Hi, below is a reference to the document I referred to: "INCITS 525: Information technology - Next Generation Access Control - Implementation Requirements, Protocols and API Definitions (NGAC-IRPADS)" - https://standards.incits.org/apps/group_public/document.php?document_id=93250
This contains the sample ABAC (Attribute Based Access Control) setup that I turned into a neo4j graph and now try to use as a basis for querying ABAC access decisions.

IMHO this is really interesting stuff to see how a graph database can be used to store and validate access policies for an ABAC implementation, as opposed to the XACML-based implementations for which a few commercial products exist.

I also created a sample graph at http://console.neo4j.org/?id=q9frmo which should reflect the setup from the INCITS 525 document.

Still trying to write the query to detect the presence of multiple paths from different nodes to a set of shared nodes in the middle. Any help is appreciated.

reg
koen

On Wednesday, 3 January 2018 at 11:08:24 UTC+1, koen wrote:
>
> Hi, a cypher question. How can you check if 2 (or more) different nodes in
> a graph have relationships to multiple other (shared) nodes in the graph?
>
> Attached is a graph (the result of the cypher query below) that I created
> based on the sample provided in the NIST / INCITS NGAC 499 / 525 (Next
> Generation Access Control) specification (graph.png). I also included the
> diagram of the complete sample graph.
>
> BLUE --- : u1 is a :User node
> GREEN --- a11, a21, l11, l12 are :Object nodes
> YELLOW --- branch-constrants, position-constraints are :PolicyClass nodes
> GREY --- all other nodes are attribute nodes
>
> In the sample provided, "u1" has a relationship with the 2 policy classes
> (branch and position constraints) and it has an ASSOCIATED_TO relationship
> to both the "products1" and "accounts" Attribute nodes.
> Looking from the :Object side, only "a11" has a relationship to both of the 2
> PolicyClasses and to the "products1" and "accounts" attribute nodes --
> similar to what u1 has "u1"
>
> All other Objects (a21, l12 and l11) do not have these 4 relationships
> but only some of them (meaning u1 has no access to these objects).
>
> How can I further filter this out in cypher? So I would like to further
> refine the result so that only "u1" and "a11" (meaning user u1 has access
> to object a11) are part of the end result set.
>
> It seems straightforward, but it looks like I am running into some
> constraints where some nodes are visited only once and no results are
> returned (for example, going from "a11" you have to visit the "accounts1" node
> multiple times).
>
> This is the cypher code used to create the graph as specified in the attached
> diagram.
>
> MATCH p1 = (u:User)-[:ASSIGNED_TO*]->(pc:PolicyClass)
> WHERE u.name = "u1"
> WITH *
> MATCH p2 = (u)-[:ASSIGNED_TO*]->(a:Attribute)-[:ASSOCIATED_TO]->(a1:Attribute)
> WITH *
> MATCH p3 = (o:Object)-[:ASSIGNED_TO*]->(pc:PolicyClass)
> WITH *
> MATCH p4 = (o)-[:ASSIGNED_TO*]->(a1:Attribute)
> WITH *
> RETURN p1,p2,p3,p4
>
> Any help is welcome!
>
> Thanks, regards
> Koen
>
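One way to express the check described in the quoted question, as an added example that is not part of the original thread or of the INCITS document: collect everything the user reaches first, then keep only objects that reach all of it. It assumes the labels, relationship types and `name` property used in the quoted query, and implements the criterion as the post states it (the object must reach every policy class and every association target that the user reaches), which is an assumption about the intended decision rule.

```cypher
// Added example. Labels, relationship types and the `name` property are
// taken from the quoted query; the decision rule is the one the post describes.
MATCH (u:User {name: "u1"})

// Policy classes the user is (transitively) assigned to.
OPTIONAL MATCH (u)-[:ASSIGNED_TO*]->(pc:PolicyClass)
WITH u, collect(DISTINCT pc) AS pcs

// Attributes reached through an association from one of the user's
// attributes (the a1 nodes of path p2 in the quoted query).
OPTIONAL MATCH (u)-[:ASSIGNED_TO*]->(:Attribute)-[:ASSOCIATED_TO]->(t:Attribute)
WITH u, pcs, collect(DISTINCT t) AS targets

MATCH (o:Object)
// all() over an empty list is true, so without these two size() guards a
// user with no policy class or no association would match every object
// (the check would fail open).
WHERE size(pcs) > 0 AND size(targets) > 0
  // The object must reach every policy class the user reaches ...
  AND all(pc IN pcs WHERE (o)-[:ASSIGNED_TO*]->(pc))
  // ... and every association target the user reaches.
  AND all(t IN targets WHERE (o)-[:ASSIGNED_TO*]->(t))
RETURN u.name AS user, o.name AS object
ORDER BY object
```

Each pattern predicate inside `all()` is evaluated on its own, so a shared intermediate node can be traversed by several of the checks; relationship uniqueness only applies within a single matched pattern.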
