Being new to Cypher and Neo4j, I am having trouble constructing my query for my use-case. I am building a simple ACL (access control list) and am looking for a path through permission relationships an up a hierarchy as well. A picture may better explain it:
Key:
Users -> Blue
Groups -> Yellow, Green
Resource Tree -> Red
Now I want to see if a path exists from Bob to the eVar 33 resource where Bob has update access. Because there is a direct path, I can get what I am looking for by running
MATCH p =(usr:Usr)-[:AXO {update: true}]->(aco:ACO)
WHERE usr.name = 'Bob' AND aco.name = 'eVar 33'
RETURN p
But now, Bob is also a member of the Media Mgmt group which grants him read access to the Conversion resource. And because Conversion is further up the resource tree than eVar 33, eVar 33 should inherit this permission. But when I run the same query looking for {read: true}
instead, no path is found. I know this is because I am not allowing traversal through the :IN
and :HAS
relationships, but how can I do this?
I have tried:
MATCH p =(usr:Usr)-[:IN|:HAS|:AXO {read: true}]->(aco:ACO)
WHERE usr.name = 'Bob' AND aco.name = 'eVar 33'
RETURN p
thinking this would allow those relationships to be traversed, but it still does not find a path (because I am not allowing more than a depth of 1?).
So here are my needs:
And no, I do not work for Nike. Just an example use-case here :)
Does this do what you want?
MATCH (bob:User { name:"Bob" })-[:IN*0..]->(group)-[:AXO { read:true }]->(res1)-[:HAS*0..]->(res2 { name:"eVar 33" })
RETURN count(*)
I take this query to mean something like: "Give me user Bob, and any [:AXO{read:true}]
relationship that he has to resource eVar 33. You may go to through zero or more [:IN]
to access the resource through Bob's groups, and through zero or more [:HAS]
, since resources inherit permissions".
>1
means read access, 0
means not.
If your [:IN]
or [:HAS]
trees are very complex you may want to cap depth.
Edit
Wrt comment about optimizing by returning on first path found, it's not always obvious how to control query execution this way, sometimes you have to know when and how Cypher is lazy. Limiting result to 1 may suffice, but in this case reformulating the query slightly may be more to the point, something like: "Give me user Bob if he has any [:AXO{read:true}]
relationship to resource eVar 33. You may go through..."
Now the path from Bob to resource is a predicate on which the Bobs in your MATCH
clause are filtered. In Cypher, something like
MATCH (bob:User { name:"Bob" })
WHERE bob-[:IN*0..]->()-[:AXO { read:true }]->()-[:HAS*0..]->({ name:"eVar 33" })
RETURN true
This will not return anything if the path predicate evaluates false. If you want to determine permission based on what is returned rather than whether something is returned, don't use WHERE
but just return a count of the predicate, or better an assertion that the count of the predicate is 1. Since the pattern is not part of the MATCH
clause it will not expand your result, so counting will be 0 or 1 (if there is only one Bob).
MATCH (bob:User { name:"Bob" })
RETURN 1 = count (bob-[:IN*0..]->()-[:AXO { read:true }]->()-[:HAS*0..]->({ name:"eVar 33" }))
It may 'feel' like counting the path predicate would mean counting the paths, but it doesn't. Try removing {read:true}
to get a path pattern with more than one matches in the graph–counting it as a predicate still gives 1.
MATCH (bob:User { name:"Bob" })
RETURN 1 = count (bob-[:IN*0..]->()-[:AXO]->()-[:HAS*0..]->({ name:"eVar 33" }))
Try profiling such a query and compare to the first query with a LIMIT 1
to see which execution plan makes most sense.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With