Proper way to implement multi-tenancy on Neo4j

cypher

(Guilherme Junqueira) #1

Guys,

First of all, good move on bringing the knowledge database from slack to here! :slight_smile:

I would like to know the following: how would you recommend implementing multi tenancy on Neo4j?

Would you connect all nodes of a tenant with a :Tenant node or would you mark all the nodes with an additional label? Is there another option?

Thanks in advance!


(M. David Allen) #2

The most popular option does seem to be to apply a certain label to all nodes within a sub-graph. In this way, the app layer (by applying that label to all queries) may restrict what data can possibly come back to be just items from a particular tenant.

Some folks differ though in how they define subgraphs. You might also need relationship properties so that paths and such can be filtered down to relationships that exist only in one particular graph. Depends on the use case.

In the future, other features are coming in neo4j which will permit multi-graph storage without a label work-around like this, but I'm not certain on timeline.


(Wparton) #3

Hi David,
Could you please provide further insight into the multi-graph storage you mention in your final paragraph? What's on the roadmap?

I am looking at a slighty different but related issue. We instantiate an abstract model of an organisation as a graph. We currently don't have any restrictions on what area(s) of a model a user can observe but need to add this capability (i.e. someone in HR can only see HR related nodes/edges, someone in the US division can see US nodes/edges and nodes/edges in the core division that are also relevant..). In graph theory I'm trying to control visibility to induced subgraphs within the complete graph. Ideally each user might view a different (i.e. unique) subgraph, though in reality there will be multiple users looking at the same subgraph (most of HR will likely see the same subgraph). So I'm looking at options for how to do this as efficiently as possible in Neo4j. I've had a look through the community pages but not found anything on the subject. I'm interested to know if there are any product roadmap items that might assist.

Thanks
Will


(M. David Allen) #4

I'm sorry -- can't give you many details about the multi-graph storage. I'll see if I can ask one of our PMs to follow up on this thread and maybe there's more they can say about timeline and features there.

On the topic of sub-graph access restrictions, this is currently possible. There's a section in the operations manual that takes you through each of the steps about how to do this:

https://neo4j.com/docs/operations-manual/current/security/authentication-authorization/subgraph-access-control/

Hope this helps!