Object Tree, Users, Privilege Query

(Michael Burbidge) #1


In our system, objects are organized into single-rooted hierarchies (trees). In the diagram, the gray circles represent objects. An edge named CHILD represents the child objects of a parent object.

Users are given access privilege to specific objects in the tree. Users in the diagram are represented by pink circles. An access privilege is represented by an edge named CAN_ACCESS from a user to an object.

Access privileges in our system are inherited.

I’m trying to write a query that would find the objects a given user has access privilege to, but does not have access privilege to an ancestor.

In the example diagram for the user U2, the query should result in [b, c]. U2 does have access to f, but f should be excluded from the results because U2 has access to b, which is an ancestor of f.


(Michael Burbidge) #2

Just bumping this to the top. Any suggestions on a query that would do what I described?

(Michael Burbidge) #3

It’s relatively trivial to list the objects U2 has a grant on using this query.

assets(func: eq(name, "U2")) {
  grant {

What I can’t figure out how to do is filter out “f” from the results, due to the fact that “f” has an ancestor “b” on which U2 also has a grant. It seems like I’d need to @filter on grant but also recurse.
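
The rule described in this thread (keep only the grants that have no granted ancestor), written out as an added reference example in Python; it is not part of the original posts and is not a Dgraph query. The tree shape and the U1 grant are constructed, since the diagram is not reproduced here; only U2's grants on b, c and f, with b an ancestor of f, come from the thread. Because privileges are inherited, the reduced set must give the same effective access as the full grant list, which makes it usable as an oracle when testing a query.

```python
# Constructed sample data: CHILD edges as parent -> children, root "a".
CHILD = {"a": ["b", "c"], "b": ["d", "e"], "c": ["g"], "e": ["f"]}
# CAN_ACCESS edges as user -> directly granted objects (U2 as in the thread).
CAN_ACCESS = {"U1": ["a"], "U2": ["b", "c", "f"]}


def parent_map(child_edges):
    """Invert CHILD edges; reject a node with two parents (not a tree)."""
    parents = {}
    for parent, children in child_edges.items():
        for child in children:
            if child in parents:
                raise ValueError(f"{child!r} has more than one parent")
            parents[child] = parent
    return parents


def ancestors(node, parents):
    """Yield every ancestor of node, nearest first; fail on a cycle."""
    seen = set()
    while node in parents:
        node = parents[node]
        if node in seen:
            raise ValueError("cycle in CHILD edges")
        seen.add(node)
        yield node


def topmost_grants(user, child_edges, grants):
    """Granted objects for which no ancestor is also granted to the user."""
    parents = parent_map(child_edges)
    granted = set(grants.get(user, []))
    return sorted(o for o in granted
                  if granted.isdisjoint(ancestors(o, parents)))


def effective_access(objects, child_edges):
    """Objects reachable through inheritance: the given ones plus descendants."""
    reached, stack = set(), list(objects)
    while stack:
        node = stack.pop()
        if node not in reached:
            reached.add(node)
            stack.extend(child_edges.get(node, []))
    return reached


if __name__ == "__main__":
    print(topmost_grants("U2", CHILD, CAN_ACCESS))
```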