neo4j · renetapopova · Oct 31, 2024 · Oct 21, 2024 · Oct 22, 2024 · Oct 25, 2024
diff --git a/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc b/modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc
@@ -97,4 +97,33 @@ The role `regularUsers` does not need to have `READ` privilege for the property
 [source, syntax, role="noheader"]
 ----
 DENY READ {*} ON GRAPH * FOR (n) WHERE NOT n.classification IN ['UNCLASSIFIED', 'PUBLIC'] TO regularUsers
-----
+----
+
+.Granting permission to `READ` all properties on nodes where the property `createdAt` is later than the current date to role `regularUsers`:
+[source, syntax, role="noheader"]
+----
+GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date() TO regularUsers
+----
+[NOTE]
+====
+The `date()` function is evaluated, and the value used to evaluate the privilege is the date when the property-based privilege is created. 
+Keep this in mind when designing your property rules, and use the `SHOW PRIVILEGES AS COMMANDS` command to check the stored value.
+This is essential when revoking property-based privileges containing evaluated function values like `date()`.
+====
+[NOTE]
+====
+Not all temporal values are comparable, see link:{neo4j-docs-base-uri}/cypher-manual/{page-version}/syntax/operators/#cypher-ordering[Cypher Manual -> Syntax -> Operators -> Ordering and comparison of values].
+====
+
+.Show the privilege created by the command in the previous example as a revoke command:
+[source, syntax, role="noheader"]
+----
+SHOW ROLE regularUsers PRIVILEGES AS REVOKE COMMANDS
+----
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"REVOKE GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date('2024-10-25') FROM `regularUsers`"
+a|Rows: 1
+|===