modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc
10 additions & 10 deletions
@@ -12,7 +12,9 @@ CREATE ROLE regularUsers;
12
12
[[property-based-access-control]]
13
13
= Property-based access control
14
14
15
-
In Neo4j, you can grant read privileges based on properties of nodes.
15
+
Property-based access control grants permissions to users to read node properties based on property/value conditions.
16
+
Each property-based privilege can only be restricted by a single property.
17
+
For information about read privileges and syntax, see xref:authentication-authorization/privileges-reads.adoc[Read privileges].
16
18
17
19
[IMPORTANT]
18
20
====
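Review bot: the new opening sentence on the first added `+` line defines property-based access control as granting permission "to read node properties", yet the examples in this same file also grant `TRAVERSE` and deny `MATCH` (see the later hunk headers `GRANT TRAVERSE ON GRAPH * FOR (n:Email) WHERE ...` and `DENY MATCH {*} ON GRAPH * ...`). Consider wording it as "read privileges (`READ`, `TRAVERSE`, `MATCH`)" so the definition matches what the page demonstrates. The second added line, "Each property-based privilege can only be restricted by a single property", introduces a new restriction with no example or link; a short statement of what happens when two properties are used, or an xref to where that limit is specified, would make it verifiable for the reader.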
@@ -23,7 +25,6 @@ Users who can change this property can affect the granted property-based privile
23
25
24
26
== Syntax
25
27
26
-
For information about read privileges and syntax, see xref:authentication-authorization/privileges-reads.adoc[Read privileges].
27
28
28
29
To specify the property/value conditions of the read privilege, you can use the following `pattern` syntax:
29
30
@@ -68,7 +69,7 @@ The user role does not need to have `READ` privilege for the property used by th
68
69
69
70
=== Grant a property-based privilege on a specific property using its value
70
71
71
-
The following code shows how to grant permission to `READ` the `address` property on `Email` or `Website` nodes with domain `exampledomain.com` to role `regularUsers`.
72
+
The following example shows how to grant permission to `READ` the `address` property on `Email` or `Website` nodes with domain `exampledomain.com` to role `regularUsers`:
72
73
73
74
[source, syntax, role="noheader"]
74
75
----
@@ -85,7 +86,7 @@ GRANT READ { address } ON GRAPH * FOR (:Email|Website {domain: 'exampledomain.co
85
86
86
87
=== Grant a property-based privilege using `NULL`
87
88
88
-
If you want to grant permission to `TRAVERSE` nodes with label `Email` where property `classification` is `NULL` to role `regularUsers`, use the following command:
89
+
The following example shows how to grant permission to `TRAVERSE` nodes with the label `Email` where property `classification` is `NULL` to role `regularUsers`:
89
90
90
91
[source, syntax, role="noheader"]
91
92
----
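Review bot: the `IS NULL` sentence on the `+` line should say whether nodes that have no `classification` property at all are matched by `n.classification IS NULL` and therefore become traversable for `regularUsers`; that is the case a reader securing data will ask about, and it is the same concern the `[IMPORTANT]` block earlier raises about users who can change the property affecting the granted privilege.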
@@ -94,7 +95,7 @@ GRANT TRAVERSE ON GRAPH * FOR (n:Email) WHERE n.classification IS NULL TO regula
94
95
95
96
=== Deny a property-based privilege using a comparison operator
96
97
97
-
To deny permission to `READ` and `TRAVERSE` nodes where the property `classification` is different from `UNCLASSIFIED` to role `regularUsers`, use the code below:
98
+
The following example shows how to deny permission to `READ` and `TRAVERSE` nodes where the property `classification` is different from `UNCLASSIFIED` to role `regularUsers`:
98
99
99
100
[source, syntax, role="noheader"]
100
101
----
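Review bot: the prose on the `+` line says the command denies `READ` and `TRAVERSE`, but the statement in the hunk header is `DENY MATCH {*} ON GRAPH * FOR (n) WHERE n.classification <> 'UNCLASSIFIED' ...`; naming `MATCH` in the sentence (for example "deny `MATCH`, that is `READ` and `TRAVERSE`, ...") lets the reader map the sentence to the command. Since the preceding example treats `NULL` separately with `IS NULL`, one clause stating whether nodes whose `classification` is `NULL` fall under this `<>` deny would close the gap for readers combining the two examples.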
@@ -103,8 +104,7 @@ DENY MATCH {*} ON GRAPH * FOR (n) WHERE n.classification <> 'UNCLASSIFIED' TO re
103
104
104
105
=== Grant a property-based privilege on all properties using a property value
105
106
106
-
Imagine you need to grant permission to `READ` all properties on nodes where the property `securityLevel` is higher than `3` to role `regularUsers`.
107
-
The following example shows how to do that.
107
+
The following example shows how to grant permission to `READ` all properties on nodes where the property `securityLevel` is higher than `3` to role `regularUsers`:
108
108
109
109
[source, syntax, role="noheader"]
110
110
----
@@ -118,7 +118,7 @@ The role `regularUsers` does not need to have `READ` privilege for the property
118
118
119
119
=== Deny a property-based privilege using a list of values
120
120
121
-
The following code shows how to deny permission to `READ` all properties on nodes where the property `classification` is not included in the list of `[UNCLASSIFIED, PUBLIC]`.
121
+
The following example shows how to deny permission to `READ` all properties on nodes where the property `classification` is not included in the list of `[UNCLASSIFIED, PUBLIC]`:
122
122
123
123
[source, syntax, role="noheader"]
124
124
----
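Review bot: the prose on the `+` line writes the list as `[UNCLASSIFIED, PUBLIC]` without quotes, while the command in the hunk header uses string literals (`NOT n.classification IN ['UNCLASSIFIED', ...`); copying the prose form into a command would not express the same condition, so quote the values in the sentence as `['UNCLASSIFIED', 'PUBLIC']`.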
@@ -129,7 +129,7 @@ DENY READ {*} ON GRAPH * FOR (n) WHERE NOT n.classification IN ['UNCLASSIFIED',
129
129
130
130
=== Grant a property-based privilege using temporal value
131
131
132
-
Granting permission to `READ` all properties on nodes where the property `createdAt` is later than the current date
132
+
The following example shows how to grant permission to `READ` all properties on nodes where the property `createdAt` is later than the current date:
133
133
134
134
[source, syntax, role="noheader"]
135
135
----
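Review bot: "later than the current date" on the `+` line leaves open when "current" is evaluated, at grant time or each time a query runs; the context line of the following hunk ("This is essential when revoking property-based privileges containing evaluated f...") shows the page does cover evaluation, so either state it in this sentence or point forward to that note, because the two readings give very different access outcomes.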
@@ -148,7 +148,7 @@ This is essential when revoking property-based privileges containing evaluated f
148
148
Not all temporal values are comparable, see link:{neo4j-docs-base-uri}/cypher-manual/current/syntax/operators/#cypher-ordering[Cypher Manual -> Syntax -> Operators -> Ordering and comparison of values].
149
149
====
150
150
151
-
Show the privilege created by the command in the previous example as a revoke command
151
+
You can show the privilege created by the command in the previous example as a revoke command by running: