Role-based access control for Perspectives and Scenes

Enterprise Edition

As mentioned in Storage and sharing, when the Bloom server plugin is used, Perspectives are stored in a persistent Neo4j database. This means that not only can Perspectives and Scenes be shared between users, but also that administrators can control user-access to them by configuring RBAC on the database where the Perspective is stored.

To learn about access control, including role management, see Operations Manual → RBAC and fine-grained privileges.

For a user to be able to create and/or edit a Perspective, they need to have write privileges to the _Bloom_Perspective_ label. To be able to create and/or edit Scenes, they need write privileges to the _Bloom_Scene_ label. Note that since the privilege is only needed to these two labels specifically, not the entire database, the write privilege can be specified accordingly. See the example below for more information on which write privileges are needed.

Remember that all roles with Bloom access need to be authorized in the neo4j.conf file, using the neo4j.bloom.authorization.role(with Neo4j 4.x) or dbms.bloom.authorization_role (with Neo4j 5). See step 5 in Installing server plugin for more information.

You can grant WRITE access on the entire graph to a role, or you can create a custom role with more limited access. If you want to limit a role’s access to only Perspectives and /or Scenes, you need to use a combination of the CREATE and the SET PROPERTY privileges to the _Bloom_Perspective_ and the _Bloom_Scene_ labels. By explicitly granting these, instead of the universal WRITE, administrators can limit access to just creating new nodes and/or update properties in a Perspective or a Scene. See the example further on for an example on how to create a custom role with limited access.

If a user lacks appropriate access, applicable functionality is hidden in Bloom. For example, if a user has not been granted write privileges to a Perspective, they are not able to see the Create option in the Perspective gallery, they are not able to edit saved Cypher, and they are excluded from any modifications of the Perspective. Accordingly, if a user has not been granted write privileges to a Scene, they are not able to see the Add new Scene option in the Scene drawer.

If a user lacks write privileges to Scenes, their access is restricted to a Temporary Scene. This allows for styling and editing of the Scene, but the changes can’t be saved and the Scene is lost at the end of the session.

Below is an example of how to create a role, custom, with write access to a Scene. The custom role is created as a copy of the built-in reader role, and enhanced with additional priviliges. For more information about built-in roles, see Operations Manual → Built-in roles. Users with this role can use a Scene fully, without having WRITE access to the database.

If you want to restrict access to read-only without the possibility of making any changes, you can grant the reader role without any additional privileges. Note that this also prevents the user from performing any updates to the database through Bloom, such as adding nodes and relationships, or editing properties.