So... here is the Graph Gist: http://gist.neo4j.org/?github-benneq%2Fgists%2F%2Fmeta%2FSimple.adoc
And the PDF (from the previous post): http://www.docdroid.net/er3w/acl-cheat-sheet.pdf.html

*The permission resolution algorithm:*

   1. Look if the User has a direct Permission relation to the Object
   2. Look if the User has a relation to some parent of the Object (find 
   first parent in the hierarchy)
   3. Look at the Roles (here it gets a bit complicated):
      - Find all Permission relations from a Role to the Object *and* its 
      parents.
      - If one of these Permission relations says "true", return "true", 
      else return "false"
   

*Example #1:*

   - User has a Permission relation to the Object
   - Group (that the User is a member of) has a Permission relation to the Object
   - -> Take the Permission relation of the User

*Example #2:*

   - User has a Permission relation to one (or more) of the Object's parents
   - Some of the User's Groups have a direct Permission relation to the 
   Object
   - -> Ignore the Group permissions! Take the Permission relation between 
   the User and the closest found parent of the Object

*Example #3:*

   - User has *no* Permission relation to the Object or one of its parents
   - Any of the User's Groups have a direct Permission relation to the 
   Object
   - -> Return "true", if some of the Groups' Permission relations say 
   "true", else return "false"

*Example #4:*

   - User has *no* Permission relation to the Object or one of its parents
   - Some of the User's Groups have a direct Permission relation to the 
   Object *and* some have a direct relation to any of the Object's parents
   - -> Return "true", if some of the Groups' Permission relations say 
   "true", else return "false"

*Example #5:*

   - User has *no* Permission relation to the Object or one of its parents
   - There's no direct Permission relation from any of the User's Groups to 
   the Object, *but* some have a direct relation to any of the Object's 
   parents
   - -> Return "true", if some of the Groups' Permission relations say 
   "true", else return "false"


I hope the requirements are clear now :)
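
The resolution order from the post above, as an added Python example (not part of the original message or the Graph Gist). It assumes each Object has at most one parent, treats "Role" and "Group" as the same thing, and uses plain dicts with constructed, hypothetical names in place of the graph.

```python
# Constructed sample data; every name here is hypothetical.
PARENT = {"report.pdf": "projects", "projects": "root", "root": None}
MEMBER_OF = {
    "alice": {"staff"},
    "bob": {"staff", "audit"},
    "carol": {"staff"},
    "dave": set(),
}
# (subject, object) -> boolean value carried by the Permission relation
PERMISSION = {
    ("alice", "report.pdf"): False,  # direct User relation (Example #1)
    ("carol", "projects"): False,    # User relation on a parent (Example #2)
    ("staff", "report.pdf"): True,   # Group relation on the Object
    ("audit", "root"): False,        # Group relation on a distant parent
}


def chain_of(obj, parent=PARENT):
    """Return obj followed by its parents, closest first (cycle-safe)."""
    chain, seen = [], set()
    while obj is not None and obj not in seen:
        seen.add(obj)
        chain.append(obj)
        obj = parent.get(obj)
    return chain


def resolve(user, obj, perms=PERMISSION, member_of=MEMBER_OF, parent=PARENT):
    """Apply the three steps in order; deny when nothing matches."""
    chain = chain_of(obj, parent)
    # Steps 1 and 2: the User's own relation wins, direct first, then the
    # closest parent. Group relations are not consulted in this case.
    for node in chain:
        if (user, node) in perms:
            return perms[(user, node)]
    # Step 3: any "true" among the Group relations on the Object or on
    # any of its parents grants access; otherwise the result is "false".
    groups = member_of.get(user, ())
    return any(perms.get((g, node), False) for g in groups for node in chain)
```

Note the asymmetry this makes visible: a single User-level "false" overrides every Group grant, while among Groups a single "true" overrides every Group-level "false".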
