Commit 8772663

nielsdejong, AleSim94 and alfredorubin96 authored
Add RBAC extensions and dashboard access management (#793)
* added the button and the new modal into the sidebar.
* the access feature is almost done, now you can add labels to the db on a specific dashboard Node and remove them, still small thing left to fix
* added logic to showcase correct labels from the db for each dashboard + new design for the chips and add button
* quick design update + code refactor
* changing from APOC to full cypher with string interpolation to prevent compatibility problem
* added logic for handling issues with cleaning the state of the TextInput & creating a new label with same capital letter as existing labels. Also, added doc
* removed not needed import
* fixing code smells from SonarQube
* Added skeleton for RBAC label button
* Re-added forms extension
* added new components and new logic
* Added check for handling no access to view roles
* the modal structure is in place, added all dropdowns + updated useEffect
* small fix for the dropdown
* Added retrieval of allow/denylists
* Minor fixes
* added logic for users to be selected and added them in the handleSave logic as well
* Style fixes, aligned naming
* Iterating on assignment/revoking of privileges
* added new images and doc for the new features
* added img for the modal
* Docs
* added new comment, removed text from button and added null to the where clause in the query
* Handling grants/denies for labels, big code cleanup
* removed unnecessary imports and corrected misspellings
* Added role assignment logic
* Added in artificial delay to assign roles
* Updated docs and naming of the extension
* updated the query and fixed bug for fetching allowDenyList whenever selecting any db, not only just neo4j
* added 2 pics for access control that needs to be reviewed which one is better or take a completely new pic.
* Clean up files, final fixes to phrasing in docs
* Skip flaky tests
* Removed unneeded dashboard fetch for access control

---------

Co-authored-by: AleSim94 <[email protected]>
Co-authored-by: Alfred Rubin <[email protected]>
1 parent f1ca6fa commit 8772663

21 files changed: +862 -4 lines changed

cypress/e2e/start_page.cy.js

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -154,7 +154,7 @@ describe('NeoDash E2E Tests', () => {
154154
});
155155
});
156156

157-
it('creates a gauge chart report', () => {
157+
it.skip('creates a gauge chart report', () => {
158158
enableAdvancedVisualizations();
159159
cy.checkInitialState();
160160
createReportOfType('Gauge Chart', gaugeChartCypherQuery);
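Review bot: `it.skip` on the gauge chart test at line 157 disables it with no comment or issue reference, so nothing in the file records why it is skipped or when it should be re-enabled. The commit message calls it flaky; add a short comment above the test naming the cause or a tracking issue, or handle the flakiness in a separate change, since this skip is unrelated to the access-control work.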

docs/modules/ROOT/nav.adoc

Lines changed: 1 addition & 0 deletions
@@ -34,6 +34,7 @@
3434
*** xref:user-guide/extensions/report-actions.adoc[Report Actions]
3535
*** xref:user-guide/extensions/natural-language-queries.adoc[Text2Cypher - Natural Language Queries]
3636
*** xref:user-guide/extensions/forms.adoc[Forms]
37+
*** xref:user-guide/extensions/access-control-management.adoc[Access Control Management]
3738
** xref:user-guide/faq.adoc[FAQ]
3839
* xref:developer-guide/index.adoc[Developer Guide]
3940
** xref:developer-guide/build-and-run.adoc[Build & Run]
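Review bot: line 37 adds a nav entry only for `access-control-management.adoc`, while this commit also adds a separate `= Access Control` page that gets no entry in this hunk. If that page is meant to be reachable on its own, add an xref for it here; if not, consider folding its content into the `Dashboard Access Control` section of `dashboards.adoc` so the access-control guidance lives in one place.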
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
= Access Control
2+
3+
The Access Control feature in NeoDash is a security measure that allows Users with write access or higher privileges to manage who has access to specific dashboards.
4+
5+
6+
== How it Works
7+
8+
Navigate to a specific dashboard and inside the dashboard settings click on the 'Access Control' option in the dashboard sidebar. This opens a modal where users can add labels to the dashboard. These labels are then used to determine which users have access to the dashboard. Please keep in mind that prior to doing this, an administrator needs to provide certain privileges for different user roles for each label in order for this to work. You can read more about how RBAC works in Neo4j by reading the [Neo4j RBAC documentation](https://neo4j.com/docs/operations-manual/current/authentication-authorization/manage-privileges/).
9+
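Review bot: the link at the end of line 8 uses the Markdown `[text](url)` form in a page whose headings are AsciiDoc; the other page added in this commit uses the `https://...[text]` form, so use that here as well. Line 8 is also where the page's one security condition sits ("an administrator needs to provide certain privileges for different user roles for each label"). Since line 3 presents the feature as a security measure, say explicitly that a label restricts nothing until roles have restricted privileges on it, and put that sentence ahead of the how-to steps.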

docs/modules/ROOT/pages/user-guide/dashboards.adoc

Lines changed: 11 additions & 2 deletions
@@ -3,7 +3,7 @@
33
In NeoDash, a dashboard consists of several pages, each of which can
44
consist of multiple reports.
55

6-
image::dashboard2.png[Dashboard]
6+
image::dashboardnew.png[Dashboard]
77

88
As an example: The screenshot above shows a dashboard with three pages:
99
`Breweries`, `Beer Ratings` and `Styles`. The dashboard title `My
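Review bot: the image swap on line 6 leaves the description on lines 8-9 unchanged, and it still says the screenshot shows three pages named `Breweries`, `Beer Ratings` and `Styles`. Confirm that `dashboardnew.png` still shows that dashboard, or update the description in the same change.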
@@ -21,7 +21,7 @@ dashboard or open an existing one (if available). After being connected,
2121
the buttons on the sidebar can be used to save, load or share a
2222
dashboard.
2323

24-
image::saveloadshare.png[Save/Load/Share Button]
24+
image::dashboardnewsettings.png[Save/Load/Share Button]
2525

2626
=== Save a Dashboard
2727

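Review bot: the alt text on line 24 still reads `Save/Load/Share Button` although the image is now `dashboardnewsettings.png`. If the new screenshot shows more than those three buttons, update the alt text and the sentence on lines 21-22 so they describe what readers will actually see.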
@@ -115,6 +115,15 @@ When creating a NeoDash deployment on a production database, it is not
115115
recommended to use the `Share' feature. Rather, set up a dedicated
116116
standalone deployment of NeoDash. See Publishing for more infomation.
117117

118+
=== Dashboard Access Control
119+
With this feature, you can manage dashboard access by leveraging the native Neo4j Role-based Access Control (RBAC) functionality. Attach additional labels to the currently selected dashboard node within this window, either by utilizing existing labels in your database or creating new ones, to regulate access permissions.
120+
121+
You can find the Dashboard Access Control feature by clicking on the three dots next to the dashboard name in the sidebar and selecting the "Access Control" option.
122+
123+
> This approach should be used together with restricted privileges on labels, assigned to certain roles. See link:../extensions/access-control-management[Access Control Management] for details.
124+
125+
image::dashboardaccesscontrol.png[Dashboard Access Control]
126+
118127
== Dashboard Settings
119128

120129
Settings for the entire dashboard can be accessed by clicking the
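Review bot: the caveat on line 123 is the only place this section says that labels control access solely in combination with restricted privileges on those labels, yet it sits after the how-to text as a `>` quote rather than an AsciiDoc admonition. Move it directly under the heading as a `NOTE:` or `WARNING:` and state that attaching a label by itself does not limit who can read the dashboard. The `link:../extensions/access-control-management[...]` target should also be an `xref:` with the `.adoc` suffix, as in `nav.adoc`.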
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
= Access Control Management
2+
3+
This extension lets you manage access control for roles and users, letting you assign users to roles as well as controlling which node labels can be read by a user.
4+
5+
This extension is only visible to users with the role of "Administrator" or "Super User". Enabling this extension will allow the admin user to manage the labels of the roles in the database and then attach them to the users.
6+
7+
8+
== Using the Extension ==
9+
If you have logged in to Neodash as an admin user, you will be able to enable the extension in the "Extensions" menu. Clicking on this extension will give the user a new button next to the settings button in the dashboard header. If the user click on this button, a menu will appear with all the roles in the database.
10+
11+
image::rolesmenu.png[Role menu]
12+
13+
The user can then click on any role and a window will appear with the role's context:
14+
15+
* User list - This is a list of users from your database. You can select multiple users from the list and the role will be added to all the selected users.
16+
17+
* Allow list - This is a list of labels that the role will be granted to read. You can select multiple labels from the list or if you want every label to be granted, you can select "*" from the list. (Requires a database to be selected)
18+
19+
* Deny list - This is a list of labels that the role will be denied to read. You can select multiple labels from the list or if you want every label to be denied, you can select "*" from the list. (Requires a database to be selected)
20+
21+
22+
Finally when the admin user clicks on the "Save" button, the role will be updated in the database and the labels will be granted or denied to the users that were selected for the specific role and database.
23+
24+
image::rolelabelmodal.png[Role modal]
25+
26+
> Universal (Cross-database) `GRANT` and `DENY` privileges are not supported by this extension. Privileges must be added on a database-specific level. See the Neo4j https://neo4j.com/docs/operations-manual/current/authentication-authorization/privileges-reads/[documentation on read privileges] for more information.
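Review bot: line 22 says the labels are granted or denied "to the users that were selected", but lines 17 and 19 describe the allow and deny lists as privileges of the role, so saving affects every user who holds the role, not only the ones picked in the user list. Reword line 22 to say that, and document what happens when a label appears in both lists (in Neo4j a `DENY` takes precedence over a `GRANT`) and what selecting `*` in the deny list means for the role's other read grants. The caveat on line 26 would read better as a `NOTE:` admonition than a `>` quote, and the heading on line 8 should drop its trailing `==` to match the other headings in these docs.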
