Skip to main content

Control access to a graph

Data modeling access control is based on spaces. When you control access to a space, you can control read and write for schemas and instances separately. For each space, you can give some users write access to the schema while allowing others to read the schema and write data instances.

Access control lists (ACLs)

The ACLs used to control access in DMS are:

  • dataModelInstances: controls access to instances (nodes and edges.)

    • READ: allows reading instances.
    • WRITE: allows modifying and deleting instances.
    • WRITE_PROPERTIES: allows writing properties without allowing creation/deletion of instances.

  • dataModels: controls access to schemas (spaces, containers, views, and data models.)

    • READ: allows reading schemas.
    • WRITE: allows modifying schemas.

The ACLs support these two scopes:

  • all: grants access to all resources in all spaces
  • space: grants access to resources in the specified spaces

For example, the capabilities in the example below grant access to:

  • Read instances in all spaces.
  • Modify/delete instances in space1.
  • Write properties to instances in space2 using views/containers you have read access to.
  • Read and modify schemas in all spaces.
- dataModelInstances
    actions: [READ]
    scope:
      all: {}
- dataModelInstances
    actions: [WRITE]
    scope:
      space: [space1]
- dataModelInstances
    actions: [WRITE_PROPERTIES]
    scope:
      space: [space2]
- dataModels:
    actions: [READ, WRITE]
    scope:
      all: {}

Autocreate instances

You can only autocreate instances in spaces you have write access to. Even if you set autoCreateDirectRelations to true when ingesting, the nodes in the spaces you only have read access to must already exist.

Edges and direct relations

You need read access to the target space to point edges and direct relations to nodes in other spaces.

Last updated