Can I use Native User Role to limit access to a user's 'own' data?

Is there a built-in way to use Native User Roles to limit a user's access to only his/her own nodes & relationships? Does neo4j maintain any record of which user created a node, or would such ownership have to be explicitly built into the model?

If there is not a built-in ownership mechanism, I see that in the operations manual-- 8.4.2. Custom roles--we can add our own custom roles and add custom procedures to them. Has anyone used this method for giving only a user access to his/her own creations (while blocking others' access)?

2 Likes

Bumping this thread up as I'm very much interested in this as well. I need to display exclusively logged-in users's managed items in his/her dashboard. These items are, of course, nodes in Neo4j but not necessarily the ones the user created himself.

Currently our role and security features don't cover these kind of cases, you would have to enforce these in the queries themselves, or in filtering before the results are returned to the user.

That said, improving on the richness of our security and visibility features became high priority awhile back, so you're very likely to see improvements here in our next major release near the end of the year which may better address these cases.

1 Like

Thanks Andrew. I guess in the end it will likely be a graph solution, whether implemented under the hood or explicitly.

Is there any progress on this topic since July? Either in released form that this issue might link to, or information about what is in store for the future? @andrew.bowman

Hello, yes, we've had a few 4.0 milestone releases as we march toward the GA release around the turn of the year, and some of the applicable features are multi database and schema based security.

However, at present these new features are not owner-based. We don't have automatic tagging of created nodes and relationships for the logged in user, that would have to be done using something like a trigger via APOC or transaction listeners.

With multi-database, it could be possible to have a separate database per role (though this would require some setup and some way to provision the new database for a role, and grant the appropriate permissions/role for the user), and the databases would be isolated from each other, but this is only meant to scale to 100's of databases at most, so if the userbase you need to support is greater than that then this wouldn't be the way to go.

With schema based security you could enforce various privileges such that roles could only read/write/traverse nodes with specific labels/relationship-types, and I think there may be some work in the backlog to enhance these such that certain property values can be used as a security filter (so when this does get implemented, you could have read restrictions for a role so they can only read nodes where property x = y). This in combination with the trigger for adding a property to a node on creation sounds like it's the best match for what you're looking for, but it will require waiting for that enhanced security feature on the property values.

Also note that we're talking roles here, not individual users. The primary use case we're tackling on the security side right now is based on roles, not on individual users.

1 Like

Hi all,

I'm really looking for a feature similar to what @andrew.bowman suggested: being able to have read restrictions based on property values. I did already investigate using schema-based security where I created custom roles that can only access nodes/relationships with certain labels. But I was hoping to take this 1 step further.

First let me explain my use-case: I'm currently experimenting with migrating an Angular-based web application with a Kotlin backend to a backendless solution. This application is used for giving typing lessons to children. Basically a student logs into the application and types a few exercises. All the security bits are currently handled by the backend, ensuring that students can only add/submit new exercise results to their own profile. Students are member of a group and a group is assigned 1 or more teachers. Teachers can also login into the application and view the exercise results of students that are member of groups they are assigned to.

Last year I already experimented a bit with Google's Firebase which has all the features that I'd like: offline-first, data-based security and real-time queries. It allows students with a bad internet connection to still practice and be sure that their results are saved sometime later. I can configure security in a way that the backend is complete unnecessary by using a few (but still complex) database rules. And real-time queries allow me teachers to watch results live during a lesson.
However, for me Google Firebase also has some major downsides: this web application is for a small Dutch company and storing data of children on a platform that is owned and operated by an US company is not desirable from a privacy perspective. It is much more preferred to host the database on an on-premise server or VPS, or at least have a choice where the data is stored in case of a SaaS offering (side question: can we choose the location where data is stored when using Aura?).

Long story short: what I'm looking for / missing in Neo4j is configuring privileges based on property values. In my data model I have a node with a label Person and a dozen of properties including the username. What I'd like to do is allowing users to only read data on the :Person node that has an username property which value corresponds with the Neo4j's authenticated user. My application has at most around 1000 users and I did already experiment with creating a Neo4j account for each user and assigning them a custom role. So far this works fine but the security (filtering own data) is currently done in the web application. Since it's all javascript using the neo4j-javascript-driver under the hood it's quite easy for a student to open the developer tools in their browser, retrieve the neo4j driver object and running Cypher queries to retrieve the data of other students.

Although I understand that managing security per user is not the primary use case of roles I do think that allowing filtering on property values would be a huge addition to Neo4j's security model. I'm thinking of something like defining a Cypher query that should return true or false. It should have access to a few parameters such as the currently logged in user, the node/relationship accessed, and the action that is performed (traverse, read or write). What do you think? Is something like this feasible/possible in Neo4j?