Neo4j 4.0 has just been released with a key feature: graph and sub-graph access control. Access to certain labels or relationship types or properties can now be handled at the database level, resulting in developers not having to deal with complex security logic in their code, and also providing a more consistent and performant solution.
Users connecting directly to Neo4j with their Neo4j user credentials either via the browser, or standalone visualisation tools will only have access to the sub-graph as permitted by the role(s) assigned to them. But what about applications that usually abstract away the database user credentials and connect to Neo4j by supplying pre-configured Neo4j user credentials to the driver? Typically, a single database user is configured, but this won’t work if application users all have different privileges. Since authentication is part of the driver set up, drivers need to know which application user is querying the graph to be able to enforce graph security.
We explored some options that we briefly examine in this blog post.