Data Security
Enterprise edition functionality
Required Permission: ACL data management (Read more about Permissions)
With the Data Security module, it's possible to manage which data in Neo4j are visible to which user. Users are members of groups, and these groups are used to manage permissions to data. If a group has permission to a node, every user in this group can view the node. If a group does not have permission to a node, no user in this group can view the node, and those users cannot learn of the node's existence in any way. Whether a group has permission to a relationship depends on its permissions to the source and target nodes of that relationship and on the relationship filter setting: a group has permission to a relationship only if it has permission to both the source and the target node and the relationship passes the relationship filter (see below).
If a user is a member of more than one group, the effective setting is the "union" of the settings of all those groups: a permission is granted if it exists in at least one of the user's groups.
Data security page
Main menu (top right) - Page Data Security
Permissions to data can be set on the Data Security page (see screenshot below).
In the image:
Table "Data permissions of groups"
(1) Entity security for a group - contains rules for permitting access to nodes (Node Filter) and relationships (Relationship Filter) for a particular group. These rules are used in every Cypher query done by Graphlytic when accessing data in Neo4j.
(2) Property security for a group - contains lists of properties that are enabled or disabled for a particular group. If the same property is listed both in enabled and in disabled properties then this property is disabled.
(3) Actions for changing the Entity security and Property security settings. For changing either of them follow these steps:
Click on the filter icon (the first button) to change the Entity security setting or on the lock icon (the second button) to change the Property security setting.
Enter new setting
Confirm the change
Table "Data permissions of users"
(4) Entity security for a user - here you can look up the effective setting of Entity security for a particular user. This setting can't be changed directly; to alter it, change the setting of one of the user's groups.
(5) Property security for a user - here you can look up the effective setting of Property security for a particular user. If the same property is listed both in enabled and in disabled properties, the property is disabled. This setting can't be changed directly; to alter it, change the setting of one of the user's groups.
Entity security
Contains rules (a list of Condition objects) for permitting access to nodes (Node Filter) and relationships (Relationship Filter) for a particular group. These rules are used in every Cypher query done by Graphlytic when accessing data in Neo4j.
Both "Node Filter" and "Relationship Filter" are lists of Condition objects.
A Condition object is a constraint defined for a set of node labels (or relationship types) combined with a set of property constraints.
The final logical filtering condition is constructed using logical AND between parts of the Condition and logical OR between values (see example below).
Example of a Condition object
{
  "labels": ["Person", "Company"],
  "properties": [
    { "property": "type", "values": ["person", "company"] },
    { "property": "subtype", "values": ["auditor", "manager", "limited"] }
  ]
}
The filtering (WHERE) condition for the example above is:
MATCH (n) WHERE (n:Person OR n:Company) AND n.type IN ["person", "company"] AND n.subtype IN ["auditor", "manager", "limited"]
The Entity Security configuration is entered as a JSON object. Example of such JSON:
{
  "nodeFilter": [
    {
      "properties": [
        { "property": "prop", "values": ["free", "secret"] }
      ],
      "ranges": [],
      "labels": ["FREE", "SECRET"]
    }
  ],
  "relationshipFilter": [
    {
      "properties": [
        { "property": "prop", "values": ["free", "secret"] }
      ],
      "ranges": [],
      "relTypes": ["FREE", "SECRET"]
    }
  ]
}
Default Entity security for a group and for a user without any group:
{
  "nodeFilter": [],
  "relationshipFilter": []
}
Explanation of JSON properties:
Property | Values | Description
nodeFilter | Array of Condition objects | An array of Condition objects. The final condition is constructed using logical OR between particular Conditions in the array. An empty array means that all nodes are permitted.
relationshipFilter | Array of Condition objects | An array of Condition objects. The final condition is constructed using logical OR between particular Conditions in the array. An empty array means that all relationships are permitted.
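The following Python script is an added example, not Graphlytic's own code, that turns an Entity security JSON object into the Cypher WHERE predicates the rules above imply: OR between Condition objects in a filter array, AND between the parts of one Condition, IN (OR) between the values of one property, an empty array meaning everything is permitted, and a relationship permitted only when both endpoint nodes are permitted and the relationship itself passes the relationship filter. The variable names n, a, b and r, the use of type(r) IN [...] for relTypes, and the backtick quoting of names are assumptions of this example; the "ranges" key is not explained on this page and is ignored here.

```python
import json

# Added example (not Graphlytic's code): compile an Entity security setting,
# as documented on this page, into Cypher WHERE predicates.

# Condition object from the page's first example.
PAGE_CONDITION = {
    "labels": ["Person", "Company"],
    "properties": [
        {"property": "type", "values": ["person", "company"]},
        {"property": "subtype", "values": ["auditor", "manager", "limited"]},
    ],
}

# Full Entity security object from the page's second example.
PAGE_EXAMPLE = {
    "nodeFilter": [
        {"properties": [{"property": "prop", "values": ["free", "secret"]}],
         "ranges": [], "labels": ["FREE", "SECRET"]}
    ],
    "relationshipFilter": [
        {"properties": [{"property": "prop", "values": ["free", "secret"]}],
         "ranges": [], "relTypes": ["FREE", "SECRET"]}
    ],
}


def _ident(name):
    """Backtick-quote a label, relationship type or property name.

    These names come from ACL configuration, so they are quoted rather than
    spliced into the query as raw text (assumed quoting style of this example).
    """
    if "`" in name:
        raise ValueError(f"invalid identifier: {name!r}")
    return f"`{name}`"


def _literal(values):
    """Cypher list literal of string values; json.dumps gives safe string quoting."""
    return "[" + ", ".join(json.dumps(v) for v in values) + "]"


def condition_to_cypher(cond, var, kind):
    """One Condition object -> one predicate: AND between its parts,
    OR between labels, IN (OR) between the values of one property."""
    parts = []
    if kind == "node":
        labels = cond.get("labels") or []
        if labels:
            parts.append("(" + " OR ".join(f"{var}:{_ident(l)}" for l in labels) + ")")
    else:
        rel_types = cond.get("relTypes") or []
        if rel_types:
            parts.append(f"type({var}) IN {_literal(rel_types)}")
    for p in cond.get("properties") or []:
        parts.append(f"{var}.{_ident(p['property'])} IN {_literal(p['values'])}")
    # "ranges" appears in the page's JSON but is not explained there; ignored.
    if not parts:
        return "true"
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"


def filter_to_cypher(conditions, var, kind):
    """Filter array -> OR of its Conditions; an empty array permits everything."""
    conditions = conditions or []
    if not conditions:
        return "true"
    preds = [condition_to_cypher(c, var, kind) for c in conditions]
    return preds[0] if len(preds) == 1 else "(" + " OR ".join(preds) + ")"


def entity_security_to_cypher(setting):
    """Return (predicate over node n, predicate over pattern (a)-[r]->(b)).

    A relationship is permitted only if both endpoints pass the nodeFilter
    and the relationship passes the relationshipFilter (rule from the page).
    """
    node_filter = setting.get("nodeFilter")
    rel_filter = setting.get("relationshipFilter")
    node_pred = filter_to_cypher(node_filter, "n", "node")
    rel_parts = [
        filter_to_cypher(node_filter, "a", "node"),
        filter_to_cypher(node_filter, "b", "node"),
        filter_to_cypher(rel_filter, "r", "rel"),
    ]
    rel_parts = [p for p in rel_parts if p != "true"]
    rel_pred = " AND ".join(rel_parts) if rel_parts else "true"
    return node_pred, rel_pred


if __name__ == "__main__":
    node_pred, rel_pred = entity_security_to_cypher(PAGE_EXAMPLE)
    print(f"MATCH (n) WHERE {node_pred} RETURN n")
    print(f"MATCH (a)-[r]->(b) WHERE {rel_pred} RETURN r")
```

Running the script prints the node query and the relationship query for the page's second example; the relationship predicate repeats the node filter for both endpoints, which is why a group that is denied a node never sees any of that node's relationships either.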
Property security
The configuration is entered as a JSON object. Example of such JSON:
{
  "enableNodeProperties": ["*"],
  "disableNodeProperties": ["prop_4"],
  "enableRelProperties": ["rel_1", "rel_2"],
  "disableRelProperties": ["rel_3"]
}
Default Property security for a group and for a user without any group:
{
  "enableNodeProperties": ["*"],
  "disableNodeProperties": [],
  "enableRelProperties": ["*"],
  "disableRelProperties": []
}
Explanation of JSON properties:
Property | Values | Description
enableNodeProperties | Array of strings | List of node property names that are enabled. An empty list or null value means that no property is enabled. The value "*" means that all properties are enabled.
disableNodeProperties | Array of strings | List of node property names that are disabled. An empty list or null value means that no property is disabled. The value "*" means that all properties are disabled.
enableRelProperties | Array of strings | List of relationship property names that are enabled. An empty list or null value means that no property is enabled. The value "*" means that all properties are enabled.
disableRelProperties | Array of strings | List of relationship property names that are disabled. An empty list or null value means that no property is disabled. The value "*" means that all properties are disabled.