modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc
14 additions & 4 deletions
@@ -12,7 +12,7 @@ CREATE ROLE regularUsers;
12
12
[[property-based-access-control]]
13
13
= Property-based access control
14
14
15
-
Property-based access control grants permissions to users to read node properties based on property/value conditions.
15
+
Property-based access control grants permissions to users to read element properties based on property/value conditions.
16
16
Each property-based privilege can only be restricted by a single property.
17
17
For information about read privileges and their syntax, see xref:authentication-authorization/privileges-reads.adoc[Read privileges].
18
18
@@ -40,7 +40,9 @@ To specify the property/value conditions of the read privilege, you can use the
40
40
| FOR {
41
41
42
42
([var][:label["|" ...]] "{" property: value "}")
43
-
| (var[:label["|" ...]])
43
+
| (var[:label["|" ...]])
44
+
| ()[<]-"["[var][:type["|" ...]] "{" property: value "}" "]"-[>]()
45
+
| ()[<]-"["var[:type["|" ...]]"]"-[>]()
44
46
WHERE [NOT] var.property { { = | <> | > | >= | < | <= } value | IS NULL | IS NOT NULL | IN { "["[value[, ...]]"]" | listParam } }
45
47
| (var[:label["|" ...]]
46
48
WHERE [NOT] var.property { { = | <> | > | >= | < | <= } value | IS NULL | IS NOT NULL | IN { "["[value[, ...]]"]" | listParam } } )
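Review bot: inserting the two relationship alternatives between `| (var[:label["|" ...]])` and the `WHERE [NOT] var.property ...` line changes how the table reads: the WHERE clause now visually attaches only to the last alternative, `| ()[<]-"["var[:type["|" ...]]"]"-[>]()`, and the node-pattern-with-WHERE form survives only in the parenthesized variant `| (var[:label["|" ...]] WHERE ... )` below. Either repeat the WHERE line after the node alternative or group the alternatives so it is explicit that WHERE applies to both node and relationship patterns, and consider adding a parenthesized relationship variant to mirror the node one. Minor: the new map-form line ends `"}" "]"` with a space before the closing bracket while the new WHERE-form line ends `...]]"]"` without one; pick one spacing.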
@@ -57,7 +59,7 @@ See xref:authentication-authorization/limitations.adoc#property-based-access-con
57
59
58
60
When having property rules, the following factors can worsen the impact on performance:
59
61
60
-
* The number of properties on the nodes concerned (more properties = greater performance impact).
62
+
* The number of properties on the elements concerned (more properties = greater performance impact).
61
63
* The number of property-based privileges (more property-based privileges = greater performance impact).
62
64
* The type of the privilege: `TRAVERSE` property-based privileges have greater performance impact than `READ` property-based privileges.
63
65
* The type of storage medium in operation. The impact of the property-based privileges on performance is considerably amplified by accessing disc storage.
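Review bot: the nodes-to-elements change in the first bullet is consistent with the first hunk; while this list is being touched, the unchanged last bullet spells it "disc storage", which should be "disk storage", and the introductory line "When having property rules" would read more naturally as "When property rules are in place". Since the third bullet contrasts `TRAVERSE` and `READ` property-based privileges, it may also be worth stating whether the relationship patterns added in this commit carry the same relative cost.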
@@ -81,7 +83,7 @@ GRANT privilege-name ON GRAPH graph-name FOR pattern TO role-name
81
83
The user role does not need to have `READ` privilege for the property used by the property-based privilege.
82
84
====
83
85
84
-
=== Grant a property-based privilege on a specific property using its value
86
+
=== Grant a property-based privilege on a specific property using the value of another property
85
87
86
88
The following example shows how to grant permission to `READ` the `address` property on `Email` or `Website` nodes with domain `exampledomain.com` to role `regularUsers`:
87
89
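Review bot: renaming the `===` heading changes its auto-generated AsciiDoc section id, and unlike the top-level heading with its explicit `[[property-based-access-control]]` anchor, this section has no `[[...]]` anchor visible, so any xref that pointed at the old "using its value" id will break; add an explicit anchor above the heading (or keep the previous id) before merging. The new title is accurate for the example that follows, which conditions on `domain` while granting `READ` on `address`.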
@@ -97,6 +99,14 @@ Alternatively, you can use the following syntax:
97
99
GRANT READ { address } ON GRAPH * FOR (:Email|Website {domain: 'exampledomain.com'}) TO regularUsers
98
100
----
99
101
102
+
=== Grant a property-based privilege on a specific property using the value of that same property
103
+
104
+
The following example shows how to grant permission to `READ` the `since` property on `OWNS` relationships having `since` equal to `2025-01-01` to role `regularUsers`:
105
+
106
+
[source, syntax, role="noheader"]
107
+
----
108
+
GRANT READ { since } ON GRAPH * FOR ()-[o:OWNS]-() WHERE o.since = date("2025-01-01") TO regularUsers
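Review bot: the hunk header advertises 14 new-side lines from line 99 but the rendered hunk stops at the opening `----` delimiter on line 108, so the closing `----` and any text after the example are not visible here; confirm the source block is terminated. Separately, the prose says relationships "having `since` equal to `2025-01-01`" while the example compares against `date("2025-01-01")`, a Date value: a `since` property stored as a string will not satisfy that condition, so either say the comparison is against a date value or show the literal type, otherwise a reader may grant a privilege that silently matches nothing. The undirected `()-[o:OWNS]-()` pattern also matches `OWNS` relationships in either direction, which is worth a word since the syntax table allows `[<]-` and `-[>]` to restrict direction.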