<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-15 -->
<p>The <strong>Security and Compliance</strong> category provides comprehensive guidance on securing Geode deployments and meeting regulatory requirements. From authentication and encryption to audit logging and privacy compliance, these resources help you build and maintain secure, compliant graph database systems.</p>
<h3 id="security-architecture" class="position-relative d-flex align-items-center group">
<span>Security Architecture</span>
</h3><p>Geode implements defense-in-depth security with multiple layers protecting your data at every point in its lifecycle. Security is not an add-on but a fundamental aspect of Geode’s architecture, with mandatory encryption, comprehensive access controls, and detailed audit capabilities built into the core system.</p>
<h4 id="security-layers" class="position-relative d-flex align-items-center group">
<span>Security Layers</span>
</h4><p><strong>Network Security</strong>: All client-server communication uses the QUIC protocol with mandatory TLS 1.3 encryption. There is no plaintext fallback: encryption is always enabled, protecting data in transit against eavesdropping and tampering.</p>
<p><strong>Authentication</strong>: Verify identity before granting any access using username/password, certificate-based authentication, or integration with external identity providers.</p>
<p><strong>Authorization</strong>: Control what authenticated users can do through role-based access control (RBAC) and Row-Level Security (RLS) policies that filter data based on user attributes.</p>
<p><strong>Encryption</strong>: Protect data at rest with Transparent Data Encryption (TDE) for all database files and Field-Level Encryption (FLE) for sensitive attributes requiring application-controlled keys.</p>
<p><strong>Audit Logging</strong>: Record all database operations, authentication attempts, and authorization decisions for compliance, forensics, and threat detection.</p>
<p><strong>Data Integrity</strong>: ACID transactions with cryptographic checksums ensure data cannot be corrupted, whether by bugs, hardware failures, or malicious actors.</p>
<h3 id="authentication" class="position-relative d-flex align-items-center group">
<span>Authentication</span>
</h3>
<h4 id="user-authentication" class="position-relative d-flex align-items-center group">
<span>User Authentication</span>
</h4><p>Geode supports multiple authentication mechanisms:</p>
<p><strong>Username and Password</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">geode_client</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">def</span> <span class="nf">connect_with_password</span><span class="p">():</span>
</span></span><span class="line"><span class="cl"> <span class="n">client</span> <span class="o">=</span> <span class="n">geode_client</span><span class="o">.</span><span class="n">open_database</span><span class="p">(</span><span class="s2">"quic://localhost:3141"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="n">auth</span> <span class="o">=</span> <span class="n">geode_client</span><span class="o">.</span><span class="n">AuthClient</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="n">session</span> <span class="o">=</span> <span class="k">await</span> <span class="n">auth</span><span class="o">.</span><span class="n">login</span><span class="p">(</span><span class="s2">"alice"</span><span class="p">,</span> <span class="s2">"secure_password"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">session</span>
</span></span></code></pre></div><p><strong>Certificate-Based Authentication</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">geode_client</span><span class="o">.</span><span class="n">Client</span><span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="n">host</span><span class="o">=</span><span class="s2">"localhost"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">port</span><span class="o">=</span><span class="mi">3141</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">ca_cert</span><span class="o">=</span><span class="s2">"/path/to/ca.crt"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">client_cert</span><span class="o">=</span><span class="s2">"/path/to/client-cert.pem"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">client_key</span><span class="o">=</span><span class="s2">"/path/to/client-key.pem"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"><span class="p">)</span>
</span></span></code></pre></div><p><strong>Token-Based Authentication</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">async</span> <span class="k">def</span> <span class="nf">login_and_store_token</span><span class="p">():</span>
</span></span><span class="line"><span class="cl"> <span class="n">client</span> <span class="o">=</span> <span class="n">geode_client</span><span class="o">.</span><span class="n">open_database</span><span class="p">(</span><span class="s2">"quic://localhost:3141"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="n">auth</span> <span class="o">=</span> <span class="n">geode_client</span><span class="o">.</span><span class="n">AuthClient</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="n">session</span> <span class="o">=</span> <span class="k">await</span> <span class="n">auth</span><span class="o">.</span><span class="n">login</span><span class="p">(</span><span class="s2">"alice"</span><span class="p">,</span> <span class="s2">"secure_password"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">session</span><span class="o">.</span><span class="n">token</span>
</span></span></code></pre></div>
<h4 id="managing-users" class="position-relative d-flex align-items-center group">
<span>Managing Users</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">PASSWORD</span><span class="w"> </span><span class="err">'</span><span class="py">secure_password</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Drop</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DROP</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="password-policies" class="position-relative d-flex align-items-center group">
<span>Password Policies</span>
</h4><p>Configure password requirements for security:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password_policy</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">min_length</span><span class="p">:</span><span class="w"> </span><span class="m">12</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_uppercase</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_lowercase</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_digits</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_special_chars</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_age_days</span><span class="p">:</span><span class="w"> </span><span class="m">90</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">prevent_reuse</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w">
</span></span></span></code></pre></div>
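<p>The following is an added example, not code from Geode or its client library: a pre-flight check a provisioning script could run before issuing <code>CREATE USER</code>, using the keys from the policy above. It assumes that "special" means ASCII punctuation, that reuse history is kept as salted PBKDF2 hashes, and that a password expires once it is older than <code>max_age_days</code>; all function names are hypothetical. Note that <code>secure_password</code>, the sample password in the login examples, fails this policy.</p>

```python
import hashlib
import hmac
import os
import string
from datetime import timedelta

# Values copied from the security.password_policy block in geode.yaml above.
POLICY = {
    "min_length": 12,
    "require_uppercase": True,
    "require_lowercase": True,
    "require_digits": True,
    "require_special_chars": True,
    "max_age_days": 90,
    "prevent_reuse": 5,
}

# Assumption: "special" means ASCII punctuation; the page does not define it.
_CLASS_TESTS = {
    "require_uppercase": str.isupper,
    "require_lowercase": str.islower,
    "require_digits": str.isdigit,
    "require_special_chars": lambda ch: ch in string.punctuation,
}

# Assumed work factor for the stored history hashes (not a Geode setting).
PBKDF2_ITERATIONS = 600_000


def policy_violations(password, policy=POLICY):
    """Return the policy keys the password fails, in the order of the file."""
    failed = []
    if len(password) < policy["min_length"]:
        failed.append("min_length")
    for key, test in _CLASS_TESTS.items():
        if policy.get(key) and not any(test(ch) for ch in password):
            failed.append(key)
    return failed


def history_entry(password, iterations=PBKDF2_ITERATIONS):
    """Build one history record: a fresh salt, the work factor, and the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, digest)


def is_reused(password, history, policy=POLICY):
    """history is newest-first; only the last `prevent_reuse` entries block."""
    for salt, iterations, digest in history[: policy["prevent_reuse"]]:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, iterations
        )
        # Constant-time comparison of the recomputed hash with the stored one.
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def is_expired(changed_at, now, policy=POLICY):
    """True once the password is strictly older than max_age_days."""
    return now - changed_at > timedelta(days=policy["max_age_days"])


if __name__ == "__main__":
    # "secure_password" is the sample password from this page's login examples.
    print(policy_violations("secure_password"))
```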
<h3 id="authorization" class="position-relative d-flex align-items-center group">
<span>Authorization</span>
</h3>
<h4 id="role-based-access-control-rbac" class="position-relative d-flex align-items-center group">
<span>Role-Based Access Control (RBAC)</span>
</h4><p>Define roles with specific privileges:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">privileges</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">analytics</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">analytics</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_engineer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">PRIVILEGES</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">users</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="p">,</span><span class="w"> </span><span class="py">bob</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Privilege Types</strong>:</p>
<ul>
<li><code>SELECT</code> - Read data</li>
<li><code>INSERT</code> - Create nodes and relationships</li>
<li><code>UPDATE</code> - Modify existing data</li>
<li><code>DELETE</code> - Remove data</li>
<li><code>INDEX</code> - Create and drop indexes</li>
<li><code>ADMIN</code> - Administrative operations</li>
</ul>
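<p>For a least-privilege review, the added example below (not part of Geode or its tooling) parses <code>GRANT</code>/<code>REVOKE</code> statements in the syntax shown above, resolves each user's effective privileges through their roles, and flags grants scoped to <code>GRAPH *</code>. The user <code>carol</code> and the revoke for <code>bob</code> are constructed sample input, and the function names are hypothetical.</p>

```python
import re
from collections import defaultdict

# Privilege names from the "Privilege Types" list above.
PRIVILEGES = {"SELECT", "INSERT", "UPDATE", "DELETE", "INDEX", "ADMIN"}

# Constructed sample: statements in the syntax shown on this page. The
# grant to carol and the revoke for bob are added for illustration.
SAMPLE_GQL = """
-- Create role
CREATE ROLE analyst;
GRANT SELECT ON GRAPH analytics TO ROLE analyst;
GRANT INSERT, UPDATE ON GRAPH analytics TO ROLE data_engineer;
GRANT ALL PRIVILEGES ON GRAPH * TO ROLE admin;
GRANT ROLE analyst TO USER alice, bob;
GRANT ROLE admin TO USER carol;
REVOKE ROLE analyst FROM USER bob;
"""

_PRIV_GRANT = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+GRAPH\s+(?P<graph>\S+)"
    r"\s+TO\s+ROLE\s+(?P<role>\w+)",
    re.IGNORECASE,
)
_ROLE_CHANGE = re.compile(
    r"(?P<verb>GRANT|REVOKE)\s+ROLE\s+(?P<role>\w+)"
    r"\s+(?:TO|FROM)\s+USER\s+(?P<users>.+)",
    re.IGNORECASE,
)


def statements(script):
    """Yield statements with '--' comments removed.

    String literals are not parsed, so keep CREATE USER ... PASSWORD
    statements out of the input.
    """
    text = " ".join(line.split("--", 1)[0] for line in script.splitlines())
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())
        if stmt:
            yield stmt


def audit(script):
    """Return (effective privileges per user, list of findings)."""
    role_privs = defaultdict(set)  # role -> {(graph, privilege)}
    user_roles = defaultdict(set)  # user -> {role}
    findings = []
    for stmt in statements(script):
        m = _ROLE_CHANGE.fullmatch(stmt)
        if m:
            for user in (u.strip() for u in m["users"].split(",")):
                if m["verb"].upper() == "GRANT":
                    user_roles[user].add(m["role"])
                else:
                    user_roles[user].discard(m["role"])
            continue
        m = _PRIV_GRANT.fullmatch(stmt)
        if not m:
            continue  # CREATE ROLE and similar statements carry no privileges
        names = m["privs"].upper()
        if names == "ALL PRIVILEGES":
            privs = set(PRIVILEGES)
        else:
            privs = {p.strip() for p in names.split(",")}
        for unknown in sorted(privs - PRIVILEGES):
            findings.append(
                f"unknown privilege {unknown} granted to role {m['role']}"
            )
        role_privs[m["role"]] |= {(m["graph"], p) for p in privs & PRIVILEGES}
        if m["graph"] == "*":
            findings.append(f"role {m['role']} holds {names} on every graph")

    # Resolve roles to privileges only after all grants and revokes are applied.
    effective = {
        user: sorted({gp for role in roles for gp in role_privs[role]})
        for user, roles in user_roles.items()
    }
    for user, grants in sorted(effective.items()):
        if ("*", "ADMIN") in grants:
            findings.append(f"user {user} has ADMIN on every graph")
    return effective, findings


if __name__ == "__main__":
    effective, findings = audit(SAMPLE_GQL)
    for user, grants in sorted(effective.items()):
        print(user, grants)
    for finding in findings:
        print("FINDING:", finding)
```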
<h4 id="row-level-security-rls" class="position-relative d-flex align-items-center group">
<span>Row-Level Security (RLS)</span>
</h4><p>Implement fine-grained access control with policies that filter data based on user context:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">user_data_policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ON</span><span class="w"> </span><span class="py">User</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">()</span><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_department</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Enable</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">label</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">LABEL</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">ENABLE</span><span class="w"> </span><span class="py">ROW</span><span class="w"> </span><span class="py">LEVEL</span><span class="w"> </span><span class="py">SECURITY</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">writes</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">user_update_policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ON</span><span class="w"> </span><span class="py">User</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">UPDATE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">())</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">CHECK</span><span class="w"> </span><span class="p">(</span><span class="py">id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Policy Examples</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Multi</span><span class="err">-</span><span class="py">tenant</span><span class="w"> </span><span class="py">isolation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ON</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">LABELS</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_tenant_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Hierarchical</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="p">(</span><span class="py">manager</span><span class="w"> </span><span class="py">sees</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">reports</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">manager_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ON</span><span class="w"> </span><span class="py">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">()</span><span class="w"> </span><span class="py">OR</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">manager_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_id</span><span class="p">()</span><span class="w"> </span><span class="py">OR</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">EXISTS</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">e</span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nc">current_user_id</span><span class="p">()})</span><span class="err">-</span><span class="p">[:</span><span class="nc">MANAGES</span><span class="err">*</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">emp</span><span class="p">:</span><span class="nc">Employee</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">emp</span><span class="err">.</span><span class="py">id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">id</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Time</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">business_hours</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ON</span><span class="w"> </span><span class="py">SensitiveData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">current_time</span><span class="p">()</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">TIME</span><span class="w"> </span><span class="err">'</span><span class="py">09</span><span class="p">:</span><span class="nc">00</span><span class="p">:</span><span class="nc">00</span><span class="err">'</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">TIME</span><span class="w"> </span><span class="err">'</span><span class="py">17</span><span class="p">:</span><span class="nc">00</span><span class="p">:</span><span class="nc">00</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">current_day_of_week</span><span class="p">()</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">1</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">5</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p>Python client example:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">asyncio</span>
</span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">geode_client</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span>
</span></span><span class="line"><span class="cl">    <span class="n">client</span> <span class="o">=</span> <span class="n">geode_client</span><span class="o">.</span><span class="n">open_database</span><span class="p">(</span><span class="s2">"quic://localhost:3141"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="n">auth</span> <span class="o">=</span> <span class="n">geode_client</span><span class="o">.</span><span class="n">AuthClient</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">        <span class="k">await</span> <span class="n">auth</span><span class="o">.</span><span class="n">login</span><span class="p">(</span><span class="s2">"alice"</span><span class="p">,</span> <span class="s2">"password"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">        <span class="c1"># RLS automatically filters results based on policies</span>
</span></span><span class="line"><span class="cl">        <span class="n">result</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="n">conn</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="s2">"""
</span></span></span><span class="line"><span class="cl"><span class="s2">            MATCH (u:User)
</span></span></span><span class="line"><span class="cl"><span class="s2">            RETURN u.name, u.department
</span></span></span><span class="line"><span class="cl"><span class="s2">        """</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">        <span class="c1"># Alice only sees users she's authorized to view</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Run the coroutine (assumes the client runs on an asyncio event loop)</span>
</span></span><span class="line"><span class="cl"><span class="n">asyncio</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="n">main</span><span class="p">())</span>
</span></span></code></pre></div>
<h3 id="encryption" class="position-relative d-flex align-items-center group">
<span>Encryption</span>
</h3>
<h4 id="transparent-data-encryption-tde" class="position-relative d-flex align-items-center group">
<span>Transparent Data Encryption (TDE)</span>
</h4><p>TDE encrypts all database files at rest:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Initialize encryption</span>
</span></span><span class="line"><span class="cl">./geode init-encryption --key-file /secure/path/master.key
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Start server with TDE</span>
</span></span><span class="line"><span class="cl">./geode serve --tde-enabled --tde-key-file /secure/path/master.key
</span></span></code></pre></div><p><strong>TDE protects</strong>:</p>
<ul>
<li>Data files</li>
<li>Index files</li>
<li>WAL (Write-Ahead Log) files</li>
<li>Backup files</li>
<li>Temporary files</li>
</ul>
<p><strong>TDE does NOT protect</strong>:</p>
<ul>
<li>Data in memory</li>
<li>Data in transit (use TLS for that)</li>
<li>Data in query results sent to clients</li>
</ul>
<h4 id="field-level-encryption-fle" class="position-relative d-flex align-items-center group">
<span>Field-Level Encryption (FLE)</span>
</h4><p>Encrypt specific sensitive fields with application-controlled keys:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">geode_client</span> <span class="kn">import</span> <span class="n">FieldEncryption</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Initialize encryption</span>
</span></span><span class="line"><span class="cl"><span class="n">encryption</span> <span class="o">=</span> <span class="n">FieldEncryption</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">encryption_key</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Encrypt data before storing</span>
</span></span><span class="line"><span class="cl"><span class="n">encrypted_ssn</span> <span class="o">=</span> <span class="n">encryption</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="s2">"123-45-6789"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="n">client</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">"""
</span></span></span><span class="line"><span class="cl"><span class="s2"> CREATE (p:Person {
</span></span></span><span class="line"><span class="cl"><span class="s2"> name: $name,
</span></span></span><span class="line"><span class="cl"><span class="s2"> ssn: $ssn
</span></span></span><span class="line"><span class="cl"><span class="s2"> })
</span></span></span><span class="line"><span class="cl"><span class="s2">"""</span><span class="p">,</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="s2">"name"</span><span class="p">:</span> <span class="s2">"Alice"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="s2">"ssn"</span><span class="p">:</span> <span class="n">encrypted_ssn</span>
</span></span><span class="line"><span class="cl"><span class="p">})</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Decrypt when reading</span>
</span></span><span class="line"><span class="cl"><span class="n">result</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="s2">"MATCH (p:Person {name: $name}) RETURN p.ssn"</span><span class="p">,</span> <span class="p">{</span><span class="s2">"name"</span><span class="p">:</span> <span class="s2">"Alice"</span><span class="p">})</span>
</span></span><span class="line"><span class="cl"><span class="n">ssn</span> <span class="o">=</span> <span class="n">encryption</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">result</span><span class="o">.</span><span class="n">rows</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="s2">"p.ssn"</span><span class="p">])</span>
</span></span></code></pre></div><p><strong>FLE Use Cases</strong>:</p>
<ul>
<li>Social Security Numbers</li>
<li>Credit card numbers</li>
<li>Health records</li>
<li>Personally Identifiable Information (PII)</li>
<li>Trade secrets</li>
</ul>
<h4 id="key-management" class="position-relative d-flex align-items-center group">
<span>Key Management</span>
</h4><p><strong>Best practices for encryption keys</strong>:</p>
<ol>
<li><strong>Never hardcode keys</strong>: Store in environment variables or key management systems</li>
<li><strong>Use key rotation</strong>: Periodically change encryption keys</li>
<li><strong>Separate keys by purpose</strong>: Different keys for TDE, FLE, backups</li>
<li><strong>Hardware Security Modules (HSM)</strong>: Use HSM for production key storage</li>
<li><strong>Backup keys securely</strong>: Encrypted backups require corresponding keys</li>
</ol>
<p>Integration with key management systems:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tde</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kms_provider</span><span class="p">:</span><span class="w"> </span><span class="l">aws_kms</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kms_key_id</span><span class="p">:</span><span class="w"> </span><span class="l">arn:aws:kms:us-east-1:123456789:key/abc-def</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fle</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kms_provider</span><span class="p">:</span><span class="w"> </span><span class="l">hashicorp_vault</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vault_address</span><span class="p">:</span><span class="w"> </span><span class="l">https://vault.example.com</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vault_token_path</span><span class="p">:</span><span class="w"> </span><span class="l">/run/secrets/vault-token</span><span class="w">
</span></span></span></code></pre></div>
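<p>TDE and the KMS integration are only as strong as the protection of the files that hold the master key or the Vault token. The pre-start check below is an added example, not part of Geode: it assumes a POSIX host and that the check runs as the same account as the server, and the file names used in <code>demo()</code> are constructed.</p>

```python
import os
import stat
import tempfile


def check_secret_file(path):
    """Return a list of problems with a key or token file (empty list = OK)."""
    try:
        # os.stat follows symlinks, so secrets mounted as links are checked too.
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]

    problems = []
    mode = stat.S_IMODE(st.st_mode)
    # Any group/other permission bit exposes the key to other local accounts.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"{path} has mode {mode:04o}; remove group/other access (use 0600 or 0400)"
        )
    # Assumption: this check runs as the service account that starts the server.
    if st.st_uid != os.geteuid():
        problems.append(f"{path} is owned by uid {st.st_uid}, not the current user")
    if st.st_size == 0:
        problems.append(f"{path} is empty")
    # A directory that others can write to lets them swap the file for their own.
    parent = os.path.dirname(os.path.abspath(path))
    if stat.S_IMODE(os.stat(parent).st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{parent} is writable by group/other; the file could be replaced")
    return problems


def demo():
    """Run the check on constructed files: loose mode, tight mode, missing file."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "master.key")  # constructed stand-in for the TDE key file
        with open(key, "wb") as fh:
            fh.write(os.urandom(32))
        os.chmod(key, 0o644)
        loose = check_secret_file(key)
        os.chmod(key, 0o600)
        tight = check_secret_file(key)
        missing = check_secret_file(os.path.join(d, "vault-token"))
    return loose, tight, missing


if __name__ == "__main__":
    for label, result in zip(("0644", "0600", "missing"), demo()):
        print(label, "->", result or "OK")
```
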
<h3 id="audit-logging" class="position-relative d-flex align-items-center group">
<span>Audit Logging</span>
</h3><p>Comprehensive audit logging tracks all database activity for compliance, security monitoring, and forensic analysis.</p>
<h4 id="enabling-audit-logs" class="position-relative d-flex align-items-center group">
<span>Enabling Audit Logs</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./geode serve <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --enable-audit-log <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --audit-log-path /var/log/geode/audit.log <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --audit-log-format json
</span></span></code></pre></div>
<h4 id="audit-log-contents" class="position-relative d-flex align-items-center group">
<span>Audit Log Contents</span>
</h4><p>Each entry includes:</p>
<ul>
<li><strong>Timestamp</strong>: When the event occurred</li>
<li><strong>User</strong>: Who performed the action</li>
<li><strong>Action</strong>: What was done (query, authentication, authorization check)</li>
<li><strong>Result</strong>: Success or failure</li>
<li><strong>Query</strong>: GQL query executed (if applicable)</li>
<li><strong>Duration</strong>: How long the operation took</li>
<li><strong>Client IP</strong>: Source of the request</li>
<li><strong>Session ID</strong>: Unique session identifier</li>
</ul>
<p>Example audit entry:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"timestamp"</span><span class="p">:</span> <span class="s2">"2026-01-24T10:30:45.123Z"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"event_type"</span><span class="p">:</span> <span class="s2">"query_execution"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"user"</span><span class="p">:</span> <span class="s2">"alice"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"client_ip"</span><span class="p">:</span> <span class="s2">"192.168.1.100"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"session_id"</span><span class="p">:</span> <span class="s2">"sess_abc123"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"query"</span><span class="p">:</span> <span class="s2">"MATCH (u:User) WHERE u.department = $department RETURN u.name"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"parameters"</span><span class="p">:</span> <span class="p">{</span><span class="nt">"department"</span><span class="p">:</span> <span class="s2">"Engineering"</span><span class="p">},</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"result"</span><span class="p">:</span> <span class="s2">"success"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"rows_returned"</span><span class="p">:</span> <span class="mi">42</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"duration_ms"</span><span class="p">:</span> <span class="mi">15</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"rls_policies_applied"</span><span class="p">:</span> <span class="p">[</span><span class="s2">"tenant_isolation"</span><span class="p">,</span> <span class="s2">"department_access"</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span></code></pre></div>
<h4 id="querying-audit-logs" class="position-relative d-flex align-items-center group">
<span>Querying Audit Logs</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">View</span><span class="w"> </span><span class="py">recent</span><span class="w"> </span><span class="py">failed</span><span class="w"> </span><span class="py">authentication</span><span class="w"> </span><span class="py">attempts</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">timestamp</span><span class="p">,</span><span class="w"> </span><span class="py">user</span><span class="p">,</span><span class="w"> </span><span class="py">client_ip</span><span class="p">,</span><span class="w"> </span><span class="py">error_message</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">audit_log</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">event_type</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">authentication</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">result</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">failure</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">24</span><span class="err">'</span><span class="w"> </span><span class="py">HOUR</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">timestamp</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Identify</span><span class="w"> </span><span class="py">users</span><span class="w"> </span><span class="py">accessing</span><span class="w"> </span><span class="py">sensitive</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">user</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="err">*</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">access_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">audit_log</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="kd">query</span><span class="w"> </span><span class="nc">LIKE</span><span class="w"> </span><span class="err">'%</span><span class="py">SensitiveData</span><span class="err">%'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">7</span><span class="err">'</span><span class="w"> </span><span class="py">DAY</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GROUP</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">access_count</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
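<p>The same two questions can be answered offline from the JSON audit file, which helps when the database itself is unavailable during an incident. This is an added example, not Geode code: it runs over constructed sample lines in the entry format shown above, and the burst rule (5 failures from one client IP within 60 seconds) is an assumed threshold.</p>

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the audit entry format shown above (not real data).
# The last line is deliberately truncated, as happens when a log is cut mid-write.
SAMPLE_LOG = "\n".join([
    '{"timestamp":"2026-01-24T10:00:01.000Z","event_type":"authentication","user":"bob","client_ip":"203.0.113.7","result":"failure","error_message":"invalid credentials"}',
    '{"timestamp":"2026-01-24T10:00:03.000Z","event_type":"authentication","user":"bob","client_ip":"203.0.113.7","result":"failure","error_message":"invalid credentials"}',
    '{"timestamp":"2026-01-24T10:00:05.000Z","event_type":"authentication","user":"admin","client_ip":"203.0.113.7","result":"failure","error_message":"invalid credentials"}',
    '{"timestamp":"2026-01-24T10:00:08.000Z","event_type":"authentication","user":"admin","client_ip":"203.0.113.7","result":"failure","error_message":"invalid credentials"}',
    '{"timestamp":"2026-01-24T10:00:11.000Z","event_type":"authentication","user":"alice","client_ip":"203.0.113.7","result":"failure","error_message":"invalid credentials"}',
    '{"timestamp":"2026-01-24T10:00:40.000Z","event_type":"authentication","user":"alice","client_ip":"203.0.113.7","result":"success"}',
    '{"timestamp":"2026-01-24T10:05:00.000Z","event_type":"authentication","user":"carol","client_ip":"192.168.1.50","result":"failure","error_message":"invalid credentials"}',
    '{"timestamp":"2026-01-24T10:30:45.123Z","event_type":"query_execution","user":"alice","client_ip":"192.168.1.100","query":"MATCH (s:SensitiveData) RETURN s","result":"success"}',
    '{"timestamp":"2026-01-24T10:31:00.000Z","event_type":"query_execution","user":"alice","client_ip":"192.168.1.100","query":"MATCH (s:SensitiveData) RETURN count(s)","result":"success"}',
    '{"timestamp":"2026-01-24T10:32:00.000Z","event_type":"query_execution","user":"dave","client_ip":"192.168.1.101","query":"MATCH (s:SensitiveData) RETURN s","result":"success"}',
    '{"timestamp":"2026-01-10T08:00:00.000Z","event_type":"query_execution","user":"erin","client_ip":"192.168.1.102","query":"MATCH (s:SensitiveData) RETURN s","result":"success"}',
    '{"timestamp":"2026-01-24T10:33:00.000Z","event_type":"query_exec',
])
NOW = datetime(2026, 1, 24, 12, 0, tzinfo=timezone.utc)  # fixed "current time" for the sample


def parse_audit_log(text):
    """Parse JSON-lines audit text. Returns (events, number_of_unparseable_lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            # fromisoformat() before Python 3.11 does not accept a trailing "Z".
            event["ts"] = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # count, do not silently drop: gaps in an audit trail matter
            continue
        events.append(event)
    return events, skipped


def failed_logins(events, now, window=timedelta(hours=24)):
    """Failed authentication events inside the window, newest first."""
    hits = [e for e in events
            if e.get("event_type") == "authentication"
            and e.get("result") == "failure"
            and now - window < e["ts"] <= now]
    return sorted(hits, key=lambda e: e["ts"], reverse=True)


def failure_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Client IPs with >= threshold failed logins inside any sliding window.

    For each flagged IP, also report accounts that logged in successfully from
    it after the burst, since those are the accounts to review first.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e.get("event_type") == "authentication":
            by_ip[e.get("client_ip")].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e.get("result") == "failure"]
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
                findings[ip] = {
                    "users": sorted({f.get("user", "?") for f in fails[start:end + 1]}),
                    "success_after": sorted({e.get("user", "?") for e in evs
                                             if e.get("result") == "success"
                                             and e["ts"] > burst_end}),
                }
                break
    return findings


def sensitive_access_counts(events, now, needle="SensitiveData", window=timedelta(days=7)):
    """Per-user count of queries whose text mentions the label, highest first."""
    counts = Counter(e.get("user") for e in events
                     if needle in (e.get("query") or "") and e["ts"] > now - window)
    return counts.most_common()


if __name__ == "__main__":
    events, skipped = parse_audit_log(SAMPLE_LOG)
    print("parsed:", len(events), "unparseable:", skipped)
    print("failed logins (24h):", [(e["user"], e["client_ip"]) for e in failed_logins(events, NOW)])
    print("bursts:", failure_bursts(events))
    print("SensitiveData access (7d):", sensitive_access_counts(events, NOW))
```
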
<h3 id="compliance" class="position-relative d-flex align-items-center group">
<span>Compliance</span>
</h3>
<h4 id="gdpr-compliance" class="position-relative d-flex align-items-center group">
<span>GDPR Compliance</span>
</h4><p>Geode provides features to support GDPR requirements:</p>
<p><strong>Right to Access</strong>: Export all data for a specific user</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nv">$user_id</span><span class="p">})</span><span class="err">-</span><span class="p">[</span><span class="nc">r</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">related</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">u</span><span class="p">,</span><span class="w"> </span><span class="py">r</span><span class="p">,</span><span class="w"> </span><span class="py">related</span><span class="w">
</span></span></span></code></pre></div><p><strong>Right to Erasure (Right to be Forgotten)</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="c1">-- Delete the user node and all of its relationships (related nodes are not removed)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nv">$user_id</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nc">DETACH</span><span class="w"> </span><span class="py">DELETE</span><span class="w"> </span><span class="py">u</span><span class="w">
</span></span></span></code></pre></div><p><strong>Data Minimization</strong>: Use RLS to limit data access to what’s necessary</p>
<p><strong>Consent Management</strong>: Track and enforce consent</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">CREATE</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nc">123</span><span class="p">,</span><span class="w"> </span><span class="py">email</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="nc">alice</span><span class="nd">@example</span><span class="err">.</span><span class="py">com</span><span class="err">'</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="p">(</span><span class="py">c</span><span class="p">:</span><span class="nc">Consent</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">user_id</span><span class="p">:</span><span class="w"> </span><span class="nc">123</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">purpose</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="nc">marketing</span><span class="err">'</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">granted</span><span class="p">:</span><span class="w"> </span><span class="nc">true</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">timestamp</span><span class="p">:</span><span class="w"> </span><span class="nc">current_timestamp</span><span class="p">()</span><span class="w">
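</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">HAS_CONSENT</span><span class="p">]</span><span class="err">-&gt;</span><span class="p">(</span><span class="py">c</span><span class="p">)</span><span class="w">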
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">consent</span><span class="w"> </span><span class="py">before</span><span class="w"> </span><span class="py">processing</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nv">$user_id</span><span class="p">})</span><span class="err">-</span><span class="p">[:</span><span class="nc">HAS_CONSENT</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="nc">c</span><span class="p">:</span><span class="nc">Consent</span><span class="w"> </span><span class="p">{</span><span class="py">purpose</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="nc">marketing</span><span class="err">'</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">c</span><span class="err">.</span><span class="py">granted</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">u</span><span class="w">
</span></span></span></code></pre></div><p><strong>Data Retention</strong>: Automatically delete old data</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Delete</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">older</span><span class="w"> </span><span class="py">than</span><span class="w"> </span><span class="py">retention</span><span class="w"> </span><span class="py">period</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">d</span><span class="p">:</span><span class="nc">Data</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">d</span><span class="err">.</span><span class="py">created</span><span class="w"> </span><span class="err">&lt;</span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">7</span><span class="err">'</span><span class="w"> </span><span class="py">YEAR</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DELETE</span><span class="w"> </span><span class="py">d</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="hipaa-compliance" class="position-relative d-flex align-items-center group">
<span>HIPAA Compliance</span>
</h4><p>For healthcare applications:</p>
<ul>
<li><strong>Encryption</strong>: TDE and FLE for Protected Health Information (PHI)</li>
<li><strong>Audit Logging</strong>: Comprehensive access logs</li>
<li><strong>Access Controls</strong>: RLS for minimum necessary access</li>
<li><strong>Data Integrity</strong>: ACID guarantees prevent unauthorized modifications</li>
</ul>
<h4 id="soc-2-compliance" class="position-relative d-flex align-items-center group">
<span>SOC 2 Compliance</span>
</h4><p>Geode supports SOC 2 requirements:</p>
<ul>
<li><strong>Security</strong>: Encryption, authentication, authorization</li>
<li><strong>Availability</strong>: High availability configurations, backup/restore</li>
<li><strong>Processing Integrity</strong>: ACID transactions, checksums</li>
<li><strong>Confidentiality</strong>: Encryption, access controls</li>
<li><strong>Privacy</strong>: RLS, data retention policies</li>
</ul>
<h3 id="security-best-practices" class="position-relative d-flex align-items-center group">
<span>Security Best Practices</span>
</h3>
<h4 id="production-deployment" class="position-relative d-flex align-items-center group">
<span>Production Deployment</span>
</h4><ol>
<li><strong>Enable TLS</strong>: Always use encrypted connections</li>
<li><strong>Use strong passwords</strong>: Enforce password policies</li>
<li><strong>Principle of least privilege</strong>: Grant minimum necessary permissions</li>
<li><strong>Enable audit logging</strong>: Track all database activity</li>
<li><strong>Regular backups</strong>: Encrypted backups stored securely</li>
<li><strong>Update promptly</strong>: Apply security patches quickly</li>
<li><strong>Network isolation</strong>: Use firewalls and private networks</li>
<li><strong>Monitor continuously</strong>: Alert on suspicious activity</li>
</ol>
<h4 id="development-best-practices" class="position-relative d-flex align-items-center group">
<span>Development Best Practices</span>
</h4><ol>
<li><strong>Never commit secrets</strong>: Use environment variables or secrets management</li>
<li><strong>Use parameterized queries</strong>: Prevent GQL injection</li>
<li><strong>Validate input</strong>: Sanitize all user input</li>
<li><strong>Handle errors securely</strong>: Don’t expose sensitive information in error messages</li>
<li><strong>Test security</strong>: Include security testing in CI/CD</li>
<li><strong>Review dependencies</strong>: Keep client libraries updated</li>
<li><strong>Document security architecture</strong>: Maintain security documentation</li>
</ol>
<h4 id="query-security" class="position-relative d-flex align-items-center group">
<span>Query Security</span>
</h4><p>Prevent GQL injection by using parameters:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># UNSAFE - vulnerable to injection</span>
</span></span><span class="line"><span class="cl"><span class="n">user_input</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s2">"name"</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="n">query</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">"MATCH (u:User </span><span class="se">{{</span><span class="s2">name: '</span><span class="si">{</span><span class="n">user_input</span><span class="si">}</span><span class="s2">'</span><span class="se">}}</span><span class="s2">) RETURN u"</span>
</span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="n">client</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="n">query</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># SAFE - uses parameters</span>
</span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="n">client</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="s2">"MATCH (u:User {name: $name}) RETURN u"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="p">{</span><span class="s2">"name"</span><span class="p">:</span> <span class="n">user_input</span><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="p">)</span>
</span></span></code></pre></div>
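<p>The parameter rule can be enforced in CI. The check below is an added example, not part of Geode or its client library: it uses Python's <code>ast</code> module to flag <code>execute()</code> calls whose query text is built with f-strings, concatenation, <code>%</code> or <code>.format()</code>. The sink name <code>execute</code> comes from the snippet above; the function names and the sample source are constructed for illustration.</p>

```python
import ast

# Method names treated as query sinks. "execute" is the call used on this
# page; add other client methods as needed (assumption).
QUERY_SINKS = {"execute"}


def _static(node):
    """True if the expression is a string made only of literals."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.JoinedStr):  # f-string without {placeholders}
        return not any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _static(node.left) and _static(node.right)
    return False


def _built_at_runtime(node, tainted):
    """True if the query text mixes in runtime values."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.JoinedStr):
        return not _static(node)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return not _static(node)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def find_interpolated_queries(source):
    """Return sorted (line, expression) pairs for sink calls built from runtime strings."""
    tree = ast.parse(source)
    tainted = set()  # variable names that were assigned an interpolated string
    assigns = [n for n in ast.walk(tree) if isinstance(n, ast.Assign)]
    for assign in sorted(assigns, key=lambda n: n.lineno):
        if _built_at_runtime(assign.value, tainted):
            tainted.update(t.id for t in assign.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in QUERY_SINKS and node.args
                and _built_at_runtime(node.args[0], tainted)):
            findings.append((node.lineno, ast.unparse(node.args[0])))
    return sorted(findings)


# Constructed sample input: the page's unsafe and safe calls plus two variants.
SAMPLE = '''
async def lookup(client, request):
    user_input = request.form["name"]
    query = f"MATCH (u:User {{name: '{user_input}'}}) RETURN u"
    await client.execute(query)
    await client.execute("MATCH (u:User {name: $name}) RETURN u", {"name": user_input})
    await client.execute("MATCH (u:User) WHERE u.name = '" + user_input + "' RETURN u")
    await client.execute("MATCH (u:User {name: '%s'}) RETURN u" % user_input)
'''

if __name__ == "__main__":
    for line, expr in find_interpolated_queries(SAMPLE):
        print(f"line {line}: query built from runtime values: {expr}")
```

<p>The check is flow-insensitive and only follows variables assigned in the same file, so treat a clean result as a floor, not as proof that every query is parameterized.</p>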
<h3 id="incident-response" class="position-relative d-flex align-items-center group">
<span>Incident Response</span>
</h3>
<h4 id="detecting-security-issues" class="position-relative d-flex align-items-center group">
<span>Detecting Security Issues</span>
</h4><p>Monitor for:</p>
<ul>
<li>Repeated failed authentication attempts</li>
<li>Unusual query patterns</li>
<li>Access to sensitive data outside normal hours</li>
<li>Large data exports</li>
<li>Privilege escalation attempts</li>
</ul>
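<p>Three of the signals listed above (repeated failed authentication, off-hours access to sensitive data, large exports) expressed as detection rules. This is an added example, not Geode's own tooling; the JSON-lines event format, field names, thresholds and sample events are constructed assumptions to be mapped onto your real audit log.</p>

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds and label names are assumptions; tune them to your own baseline.
FAILED_LOGIN_LIMIT = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(8, 18)            # 08:00-17:59, timestamps assumed local
SENSITIVE_LABELS = {"User", "Consent"}   # node labels holding personal data
EXPORT_ROW_LIMIT = 100_000


def detect(lines):
    """Return (rule, user, timestamp) alerts for JSON-lines audit events in time order."""
    alerts = []
    failures = defaultdict(deque)        # user -> timestamps of recent failed logins
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["event"] == "auth":
            if ev["outcome"] == "failure":
                recent = failures[user]
                recent.append(ts)
                # Drop failures that have aged out of the sliding window.
                while ts - recent[0] > FAILED_LOGIN_WINDOW:
                    recent.popleft()
                # Fire when the count reaches the limit, not on every later failure.
                if len(recent) == FAILED_LOGIN_LIMIT:
                    alerts.append(("repeated_auth_failure", user, ev["ts"]))
            else:
                failures[user].clear()   # a successful login resets the counter
        elif ev["event"] == "query":
            touched = set(ev.get("labels", []))
            if touched & SENSITIVE_LABELS and ts.hour not in BUSINESS_HOURS:
                alerts.append(("sensitive_access_off_hours", user, ev["ts"]))
            if ev.get("rows", 0) >= EXPORT_ROW_LIMIT:
                alerts.append(("large_export", user, ev["ts"]))
    return alerts


# Constructed sample events (not real Geode audit output).
SAMPLE_LOG = [
    json.dumps({"ts": f"2026-01-12T09:0{i}:00", "user": "alice",
                "event": "auth", "outcome": "failure"})
    for i in range(5)
] + [
    '{"ts": "2026-01-12T09:30:00", "user": "bob", "event": "query", "labels": ["User"], "rows": 12}',
    '{"ts": "2026-01-13T02:14:00", "user": "bob", "event": "query", "labels": ["User"], "rows": 40}',
    '{"ts": "2026-01-13T11:05:00", "user": "carol", "event": "query", "labels": ["Data"], "rows": 250000}',
]

if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG):
        print(f"{ts} {rule} user={user}")
```

<p>Unusual query patterns and privilege escalation attempts need a per-user baseline and the authorization events of your deployment, so they are not covered by these fixed-threshold rules.</p>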
<h4 id="responding-to-incidents" class="position-relative d-flex align-items-center group">
<span>Responding to Incidents</span>
</h4><ol>
<li><strong>Isolate</strong>: Disconnect affected systems</li>
<li><strong>Investigate</strong>: Review audit logs</li>
<li><strong>Contain</strong>: Revoke compromised credentials</li>
<li><strong>Remediate</strong>: Patch vulnerabilities</li>
<li><strong>Recover</strong>: Restore from clean backups if needed</li>
<li><strong>Document</strong>: Record incident details</li>
<li><strong>Learn</strong>: Update security policies</li>
</ol>
<h3 id="related-topics" class="position-relative d-flex align-items-center group">
<span>Related Topics</span>
</h3><ul>
<li><a
href="/tags/authentication/"
>Authentication</a>
- User authentication methods</li>
<li><a
href="/tags/encryption/"
>Encryption</a>
- Data encryption techniques</li>
<li><a
href="/tags/row-level-security/"
>Row-Level Security</a>
- Fine-grained access control</li>
<li><a
href="/tags/audit-logging/"
>Audit Logging</a>
- Activity tracking</li>
<li><a
href="/tags/compliance/"
>Compliance</a>
- Regulatory requirements</li>
<li><a
href="/tags/tde/"
>TDE</a>
- Transparent Data Encryption</li>
<li><a
href="/tags/fle/"
>FLE</a>
- Field-Level Encryption</li>
</ul>
<h3 id="further-reading" class="position-relative d-flex align-items-center group">
<span>Further Reading</span>
</h3><ul>
<li><a
href="/docs/architecture/security-architecture/"
>Security Architecture</a>
- Detailed security design</li>
<li><a
href="/docs/deployment/deployment-patterns/"
>Deployment Patterns</a>
- Production deployment and hardening</li>
<li><a
href="/guides/backup-restore/"
>Backup and Restore</a>
- Secure backup practices</li>
<li><a
href="/docs/security/overview/"
>Security Overview</a>
- Security features and best practices</li>
</ul>