<-[:WORKS_FOR]-(employee)-[:HAS_ACCOUNT]->(account)
RETURN employee.name AS employee, account.name AS account
This query sets the template for all the other queries we'll be looking at in this section, in that it comprises two separate queries joined by a UNION operator, which was introduced with Neo4j 2.0. The query before the UNION operator handles ALLOWED_INHERIT relationships qualified by any DENIED relationships; the query following the UNION operator handles any ALLOWED_DO_NOT_INHERIT permissions. This pattern, ALLOWED_INHERIT minus DENIED, followed by ALLOWED_DO_NOT_INHERIT, is repeated in all of the access control example queries that follow.
The first query here, the one before the UNION operator, can be broken down as follows:
• START finds the logged-in administrator in the administrator index, and binds the result to the admin identifier.
• MATCH matches all the groups to which this administrator belongs, and from these groups, all the parent companies connected by way of an ALLOWED_INHERIT relationship. The MATCH then uses a variable-length path ([:CHILD_OF*0..3]) to discover children of these parent companies, and thereafter the employees and accounts associated with all matched companies (whether parent company or child). At this point, the query has matched all companies, employees, and accounts accessible by way of ALLOWED_INHERIT relationships.
• WHERE eliminates matches whose company, or parents, are connected by way of a DENIED relationship to the administrator's groups. This WHERE clause is invoked for each match; if there is a DENIED relationship anywhere between the admin node and the company node bound by the match, that match is eliminated.
• RETURN creates a projection of the matched data in the form of a list of employee names and accounts.
The second query here, following the UNION operator, is a little simpler:
• The MATCH clause simply matches companies (plus employees and accounts) that are directly connected to an administrator's groups by way of an ALLOWED_DO_NOT_INHERIT relationship.
The UNION operator joins the results of these two queries together, eliminating any duplicates. Note that the RETURN clause in each query must contain the same projection of the results; in other words, the column names in the results must match.
Figure 5-9 shows how this query matches all accessible resources for Sarah in the sample TeleGraph graph. Note that, because of the DENIED relationship from Group 2 to Skunkworkz, Sarah cannot administer Kate and Account 7.
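The resolution pattern described above (ALLOWED_INHERIT minus DENIED, unioned with ALLOWED_DO_NOT_INHERIT) can be checked outside the database. The following Python is an added example, not code from the book: the graph, every name in it, and the one-parent-per-company CHILD_OF layout are constructed assumptions, and it also exercises the 0..3 hop limit and the non-inheriting grant.

```python
# Added illustration: constructed graph, hypothetical names (not the TeleGraph data).
MEMBER_OF = {"sam": {"ops", "audit"}}                 # admin -> groups
ALLOWED_INHERIT = {"ops": {"Acme"}}                   # group -> companies
ALLOWED_DO_NOT_INHERIT = {"audit": {"Spinoff"}}
DENIED = {"audit": {"Labs"}}
CHILD_OF = {"Labs": "Acme", "LabsEU": "Labs", "Sales": "Acme",
            "SalesEU": "Sales", "SalesDE": "SalesEU", "SalesBerlin": "SalesDE",
            "SpinoffSub": "Spinoff"}                  # child -> parent (one parent assumed)
WORKS_FOR = {"ann": "Acme", "bob": "Labs", "cy": "LabsEU", "dee": "SalesDE",
             "eli": "SalesBerlin", "eve": "Spinoff", "fay": "SpinoffSub"}
HAS_ACCOUNT = {e: ["acct-" + e] for e in WORKS_FOR}   # one constructed account each


def ancestors(company, max_hops=3):
    """The company plus up to max_hops parents, mirroring [:CHILD_OF*0..3]."""
    chain = [company]
    while len(chain) <= max_hops and chain[-1] in CHILD_OF:
        chain.append(CHILD_OF[chain[-1]])
    return set(chain)


def targets(admin, rel):
    """Companies reached from any of the admin's groups via one relationship type."""
    return set().union(*(rel.get(g, set()) for g in MEMBER_OF.get(admin, ())))


def accessible(admin):
    """(employee, account) rows the admin may manage, deduplicated like UNION."""
    allowed = targets(admin, ALLOWED_INHERIT)
    denied = targets(admin, DENIED)
    direct = targets(admin, ALLOWED_DO_NOT_INHERIT)
    rows = set()
    for employee, company in WORKS_FOR.items():
        chain = ancestors(company)
        # Query before UNION: ALLOWED_INHERIT minus DENIED, both within 0..3 hops.
        inherited = bool(chain & allowed) and not (chain & denied)
        # Query after UNION: direct grant only; child companies are not matched.
        if inherited or company in direct:
            rows.update((employee, acct) for acct in HAS_ACCOUNT.get(employee, []))
    return sorted(rows)


if __name__ == "__main__":
    for row in accessible("sam"):
        print(row)
```

In this constructed graph the DENIED relationship on Labs removes bob and cy, eli sits four hops below Acme and so falls outside the variable-length path, and fay is excluded because the grant on Spinoff does not inherit.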