Role-based access control (RBAC)

You can manage access to composite databases and their constituents using the same RBAC features as for standard databases. However, there are some differences in how RBAC works for composite databases compared to standard databases.

Database access control

Database access is defined for both the composite database and its constituents. Access to constituents must be explicitly granted. See The database ACCESS privilege for more information on granting database access.

Role-based access control

Role-based access control cannot be defined on a composite database in a way that covers all of its constituents. Instead, the following applies:

  • Privileges must be defined on the databases targeted by the constituents, that is, on the target of each alias rather than on the composite database itself.

  • If a constituent is a remote alias, the privileges enforced are those of the user whose credentials are stored in the alias (the USER given in CREATE ALIAS ... AT ...), as evaluated by the remote DBMS. Every local user who is allowed to USE that alias runs on the remote DBMS with that same identity.

Example

The following example illustrates how to manage database access and role-based access control for a composite database. You will create a composite database cineasts with two constituents: a local database cineasts.latest, and a remote database cineasts.upcoming. Then, you will create a user and define the access privileges that user needs to reach both the local and the remote constituent as the target of a USE clause. Finally, you will hide movies with the label PG18 from users with the role localAccess on the local constituent, and from the user remoteUser on the remote constituent.

Create the composite database and its constituents

  1. Create the composite database cineasts:

    CREATE COMPOSITE DATABASE cineasts
  2. Create a constituent cineasts.latest for a local database:

    CREATE ALIAS cineasts.latest
      FOR DATABASE `movies-latest`
  3. Create a constituent cineasts.upcoming for a remote database:

    CREATE ALIAS cineasts.upcoming
      FOR DATABASE upcoming
      AT 'neo4j+s://location:7687'
      USER remoteUser
      PASSWORD 'password'

Create the user alice and grant access privileges

Create a user and grant it the necessary roles to access the constituents as a target of a USE clause.

  1. Create a user alice to access the composite database and its constituents:

    CREATE USER alice SET PASSWORD 'password' CHANGE NOT REQUIRED;
  2. Create a role required for accessing the local constituent cineasts.latest, and grant it to the user alice:

    CREATE ROLE localAccess;
    GRANT ROLE localAccess TO alice;
    
    GRANT ACCESS ON DATABASE cineasts TO localAccess;
    GRANT ACCESS ON DATABASE `movies-latest` TO localAccess;
  3. Create a role required for accessing the remote constituent cineasts.upcoming, and grant it to the user alice:

    CREATE ROLE remoteAccess;
    GRANT ROLE remoteAccess TO alice;
    
    GRANT ACCESS ON DATABASE cineasts TO remoteAccess;
    GRANT ACCESS ON DATABASE cineasts.upcoming TO remoteAccess;

Create a user remoteUser on the remote DBMS and grant access privileges

Additionally, create a different user on the remote DBMS, and grant that user access to the target database or database alias there. This is the user whose credentials are stored in the alias cineasts.upcoming, so its privileges are the ones every local user of that constituent will get. The following steps need to be performed on the remote DBMS located at neo4j+s://location:7687.

  1. Create a user remoteUser on the remote DBMS:

    CREATE USER remoteUser SET PASSWORD 'password' CHANGE NOT REQUIRED;
  2. Create a role required for accessing the remote constituent cineasts.upcoming, and grant it to the user remoteUser on the remote DBMS:

    CREATE ROLE remoteRole;
    GRANT ROLE remoteRole TO remoteUser;
    GRANT ACCESS ON DATABASE upcoming TO remoteRole;

Restrict privileges on the constituents of the composite database

Restrict any user with the role localAccess from reading movies with the label PG18. Denying MATCH on all properties ({ * }) denies traversal as well as reads, so PG18 nodes disappear from results entirely; denying MATCH on a single property only hides that property and leaves the nodes visible:

DENY MATCH { * } ON GRAPH `movies-latest` NODES PG18 TO localAccess

Restrict privileges on the remote constituent of the composite database

Restrict the user remoteUser from reading movies with the label PG18 by denying the role remoteRole on the remote database upcoming, in the same way as on the local constituent:

DENY MATCH { * } ON GRAPH upcoming NODES PG18 TO remoteRole

The rules applying to remoteUser apply to any user accessing cineasts.upcoming on the local DBMS, because all of them connect to the remote DBMS as remoteUser. Treat remoteUser as a shared service identity and keep remoteRole to the minimum the composite database needs: a privilege granted to remoteRole is effectively granted to every local user who can USE cineasts.upcoming.

Use the composite database

Now, the user alice can access the composite database cineasts and its constituents cineasts.latest and cineasts.upcoming as the target of a USE clause. However, alice will not be able to read movies with the label PG18 from either constituent, due to the restrictions defined on the local and remote databases for the role localAccess and the user remoteUser, respectively. Note that ACCESS on its own only lets a user connect to a database; for alice to see any nodes at all, localAccess must also hold a read privilege (such as MATCH) on `movies-latest`, and remoteRole must hold one on upcoming.

USE cineasts.latest
MATCH (movie:Movie)
RETURN movie.title AS title
  UNION
USE cineasts.upcoming
MATCH (movie:Movie)
RETURN movie.title AS title

The query above will return the titles of all movies from both constituents, except for movies with the label PG18.
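As an added example (not part of this Neo4j manual page, and not the project's own code), the following commands check what alice can actually do, confirm which remote identity the cineasts.upcoming alias carries, and supply the read privileges the steps above leave out. They run against the system database of the DBMS named in each banner comment. The user bob is an assumption introduced for the example.

```cypher
// Added example, not from the Neo4j manual. Run against the system database.
// ---- On the LOCAL DBMS, as an administrator ----

// ACCESS only lets a role use a database; seeing nodes needs a graph privilege.
// Without this grant, alice's UNION query on cineasts.latest returns no rows.
GRANT MATCH {*} ON GRAPH `movies-latest` TO localAccess;

// List alice's effective privileges as replayable commands. Expect the ACCESS
// grants, the MATCH grant and the DENY on PG18 nodes, alongside PUBLIC's defaults.
SHOW USER alice PRIVILEGES AS COMMANDS;

// Confirm which remote identity the alias carries: every local user allowed to
// USE cineasts.upcoming runs on the remote DBMS as this user.
SHOW ALIASES FOR DATABASE YIELD name, database, location, user
WHERE name = 'cineasts.upcoming';

// A second local user (bob, assumed for this example) holding only the remote
// role gets exactly remoteUser's privileges on cineasts.upcoming, including the
// PG18 DENY; nothing granted to bob locally widens what the remote DBMS allows.
CREATE USER bob SET PASSWORD 'password' CHANGE NOT REQUIRED;
GRANT ROLE remoteAccess TO bob;

// ---- On the REMOTE DBMS at neo4j+s://location:7687, as an administrator ----

// remoteRole also needs a graph privilege before remoteUser (and so alice and
// bob) can see any nodes in upcoming. The DENY on PG18 still takes precedence.
GRANT MATCH {*} ON GRAPH upcoming TO remoteRole;
SHOW ROLE remoteRole PRIVILEGES AS COMMANDS;
```

The two SHOW ... AS COMMANDS outputs are worth keeping: together they describe the full set of privileges a local user of the composite database ends up with, one half enforced locally and the other half enforced by the remote DBMS under the alias's stored credentials.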