Merged
Changes from 1 commit
Expand Up @@ -390,7 +390,7 @@ So due to the additional data access required by the security checks, this opera

[[property-based-access-control-limitations]]
=== Property-based access control limitations
Extra node-level security checks are necessary when adding security rules based on property rules, and these can have a significant performance impact.
Extra element-level security checks are necessary when adding security rules based on property rules, and these can have a significant performance impact.
The following example shows how the database behaves when adding security rules to roles `restricted` and `unrestricted`:

[source, cypher]
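Review bot: replacing "node-level" with "element-level" in the limitations paragraph is consistent with the relationship rules this PR adds elsewhere, but the lead-in that follows still only says the example shows how the database behaves when rules are added to roles `restricted` and `unrestricted`. If the Cypher example after it (cut off in this hunk) still uses node patterns only, "element-level" promises more than the example demonstrates; either add a relationship rule such as a `FOR ()-[r]-()` pattern to that example, or keep the sentence specific to what is actually shown.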
Expand Up @@ -119,20 +119,22 @@ GRANT TRAVERSE ON GRAPH * FOR (n:Email) WHERE n.classification IS NULL TO regula

=== Deny a property-based privilege using a comparison operator

The following example shows how to deny permission to `READ` and `TRAVERSE` nodes where the property `classification` is different from `UNCLASSIFIED` to role `regularUsers`:
The following example shows how to deny permission to `READ` and `TRAVERSE` nodes and relationships where the property `classification` is different from `UNCLASSIFIED` to role `regularUsers`:

[source, syntax, role="noheader"]
----
DENY MATCH {*} ON GRAPH * FOR (n) WHERE n.classification <> 'UNCLASSIFIED' TO regularUsers
DENY MATCH {*} ON GRAPH * FOR ()-[r]-() WHERE r.classification <> 'UNCLASSIFIED' TO regularUsers
----

=== Grant a property-based privilege on all properties using a property value

The following example shows how to grant permission to `READ` all properties on nodes where the property `securityLevel` is higher than `3` to role `regularUsers`:
The following example shows how to grant permission to `READ` all properties on nodes and relationships where the property `securityLevel` is higher than `3` to role `regularUsers`:

[source, syntax, role="noheader"]
----
GRANT READ {*} ON GRAPH * FOR (n) WHERE n.securityLevel > 3 TO regularUsers
GRANT READ {*} ON GRAPH * FOR ()-[r]-() WHERE r.securityLevel > 3 TO regularUsers
----

[NOTE]
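Review bot: the new relationship rules in this hunk use `<>` and `>`, and neither operator matches an element that lacks the property entirely; in Cypher, `r.classification <> 'UNCLASSIFIED'` evaluates to null when `classification` is absent, so `DENY MATCH {*} ON GRAPH * FOR ()-[r]-() WHERE r.classification <> 'UNCLASSIFIED' TO regularUsers` does not deny relationships without the property (the same holds for the `(n)` form). The hunk's own context line shows the docs already treat the missing-property case separately with `WHERE n.classification IS NULL`, so add one sentence here saying that elements without the property are not covered by the comparison rule and need a companion `IS NULL` rule; otherwise the widened wording "nodes and relationships" reads as "every element not marked UNCLASSIFIED".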
Expand All @@ -142,22 +144,24 @@ The role `regularUsers` does not need to have `READ` privilege for the property

=== Deny a property-based privilege using a list of values

The following example shows how to deny permission to `READ` all properties on nodes where the property `classification` is not included in the list of `[UNCLASSIFIED, PUBLIC]`:
The following example shows how to deny permission to `READ` all properties on nodes and relationships where the property `classification` is not included in the list of `[UNCLASSIFIED, PUBLIC]`:

[source, syntax, role="noheader"]
----
DENY READ {*} ON GRAPH * FOR (n) WHERE NOT n.classification IN ['UNCLASSIFIED', 'PUBLIC'] TO regularUsers
DENY READ {*} ON GRAPH * FOR ()-[r]-() WHERE NOT r.classification IN ['UNCLASSIFIED', 'PUBLIC'] TO regularUsers
----

// The last two examples were added in 5.26.

=== Grant a property-based privilege using temporal value

The following example shows how to grant permission to `READ` all properties on nodes where the property `createdAt` is later than the current date:
The following example shows how to grant permission to `READ` all properties on nodes and relationships where the property `createdAt` is later than the current date:

[source, syntax, role="noheader"]
----
GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date() TO regularUsers
GRANT READ {*} ON GRAPH * FOR ()-[r]-() WHERE r.createdAt > date() TO regularUsers
----

[NOTE]
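Review bot: the comment `// The last two examples were added in 5.26.` now sits after a block that contains both a node and a relationship form of the `NOT r.classification IN [...]` rule and before a block with both forms of the temporal rule, so "the last two examples" is ambiguous: a reader of the source can take it to mean the `(n)` and `()-[r]-()` variants of the list rule rather than the list and temporal sections. If the relationship variants were introduced in a different version than the node variants, state that version explicitly; otherwise reword the comment to name the two sections it covers.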
Expand All @@ -184,6 +188,7 @@ SHOW ROLE regularUsers PRIVILEGES AS REVOKE COMMANDS
|===
|command
|"REVOKE GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date('2024-10-25') FROM `regularUsers`"
a|Rows: 1
|"REVOKE GRANT READ {*} ON GRAPH * FOR ()-[r]-() WHERE r.createdAt > date('2024-10-25') FROM `regularUsers`"
a|Rows: 2
|===
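Review bot: the second `REVOKE` row makes visible that the `date()` in the `GRANT READ {*} ON GRAPH * FOR ()-[r]-() WHERE r.createdAt > date()` rule was stored as the literal `date('2024-10-25')`, i.e. the temporal function was resolved once, when the privilege was created, not at query time. The prose in the earlier hunk says "later than the current date", which reads as a moving boundary; suggest stating there that the function is evaluated at grant time and pointing at this `SHOW ROLE regularUsers PRIVILEGES AS REVOKE COMMANDS` output as the evidence, unless the `[NOTE]` immediately preceding this table already says so, in which case a cross-reference is enough. The `Rows: 2` update matches the two rows shown.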