Skip to content

Instantly share code, notes, and snippets.

@davidfauth

davidfauth/neo4j_rbac_example.cql

Created October 12, 2020 15:58
Show Gist options
  • Save davidfauth/2c75f78b21cb5b578eeb86de83f8dc5d to your computer and use it in GitHub Desktop.
Save davidfauth/2c75f78b21cb5b578eeb86de83f8dc5d to your computer and use it in GitHub Desktop.
Download ZIP
neo4j_4.0_rbac_example
Raw
neo4j_rbac_example.cql
// RBAC Example
// Nodes -> Person / Phone / Email / Account
// Relationships -> :HAS_PHONE / :HAS_EMAIL / :HAS_ACCOUNT
// Roles -> Manager / ServiceRep / NoAccount
// Users -> John / Sally / George
// Code
:USE system
CREATE DATABASE rbac;
CREATE ROLE Manager IF NOT EXISTS;
CREATE ROLE ServiceRep IF NOT EXISTS;
CREATE ROLE NoAccount IF NOT EXISTS;
CREATE ROLE Neo4jDBA IF NOT EXISTS;
CREATE OR REPLACE USER John SET PASSWORD 'john123' SET PASSWORD CHANGE NOT REQUIRED;
CREATE OR REPLACE USER Sally SET PASSWORD 'sally123' SET PASSWORD CHANGE NOT REQUIRED;
CREATE OR REPLACE USER George SET PASSWORD 'george123' SET PASSWORD CHANGE NOT REQUIRED;
CREATE OR REPLACE USER DaveDBA SET PASSWORD 'dave123' SET PASSWORD CHANGE NOT REQUIRED;
GRANT ROLE Manager TO John;
GRANT ROLE ServiceRep TO Sally;
GRANT ROLE NoAccount TO George;
GRANT ROLE Neo4jDBA TO DaveDBA;
SHOW USERS;
// Grant Deny access to databases
GRANT ACCESS ON DATABASE rbac TO Manager;
GRANT ACCESS ON DATABASE rbac TO ServiceRep;
GRANT ACCESS ON DATABASE rbac TO NoAccount;
GRANT ACCESS ON DATABASE rbac TO Neo4jDBA;
DENY ACCESS ON DATABASE neo4j TO NoAccount;
DENY ACCESS ON DATABASE neo4j TO Neo4jDBA;
// Grant right to create new labels, relationship types or property names
GRANT NAME MANAGEMENT ON DATABASE rbac to Manager, ServiceRep;
// Specify RBAC privileges
GRANT ALL GRAPH PRIVILEGES ON GRAPH rbac TO Manager;
GRANT ALL GRAPH PRIVILEGES ON GRAPH rbac TO ServiceRep;
DENY WRITE ON GRAPH rbac TO NoAccount;
DENY CREATE ON GRAPH rbac TO NoAccount;
DENY SET PROPERTY { * } ON GRAPH * NODES * TO NoAccount;
DENY DELETE ON GRAPH * RELATIONSHIPS * TO NoAccount;
DENY DELETE ON GRAPH * NODES * TO NoAccount;
DENY TRAVERSE ON GRAPH rbac NODES Account,Address TO NoAccount;
DENY TRAVERSE ON GRAPH rbac RELATIONSHIPS HAS_ACCOUNT, HAS_ADDRESS TO NoAccount;
DENY READ { age } ON GRAPH rbac NODES Person TO NoAccount;
GRANT TRAVERSE ON GRAPH rbac NODES Person, Email, Phone TO NoAccount;
GRANT TRAVERSE ON GRAPH rbac RELATIONSHIPS HAS_EMAIL, HAS_PHONE TO NoAccount;
GRANT READ {*} ON GRAPH rbac NODES * to NoAccount;
// DBA Capabilities
DENY ACCESS ON DATABASE neo4j to Neo4jDBA;
GRANT START ON DATABASE rbac TO Neo4jDBA;
GRANT STOP ON DATABASE rbac TO Neo4jDBA;
GRANT CREATE INDEX ON DATABASE rbac TO Neo4jDBA;
GRANT DROP INDEX ON DATABASE rbac TO Neo4jDBA;
GRANT USER MANAGEMENT ON DBMS to Neo4jDBA;
// Data
:use rbac
CREATE (p1:Person {name:'dave', age:54})
CREATE (p2:Person {name:'nancy', age:47})
CREATE (ph1:Phone {phoneNumber:'5551212'})
CREATE (ph2:Phone {phoneNumber:'5551213'})
CREATE (e1:Email {emailAddress:'[email protected]'})
CREATE (e2:Email {emailAddress:'[email protected]'})
CREATE (a1:Account {accountID:'13811'})
CREATE (a2:Account {accountID:'273111'})
CREATE (p1)-[:HAS_PHONE]->(ph1)
CREATE (p2)-[:HAS_PHONE]->(ph2)
CREATE (p1)-[:HAS_EMAIL]->(e1)
CREATE (p2)-[:HAS_PHONE]->(e2)
CREATE (p1)-[:HAS_ACCOUNT]->(a1)
CREATE (p2)-[:HAS_PHONE]->(a2)
CREATE (p2)-[:HAS_PHONE]->(a1);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment