DENIED forbids administrators from accessing an organizational unit. This permission is inherited by children of the parent organizational unit. In the TeleGraph diagram, this is best illustrated by Liz and her permissions with respect to Big Co, Acquired Ltd, Subsidiary, and One-Map Shop. As a result of her membership of Group 4 and its ALLOWED_INHERIT permission on Big Co, Liz can manage Big Co. But despite this being an inheritable relationship, Liz cannot manage Acquired Ltd or Subsidiary, because Group 5, of which Liz is a member, is DENIED access to Acquired Ltd and its children (which include Subsidiary). Liz can, however, manage One-Map Shop, thanks to an ALLOWED_DO_NOT_INHERIT permission granted to Group 6, the last group to which Liz belongs.

DENIED takes precedence over ALLOWED_INHERIT, but is subordinate to ALLOWED_DO_NOT_INHERIT. Therefore, if an administrator is connected to a company by way of both ALLOWED_DO_NOT_INHERIT and DENIED, ALLOWED_DO_NOT_INHERIT prevails.
Fine-Grained Relationships, or Relationships with Properties?
Notice that the TeleGraph access control data model uses fine-grained relationships (ALLOWED_INHERIT, ALLOWED_DO_NOT_INHERIT, and DENIED) rather than a single relationship type qualified by properties, something like PERMISSION with allowed and inherited boolean properties. TeleGraph performance-tested both approaches and determined that the fine-grained, property-free approach was nearly twice as fast as the one using properties. For more details on designing relationships, see Chapter 4.
Finding all accessible resources for an administrator
The TeleGraph application uses many different Cypher queries; we'll look at just a few
of them here.
First up is the ability to find all the resources an administrator can access. Whenever an
onsite administrator logs in to the system, he is presented with a browser-based list of
all the employees and employee accounts he can administer. This list is generated based
on the results returned from the following query:
START admin=node:administrator(name={administratorName})
MATCH paths=(admin)-[:MEMBER_OF]->()-[:ALLOWED_INHERIT]->()
      <-[:CHILD_OF*0..3]-(company)<-[:WORKS_FOR]-(employee)
      -[:HAS_ACCOUNT]->(account)
WHERE NOT ((admin)-[:MEMBER_OF]->()-[:DENIED]->()<-[:CHILD_OF*0..3]-(company))
RETURN employee.name AS employee, account.name AS account
UNION
START admin=node:administrator(name={administratorName})
MATCH paths=(admin)-[:MEMBER_OF]->()-[:ALLOWED_DO_NOT_INHERIT]->()
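To make the precedence rules (ALLOWED_DO_NOT_INHERIT over DENIED over ALLOWED_INHERIT, with only the latter two inherited down CHILD_OF) and the intent of the query above concrete, here is an added Python model of the Liz example; it is not TeleGraph's code or the book's. The group memberships and permission edges follow the text; One-Map Shop's position in the hierarchy is an assumption (placed under Acquired Ltd so that a DENIED and an ALLOWED_DO_NOT_INHERIT meet on the same company).

```python
from typing import Dict, List, Set, Tuple

# Constructed in-memory graph mirroring the TeleGraph example in the text.
MEMBER_OF: Dict[str, Set[str]] = {"Liz": {"Group 4", "Group 5", "Group 6"}}

# CHILD_OF relationships: child company -> parent company.
CHILD_OF: Dict[str, str] = {
    "Acquired Ltd": "Big Co",
    "Subsidiary": "Acquired Ltd",
    "One-Map Shop": "Acquired Ltd",  # assumption: not stated in the text
}
COMPANIES: List[str] = ["Big Co", "Acquired Ltd", "Subsidiary", "One-Map Shop"]

# Fine-grained permission relationships: (group, relationship type, company).
PERMISSIONS: List[Tuple[str, str, str]] = [
    ("Group 4", "ALLOWED_INHERIT", "Big Co"),
    ("Group 5", "DENIED", "Acquired Ltd"),
    ("Group 6", "ALLOWED_DO_NOT_INHERIT", "One-Map Shop"),
]


def ancestors(company: str) -> List[str]:
    """The company followed by its parents: the CHILD_OF*0.. chain."""
    chain = [company]
    while chain[-1] in CHILD_OF:
        chain.append(CHILD_OF[chain[-1]])
    return chain


def can_manage(admin: str, company: str) -> bool:
    """Resolve access with the text's precedence rules: a direct
    ALLOWED_DO_NOT_INHERIT beats DENIED, and a DENIED on the company or
    any parent beats ALLOWED_INHERIT."""
    groups = MEMBER_OF.get(admin, set())
    chain = ancestors(company)
    # Relationship types reaching this company, split by where they attach.
    direct = {rel for g, rel, c in PERMISSIONS if g in groups and c == company}
    on_chain = {rel for g, rel, c in PERMISSIONS if g in groups and c in chain}
    if "ALLOWED_DO_NOT_INHERIT" in direct:  # never inherited, always wins
        return True
    if "DENIED" in on_chain:                # inherited by children
        return False
    return "ALLOWED_INHERIT" in on_chain    # inherited by children


def accessible_companies(admin: str) -> List[str]:
    """The company set the 'all accessible resources' query is built around."""
    return [c for c in COMPANIES if can_manage(admin, c)]
```

Running accessible_companies("Liz") yields Big Co and One-Map Shop only, matching the outcome the text describes for Liz.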