Role-based access control (RBAC)
You can manage access to composite databases and their constituents using the same RBAC features as for standard databases. However, there are some differences in how RBAC works for composite databases compared to standard databases.
Database access control
Database access is defined for both the composite database and its constituents.
Access to constituents must be explicitly granted.
See The database ACCESS privilege for more information on granting database access.
Role-based access control
Role-based access control cannot be defined once for all constituents of a composite database. Instead, the following applies:
- Privileges need to be defined for the databases targeted by a constituent, not for the composite database as a whole.
- If a constituent is a remote alias, the RBAC rules applied are those of the user that the alias connects with on the remote DBMS, not those of the local user running the query.
Example
The following example illustrates how to manage access control and role-based access control for a composite database.
You will create a composite database cineasts with two constituents: a local database cineasts.latest, and a remote database cineasts.upcoming.
Then, you will create a user and define the necessary access privileges for that user to access both the local and remote constituents as a target of a USE clause.
Finally, you will restrict access to movies with the label PG18 for users with the role minor on the local constituent and for the user remoteUser on the remote constituent.
Create the composite database and its constituents
- Create the composite database cineasts:
  CREATE COMPOSITE DATABASE cineasts
- Create a constituent cineasts.latest for a local database:
  CREATE ALIAS cineasts.latest FOR DATABASE `movies-latest`
- Create a constituent cineasts.upcoming for a remote database:
  CREATE ALIAS cineasts.upcoming FOR DATABASE upcoming AT 'neo4j+s://location:7687' USER remoteUser PASSWORD 'password'
Create the user alice and grant access privileges
Create a user and grant it the necessary roles to access the constituents as a target of a USE clause.
- Create a user alice to access the composite database and its constituents:
  CREATE USER alice SET PASSWORD 'password' CHANGE NOT REQUIRED;
- Create a role required for accessing the local constituent cineasts.latest, and grant it to the user alice:
  CREATE ROLE localAccess;
  GRANT ROLE localAccess TO alice;
  GRANT ACCESS ON DATABASE cineasts TO localAccess;
  GRANT ACCESS ON DATABASE `movies-latest` TO localAccess;
- Create a role required for accessing the remote constituent cineasts.upcoming, and grant it to the user alice:
  CREATE ROLE remoteAccess;
  GRANT ROLE remoteAccess TO alice;
  GRANT ACCESS ON DATABASE cineasts TO remoteAccess;
  GRANT ACCESS ON DATABASE cineasts.upcoming TO remoteAccess;
Create a user remoteUser on the remote DBMS and grant access privileges
Additionally, create a different user on the remote constituent, and grant that user access to the target database or database alias on the remote DBMS.
The following steps need to be performed on the remote DBMS located at neo4j+s://location:7687.
- Create a user remoteUser on the remote DBMS:
  CREATE USER remoteUser SET PASSWORD 'password' CHANGE NOT REQUIRED;
- Create a role required for accessing the remote constituent cineasts.upcoming, and grant it to the user remoteUser on the remote DBMS:
  CREATE ROLE remoteRole;
  GRANT ROLE remoteRole TO remoteUser;
  GRANT ACCESS ON DATABASE upcoming TO remoteRole;
Restrict privileges on the constituents of the composite database
Restrict any user with the role localAccess from reading movies with the label PG18:
DENY MATCH { description } ON GRAPH `movies-latest` NODES PG18 TO localAccess
Restrict privileges on the remote constituent of the composite database
Restrict the user remoteUser from reading movies with the label PG18 by restricting access of the role remoteRole on the remote database upcoming:
DENY MATCH { description } ON GRAPH upcoming NODES PG18 TO remoteRole
Because every query routed through cineasts.upcoming is executed on the remote DBMS as remoteUser, the rules applying to remoteUser apply to any user accessing cineasts.upcoming from the local DBMS, regardless of that user's local roles.
Use the composite database
Now, the user alice can access the composite database cineasts and its constituents cineasts.latest and cineasts.upcoming as a target of a USE clause.
However, alice will not be able to read movies with the label PG18 from either constituent, due to the restrictions defined on the local and remote databases for the role localAccess and the user remoteUser, respectively.
USE cineasts.latest
MATCH (movie:Movie)
RETURN movie.title AS title
UNION
USE cineasts.upcoming
MATCH (movie:Movie)
RETURN movie.title AS title
The query above will return the titles of all movies from both constituents, except for movies with the label PG18.
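To check that the grants and denies landed where the sections above say they must (on the target database for the local constituent, on the alias name locally and on the remote DBMS for the remote constituent), the following administration commands can be run after the procedure. This is an added verification example, not part of the original page; it assumes the names used in the example (alice, localAccess, remoteAccess, remoteUser, remoteRole, movies-latest, upcoming) and uses Neo4j's SHOW commands, which must be run against the system database by a user holding the SHOW USER and SHOW PRIVILEGE privileges.

```cypher
// Added verification queries (not from the original page).
// --- On the local DBMS ---

// 1. Confirm the composite database exists and that both aliases are listed
//    as its constituents.
SHOW DATABASE cineasts;
SHOW ALIASES FOR DATABASE;

// 2. List alice's effective privileges as GRANT/DENY commands. Expect:
//    - ACCESS on `cineasts` and on the local target `movies-latest`
//      (granted via localAccess on the target, not on the alias cineasts.latest),
//    - ACCESS on the remote alias cineasts.upcoming (via remoteAccess),
//    - the DENY MATCH { description } on `movies-latest` NODES PG18 (via localAccess).
SHOW USER alice PRIVILEGES AS COMMANDS;

// 3. Inspect the restriction attached to the local role on its own.
SHOW ROLE localAccess PRIVILEGES AS COMMANDS;

// 4. Produce the matching REVOKE statements, useful for rolling the change
//    back or for reviewing what a deprovisioning script would have to run.
SHOW USER alice PRIVILEGES AS REVOKE COMMANDS;

// --- On the remote DBMS at neo4j+s://location:7687 ---

// 5. Every query through cineasts.upcoming runs here as remoteUser, so this,
//    not alice's local roles, is the privilege set that governs the remote
//    constituent. Expect ACCESS on `upcoming` and the DENY MATCH on
//    `upcoming` NODES PG18, both attached to remoteRole.
SHOW USER remoteUser PRIVILEGES AS COMMANDS;
SHOW ROLE remoteRole PRIVILEGES AS COMMANDS;
```

Once the DENY appears in the output on both DBMSs, the UNION query above can be run as alice to confirm the filtered result. If the DENY is present only on the local side, cineasts.upcoming is not restricted at all: alice's local roles are never evaluated on the remote DBMS, so the remote constituent is only as restricted as remoteUser is.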