Object Tree, Users, Privilege Query


In our system, objects are organized into single-rooted hierarchies (trees). In the diagram, the gray circles represent objects. An edge named CHILD represents the child objects of a parent object.

Users are given access privileges to specific objects in the tree. Users in the diagram are represented by pink circles. An access privilege is represented by an edge named CAN_ACCESS from a user to an object.

Access privileges in our system are inherited.

I’m trying to write a query that would find the objects a given user has an access privilege to, but does not have an access privilege to any ancestor of.

In the example diagram, for the user U2 the query should return [b, c]. U2 does have a privilege grant to f, but f should be excluded from the results because U2 has access to b, which is an ancestor of f.


This is what I came up with. It seems to work.

// Direct grants for the user, minus any object that also has a granted ancestor
MATCH (user:User {name: "U2"})-[:GRANT]->(asset:Asset)
WHERE NOT EXISTS((asset)<-[:CHILD*]-(:Asset)<-[:GRANT]-(user))
RETURN asset
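The same "top-most grant" computation, written in Python over an in-memory tree rather than as a Cypher query, as an added example that is not part of the original post. The tree layout and the grant sets are constructed to match the description (b and c granted to U2, f a child of b); every node name other than b, c and f, and the user U1, are assumptions. Listing only the top-most grants is useful when auditing an inherited-privilege model, because it is the minimal set of edges that explains everything a user can reach.

```python
"""Top-most grants in a single-rooted object tree with inherited access."""

# Constructed tree: child -> parent. The root has no entry.
# Assumed layout: root 'a' has children 'b' and 'c'; 'b' has 'd' and 'f'; 'c' has 'g'.
PARENT = {
    "b": "a",
    "c": "a",
    "d": "b",
    "f": "b",
    "g": "c",
}

# Constructed direct grants (the CAN_ACCESS / GRANT edges): user -> objects.
GRANTS = {
    "U1": {"a"},
    "U2": {"b", "c", "f"},
}


def ancestors(node, parent=PARENT):
    """Yield every proper ancestor of `node`, nearest first.

    Raises if the parent map contains a cycle, since the model requires a tree.
    """
    seen = set()
    while node in parent:
        node = parent[node]
        if node in seen:
            raise ValueError("cycle in parent map: %r" % node)
        seen.add(node)
        yield node


def top_level_grants(user, grants=GRANTS, parent=PARENT):
    """Objects granted directly to `user` that have no granted ancestor.

    This is the set the post's query is after: a grant on an object is
    redundant when the same user already holds a grant on an ancestor.
    """
    direct = grants.get(user, set())
    return sorted(
        obj
        for obj in direct
        if not any(anc in direct for anc in ancestors(obj, parent))
    )


def has_access(user, obj, grants=GRANTS, parent=PARENT):
    """Effective access check under inheritance: a grant on `obj` or any ancestor suffices."""
    direct = grants.get(user, set())
    return obj in direct or any(anc in direct for anc in ancestors(obj, parent))


if __name__ == "__main__":
    print(top_level_grants("U2"))  # ['b', 'c']
    print(has_access("U2", "f"), has_access("U2", "a"))  # True False
```

`top_level_grants` walks each granted object upward and drops it as soon as an ancestor is found in the same user's grant set, which is exactly the `NOT EXISTS` pattern in the query; `has_access` is the complementary check a service would run at request time.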