Neo4J Fine-Grained Security for Subset of Nodes with Label

I'm currently in the process of evaluating the fine-grained access control available in Neo4j Enterprise Edition v4.1. For reference, we are currently using the Community Edition 3.5.4.

What I am trying to achieve is to have only a subset of nodes with a certain label able to be read by certain users/roles.


Take a user who is the manager of Team 1; they need to be able to Read and Write for Player 1/2/3. Using the access control system I can create a Role that has Read & Write permissions to the labels Team & Player and assign Manager 1 to that role.

What I would like to do is restrict Manager 1's access to the node Team 2 and therefore to Player nodes 4/5/6 as well. From what I can see in the docs, you can only apply permissions to specific Label or Relationship Type names.

Hey @Xef
As far as I understand we are facing almost the same challenge: define privileges based on node properties.
In our case it's: limiting the visibility of elements by tenant (security trimming) within the same database.

Waiting for the support for privileges based on node properties will probably take too long (see DENY TRAVERSE on neo4j 4.0 EE).

Multi tenancy for our case can be implemented in different ways (see also Proper way to implement multi-tenancy on Neo4j). The most promising one is by using multiple labels (have a dedicated tenant label like "Tenant_1") and grant privileges towards those tenant labels (one label per tenant).

The same approach might be of interest in your case.
Create a role named "team_1_manager" with the RW permission for nodes with label "Team_1" and add the additional label "Team_1" to all Players below the node "Team 1". Now you can control the privileges individually per team. The disadvantage is that you need to manage those labels individually; this means having as many roles as teams, and the privileges need to be kept consistent with the relationship of player to team.
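The per-team-label approach from the reply above, written out as Cypher. This is an added example and not code from either poster; it assumes Neo4j 4.1 Enterprise with the data in the default `neo4j` database, a `(:Player)-[:PLAYS_FOR]->(:Team)` relationship (the relationship type is an assumption), a constructed user `manager1`, and a placeholder password. The comment on the WRITE privilege reflects my understanding of the 4.1 privilege model, not anything stated in the thread.

```cypher
// Added example (not from the thread). Assumes: Neo4j 4.1 EE, database "neo4j",
// an assumed (:Player)-[:PLAYS_FOR]->(:Team) relationship, constructed user "manager1".

// 1. Tag Team 1 and every player below it with a per-team label.
//    Run this against the data database ("neo4j").
MATCH (t:Team {name: 'Team 1'})<-[:PLAYS_FOR]-(p:Player)
SET t:Team_1, p:Team_1;

// 2. Create the role and grant only what the team manager needs.
//    Run these against the "system" database.
CREATE ROLE team_1_manager;
GRANT ACCESS ON DATABASE neo4j TO team_1_manager;

// Read side: only nodes carrying the Team_1 label are matchable, so Team 2 and
// Players 4/5/6 are invisible to this role even though they share the Team/Player labels.
GRANT MATCH {*} ON GRAPH neo4j NODES Team_1 TO team_1_manager;
GRANT TRAVERSE ON GRAPH neo4j RELATIONSHIPS * TO team_1_manager;

// Write side: as far as I know, WRITE in 4.1 cannot be limited to a label; it applies to
// the whole graph. The role can still only modify nodes it is able to match, but this is
// the piece to re-check when upgrading, since later versions split WRITE into finer privileges.
GRANT WRITE ON GRAPH neo4j TO team_1_manager;

// 3. Assign the role to the team's manager (placeholder password, change on first login).
CREATE USER manager1 SET PASSWORD 'CHANGE-ME-PLACEHOLDER' CHANGE REQUIRED;
GRANT ROLE team_1_manager TO manager1;

// 4. Verify the grants, then log in as manager1 against "neo4j" and confirm that
//    MATCH (p:Player) RETURN p.name
//    lists only Player 1/2/3.
SHOW ROLE team_1_manager PRIVILEGES;
```

The consistency problem the reply mentions is real: whenever a player moves between teams, the old `Team_N` label must be removed and the new one added, or the old manager keeps reading that player. Re-running step 1 (and a matching `REMOVE` for players no longer on the team) as part of the roster-change transaction is the simplest way to keep the labels and the graph in step; checking `SHOW ROLE ... PRIVILEGES` after each change confirms the grants themselves have not drifted.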