modules/ROOT/pages/authentication-authorization/limitations.adoc
+2 -1 Lines changed: 2 additions & 1 deletion
@@ -391,7 +391,8 @@ So due to the additional data access required by the security checks, this opera
391
391
[[property-based-access-control-limitations]]
392
392
=== Property-based access control limitations
393
393
Extra element-level security checks are necessary when adding security rules based on property rules, and these can have a significant performance impact.
394
-
The following example shows how the database behaves when adding security rules to roles `restricted` and `unrestricted`:
394
+
395
+
The following example shows how the database behaves when adding security rules for nodes to roles `restricted` and `unrestricted`, the same limitations apply to relationships as well:
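Review bot: The added line 395 joins two independent clauses with a comma ("... to roles `restricted` and `unrestricted`, the same limitations apply to relationships as well:"), so the colon that introduces the example now follows the remark about relationships instead of the sentence about the example. Suggest moving the remark into its own sentence before it, for example "The same limitations apply to relationships.", and keeping the example sentence as the one that ends with the colon. The empty line added at 394 also starts a new paragraph after the performance sentence; confirm that break is intended.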
modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc
+6 -6 Lines changed: 6 additions & 6 deletions
@@ -12,9 +12,9 @@ CREATE ROLE regularUsers;
12
12
[[property-based-access-control]]
13
13
= Property-based access control
14
14
15
-
Property-based access control grants permissions to users to read element properties based on property/value conditions.
15
+
Property-based access control grants/denies permission to read or traverse elements based on property/value conditions.
16
16
Each property-based privilege can only be restricted by a single property.
17
-
For information about read privileges and their syntax, see xref:authentication-authorization/privileges-reads.adoc[Read privileges].
17
+
For information and syntax for these privileges, see xref:authentication-authorization/privileges-reads.adoc[Read privileges].
18
18
19
19
[IMPORTANT]
20
20
====
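Review bot: On line 17 the xref label still reads "Read privileges" and targets privileges-reads.adoc, while the rewritten line 15 now says the feature covers traversal as well as reads, and denies as well as grants. Confirm that the target page documents all of these, or add a link for the parts it does not cover, so a reader writing a property-based DENY or traverse rule is not pointed at a page that appears to cover READ only. On wording, "For information and syntax for these privileges" reads better as "For information about these privileges and their syntax", and "grants/denies" could be spelled out as "grants or denies".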
@@ -25,7 +25,7 @@ Users who can change this property can affect the granted property-based privile
25
25
26
26
== Syntax
27
27
28
-
To specify the property/value conditions of the read privilege, you can use the following syntax:
28
+
To specify the property/value conditions of the privilege, you can use the following syntax:
29
29
30
30
[source, syntax, role="noheader"]
31
31
----
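Review bot: On line 28, dropping "read" leaves "the privilege" without a clear referent at the start of the Syntax section. Suggest "a property-based privilege" so the sentence stands on its own for readers who land on this section directly.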
@@ -99,13 +99,13 @@ Alternatively, you can use the following syntax:
99
99
GRANT READ { address } ON GRAPH * FOR (:Email|Website {domain: 'exampledomain.com'}) TO regularUsers
100
100
----
101
101
102
-
=== Grant a property-based privilege on a specific property using the value of that same property
102
+
=== Grant a property-based privilege on a specific property using the value of another property
103
103
104
-
The following example shows how to grant permission to `READ` the `since` property on `OWNS` relationships having `since` equal to `2025-01-01` to role `regularUsers`:
104
+
The following example shows how to grant permission to `READ` the `since` property on `OWNS` relationships having `classification` equal to `UNCLASSIFIED` to role `regularUsers`:
105
105
106
106
[source, syntax, role="noheader"]
107
107
----
108
-
GRANT READ { since } ON GRAPH * FOR ()-[o:OWNS]-() WHERE o.since = date("2025-01-01") TO regularUsers
108
+
GRANT READ { since } ON GRAPH * FOR ()-[o:OWNS]-() WHERE o.classification = 'UNCLASSIFIED' TO regularUsers
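Review bot: The rewritten example on line 108 gates `READ { since }` on `o.classification`, a different property from the one being exposed, and nothing near it repeats the page's earlier warning that users who can change the condition property can affect the granted privilege. Suggest a sentence or xref after the example saying that write access to `classification` on `OWNS` relationships effectively decides who can read `since`. Separately, the heading on line 102 is renamed instead of a new section being added, so the same-property example with `date("2025-01-01")` disappears; if that case should stay documented, add the new example as its own section.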