Merged
Expand Up @@ -97,4 +97,18 @@ The role `regularUsers` does not need to have `READ` privilege for the property
[source, syntax, role="noheader"]
----
DENY READ {*} ON GRAPH * FOR (n) WHERE NOT n.classification IN ['UNCLASSIFIED', 'PUBLIC'] TO regularUsers
----
----

.Granting permission to `READ` all properties on nodes where the property `createdAt` is later than current date to role `regularUsers`:
[source, syntax, role="noheader"]
----
GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date() TO regularUsers
----
[NOTE]
====
The `date()` function will be evaluated and the value used to evaluate the privilege will be the date at the time the property-based privilege was created. Bear this in mind when designing your property rules and make use of the `SHOW PRIVILEGES AS COMMANDS` command to check what the stored value is. This is essential when revoking property-based privileges containing evaluated function values like `date()`.
====
[NOTE]
====
Not all temporal values are comparable, see link:{neo4j-docs-base-uri}/cypher-manual/{page-version}/syntax/operators/#cypher-ordering[Cypher Manual -> Syntax -> Operators -> Ordering and comparison of values].
====
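Review bot: The title of the new `GRANT` example says the privilege applies where `createdAt` is "later than current date", but the NOTE directly below it states that `date()` is evaluated once and the stored value is the date at the time the privilege was created. A reader who copies the example from its title alone will expect a moving cutoff and instead get a fixed one, so the set of readable nodes keeps growing as new nodes are created after that date. Suggest rewording the title to name the creation-time date, and, since the NOTE calls the stored value essential for revoking, showing the matching `REVOKE` with the literal date as reported by `SHOW PRIVILEGES AS COMMANDS`. Separately, as rendered here the `DENY` example is followed by two `----` lines in a row; the second one would open a new listing block and swallow the following title and `[source, syntax, role="noheader"]` line, so it should be checked and dropped if it is in the file. A blank line before each `[NOTE]` would also keep the blocks clearly separated.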