RBAC for specific nodes on a graph

hi,

I am trying to grant a role traverse access on a graph for only one type of node. If I try:

GRANT TRAVERSE
ON GRAPH test
NODE example
TO TestRole;

The user in that role can still see the other nodes. If I use the DENY * command and try to override it with a single GRANT for one node, the user can't see any nodes.

There are too many types of nodes for me to go through and deny them individually. Is there any way to achieve what I'm trying to do?

Any help is greatly appreciated!!!!!

Are you creating the role from scratch? Or are you copying permissions from another role? If you just want them to be able to see that one node (but not read its properties) you should do something like:

CREATE ROLE TestRole;
GRANT ACCESS ON DATABASE test TO TestRole;
GRANT TRAVERSE ON GRAPH test NODE example TO TestRole;

To verify that everything went through correctly, you can use:
SHOW ROLE TestRole PRIVILEGES

This should tell you what privileges the role has on nodes, relationships, etc. All you should see is that role with access to the test graph and traverse privileges on the example node.

Now if you want the role to also be able to read the properties on the node, you should grant it read (or better yet match). This page has a good description of each at the top: https://neo4j.com/docs/cypher-manual/current/access-control/privileges-reads/

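A complete least-privilege setup following the steps in the reply above, as an added example that is not part of the original thread. It assumes a database named test containing nodes labelled example and other labels (constructed), Neo4j 4.x or later RBAC, and that the administrative statements are run against the system database.

```cypher
// Added example, not from the original post. Assumes a database `test`
// with an `example` label plus other labels; run on the `system` database.
CREATE ROLE TestRole IF NOT EXISTS;

// Step 1: the role must be able to connect to the database at all.
GRANT ACCESS ON DATABASE test TO TestRole;

// Step 2: allow traversal of `example` nodes only. Nothing else is granted,
// so every other label stays invisible without any DENY statements.
// Do not add `DENY TRAVERSE ON GRAPH test NODES *` on top of this:
// in Neo4j a DENY always wins over a GRANT, which is why the user in the
// question ended up seeing no nodes at all.
GRANT TRAVERSE ON GRAPH test NODES example TO TestRole;

// Step 3 (optional): let the role read the properties of `example` nodes
// as well. MATCH combines TRAVERSE and READ for the listed labels.
GRANT MATCH {*} ON GRAPH test NODES example TO TestRole;

// Step 4: attach a test user so the effect can be observed.
// The password is a placeholder; set a real one in practice.
CREATE USER testuser IF NOT EXISTS
  SET PASSWORD 'CHANGE-ME-placeholder' CHANGE NOT REQUIRED;
GRANT ROLE TestRole TO testuser;

// Step 5: verify the effective privileges of the role.
SHOW ROLE TestRole PRIVILEGES;
```

Logged in as testuser against the test database, `MATCH (n) RETURN labels(n), count(*)` should list only the example label, and `MATCH (n:example) RETURN n` returns properties because of the MATCH grant; if step 3 is omitted the query still returns the nodes but with no properties.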