Graph access control

Moved from GitHub dgraph/5167

Posted by emregency:

Experience Report

Note: Feature requests are judged based on user experience and modeled on Go Experience Reports. These reports should focus on the problems: they should not focus on and need not propose solutions.

What you wanted to do

I was considering evaluating the Enterprise License as it includes ACL. I wanted to know if I can limit a user from seeing the projects of another user.

What you actually did

I went to the Enterprise Features section of the documentation to see how ACL is handled.

Why that wasn’t great, with examples

The documentation mentions an ACL implementation at predicate level, maybe similar to ABAC. It would have been enough if Dgraph was not a graph DB. However, as far as I understand from the documentation, lateral movement is possible with queries and the need-to-know principle cannot be enforced with this sort of ACL.

Any external references to support your case

A paper on the topic
Neo4j 4.0 new security model
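
The gap described in the report, as an added example that is not part of the original post and is not Dgraph code: a toy in-memory triple store comparing a predicate-only permission check with one that also scopes reads to nodes the user owns. The graph, the `owns` and `project.*` predicate names, and the ACL table are constructed assumptions.

```python
# Constructed sample graph: (subject, predicate, object) triples.
TRIPLES = [
    ("u:alice", "owns", "p:1"),
    ("u:bob", "owns", "p:2"),
    ("p:1", "project.name", "alice-payroll"),
    ("p:2", "project.name", "bob-merger"),
    ("p:2", "project.budget", "900000"),
]

# Hypothetical predicate-level ACL: user -> predicates the user may read.
PREDICATE_ACL = {
    "alice": {"owns", "project.name"},
    "bob": {"owns", "project.name", "project.budget"},
}


def readable_by_predicate(user):
    """Triples visible when only the predicate name is checked."""
    allowed = PREDICATE_ACL.get(user, set())
    return [t for t in TRIPLES if t[1] in allowed]


def owned_nodes(user):
    """The user's own node plus every node it reaches through `owns`."""
    me = f"u:{user}"
    return {me} | {o for s, p, o in TRIPLES if s == me and p == "owns"}


def readable_by_node_scope(user):
    """Predicate check plus a per-node ownership check (need to know)."""
    scope = owned_nodes(user)
    return [t for t in readable_by_predicate(user) if t[0] in scope]


def project_names(triples):
    """Project names present in a result set, sorted for comparison."""
    return sorted(o for _, p, o in triples if p == "project.name")


if __name__ == "__main__":
    # Predicate-only: alice sees every project that has a readable predicate.
    print(project_names(readable_by_predicate("alice")))
    # Node-scoped: alice sees only the project she owns.
    print(project_names(readable_by_node_scope("alice")))
```
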