This section describes how to configure property-level access control in Neo4j.
You can use role-based, database-wide property blacklists to limit which properties a user can read.
The table below lists the configuration parameters that control this feature:

| Parameter name | Default value | Description |
|---|---|---|
| dbms.security.property_level.enabled | false | Enable property-level access control. |
| dbms.security.property_level.blacklist | | An authorization mapping for property-level access for roles. The map should be formatted as a semicolon-separated list of key-value pairs, where the key is the role name and the value is a comma-separated list of blacklisted properties. The blacklisted properties for a given user are the union of the blacklists of all the roles that user is part of. |
The property blacklist prevents users from reading properties. A user querying for a blacklisted property will get the same results as if the property did not exist on the node/relationship.
Blacklisting a property only affects reading of that property, not writing. It is therefore recommended to only add users that are assigned the reader role to roles that have a property blacklist.
All properties with a name corresponding to the ones in the blacklist will be affected. This is regardless of whether it is associated with a node or a relationship, and regardless of node labels and relationship types.
To enable this feature, the following steps must be taken:
1. Set dbms.security.property_level.enabled=true to turn on property-level access control.
2. Set dbms.security.property_level.blacklist to restrict specific roles from reading the named properties.
First, we enable property-level access control and create the blacklist:
dbms.security.property_level.enabled=true
dbms.security.property_level.blacklist=\
    roleX=propertyA;\
    roleY=propertyB,propertyC
Then, we create the custom roles and assign users to them:
CALL dbms.security.createRole('roleX')
CALL dbms.security.createRole('roleY')
CALL dbms.security.addRoleToUser('roleX', 'user-1')
CALL dbms.security.addRoleToUser('roleY', 'user-2')
CALL dbms.security.addRoleToUser('roleX', 'user-3')
CALL dbms.security.addRoleToUser('roleY', 'user-3')
This will have the following effects:
user-1 will be unable to read the property propertyA.
user-2 will be unable to read the properties propertyB and propertyC.
user-3 will be unable to read the properties propertyA, propertyB and propertyC, since the blacklists of roleX and roleY are combined.
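When auditing such a configuration it helps to compute, from the blacklist value and the role memberships, exactly which properties each user cannot read. The following added example (not Neo4j's own code) parses the semicolon/comma format described in the parameter table and applies the union-of-roles rule from the example above; the setting string and the role memberships are constructed samples, and it assumes the backslash line continuations from neo4j.conf have already been joined into one string.

```python
"""Effective property blacklist per user from a Neo4j
dbms.security.property_level.blacklist value and role memberships."""
from typing import Dict, Set

# Constructed sample: the blacklist setting as one string (assumption: the
# backslash line continuations in neo4j.conf have already been joined).
BLACKLIST_SETTING = "roleX=propertyA;roleY=propertyB,propertyC"

# Constructed sample: role memberships as created with dbms.security.addRoleToUser.
USER_ROLES = {
    "user-1": {"reader", "roleX"},
    "user-2": {"reader", "roleY"},
    "user-3": {"reader", "roleX", "roleY"},
}


def parse_blacklist(setting: str) -> Dict[str, Set[str]]:
    """Parse 'role=prop,prop;role=prop' into {role: {props}}.

    Raises ValueError on an entry without '=' or with an empty role or property
    name, so a malformed setting is caught instead of silently hiding nothing.
    """
    result: Dict[str, Set[str]] = {}
    for entry in setting.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        if "=" not in entry:
            raise ValueError(f"blacklist entry without '=': {entry!r}")
        role, props = entry.split("=", 1)
        names = {p.strip() for p in props.split(",") if p.strip()}
        if not role.strip() or not names:
            raise ValueError(f"empty role or property list in {entry!r}")
        # A role listed twice accumulates rather than overwriting.
        result.setdefault(role.strip(), set()).update(names)
    return result


def effective_blacklist(user: str, user_roles: Dict[str, Set[str]],
                        role_blacklist: Dict[str, Set[str]]) -> Set[str]:
    """Union of the blacklists of every role the user holds."""
    hidden: Set[str] = set()
    for role in user_roles.get(user, set()):
        hidden |= role_blacklist.get(role, set())
    return hidden


if __name__ == "__main__":
    bl = parse_blacklist(BLACKLIST_SETTING)
    for u in sorted(USER_ROLES):
        print(u, "cannot read:", sorted(effective_blacklist(u, USER_ROLES, bl)))
```

A user who holds no blacklisted role, or one not present in the role map at all, gets an empty set, which matches the default behaviour of reading every property.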