|
1 | 1 | [role=enterprise-edition] |
2 | 2 | [[auth-access-control]] |
3 | 3 | = Fine-grained access control |
4 | | -:description: Describes an example that illustrates various aspects of security and fine-grained access control. |
| 4 | +:description: Describes an example that illustrates various aspects of security and fine-grained access control. |
5 | 5 |
|
6 | 6 | When creating a database, administrators may want to establish which users have the ability to access certain information. |
7 | 7 |
|
8 | | -As described in xref:authentication-authorization/built-in-roles/auth-built-in-roles[Built-in roles], Neo4j already offers preset roles configured to specific permissions (i.e. read, edit, or write). |
| 8 | +As described in xref:authentication-authorization/built-in-roles/auth-built-in-roles[Built-in roles], Neo4j already offers preset roles configured to specific permissions (i.e. read, edit, or write). |
9 | 9 | While these built-in roles cover many common daily scenarios, it is also possible to create custom roles for specific needs. |
10 | 10 |
|
11 | 11 | This page contains an example that illustrates various aspects of security and fine-grained access control. |
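Review bot: the `-`/`+` pairs for the `:description:` line and for the `As described in ...` line (file lines 4 and 8) show no visible difference, so this is whitespace-only cleanup; say so in the commit message, otherwise reviewers hunt for a wording change that is not there. While the second line is being touched anyway, `(i.e. read, edit, or write)` lists examples of what the preset roles permit, not an exhaustive definition, so `e.g.` is the accurate abbreviation.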
@@ -35,7 +35,7 @@ They can be described using the properties: |
35 | 35 | * `description` |
36 | 36 |
|
37 | 37 | `(:Disease)`:: |
38 | | -Known illnesses mapped in a catalog found in the database. |
| 38 | +Known illnesses mapped in a catalog found in the database. |
39 | 39 | They can be described using the properties: |
40 | 40 | + |
41 | 41 | * `name` |
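Review bot: the only change in this hunk, `Known illnesses mapped in a catalog found in the database.`, is identical on the `-` and `+` lines, so it is trailing-whitespace cleanup; since the line is already being rewritten, `Known illnesses catalogued in the database.` says the same thing without the doubled qualifier (`mapped in a catalog found in`).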
@@ -82,7 +82,7 @@ This same database would be used by a number of different users, each with diffe |
82 | 82 |
|
83 | 83 | Unlike applications which often require users to be modeled within the application itself, databases provide user management resources such as roles and privileges. |
84 | 84 | This allows users to be created entirely within the database security model, a strategy that allows the separation of access to the data and the data itself. |
85 | | -For more information, see link:/docs/cypher-manual/{neo4j-version}/access-control/[Cypher Manual -> Access control]. |
| 85 | +For more information, see link:{neo4j-docs-base-uri}/cypher-manual/current/access-control/[Cypher Manual -> Access control]. |
86 | 86 |
|
87 | 87 | The following examples show two different approaches to using Neo4j security features to support the _healthcare_ database application. |
88 | 88 | The first approach uses xref:authentication-authorization/built-in-roles/auth-built-in-roles[Built-in roles], whereas the second uses more advanced resources with fine-grained privileges for <<auth-access-control-using-privileges, sub-graph access control>>. |
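Review bot: replacing `{neo4j-version}` with the literal `current` in `link:{neo4j-docs-base-uri}/cypher-manual/current/access-control/` decouples this page from the release it documents: a reader of an older Operations Manual version is sent to the current Cypher Manual, and the privilege commands this page is built on (`GRANT`, `DENY`, `REVOKE`, `SHOW ... PRIVILEGES AS COMMANDS`) are exactly the area most likely to differ between releases. Unless the site deliberately pins cross-manual links to `current`, `{neo4j-docs-base-uri}/cypher-manual/{neo4j-version}/access-control/` keeps the version pairing; either way, confirm `neo4j-docs-base-uri` is defined in the site attributes, because an undefined AsciiDoc attribute is rendered literally and the link breaks without an error.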
@@ -128,13 +128,13 @@ Neo4j comes with built-in roles that cover a number of common needs: |
128 | 128 | * `architect` - Has all the capabilities of the publisher as well as the ability to manage indexes and constraints. |
129 | 129 | * `admin` - Can perform architect actions as well as manage databases, users, roles, and privileges. |
130 | 130 |
|
131 | | -Consider Charlie from the example of users. |
| 131 | +Consider Charlie from the example of users. |
132 | 132 | As a researcher, they do not need write access to the database, so they are assigned the `reader` role. |
133 | 133 |
|
134 | | -On the other hand, Alice (the doctor), Daniel (the nurse), and Bob (the receptionist) all need to update the database with new patient information, but do not need to expand the schema with new labels, relationship types, property names or indexes. |
| 134 | +On the other hand, Alice (the doctor), Daniel (the nurse), and Bob (the receptionist) all need to update the database with new patient information, but do not need to expand the schema with new labels, relationship types, property names or indexes. |
135 | 135 | For this reason, they are all assigned the `editor` role. |
136 | 136 |
|
137 | | -Tina, the IT administrator who installs and manages the database, needs to be assigned the `admin` role. |
| 137 | +Tina, the IT administrator who installs and manages the database, needs to be assigned the `admin` role. |
138 | 138 |
|
139 | 139 | Here is how to grant roles to the users: |
140 | 140 |
|
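Review bot: the three `-`/`+` pairs in this hunk (`Consider Charlie ...`, `On the other hand, Alice ...`, `Tina, the IT administrator ...`) are identical, so again whitespace-only. On substance, assigning the built-in `editor` role to Alice, Daniel and Bob (file line 135) gives the receptionist read and write on the whole graph, which contradicts the requirement on file line 184 that a receptionist must `not be able to see the symptoms, diseases, or diagnoses`, and `reader` for Charlie likewise exposes the patient data that file line 186 says the researcher should have restricted access to. The page only resolves this in the fine-grained section, so one sentence here saying that the built-in approach over-grants for the receptionist and researcher and that the second approach is what enforces the per-role restrictions would stop a reader from adopting the first approach as-is.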
@@ -183,11 +183,11 @@ Has the permission to save _diagnoses_ to the database, but not expand the schem |
183 | 183 | Receptionist:: |
184 | 184 | Should be able to read and write all patient data, but not be able to see the symptoms, diseases, or diagnoses. |
185 | 185 | Researcher:: |
186 | | -Should be able to perform statistical analysis of all data, except patients’ personal information, to which they should have restricted access. |
| 186 | +Should be able to perform statistical analysis of all data, except patients’ personal information, to which they should have restricted access. |
187 | 187 | To illustrate two different ways of setting up the same effective privileges, two roles are created for comparison. |
188 | 188 | Nurse:: |
189 | 189 | Should be able to perform all tasks that both the doctor and the receptionist can do. |
190 | | -Granting both roles (doctor and receptionist) to the nurse does not work as expected. |
| 190 | +Granting both roles (doctor and receptionist) to the nurse does not work as expected. |
191 | 191 | This is explained in the section dedicated to the creation of the `nurse` role. |
192 | 192 | Junior nurse:: |
193 | 193 | While the senior nurse is able to save diagnoses just as a doctor can, some (junior) nurses might not be allowed to do that. |
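Review bot: `except patients’ personal information` on the `+` line keeps a typographic apostrophe (U+2019) where the rest of the file uses ASCII `'`; since the line is being rewritten anyway, normalise it so text searches for `patients'` match. The line is otherwise identical to its `-` line (whitespace-only), as is `Granting both roles (doctor and receptionist) to the nurse does not work as expected.`; that sentence makes a strong claim and only promises an explanation elsewhere, so an `xref` to the nurse section would make the list self-contained.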
@@ -278,7 +278,7 @@ SHOW ROLE itadmin PRIVILEGES AS COMMANDS; |
278 | 278 |
|
279 | 279 | [NOTE] |
280 | 280 | ==== |
281 | | -Privileges that were granted or denied earlier can be revoked using link:/docs/cypher-manual/{neo4j-version}/access-control/manage-privileges/#access-control-revoke-privileges[the `REVOKE` command]. |
| 281 | +Privileges that were granted or denied earlier can be revoked using link:{neo4j-docs-base-uri}/cypher-manual/current/access-control/manage-privileges/#access-control-revoke-privileges[the `REVOKE` command]. |
282 | 282 | ==== |
283 | 283 |
|
284 | 284 | To provide the IT administrator `tina` these privileges, they must be assigned the new role `itadmin`: |
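Review bot: this `[NOTE]` block about `REVOKE` is the same text as the copies at file lines 503, 790 and 841 in later hunks, and this commit has to patch the link in all four; moving the sentence into a single AsciiDoc `include::` (or a document attribute) would make the next link change a one-line edit and stop the copies drifting. The link target carries the same `current` versus `{neo4j-version}` question raised on the access-control link above.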
@@ -500,7 +500,7 @@ If the `researcherB` role is revoked to Charlie, but `researcherW` is granted, w |
500 | 500 |
|
501 | 501 | [NOTE] |
502 | 502 | ==== |
503 | | -Privileges that were granted or denied earlier can be revoked using link:/docs/cypher-manual/{neo4j-version}/access-control/manage-privileges/#access-control-revoke-privileges[the `REVOKE` command]. |
| 503 | +Privileges that were granted or denied earlier can be revoked using link:{neo4j-docs-base-uri}/cypher-manual/current/access-control/manage-privileges/#access-control-revoke-privileges[the `REVOKE` command]. |
504 | 504 | ==== |
505 | 505 |
|
506 | 506 | === Privileges of `doctor` |
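Review bot: the context line shown in this hunk's header, `If the `researcherB` role is revoked to Charlie, but `researcherW` is granted`, should read `revoked from Charlie`; it is one line outside the change but on screen here, and fixing it in the same commit is cheaper than a follow-up. The `[NOTE]` body is the second of the four identical `REVOKE` notes.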
@@ -709,7 +709,7 @@ RETURN n.name, n.ssn, n.address, n.dateOfBirth; |
709 | 709 |
|
710 | 710 | [[detach-delete-restricted-user]] |
711 | 711 |
|
712 | | -With the `receptionist` role, Bob can delete any new patient nodes they have just created, but they are not able to delete patients that have already received diagnoses since those are connected to parts of the graph that Bob cannot see. |
| 712 | +With the `receptionist` role, Bob can delete any new patient nodes they have just created, but they are not able to delete patients that have already received diagnoses since those are connected to parts of the graph that Bob cannot see. |
713 | 713 | Here is a demonstration of both scenarios: |
714 | 714 |
|
715 | 715 | [source, cypher] |
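Review bot: the `+` line `... they are not able to delete patients that have already received diagnoses since those are connected to parts of the graph that Bob cannot see` explains the failure in terms of visibility, but the fix shown in the next hunk's context, `GRANT DELETE ON GRAPH healthcare RELATIONSHIPS HAS, DIAGNOSIS TO receptionist;`, is a DELETE privilege on the relationship types, not a read or traverse grant. Stating that `DETACH DELETE` needs DELETE on every relationship attached to the node, and that `receptionist` lacks it for `HAS` and `DIAGNOSIS`, tells the reader which privilege is missing instead of leaving them to infer it from the later grant.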
@@ -787,7 +787,7 @@ GRANT DELETE ON GRAPH healthcare RELATIONSHIPS HAS, DIAGNOSIS TO receptionist; |
787 | 787 |
|
788 | 788 | [NOTE] |
789 | 789 | ==== |
790 | | -Privileges that were granted or denied earlier can be revoked using link:/docs/cypher-manual/{neo4j-version}/access-control/manage-privileges/#access-control-revoke-privileges[the `REVOKE` command]. |
| 790 | +Privileges that were granted or denied earlier can be revoked using link:{neo4j-docs-base-uri}/cypher-manual/current/access-control/manage-privileges/#access-control-revoke-privileges[the `REVOKE` command]. |
791 | 791 | ==== |
792 | 792 |
|
793 | 793 | === Privileges of nurses |
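Review bot: the grant in this hunk's context, `GRANT DELETE ON GRAPH healthcare RELATIONSHIPS HAS, DIAGNOSIS TO receptionist;`, lets a role that per file line 184 must not see symptoms, diseases or diagnoses delete the `HAS` and `DIAGNOSIS` relationships anyway, i.e. the receptionist can remove data it cannot read. That is a deliberate widening of the role, and one sentence beside the grant saying so (and that `DETACH DELETE` will remove those relationships along with the patient node) would make someone copying this into a real deployment take the trade-off consciously.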
@@ -838,7 +838,7 @@ SHOW USER daniel PRIVILEGES AS COMMANDS; |
838 | 838 |
|
839 | 839 | [NOTE] |
840 | 840 | ==== |
841 | | -Privileges that were granted or denied earlier can be revoked using link:/docs/cypher-manual/{neo4j-version}/access-control/manage-privileges/#access-control-revoke-privileges[the `REVOKE` command]. |
| 841 | +Privileges that were granted or denied earlier can be revoked using link:{neo4j-docs-base-uri}/cypher-manual/current/access-control/manage-privileges/#access-control-revoke-privileges[the `REVOKE` command]. |
842 | 842 | ==== |
843 | 843 |
|
844 | 844 | Now the intention is that a nurse can perform the actions of a receptionist, which means they should be able to read and write the `address` field of the `Patient` nodes. |
@@ -1111,7 +1111,7 @@ neo4j@system> SHOW USER tina PRIVILEGES AS COMMANDS; |
1111 | 1111 | ==== |
1112 | 1112 | No other privilege management privileges were granted here. |
1113 | 1113 | How much power this role should have would depend on the requirements of the system. |
1114 | | -Refer to the section link:/docs/cypher-manual/{neo4j-version}/access-control/built-in-roles/[Cypher Manual -> The `admin` role] for a complete list of privileges to consider. |
| 1114 | +Refer to the section link:{neo4j-docs-base-uri}/cypher-manual/current/access-control/built-in-roles/[Cypher Manual -> The `admin` role] for a complete list of privileges to consider. |
1115 | 1115 | ==== |
1116 | 1116 |
|
1117 | 1117 | Now Tina should be able to create new users and assign them to roles: |
|
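Review bot: the link text `Cypher Manual -> The `admin` role` does not match its target `{neo4j-docs-base-uri}/cypher-manual/current/access-control/built-in-roles/`, which is the page for all built-in roles, while the sentence promises `a complete list of privileges to consider`; either point the link at the `admin` section of that page if it has an anchor, or rename the link text to `Built-in roles` so it describes where the reader lands. The `current` versus `{neo4j-version}` concern from the first link hunk applies here as well.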