Hi Rien, The document you linked to explains also that subgraph permissions in 3.1 are only enabled for procedures, not for Cypher. This means that there is no way in 3.1 to control access to label/relationshiptype/property information for users running Cypher queries. So if you want to provide access to only a specific subgraph, you need to create a procedure that accesses that subgraph, and then give users that do not have access (eg. a no-access custom role) specific access to that procedure only. This 'permission boosting' can also be used to give read-only users write access to subgraphs (via custom write-procedures).
Note that even though this feature is not enabled for normal Cypher, you can still embed one of these custom procedures in a normal Cypher query. So a read only user that can run a read only Cypher query could have a procedure that does some specific write action run within that Cypher query. The users permission level will be boosted within the procedure only, while still not allowing the user to perform writes within the Cypher part of the query. Regards, Craig On Mon, Jan 16, 2017 at 10:51 AM, rien rienk <[email protected]> wrote: > Hello everyone, > > It's written in the official and current documentation (3.1 : > http://neo4j.com/docs/operations-manual/current/security/authentication- > authorization/subgraph-access-control/) > that a user can be configured to read, not write nodes labelled > 'something' and / or relationships of type 'somethingelese' > But in fact I couldn't find how to do it. > > Using the "call dbms.procedures()" i see many new functions that can be > used to manage roles and user, but nothing enough fine to concretely > configure the users by type of access and type of objects, as said. ( > http://neo4j.com/docs/operations-manual/current/security/authentication- > authorization/native-user-role-management/procedures/# > user-roles-create-role) > > Can anyone knows how to do it or where is the relevant documentation for > this? > > Thanks > > > -- > You received this message because you are subscribed to the Google Groups > "Neo4j" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Neo4j" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
