This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.

Neo4J Fine-Grained Security for Subset of Nodes with Label

Xef
Node

‎11-17-2020 11:12 AM

I'm currently in the process of evaluating the fine-grained access control available in Neo Enterprise Edition v4.1. For reference we are currently using the Community Edition 3.5.4.

What I am trying to achieve is to have only a subset of nodes with a certain label able to be read by certain users/roles.

2X_d_de118ea8934d73855a213c81bc66d4126a9d8c08.png

Take a user who is the manager of Team 1, they need to be able to Read and Write for Player 1/2/3. Using the access control system I can create a Role that has Read & Write permissions to the labels Team & Player and assign Manager 1 to that role.

What I would like to do restrict Manager 1's access to the node Team 2 and therefore Player nodes 4/5/6 as well. From what I can see in the docs you can only apply permission to a specific Label or Relationship Type Names.

0 Kudos
Reply
1 REPLY 1

lukas_zaugg
Node

‎11-20-2020 02:45 AM

Hey @Xef
As far as I understand we are facing almost the same challenge: define privileges based on node properties.
In our case it's: limiting the visibility of elements by tenant (security trimming) within the same database.

Waiting for the support for privileges based on node properties takes probably too long (see DENY TRAVERSE on neo4j 4.0 EE).

Alternative:
Multi tenancy for our case can be implemented in different ways (see also Proper way to implement multi-tenancy on Neo4j). The most promising one is by using multiple labels (have a dedicated tenant label like "Tenant_1") and grant privileges towards those tenant labels (one label per tenant).

The same approach might be of interest in your case.
Create a role name "team_1_manager" with the RW permission for nodes with label "Team_1" and add the additional label "Team_1" to all Players below the node "Team 1". Now you can control the privileges individually per team. The disadvantage is, that you need to manage those labels individually; means to have as many roles as teams and the privileges need to be kept consistent with the relationship of player to team.

0 Kudos
Reply
Nodes 2022
Nodes
NODES 2022, Neo4j Online Education Summit

All the sessions of the conference are now available online

Watch replays