Data Security

Enterprise edition functionality

Permission: ACL data management

You can manage which data in Neo4j is visible to which user. Users are members of groups, and permissions to data are assigned to groups. If a group has permission to a node, every user in that group can view the node. If a group does not have permission to a node, no user in that group can view it, and those users are not made aware of the node's existence in any way. Whether a group has permission to a relationship depends on its permissions to the source and target nodes of that relationship and on the relationship filter setting: a group has permission to a relationship only if it has permission to both the source node and the target node and the relationship passes the relationship filter (see below).

If a user is a member of more than one group, the effective setting is the union of the settings of all of those groups.

Data security page

Permissions to data are set on the data security page (see the screenshot below).

(Screenshot: images/download/attachments/18580630/01.jpg)

In the image:

  1. Entity security for group - contains the rules that grant access to nodes (Node Filter) and relationships (Relationship Filter) for the particular group. These rules are applied to every Cypher query that Graphlytic runs against Neo4j when accessing data.

  2. Property security for group - contains the lists of properties that are enabled or disabled for the particular group. If the same property appears in both the enabled list and the disabled list, the property is disabled.

  3. Actions for changing the Entity security and Property security settings. To change either of them, follow these steps:

    1. Click the filter icon (the first button) to change the Entity security setting, or the lock icon (the second button) to change the Property security setting.

    2. Enter the new setting.

    3. Confirm the change.

  4. Entity security for user - here you can look up the effective Entity security setting of a particular user. This setting cannot be changed directly; to alter it, change the setting of one of the user's groups.

  5. Property security for user - here you can look up the effective Property security setting of a particular user. If the same property appears in both the enabled list and the disabled list, the property is disabled. This setting cannot be changed directly; to alter it, change the setting of one of the user's groups.

Entity security

The configuration is entered as JSON. Example (only nodes labelled Data or Data_extended are visible, and only relationships between them whose "type" property equals 'Server'):

{
  "nodeFilter": "_n_:Data or _n_:Data_extended",
  "relationshipFilter": "_r_.type = 'Server'"
}

Entity security for a newly created group and for a user who is not a member of any group. Note that this default is fully permissive: such a group or user can see every node and every relationship, so restrict a new group's filters before adding users to it:

{
  "nodeFilter": null,
  "relationshipFilter": null
}

Explanation of the JSON properties:

Property            Values   Description
nodeFilter          String   Cypher condition. Use "_n_" to refer to the node. An empty or null value means that all nodes are permitted.
relationshipFilter  String   Cypher condition. Use "_r_" to refer to the relationship. An empty or null value means that all relationships are permitted.

Property security

The configuration is entered as JSON. Example (all node properties except prop_4 are visible; of the relationship properties only rel_1 and rel_2 are visible, and rel_3 is explicitly disabled):

{
  "enableNodeProperties": ["*"],
  "disableNodeProperties": ["prop_4"],
  "enableRelProperties": ["rel_1", "rel_2"],
  "disableRelProperties": ["rel_3"]
}

Property security for a newly created group and for a user who is not a member of any group. As with Entity security, the default is fully permissive: all node and relationship properties are enabled:

{
  "enableNodeProperties": ["*"],
  "disableNodeProperties": [],
  "enableRelProperties": ["*"],
  "disableRelProperties": []
}

Explanation of the JSON properties (a property listed in both an enabled list and the corresponding disabled list is disabled; the disabled list always wins):

Property               Values            Description
enableNodeProperties   Array of strings  List of node property names that are enabled. An empty list or null value means that no property is enabled. The value "*" means that all properties are enabled.
disableNodeProperties  Array of strings  List of node property names that are disabled. An empty list or null value means that no property is disabled. The value "*" means that all properties are disabled.
enableRelProperties    Array of strings  List of relationship property names that are enabled. An empty list or null value means that no property is enabled. The value "*" means that all properties are enabled.
disableRelProperties   Array of strings  List of relationship property names that are disabled. An empty list or null value means that no property is disabled. The value "*" means that all properties are disabled.
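The visibility rules of this section and of the Entity security section above (node filter, relationship filter with the both-endpoints rule, union over a user's groups, permissive defaults for a user without a group, and disabled-wins property lists), modeled as an added example over a small constructed graph. This is illustration code written for this page, not Graphlytic's implementation: the Cypher conditions of the real settings are stood in for by Python predicates, the graph data and the group names "analysts" and "operators" are made up, and the choice to take the union of whole-relationship permissions per group (rather than of endpoint permissions across groups) is an assumption:

```python
"""Model of Graphlytic-style entity and property security over an in-memory graph.
Illustration only (not Graphlytic code); graph, groups and settings are constructed."""
import json
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed sample graph. The relationship "type" is stored as an ordinary
# property so that the page's `_r_.type = 'Server'` condition can be mirrored.
NODES = {
    1: {"labels": {"Data"}, "props": {"name": "customers", "owner": "sales", "prop_4": "ssn-hash"}},
    2: {"labels": {"Data_extended"}, "props": {"name": "orders", "prop_4": "card-token"}},
    3: {"labels": {"Config"}, "props": {"name": "etl-pipeline"}},
}
RELS = {
    "r1": {"src": 1, "dst": 2, "props": {"type": "Server", "rel_1": "a", "rel_3": "x"}},
    "r2": {"src": 1, "dst": 3, "props": {"type": "Server", "rel_1": "b"}},
    "r3": {"src": 2, "dst": 1, "props": {"type": "Client", "rel_2": "c"}},
}

Pred = Optional[Callable[[dict], bool]]  # None models the JSON null: everything permitted

# Defaults of a newly created group and of a user without any group (from the page).
DEFAULT_ENTITY = {"nodeFilter": None, "relationshipFilter": None}
DEFAULT_PROPERTY = json.loads('{"enableNodeProperties": ["*"], "disableNodeProperties": [], '
                              '"enableRelProperties": ["*"], "disableRelProperties": []}')

# Hypothetical groups. The "analysts" filters mirror the page's example conditions.
GROUPS = {
    "analysts": {
        "entity": {
            "nodeFilter": lambda n: bool(n["labels"] & {"Data", "Data_extended"}),  # _n_:Data or _n_:Data_extended
            "relationshipFilter": lambda r: r["props"].get("type") == "Server",     # _r_.type = 'Server'
        },
        "property": json.loads('{"enableNodeProperties": ["*"], "disableNodeProperties": ["prop_4"], '
                               '"enableRelProperties": ["rel_1", "rel_2"], "disableRelProperties": ["rel_3"]}'),
    },
    "operators": {
        "entity": {"nodeFilter": lambda n: "Config" in n["labels"], "relationshipFilter": None},  # _n_:Config
        "property": json.loads('{"enableNodeProperties": ["name"], "disableNodeProperties": [], '
                               '"enableRelProperties": [], "disableRelProperties": null}'),
    },
}


def _passes(pred: Pred, entity: dict) -> bool:
    return True if pred is None else bool(pred(entity))


def _nodes_for(entity: dict) -> Set[int]:
    """Nodes permitted by one entity setting: those passing its nodeFilter."""
    return {nid for nid, n in NODES.items() if _passes(entity["nodeFilter"], n)}


def _rels_for(entity: dict) -> Set[str]:
    """Relationships permitted by one entity setting: BOTH endpoints permitted
    and the relationship passes the relationshipFilter."""
    nodes = _nodes_for(entity)
    return {rid for rid, r in RELS.items()
            if r["src"] in nodes and r["dst"] in nodes and _passes(entity["relationshipFilter"], r)}


def group_nodes(group: str) -> Set[int]:
    return _nodes_for(GROUPS[group]["entity"])


def group_rels(group: str) -> Set[str]:
    return _rels_for(GROUPS[group]["entity"])


def user_nodes(groups: Iterable[str]) -> Set[int]:
    """Effective node permissions: union over the user's groups; a user without
    any group gets the permissive default, i.e. every node."""
    groups = list(groups)
    return set().union(*(group_nodes(g) for g in groups)) if groups else _nodes_for(DEFAULT_ENTITY)


def user_rels(groups: Iterable[str]) -> Set[str]:
    """Union of per-group relationship permissions (assumption: a relationship whose
    endpoints are permitted only by different groups stays hidden)."""
    groups = list(groups)
    return set().union(*(group_rels(g) for g in groups)) if groups else _rels_for(DEFAULT_ENTITY)


def property_allowed(name: str, enabled, disabled) -> bool:
    """Disabled wins over enabled; "*" matches every property; an empty or
    null enabled list enables nothing."""
    enabled, disabled = enabled or [], disabled or []
    if "*" in disabled or name in disabled:
        return False
    return "*" in enabled or name in enabled


def user_property_lists(groups: Iterable[str], kind: str):
    """Effective (enabled, disabled) sets for kind "Node" or "Rel": the union of the
    groups' lists, or the defaults for a user without any group."""
    settings = [GROUPS[g]["property"] for g in groups] or [DEFAULT_PROPERTY]
    enabled = set().union(*(set(s.get(f"enable{kind}Properties") or []) for s in settings))
    disabled = set().union(*(set(s.get(f"disable{kind}Properties") or []) for s in settings))
    return enabled, disabled


def visible_node_props(groups: Iterable[str], nid: int) -> Dict[str, object]:
    en, dis = user_property_lists(list(groups), "Node")
    return {k: v for k, v in NODES[nid]["props"].items() if property_allowed(k, en, dis)}


def visible_rel_props(groups: Iterable[str], rid: str) -> Dict[str, object]:
    en, dis = user_property_lists(list(groups), "Rel")
    return {k: v for k, v in RELS[rid]["props"].items() if property_allowed(k, en, dis)}


def user_view(groups: Iterable[str]) -> dict:
    """What a user sees: permitted nodes and relationships reduced to their
    permitted properties. Hidden entities are absent, not marked."""
    groups = list(groups)
    return {"nodes": {nid: visible_node_props(groups, nid) for nid in sorted(user_nodes(groups))},
            "rels": {rid: visible_rel_props(groups, rid) for rid in sorted(user_rels(groups))}}


if __name__ == "__main__":
    for member_of in (["analysts"], ["operators"], ["analysts", "operators"], []):
        print(member_of, json.dumps(user_view(member_of), sort_keys=True))
```

Two outcomes are worth checking when you apply this to a real configuration: relationship r2 is hidden from "analysts" even though it passes the relationship filter, because its target node does not pass the node filter; and a user with no group at all sees the whole graph with every property, since the defaults are permissive.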