Cypher + Traversal for customized security

(Shahak Nagiel) #1

We have a requirement to support complex business rules governing attribute-based security. So, for example, a "Car" node might have a "Color" property, which would have a handful of custom security markings on it (i.e. 2-4 sub-attributes), which need to be evaluated to determine whether each user has access to that property or not.

From a modeling perspective, we'd like to keep these properties as native properties, though for security/implementation reasons we would consider exploding each logical property to a separate linked node.

Either way, however, is there a convenient extension point that would allow us to use standard Cypher queries but also incorporate a custom Traversal-like override to make runtime determinations about whether to follow/read attributes (or nodes or relationships) based on these security properties? Or perhaps a sample procedure that does anything like this? We could certainly pass along some user token (e.g. user id) as a procedure argument that could (in the custom procedure implementation) look up the user's credentials (from cache) and then make the authorization decisions based on their accesses.

If there are other alternatives to this problem, we'd be interested to consider them as well.
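One way to get the "pass a user token into the query" shape described above is a Neo4j user-defined function that gates each property read. This is an added example, not code from the thread or from Neo4j; it assumes a marking convention (a `color` property carries its markings in a `color_markings` list property) and uses a hard-coded map in place of the credential cache the post mentions.

```java
package example.security;

import java.util.Map;
import java.util.Set;
import org.neo4j.graphdb.Node;
import org.neo4j.procedure.Description;
import org.neo4j.procedure.Name;
import org.neo4j.procedure.UserFunction;

/**
 * Attribute-based read guard for node properties.
 * Assumed convention: for a property "color", the node also stores
 * "color_markings", a list of strings such as "clearance:SECRET" or
 * "dept:engineering". The caller must hold every marking on the property.
 */
public class SecurityFunctions {

    // Stand-in for the credential cache the post mentions (constructed sample data);
    // a real deployment would populate this from the identity provider.
    private static final Map<String, Set<String>> USER_ATTRS = Map.of(
            "alice", Set.of("clearance:SECRET", "dept:engineering"),
            "bob",   Set.of("clearance:CONFIDENTIAL", "dept:sales"));

    @UserFunction("sec.property")
    @Description("sec.property(node, key, userId) - returns the property value "
            + "if the user holds every marking on it, otherwise null")
    public Object property(@Name("node") Node node,
                           @Name("key") String key,
                           @Name("userId") String userId) {
        if (node == null || key == null || !node.hasProperty(key)) {
            return null;
        }
        Set<String> attrs = USER_ATTRS.getOrDefault(userId, Set.of());
        // Neo4j returns a list-of-strings property as a String[].
        Object marked = node.getProperty(key + "_markings", null);
        if (marked instanceof String[]) {
            for (String marking : (String[]) marked) {
                if (!attrs.contains(marking)) {
                    return null;   // deny on the first marking the user lacks
                }
            }
            return node.getProperty(key);
        }
        // Fail closed: a property with missing or malformed markings is not released.
        return null;
    }
}
```

Once the JAR is deployed, the query keeps standard Cypher and only the projection changes, e.g. `MATCH (c:Car) RETURN c.make, sec.property(c, 'color', $userId) AS color`, so a user without the required markings simply sees `null` for that column.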