From 8abf3aa7fc6fdd15a64bef8fdb6956444bf01ef9 Mon Sep 17 00:00:00 2001 From: Hannes Sandberg Date: Mon, 21 Oct 2024 09:24:17 +0200 Subject: [PATCH 1/6] example of property-based access control using temporal value --- .../property-based-access-control.adoc | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc index 31d08e06c..04bd1f0cf 100644 --- a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc +++ b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc @@ -97,4 +97,18 @@ The role `regularUsers` does not need to have `READ` privilege for the property [source, syntax, role="noheader"] ---- DENY READ {*} ON GRAPH * FOR (n) WHERE NOT n.classification IN ['UNCLASSIFIED', 'PUBLIC'] TO regularUsers ----- \ No newline at end of file +---- + +.Granting permission to `READ` all properties on nodes where the property `createdAt` is later than current date to role `regularUsers`: +[source, syntax, role="noheader"] +---- +GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date() TO regularUsers +---- +[NOTE] +==== +The `date()` function will be evaluated and the value used to evaluate the privilege will be the date at the time the property-based privilege was created. +==== +[NOTE] +==== +Not all temporal values are comparable, see link:{neo4j-docs-base-uri}/cypher-manual/{page-version}/syntax/operators/#cypher-ordering[Cypher Manual -> Syntax -> Operators -> Ordering and comparison of values]. +==== \ No newline at end of file From 1ce97a71c69081dbc63a80b8003d39d37111fab5 Mon Sep 17 00:00:00 2001 
From: Hannes Sandberg Date: Tue, 22 Oct 2024 08:24:33 +0200 Subject: [PATCH 2/6] Update modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc Co-authored-by: Phil Wright <95368282+phil198@users.noreply.github.com> --- .../property-based-access-control.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc index 04bd1f0cf..45e6890bd 100644 --- a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc +++ b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc @@ -106,7 +106,7 @@ GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date() TO regularUsers ---- [NOTE] ==== -The `date()` function will be evaluated and the value used to evaluate the privilege will be the date at the time the property-based privilege was created. +The `date()` function will be evaluated and the value used to evaluate the privilege will be the date at the time the property-based privilege was created. Bear this in mind when designing your property rules and make use of the `SHOW PRIVILEGES AS COMMANDS` command to check what the stored value is. This is essential when revoking property-based privileges containing evaluated function values like `date()`. ==== [NOTE] ==== From 1796982364a6161a77de15967e85b821daf6526c Mon Sep 17 00:00:00 2001 From: Hannes Sandberg Date: Fri, 25 Oct 2024 12:02:35 +0200 Subject: [PATCH 3/6] Update modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc Co-authored-by: Reneta Popova --- .../property-based-access-control.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc index 45e6890bd..58429e94e 100644 --- a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc +++ b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc @@ -106,7 +106,9 @@ GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date() TO regularUsers ---- [NOTE] ==== -The `date()` function will be evaluated and the value used to evaluate the privilege will be the date at the time the property-based privilege was created. Bear this in mind when designing your property rules and make use of the `SHOW PRIVILEGES AS COMMANDS` command to check what the stored value is. This is essential when revoking property-based privileges containing evaluated function values like `date()`. +The `date()` function is evaluated, and the value used to evaluate the privilege is the date when the property-based privilege is created. +Keep this in mind when designing your property rules, and use the `SHOW PRIVILEGES AS COMMANDS` command to check the stored value. +This is essential when revoking property-based privileges containing evaluated function values like `date()`. ==== [NOTE] ==== From 3f3369a77da9f6a311ea5e019583e2b8ed839136 Mon Sep 17 00:00:00 2001 From: Hannes Sandberg Date: Fri, 25 Oct 2024 12:40:00 +0200 Subject: [PATCH 4/6] adding a example with show privileges --- .../property-based-access-control.adoc | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc index 58429e94e..9613a9a30 100644 --- a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc 
+++ b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc @@ -113,4 +113,17 @@ This is essential when revoking property-based privileges containing evaluated f [NOTE] ==== Not all temporal values are comparable, see link:{neo4j-docs-base-uri}/cypher-manual/{page-version}/syntax/operators/#cypher-ordering[Cypher Manual -> Syntax -> Operators -> Ordering and comparison of values]. -==== \ No newline at end of file +==== + +.Show the privilege created by the command in the example above as a revoke command: +[source, syntax, role="noheader"] +---- +SHOW ROLE regularUsers PRIVILEGES AS REVOKE COMMANDS +---- +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"REVOKE GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date('2024-10-25') FROM `regularUsers`" +a|Rows: 1 +|=== \ No newline at end of file From 363a703a7e2563b3ba8a83ac25eeb1a0d83b0c40 Mon Sep 17 00:00:00 2001 From: Hannes Sandberg Date: Fri, 25 Oct 2024 15:17:37 +0200 Subject: [PATCH 5/6] Update modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc Co-authored-by: Reneta Popova --- .../property-based-access-control.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc index 9613a9a30..88dff6652 100644 --- a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc +++ b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc 
@@ -99,7 +99,7 @@ The role `regularUsers` does not need to have `READ` privilege for the property DENY READ {*} ON GRAPH * FOR (n) WHERE NOT n.classification IN ['UNCLASSIFIED', 'PUBLIC'] TO regularUsers ---- -.Granting permission to `READ` all properties on nodes where the property `createdAt` is later than current date to role `regularUsers`: +.Granting permission to `READ` all properties on nodes where the property `createdAt` is later than the current date to role `regularUsers`: [source, syntax, role="noheader"] ---- GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date() TO regularUsers From c912b3b07fc776539f58397a0d445ec82f8ce286 Mon Sep 17 00:00:00 2001 From: Hannes Sandberg Date: Fri, 25 Oct 2024 15:17:55 +0200 Subject: [PATCH 6/6] Update modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc Co-authored-by: Reneta Popova --- .../property-based-access-control.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc index 88dff6652..e3d57336d 100644 --- a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc +++ b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc @@ -115,7 +115,7 @@ This is essential when revoking property-based privileges containing evaluated f Not all temporal values are comparable, see link:{neo4j-docs-base-uri}/cypher-manual/{page-version}/syntax/operators/#cypher-ordering[Cypher Manual -> Syntax -> Operators -> Ordering and comparison of values]. ==== -.Show the privilege created by the command in the example above as a revoke command: +.Show the privilege created by the command in the previous example as a revoke command: [source, syntax, role="noheader"] ---- SHOW ROLE regularUsers PRIVILEGES AS REVOKE COMMANDS
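Review bot: In PATCH 1/6, the new caption "where the property `createdAt` is later than current date" contradicts the NOTE added in the same hunk: since `date()` is evaluated once at GRANT time, the stored rule is effectively `n.createdAt > date('<day the privilege was created>')`, so the grant means "created after the day this privilege was granted", and the set of readable nodes only grows as time passes. Word the caption to say that, and have the second NOTE state what the rule does when `createdAt` is absent or is a temporal type that is not comparable with a `date` (it links to the comparison rules but does not say whether a null comparison grants or withholds `READ`, which is the question a reader writing an access rule will have). The hunk also leaves the file without a trailing newline (`\ No newline at end of file`); add one.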
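Review bot: In PATCH 2/6, "make use of the `SHOW PRIVILEGES AS COMMANDS` command to check what the stored value is" should point at the role-scoped form, `SHOW ROLE regularUsers PRIVILEGES AS COMMANDS` (or the `AS REVOKE COMMANDS` variant used in PATCH 4/6), since the unscoped command lists the privileges of every role and the reader is looking for one stored value. The two long sentences are split in PATCH 3/6, so only the command reference needs changing.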
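Review bot: In PATCH 4/6, the result table reports `Rows: 1`, but the role `regularUsers` already carries the `DENY READ {*} ON GRAPH * FOR (n) WHERE NOT n.classification IN ['UNCLASSIFIED', 'PUBLIC']` privilege from the example that precedes this one in the same file, so a reader who runs the page's commands in order will see at least two rows from `SHOW ROLE regularUsers PRIVILEGES AS REVOKE COMMANDS`. Either state that the output assumes only the `GRANT` from the previous example exists on the role, or show the additional row. It would also help to say explicitly why the revoke command from `SHOW` must be used verbatim: a `REVOKE` written with `date()` again evaluates to the day of revocation and does not match the stored `date('2024-10-25')`, which is the point the earlier NOTE ("This is essential when revoking") hints at without spelling out. The hunk again ends without a trailing newline.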
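Review bot: In PATCH 6/6, "the command in the previous example" is still ambiguous after the rewording, because the blocks immediately before the `SHOW` example are two `[NOTE]` admonitions rather than an example; name the command directly, for instance "the `GRANT READ` command with the `createdAt` rule above".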