You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: modules/ROOT/pages/authentication-authorization/limitations.adoc
+8-6Lines changed: 8 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,8 @@ CREATE ROLE unrestricted;
14
14
[[access-control-limitations]]
15
15
= Limitations
16
16
17
-
Using Neo4j's role-based access control imposes some limitations and implications that users should be aware of, such as:
17
+
It is very important to apply the principle of least privilege when defining user roles and privileges.
18
+
Further to that, Neo4j's role-based access control has some limitations and implications that users should be aware of, such as:
18
19
19
20
* Impact on query results regardless of whether indexes are used.
20
21
* Impact on query results when nodes have multiple labels.
@@ -190,22 +191,22 @@ In this case, the query will return zero results rather than simply returning th
190
191
191
192
A `DENY` rule fails open when its criteria is not met, so Neo4j does not apply the restriction and it grants access by default if a broader `GRANT` exists.
192
193
This can lead to unintended data exposure if the `DENY` rule is not carefully crafted.
194
+
To avoid this, you can apply the principle of least privilege and allow access only to the specific data that the user should see.
193
195
194
196
For example, consider the following scenarios:
195
197
196
198
.Example of an un-met `DENY` failing open with property-based RBAC
197
199
====
198
-
You grant a user access to a property, but then try to restrict it with a `DENY` rule that does not match the data.
199
-
If the `DENY` rule does not match any data, it does not apply, and the user can still access the property.
200
-
200
+
You grant a user access to a property and try to restrict it with a `DENY` rule.
201
+
However, if the `DENY` rule does not match any data, for example, if the property is null or misspelled, the `DENY` rule will not apply, and the user can still access the property.
201
202
[source, cypher]
202
203
----
203
204
GRANT READ {salary} ON GRAPH * NODES Employee TO myRole
204
205
DENY READ {salary} ON GRAPH * FOR (e:Employee) WHERE e.position = 'CEO' TO myRole
205
206
----
206
207
In this case, if the `e.position` property is null or misspelled, the `DENY` rule will not apply, and `myRole` will see the `salary` property.
207
208
208
-
A better way is to use a `GRANT` rule that only allows access to the `salary` property for employees whose position is not 'CEO'.
209
+
A better way is to apply the principle of least privilege and only grant access to the `salary` property for employees whose position is not 'CEO'.
209
210
[source, cypher]
210
211
----
211
212
GRANT READ {salary} ON GRAPH * FOR (e:Employee) WHERE e.position <> 'CEO' TO myRole
@@ -244,7 +245,8 @@ Then, you try to restrict it with a `DENY` rule to prevent access to the `salary
244
245
DENY READ {salary} ON GRAPH * NODES Management TO myRole;
245
246
----
246
247
In this case, if the `Management` label is not present on a node that has the `salary` property, the `DENY` rule will not apply, and `myRole` will still see the `salary` property on that node.
247
-
A better way is to use a `GRANT` rule to only allow access to the `salary` property for nodes that have a specific label, such as `IndividualContributor`:
248
+
249
+
A better way is to apply the principle of least privilege and only grant access to the `salary` property for nodes that have a specific label, such as `IndividualContributor`:
248
250
[source, cypher]
249
251
----
250
252
GRANT READ {salary} ON GRAPH * NODES IndividualContributor TO myRole;
0 commit comments