Node-level permissions #8183
Comments
Hi, is there any news on this feature? I just have a use case where we need this too and I'm currently looking for a solution.
Is there any update on this? Implementation should not be too hard, because you can just prefix a filter expression in front of a user query. (See e.g. "Splunk", "LogInsight" ...) So as a role you would say 'if node.[fieldname] == "abc"', then a user with that role would only get nodes back if the node has a field with value "abc". See e.g. https://blogs.vmware.com/management/files/2018/03/2018-03-14_10-51-31.png This is NOT a replacement for multiple databases (see #266), because for easy multitenancy you want a stronger separation than this.
Node level security has been under discussion for some time as an extension to the role-based access control introduced in Neo4j 3.1, and is under consideration. At the moment, however, the only option you have to achieve this is the procedure-based security model (also introduced in 3.1). This approach means that you give specific procedures access to the sub-graphs. The definition of the sub-graph is encoded into the code of the procedure. For more information see:
Neo4j 4.1 provides granular security for both reads and writes at node and property level which meets this requirement. For information on how to set this up, see: If you feel this does not meet the requirement, feel free to reopen this issue.
Correct me if I’m wrong, but this is NOT what is expected as “node-level security”. @mnd999 The docs link basically says you could do authorization only based on the name of a node/property, but not the value of a property.
Please refer to Postgres for an example of “row-level security”, which means you could filter out rows based on what’s inside the rows, not the name of the columns or tables.
I have to agree with @sep2. This implementation of node-level security is more akin to column-level security in relational databases.
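The distinction drawn in the comments above, between grants keyed on label and property names and a filter on property values prefixed to every user query, as an added example that is not Neo4j code and not part of the original thread. The `Role` class, the `run_query` function and the sample nodes are hypothetical and constructed for illustration.

```python
# Added illustration: hypothetical Role/run_query, constructed sample nodes.
NODES = [
    {"label": "Patient", "props": {"name": "A", "clinic": "north", "ssn": "000-00-0001"}},
    {"label": "Patient", "props": {"name": "B", "clinic": "south", "ssn": "000-00-0002"}},
    {"label": "Invoice", "props": {"clinic": "north", "total": 120}},
]


class Role:
    def __init__(self, labels, readable_props, row_filter=None):
        self.labels = set(labels)                  # label names the role may traverse
        self.readable_props = set(readable_props)  # property names the role may read
        self.row_filter = row_filter               # optional predicate on property VALUES


def run_query(role, user_predicate, nodes=NODES):
    """Run user_predicate, but only over what the role is allowed to see."""
    results = []
    for node in nodes:
        # Name-based check ("column-level" in the thread's terms).
        if node["label"] not in role.labels:
            continue
        # Value-based check ("row-level"): the role's filter is applied before the
        # user's predicate and sees the full node, so it can key on a hidden property.
        if role.row_filter is not None and not role.row_filter(node["props"]):
            continue
        # The user's predicate only sees readable properties; otherwise a user could
        # probe hidden values by filtering on them.
        visible = {k: v for k, v in node["props"].items() if k in role.readable_props}
        if user_predicate(visible):
            results.append(visible)
    return results


# Same name-based grants; only the second role carries a value-based filter.
NAME_ONLY = Role({"Patient"}, {"name", "clinic"})
NORTH_ONLY = Role({"Patient"}, {"name", "clinic"},
                  row_filter=lambda p: p.get("clinic") == "north")

if __name__ == "__main__":
    print(run_query(NAME_ONLY, lambda p: True))
    print(run_query(NORTH_ONLY, lambda p: True))
    print(run_query(NORTH_ONLY, lambda p: p.get("clinic") == "south"))
```

With name-based grants alone, both roles can reach every `Patient` node; only the role carrying a value filter is confined to its own clinic, whatever predicate the user supplies.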
@sep2 Any update on this, were you able to implement this?
@nithin-uppila Sorry to hear that two years later this is still not implemented. We switched away from neo4j since it lacks many features and doesn't provide too much gain regarding performance. I don't see neo4j implementing this in the near future. In fact, if you consider row-level security a must, then the relational model may be a better fit than the graph model for your domain. You may want to look at the AGE project for Postgres as an alternative. We are still using raw Postgres though. It has everything we need to do the "graph" things, and is much more mature in other features.
Hello! We have good news: Neo4j is enhancing the current RBAC implementation by enabling access control based on the value of properties on a node. Let me add a couple of examples here:
Many thanks for the detailed response @sep2
Hi,
I wish to secure access for the data contained in my Neo4j database down to the level of individual nodes.
In a relational database, this is called "Row-Level-Security".
https://mariadb.com/blog/protect-your-data-row-level-security-mariadb-100
http://kb.tableau.com/articles/knowledgebase/row-level-security-and-user-filters