Object Tree, Users, Privilege Query

mburbidg · November 1, 2019, 2:25pm

Discoverable%20Assets

In our system, objects are organized into single rooted hierarchies (trees). In the diagram, the gray circles represent objects. An edge, named CHILD represents the child objects of a parent object.

User’s are given access privilege to specific objects in the tree. Users in the diagram are represented by pink circles. An access privilege is represented by an edge named CAN_ACCESS from a user to an object.

Access privileges in our system are inherited.

I’m trying to write a query that would find the objects a given user has access privilege to, but does not have access privilege to an ancestor.

In the example diagram for the user U2, the query should result in [b, c]. U2 does have access to f, but f should be excluded from the results because U2 has access to b, which is an ancestor of f.

thanks,
Michael-

mburbidg · November 10, 2019, 2:09pm

Just bumping this to the top. Any suggestions on a query that would do what I described?

mburbidg · November 10, 2019, 10:53pm

It’s relatively trivial to list the objects U2 has a grant on using this query.

{
assets(func: eq(name, “U2”)) {
name
grant {
name
}
}
}

What I can’t figure out how to do is filter out “f” from the results, due to the fact that “f” has an ancestor “b” to which U2 also has a grant on. It seems like I’d need to @filter on grant but also recurse.

pawan · November 11, 2019, 11:01pm

Hey @mburbidg, I used the following data-set to recreate the graph that you have here.

{
    set {
        _:root <child> _:b .
        _:root <child> _:a .
        _:a <child> _:c .
        _:b <child> _:d .
        _:b <child> _:e .
        _:e <child> _:f .
        _:u2 <can_access> _:f .
        _:u2 <can_access> _:b .
        _:u2 <can_access> _:c .

        _:root <name> "root" .
        _:b <name> "b" .
        _:c <name> "c" .
        _:d <name> "d" .
        _:e <name> "e" .
        _:f <name> "f" .
        _:u2 <name> "U2" .
    }
}

After that the following query gives us what you are looking for.

{
  # Store accessible nodes for U2 in a variable.
  var(func: eq(name, "U2")) {
    accessible as can_access
  }
  
  # Start from the accessible nodes and recursively find all their children. Store them in another variable.
  var(func: uid(accessible)) @recurse {
    allChildren as child
  }
  
  # Filter out all accessible nodes which are also children of another accessible node.
  me(func: uid(accessible)) @filter(NOT uid(allChildren)) {
    uid
    name
  }
}

Let us know if that works for you.

mburbidg · November 12, 2019, 12:04am

Thanks Pawan. That works and gives me a better idea for constructing future queries.

Topic		Replies	Views
Excluding from a Predicate Object in a Query Dgraph dgraph	6	459	January 16, 2023
Evaluating expression inside query and expose in the final output Dgraph	2	325	March 19, 2020
Filter parent-child edges Dgraph	3	1721	April 17, 2018
Filter out node based on connected node values Dgraph	9	910	July 25, 2020
Bugs or missuse - Querying from several "root" nodes Users	3	735	October 11, 2017

Object Tree, Users, Privilege Query

Related Topics