at most around 1000 users and I did already experiment with creating a Neo4j account for each user and assigning them a custom role. So far this works fine but the security (filtering own data) is currently done in the web application. Since it's all javascript using the neo4j-javascript-driver under the hood it's quite easy for a student to open the developer tools in their browser, retrieve the neo4j driver object and running Cypher queries to retrieve the data of other students.

Although I understand that managing security per user is not the primary use case of roles I do think that allowing filtering on property values would be a huge addition to Neo4j's security model. I'm thinking of something like defining a Cypher query that should return true or false. It should have access to a few parameters such as the currently logged in user, the node/relationship accessed, and the action that is performed (traverse, read or write). What do you think? Is something like this feasible/possible in Neo4j?