Abstract
The graph data model is increasingly used in practice due to its flexibility in modeling complex real-life data. However, some security features (e.g., access control) are not receiving sufficient attention from researchers since that graph databases are still in their infancy. Existing access control models do not rise to the finest granularity level of data, use expensive methods for data filtering or explicitly enforce access control rules in application code which may lead to several data security breaches. Based on the most popular graph database system Neo4j and its query language Cypher, this paper provides an Attribute-based Access Control (ABAC) support to Neo4j which makes the model more fine-grained and allows to specify more expressive access policies. Next, we provide a rewriting algorithm that transforms an arbitrary Cypher query into a safe one that enforces the underlying access control policy by returning only authorized data. Contrary to most existing solutions that use non-practical query languages, the proposed solution can be integrated easily within the Neo4j database system.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
It is worth noting that our findings can be extended to cover other features of the language as well.
- 4.
An attribute A is accessible depending to the value of an attribute B and vice versa.
- 5.
I.e. node or relationship with no variable attached to it.
- 6.
According to our Cypher syntax, a subquery is any Match statement appearing inside an Exists call.
- 7.
References
Neo4j access control. https://neo4j.com/docs/cypher-manual/current/administration/access-control/. Accessed 10 June 2023
Chabin, J., Ciferri, C.D., Halfeld-Ferrari, M., Hara, C.S., Penteado, R.R.: Role-based access control on graph databases. In: SOFSEM, pp. 519–534 (2021)
Clark, S., Yakovets, N., Fletcher, G., Zannone, N.: Relog: a unified framework for relationship-based access control over graph databases. In: IFIP, pp. 303–315 (2022)
Colombo, P., Ferrari, E.: Efficient enforcement of action-aware purpose-based access control within relational database management systems. IEEE Trans. Knowl. Data Eng. 27, 2134–2147 (2015)
Colombo, P., Ferrari, E.: Towards virtual private NoSQL datastores. In: ICDE, pp. 193–204 (2016)
Elliott, A., Knight, S.: Role explosion: acknowledging the problem. In: Software Engineering Research and Practice, pp. 349–355 (2010)
Fan, W., Chan, C.Y., Garofalakis, M.: Secure xml querying with security views. In: SIGMOD, pp. 587–598 (2004)
Francis, N., et al.: Cypher: an evolving query language for property graphs. In: Proceedings of the 2018 International Conference on Management of Data, pp. 1433–1445 (2018)
Hofer, D., Mohamed, A., Küng, J.: Modifying neo4j’s object graph mapper queries for access control. In: Pardede, E., Delir Haghighi, P., Khalil, I., Kotsis, G. (eds.) Information Integration and Web Intelligence. iiWAS 2022. LNCS, vol. 13635, pp. 421–426. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-21047-1_37
Jin, Y., Kaja, K.: XACML implementation based on graph databases. In: CATA, pp. 65–74 (2019)
Mohamed, A., Auer, D., Hofer, D., Küng, J.: Extended authorization policy for graph-structured data. SN Comput. Sci. 2, 351–369 (2021)
Morgado, C., Baioco, G.B., Basso, T., Moraes, R.: A security model for access control in graph-oriented databases. In: QRS, pp. 135–142 (2018)
Rizvi, S., Mendelzon, A., Sudarshan, S., Roy, P.: Extending query rewriting techniques for fine-grained access control. In: SIGMOD, pp. 551–562 (2004)
Rizvi, S.Z.R., Fong, P.W.: Efficient authorization of graph-database queries in an attribute-supporting rebac model. ACM Trans. Priv. Secur. (TOPS) 1–33 (2020)
Valzelli, M., Maurino, A., Palmonari, M.: A fine-grained access control model for knowledge graphs. knowledge graphs. In: ICETE, vol. 2, pp. 595–601 (2020)
You, M., et al.: A knowledge graph empowered online learning framework for access control decision-making. World Wide Web, pp. 827–848 (2023)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bereksi Reguig, A.A., Mahfoud, H., Imine, A. (2024). Towards an Effective Attribute-Based Access Control Model for Neo4j. In: Mosbah, M., Kechadi, T., Bellatreche, L., Gargouri, F. (eds) Model and Data Engineering. MEDI 2023. Lecture Notes in Computer Science, vol 14396. Springer, Cham. https://doi.org/10.1007/978-3-031-49333-1_25
Download citation
DOI: https://doi.org/10.1007/978-3-031-49333-1_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-49332-4
Online ISBN: 978-3-031-49333-1
eBook Packages: Computer ScienceComputer Science (R0)