<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-28 -->
<h2 id="authorization" class="position-relative d-flex align-items-center group">
<span>Authorization</span>
</h2><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden>
</div>
<script>
</script><p>Authorization (AuthZ) determines what an already-authenticated user is allowed to access and which operations they may perform in Geode. This guide covers role-based access control (RBAC), attribute-based access control (ABAC), row-level security (RLS), and fine-grained permissions.</p>
<h3 id="overview" class="position-relative d-flex align-items-center group">
<span>Overview</span>
</h3><p>Geode provides three layered authorization mechanisms, evaluated in the order shown below:</p>
<table>
<thead>
<tr>
<th>Layer</th>
<th>Mechanism</th>
<th>Granularity</th>
<th>Use Case</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>RBAC</td>
<td>Role-based</td>
<td>User groups, job functions</td>
</tr>
<tr>
<td>2</td>
<td>ABAC</td>
<td>Attribute-based</td>
<td>Dynamic policies, context-aware</td>
</tr>
<tr>
<td>3</td>
<td>RLS</td>
<td>Row-level</td>
<td>Multi-tenancy, data isolation</td>
</tr>
</tbody>
</table>
<p><strong>Authorization Flow</strong>:</p>
<ol>
<li>User authenticates (see <a href="/docs/security/authentication/">Authentication</a>)</li>
<li>System evaluates RBAC permissions</li>
<li>ABAC policies filter accessible resources</li>
<li>RLS policies filter accessible rows</li>
<li>Query executes with filtered scope</li>
</ol>
<h3 id="role-based-access-control-rbac" class="position-relative d-flex align-items-center group">
<span>Role-Based Access Control (RBAC)</span>
</h3><p>RBAC assigns permissions to roles and then assigns roles to users; a user never holds permissions directly, only through the roles granted to them.</p>
<h4 id="built-in-roles" class="position-relative d-flex align-items-center group">
<span>Built-in Roles</span>
</h4><p>Geode includes predefined roles:</p>
<table>
<thead>
<tr>
<th>Role</th>
<th>Description</th>
<th>Permissions</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>admin</code></td>
<td>Full system access</td>
<td>All operations</td>
</tr>
<tr>
<td><code>dba</code></td>
<td>Database administration</td>
<td>Schema, users, backup</td>
</tr>
<tr>
<td><code>developer</code></td>
<td>Development access</td>
<td>Read, write, schema (non-prod)</td>
</tr>
<tr>
<td><code>analyst</code></td>
<td>Read-only analytics</td>
<td>Read, execute procedures</td>
</tr>
<tr>
<td><code>reader</code></td>
<td>Read-only access</td>
<td>Read only</td>
</tr>
<tr>
<td><code>writer</code></td>
<td>Read and write access</td>
<td>Read, write</td>
</tr>
</tbody>
</table>
<h4 id="creating-custom-roles" class="position-relative d-flex align-items-center group">
<span>Creating Custom Roles</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_scientist</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">description</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">compliance_officer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">COMMENT</span><span class="w"> </span><span class="err">'</span><span class="py">Audit</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">compliance</span><span class="w"> </span><span class="py">access</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">List</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">ROLES</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">details</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DESCRIBE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_scientist</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Drop</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DROP</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_scientist</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="granting-permissions" class="position-relative d-flex align-items-center group">
<span>Granting Permissions</span>
</h4><p><strong>Permission Types</strong>:</p>
<table>
<thead>
<tr>
<th>Permission</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>SELECT</code></td>
<td>Read data (MATCH queries)</td>
</tr>
<tr>
<td><code>INSERT</code></td>
<td>Create nodes/relationships</td>
</tr>
<tr>
<td><code>UPDATE</code></td>
<td>Modify existing data</td>
</tr>
<tr>
<td><code>DELETE</code></td>
<td>Remove nodes/relationships</td>
</tr>
<tr>
<td><code>EXECUTE</code></td>
<td>Run stored procedures</td>
</tr>
<tr>
<td><code>CREATE</code></td>
<td>Create schema objects</td>
</tr>
<tr>
<td><code>ALTER</code></td>
<td>Modify schema objects</td>
</tr>
<tr>
<td><code>DROP</code></td>
<td>Delete schema objects</td>
</tr>
<tr>
<td><code>GRANT</code></td>
<td>Delegate permissions</td>
</tr>
<tr>
<td><code>ADMIN</code></td>
<td>Administrative operations</td>
</tr>
</tbody>
</table>
<p><strong>Grant Examples</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">read</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">graph</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">write</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">node</span><span class="w"> </span><span class="kd">type</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nc">GRANT</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="err">.</span><span class="py">Person</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">writer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">operations</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="p">,</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="p">,</span><span class="w"> </span><span class="py">DELETE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">developer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="kd">schema</span><span class="w"> </span><span class="py">modification</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">CREATE</span><span class="p">,</span><span class="w"> </span><span class="py">ALTER</span><span class="p">,</span><span class="w"> </span><span class="py">DROP</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="kc">SCHEMA</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">dba</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">procedure</span><span class="w"> </span><span class="py">execution</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">EXECUTE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">PROCEDURE</span><span class="w"> </span><span class="py">analytics</span><span class="err">.*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">data_scientist</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">grant</span><span class="w"> </span><span class="py">option</span><span class="w"> </span><span class="p">(</span><span class="py">can</span><span class="w"> </span><span class="py">delegate</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">team_lead</span><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">GRANT</span><span class="w"> </span><span class="py">OPTION</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="revoking-permissions" class="position-relative d-flex align-items-center group">
<span>Revoking Permissions</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">permission</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">INSERT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="err">.</span><span class="py">Person</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">writer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">object</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">developer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">cascade</span><span class="w"> </span><span class="p">(</span><span class="py">revoke</span><span class="w"> </span><span class="py">delegated</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">too</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">team_lead</span><span class="w"> </span><span class="py">CASCADE</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="assigning-roles-to-users" class="position-relative d-flex align-items-center group">
<span>Assigning Roles to Users</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">multiple</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="p">,</span><span class="w"> </span><span class="py">reader</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">bob</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">ROLES</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="role-hierarchy" class="position-relative d-flex align-items-center group">
<span>Role Hierarchy</span>
</h4><p>Create role hierarchies so that a role inherits the permissions of the roles granted to it:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">hierarchy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">senior_analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">senior_analyst</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Inherits</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Add</span><span class="w"> </span><span class="py">additional</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">EXECUTE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">PROCEDURE</span><span class="w"> </span><span class="py">analytics</span><span class="err">.*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">senior_analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Assign</span><span class="w"> </span><span class="py">hierarchy</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">senior_analyst</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">charlie</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">charlie</span><span class="w"> </span><span class="py">now</span><span class="w"> </span><span class="py">has</span><span class="p">:</span><span class="w"> </span><span class="nc">analyst</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">procedure</span><span class="w"> </span><span class="py">execution</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="attribute-based-access-control-abac" class="position-relative d-flex align-items-center group">
<span>Attribute-Based Access Control (ABAC)</span>
</h3><p>ABAC provides dynamic, context-aware authorization using attributes.</p>
<h4 id="policy-components" class="position-relative d-flex align-items-center group">
<span>Policy Components</span>
</h4><p>ABAC policies are evaluated against the following attributes:</p>
<ul>
<li><strong>Subject attributes</strong>: User properties (department, clearance, location)</li>
<li><strong>Resource attributes</strong>: Data properties (classification, owner, type)</li>
<li><strong>Action</strong>: Operation being performed (SELECT, INSERT, etc.)</li>
<li><strong>Environment</strong>: Context (time, IP address, device)</li>
</ul>
<h4 id="creating-abac-policies" class="position-relative d-flex align-items-center group">
<span>Creating ABAC Policies</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Policy</span><span class="p">:</span><span class="w"> </span><span class="nc">Only</span><span class="w"> </span><span class="py">Data</span><span class="w"> </span><span class="py">Science</span><span class="w"> </span><span class="py">department</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">ML</span><span class="w"> </span><span class="py">models</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">ml_model_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">MLModel</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHEN</span><span class="w"> </span><span class="py">current_user</span><span class="err">.</span><span class="py">department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">Data</span><span class="w"> </span><span class="py">Science</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Policy</span><span class="p">:</span><span class="w"> </span><span class="nc">Clearance</span><span class="w"> </span><span class="py">level</span><span class="w"> </span><span class="py">requirement</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">classified_data_access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHEN</span><span class="w"> </span><span class="py">current_user</span><span class="err">.</span><span class="py">clearance_level</span><span class="w"> </span><span class="err">></span><span class="p">=</span><span class="w"> </span><span class="py">resource</span><span class="err">.</span><span class="py">classification_level</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Policy</span><span class="p">:</span><span class="w"> </span><span class="nc">Time</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">business_hours_only</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">FinancialData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHEN</span><span class="w"> </span><span class="py">current_time</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="err">'</span><span class="py">09</span><span class="p">:</span><span class="nc">00</span><span class="p">:</span><span class="nc">00</span><span class="err">'</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="err">'</span><span class="py">17</span><span class="p">:</span><span class="nc">00</span><span class="p">:</span><span class="nc">00</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">current_day</span><span class="w"> </span><span class="py">NOT</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">(</span><span class="err">'</span><span class="py">Saturday</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">Sunday</span><span class="err">'</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Policy</span><span class="p">:</span><span class="w"> </span><span class="nc">Geographic</span><span class="w"> </span><span class="py">restriction</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">us_data_residency</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHEN</span><span class="w"> </span><span class="py">resource</span><span class="err">.</span><span class="py">country</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">US</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">current_user</span><span class="err">.</span><span class="py">location_country</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">US</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="policy-functions" class="position-relative d-flex align-items-center group">
<span>Policy Functions</span>
</h4><p>Built-in functions for policy evaluation:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">context</span><span class="w"> </span><span class="py">functions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">current_user</span><span class="err">.</span><span class="py">username</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Current</span><span class="w"> </span><span class="py">username</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">current_user</span><span class="err">.</span><span class="py">roles</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">User</span><span class="err">'</span><span class="py">s</span><span class="w"> </span><span class="py">roles</span><span class="w"> </span><span class="p">(</span><span class="py">array</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">current_user</span><span class="err">.</span><span class="py">department</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">department</span><span class="w"> </span><span class="py">attribute</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">current_user</span><span class="err">.</span><span class="py">clearance_level</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">clearance</span><span class="w"> </span><span class="py">level</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">has_role</span><span class="p">(</span><span class="err">'</span><span class="py">admin</span><span class="err">'</span><span class="p">)</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">if</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">has</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Session</span><span class="w"> </span><span class="py">context</span><span class="w"> </span><span class="py">functions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">current_session</span><span class="err">.</span><span class="py">ip_address</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Client</span><span class="w"> </span><span class="py">IP</span><span class="w"> </span><span class="py">address</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">current_session</span><span class="err">.</span><span class="py">created_at</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Session</span><span class="w"> </span><span class="py">start</span><span class="w"> </span><span class="py">time</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">current_session</span><span class="err">.</span><span class="py">mfa_verified</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">MFA</span><span class="w"> </span><span class="py">status</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Time</span><span class="w"> </span><span class="py">functions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">current_time</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Current</span><span class="w"> </span><span class="py">time</span><span class="w"> </span><span class="p">(</span><span class="py">HH</span><span class="p">:</span><span class="nc">MM</span><span class="p">:</span><span class="nc">SS</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">current_date</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Current</span><span class="w"> </span><span class="py">date</span><span class="w"> </span><span class="p">(</span><span class="py">YYYY</span><span class="err">-</span><span class="py">MM</span><span class="err">-</span><span class="py">DD</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">current_timestamp</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Current</span><span class="w"> </span><span class="py">timestamp</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">current_day</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Day</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">week</span><span class="w"> </span><span class="py">name</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Resource</span><span class="w"> </span><span class="py">functions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">resource</span><span class="err">.<</span><span class="py">property</span><span class="err">></span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Access</span><span class="w"> </span><span class="py">resource</span><span class="w"> </span><span class="py">property</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="combining-policies" class="position-relative d-flex align-items-center group">
<span>Combining Policies</span>
</h4><p>Multiple policies on the same type combine with AND logic — every applicable policy must pass for access to be granted:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Policy</span><span class="w"> </span><span class="py">1</span><span class="p">:</span><span class="w"> </span><span class="nc">Department</span><span class="w"> </span><span class="py">check</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">dept_policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">SensitiveData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHEN</span><span class="w"> </span><span class="py">current_user</span><span class="err">.</span><span class="py">department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">resource</span><span class="err">.</span><span class="py">owning_department</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Policy</span><span class="w"> </span><span class="py">2</span><span class="p">:</span><span class="w"> </span><span class="nc">Clearance</span><span class="w"> </span><span class="py">check</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">clearance_policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">SensitiveData</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHEN</span><span class="w"> </span><span class="py">current_user</span><span class="err">.</span><span class="py">clearance_level</span><span class="w"> </span><span class="err">></span><span class="p">=</span><span class="w"> </span><span class="py">resource</span><span class="err">.</span><span class="py">classification</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Both</span><span class="w"> </span><span class="py">policies</span><span class="w"> </span><span class="py">must</span><span class="w"> </span><span class="py">pass</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">must</span><span class="w"> </span><span class="py">be</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">correct</span><span class="w"> </span><span class="py">department</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">have</span><span class="w"> </span><span class="py">sufficient</span><span class="w"> </span><span class="py">clearance</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="policy-management" class="position-relative d-flex align-items-center group">
<span>Policy Management</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">List</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">policies</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">POLICIES</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">policies</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="kd">type</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nc">SHOW</span><span class="w"> </span><span class="py">POLICIES</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Person</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Enable</span><span class="err">/</span><span class="py">disable</span><span class="w"> </span><span class="py">policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DISABLE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">dept_policy</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ENABLE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">dept_policy</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Drop</span><span class="w"> </span><span class="py">policy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DROP</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">ml_model_access</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="row-level-security-rls" class="position-relative d-flex align-items-center group">
<span>Row-Level Security (RLS)</span>
</h3><p>RLS provides fine-grained access control at the row (node/relationship) level.</p>
<h4 id="rls-overview" class="position-relative d-flex align-items-center group">
<span>RLS Overview</span>
</h4><p>RLS policies are <strong>transparent</strong> to applications:</p>
<ul>
<li>Automatically applied to all queries</li>
<li>No query rewriting needed</li>
<li>Users see only permitted data</li>
<li>Rows the user is not permitted to see are silently filtered out — queries return empty results rather than errors</li>
</ul>
<h4 id="creating-rls-policies" class="position-relative d-flex align-items-center group">
<span>Creating RLS Policies</span>
</h4><p><strong>SELECT Policies</strong> (control visibility):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Multi</span><span class="err">-</span><span class="py">tenant</span><span class="w"> </span><span class="py">isolation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Person</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_tenant_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Data</span><span class="w"> </span><span class="py">ownership</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">owner_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">owner_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="err">.</span><span class="py">id</span><span class="w"> </span><span class="py">OR</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">is_public</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="w"> </span><span class="py">OR</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">has_role</span><span class="p">(</span><span class="err">'</span><span class="py">admin</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Classification</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">classification_filter</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Record</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">classification</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">(</span><span class="err">'</span><span class="py">public</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">internal</span><span class="err">'</span><span class="p">)</span><span class="w"> </span><span class="py">OR</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">classification</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">confidential</span><span class="err">'</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">has_role</span><span class="p">(</span><span class="err">'</span><span class="py">manager</span><span class="err">'</span><span class="p">))</span><span class="w"> </span><span class="py">OR</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">classification</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">secret</span><span class="err">'</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">has_role</span><span class="p">(</span><span class="err">'</span><span class="py">executive</span><span class="err">'</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>INSERT Policies</strong> (control creation). Pair every tenant-scoped SELECT policy with an INSERT policy like <code>tenant_insert</code>: without it a user could create rows tagged with another tenant's <code>tenant_id</code> — rows they cannot read back, but which that tenant's users will. Note also that <code>valid_classification</code> omits <code>'secret'</code>, so nobody governed by this policy can create secret documents; if that is unintended, add the value or a separate role-gated policy.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Users</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">create</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">tenant</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_insert</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Person</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">INSERT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_tenant_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Validate</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">insert</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">valid_classification</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">INSERT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">classification</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">(</span><span class="err">'</span><span class="py">public</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">internal</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">confidential</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>UPDATE Policies</strong> (control modification). The <code>USING</code> condition is evaluated against the row as it exists before the update; confirm whether the server also requires the resulting row to satisfy it, otherwise an owner could hand a row to another user simply by changing <code>owner_id</code>. <code>no_archive_update</code> blocks edits to rows that are already archived but does not stop a permitted user from archiving a row.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Users</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">update</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">own</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">owner_update</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Profile</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">UPDATE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">owner_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="err">.</span><span class="py">id</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Prevent</span><span class="w"> </span><span class="py">modification</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">archived</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">no_archive_update</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">UPDATE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">status</span><span class="w"> </span><span class="p">!=</span><span class="w"> </span><span class="err">'</span><span class="py">archived</span><span class="err">'</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>DELETE Policies</strong> (control deletion). <code>soft_delete_only</code> below denies every DELETE on <code>AuditRecord</code> regardless of role (no other DELETE policy on that label is defined here that could widen it). If the label is an audit trail, add an equally restrictive UPDATE policy on it: records that can be edited but not deleted are not tamper-evident.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Only</span><span class="w"> </span><span class="py">owners</span><span class="w"> </span><span class="py">or</span><span class="w"> </span><span class="py">admins</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">delete</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">owner_delete</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Document</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">DELETE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">owner_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user</span><span class="err">.</span><span class="py">id</span><span class="w"> </span><span class="py">OR</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">has_role</span><span class="p">(</span><span class="err">'</span><span class="py">admin</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Soft</span><span class="w"> </span><span class="py">delete</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="p">(</span><span class="py">prevent</span><span class="w"> </span><span class="py">hard</span><span class="w"> </span><span class="py">delete</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">soft_delete_only</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">AuditRecord</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">DELETE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">false</span><span class="p">)</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Always</span><span class="w"> </span><span class="py">deny</span><span class="w"> </span><span class="py">hard</span><span class="w"> </span><span class="py">delete</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="rls-for-relationships" class="position-relative d-flex align-items-center group">
<span>RLS for Relationships</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Relationship</span><span class="w"> </span><span class="py">visibility</span><span class="w"> </span><span class="py">based</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">node</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">relationship_visibility</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">KNOWS</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">must</span><span class="w"> </span><span class="py">be</span><span class="w"> </span><span class="py">able</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">both</span><span class="w"> </span><span class="py">endpoints</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">EXISTS</span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">this</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">b</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">can_access</span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">can_access</span><span class="p">(</span><span class="py">b</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Tenant</span><span class="w"> </span><span class="py">isolation</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">relationships</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">relationship_tenant</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">WORKS_AT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">start_node</span><span class="err">.</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_tenant_id</span><span class="p">()</span><span class="w"> </span><span class="py">AND</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">end_node</span><span class="err">.</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_tenant_id</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="rls-context-variables" class="position-relative d-flex align-items-center group">
<span>RLS Context Variables</span>
</h4><p>Set session context for RLS evaluation. Session variables are trusted inputs to every policy that references them: <code>tenant_filter</code> below compares against <code>session.tenant_id</code>, so whoever can issue <code>SET session.tenant_id</code> chooses which tenant's rows they see. Derive these values from the authenticated identity in a trusted layer rather than from request parameters, and restrict which roles may set them. Note that the wildcard policy (<code>ON *</code>) applies to every label, including any that has no <code>tenant_id</code> property; check how such rows are treated (denied or error) before relying on it.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Set</span><span class="w"> </span><span class="py">session</span><span class="w"> </span><span class="py">variables</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">session</span><span class="err">.</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">tenant</span><span class="err">-</span><span class="py">123</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">session</span><span class="err">.</span><span class="py">user_department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">Engineering</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">session</span><span class="err">.</span><span class="py">clearance_level</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">3</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Use</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">policies</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_filter</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="err">*</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">session</span><span class="err">.</span><span class="py">tenant_id</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Client-Side Context Setting</strong>. In both examples the <em>client</em> supplies <code>tenant_id</code>; this is only safe when that client is your own trusted backend and has already authenticated the caller. Never forward a tenant identifier taken from the end user (a request header, query parameter, or an unverified token claim): the RLS policies trust whatever value the session carries.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="c1">// Go client example
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="nx">ctx</span> <span class="o">:=</span> <span class="nx">context</span><span class="p">.</span><span class="nf">WithValue</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="s">"tenant_id"</span><span class="p">,</span> <span class="s">"tenant-123"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="nx">client</span><span class="p">.</span><span class="nf">Query</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="s">"MATCH (n) RETURN n"</span><span class="p">)</span>
</span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># Python client example</span>
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">session</span><span class="p">(</span><span class="n">tenant_id</span><span class="o">=</span><span class="s2">"tenant-123"</span><span class="p">)</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="n">session</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="s2">"MATCH (n) RETURN n"</span><span class="p">)</span>
</span></span></code></pre></div>
<h4 id="rls-performance" class="position-relative d-flex align-items-center group">
<span>RLS Performance</span>
</h4><p>Policy predicates are integrated into the query plan rather than applied as a separate pass over the results; use <code>EXPLAIN</code> to see where the RLS filter is applied relative to the index scan:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">View</span><span class="w"> </span><span class="kd">query</span><span class="w"> </span><span class="nc">plan</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">RLS</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">EXPLAIN</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">p</span><span class="p">:</span><span class="nc">Person</span><span class="p">)</span><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">age</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">30</span><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">p</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Output</span><span class="w"> </span><span class="py">shows</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">filter</span><span class="w"> </span><span class="py">integration</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="nc">IndexScan</span><span class="w"> </span><span class="p">(</span><span class="py">Person</span><span class="p">,</span><span class="w"> </span><span class="py">age</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">30</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="err">└──</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">Filter</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">tenant</span><span class="err">-</span><span class="py">123</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="err">└──</span><span class="w"> </span><span class="py">Return</span><span class="w">
</span></span></span></code></pre></div><p><strong>Best Practices for RLS Performance</strong>:</p>
<ol>
<li>Index the properties that policy predicates filter on (in the policies above: <code>tenant_id</code>, <code>owner_id</code>, <code>classification</code>)</li>
<li>Use simple equality checks when possible</li>
<li>Avoid complex subqueries in policies; the <code>EXISTS</code> traversal in <code>relationship_visibility</code> above is likely evaluated for each candidate relationship, so prefer a stored property on the endpoints (as <code>relationship_tenant</code> does) where the data model allows</li>
<li>Test with EXPLAIN to verify index usage</li>
</ol>
<h3 id="permission-inheritance" class="position-relative d-flex align-items-center group">
<span>Permission Inheritance</span>
</h3>
<h4 id="graph-level-permissions" class="position-relative d-flex align-items-center group">
<span>Graph-Level Permissions</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Permission</span><span class="w"> </span><span class="py">hierarchy</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="nc">DATABASE</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">LABEL</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">PROPERTY</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">database</span><span class="w"> </span><span class="p">(</span><span class="py">all</span><span class="w"> </span><span class="py">graphs</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">DATABASE</span><span class="w"> </span><span class="py">geodedb</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">graph</span><span class="w"> </span><span class="p">(</span><span class="py">all</span><span class="w"> </span><span class="py">labels</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">label</span><span class="w"> </span><span class="p">(</span><span class="py">all</span><span class="w"> </span><span class="py">properties</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="err">.</span><span class="py">Person</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">property</span><span class="w"> </span><span class="p">(</span><span class="py">specific</span><span class="w"> </span><span class="py">columns</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="p">(</span><span class="py">name</span><span class="p">,</span><span class="w"> </span><span class="py">email</span><span class="p">)</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="err">.</span><span class="py">Person</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="default-permissions" class="position-relative d-flex align-items-center group">
<span>Default Permissions</span>
</h4><p>Configure default permissions for new objects:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">authorization</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default_permissions</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">new_graphs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"SELECT"</span><span class="p">]</span><span class="w"> </span><span class="c"># Default for new graphs</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">new_users</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"reader"</span><span class="p">]</span><span class="w"> </span><span class="c"># Default role for new users</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">public_schema</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Allow public schema</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">permissions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"SELECT"</span><span class="p">]</span><span class="w"> </span><span class="c"># Public schema permissions</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="effective-permissions" class="position-relative d-flex align-items-center group">
<span>Effective Permissions</span>
</h3>
<h4 id="viewing-effective-permissions" class="position-relative d-flex align-items-center group">
<span>Viewing Effective Permissions</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">effective</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">current</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">GRANTS</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">object</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Detailed</span><span class="w"> </span><span class="py">permission</span><span class="w"> </span><span class="py">check</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">EXPLAIN</span><span class="w"> </span><span class="py">SECURITY</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">p</span><span class="p">:</span><span class="nc">Person</span><span class="p">)</span><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">p</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Output</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="nc">Permission</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">for</span><span class="p">:</span><span class="w"> </span><span class="nc">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">p</span><span class="p">:</span><span class="nc">Person</span><span class="p">)</span><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">p</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">User</span><span class="p">:</span><span class="w"> </span><span class="nc">alice</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Roles</span><span class="p">:</span><span class="w"> </span><span class="nc">analyst</span><span class="p">,</span><span class="w"> </span><span class="py">reader</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">RBAC</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="p">[</span><span class="nc">ALLOW</span><span class="p">]</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="w"> </span><span class="p">(</span><span class="py">via</span><span class="w"> </span><span class="py">role</span><span class="p">:</span><span class="w"> </span><span class="nc">analyst</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">ABAC</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="p">[</span><span class="nc">ALLOW</span><span class="p">]</span><span class="w"> </span><span class="py">dept_policy</span><span class="p">:</span><span class="w"> </span><span class="nc">user</span><span class="err">.</span><span class="py">department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">Analytics</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">RLS</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="p">[</span><span class="nc">FILTER</span><span class="p">]</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="p">:</span><span class="w"> </span><span class="nc">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">tenant</span><span class="err">-</span><span class="py">123</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Effective</span><span class="p">:</span><span class="w"> </span><span class="nc">ALLOW</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">filter</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="permission-precedence" class="position-relative d-flex align-items-center group">
<span>Permission Precedence</span>
</h4><ol>
<li><strong>Explicit DENY</strong> takes precedence over ALLOW</li>
<li><strong>More specific</strong> permissions override general permissions</li>
<li><strong>Multiple ALLOW</strong> permissions are combined (OR logic)</li>
<li><strong>RLS policies</strong> are always applied after RBAC/ABAC, so a row filter only narrows the rows an ALLOW returns; it never grants access on its own</li>
</ol>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Explicit</span><span class="w"> </span><span class="py">deny</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">DELETE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">This</span><span class="w"> </span><span class="py">overrides</span><span class="w"> </span><span class="py">any</span><span class="w"> </span><span class="py">ALLOW</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">inheritance</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">cannot</span><span class="w"> </span><span class="py">delete</span><span class="w"> </span><span class="py">even</span><span class="w"> </span><span class="py">if</span><span class="w"> </span><span class="py">parent</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">allows</span><span class="w"> </span><span class="py">it</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="audit-and-compliance" class="position-relative d-flex align-items-center group">
<span>Audit and Compliance</span>
</h3>
<h4 id="authorization-audit-events" class="position-relative d-flex align-items-center group">
<span>Authorization Audit Events</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">audit</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">authorization_events</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">permission_granted</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">permission_revoked</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">role_created</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">role_dropped</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">role_assigned</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">role_revoked</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">policy_created</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">policy_dropped</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">access_denied</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">rls_filter_applied</span><span class="w">
</span></span></span></code></pre></div><p><strong>Sample Audit Log</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"timestamp"</span><span class="p">:</span> <span class="s2">"2026-01-28T14:30:00.123Z"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"event_type"</span><span class="p">:</span> <span class="s2">"access_denied"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"user"</span><span class="p">:</span> <span class="s2">"bob"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"action"</span><span class="p">:</span> <span class="s2">"DELETE"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"resource"</span><span class="p">:</span> <span class="s2">"SocialNetwork.Person"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"reason"</span><span class="p">:</span> <span class="s2">"insufficient_privileges"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"required"</span><span class="p">:</span> <span class="s2">"DELETE"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"actual"</span><span class="p">:</span> <span class="s2">"SELECT, INSERT"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"trace_id"</span><span class="p">:</span> <span class="s2">"abc123..."</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span></code></pre></div>
<h4 id="compliance-reports" class="position-relative d-flex align-items-center group">
<span>Compliance Reports</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate access report</span>
</span></span><span class="line"><span class="cl">geode admin access-report <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --user alice <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output access-report.json
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Generate permission matrix</span>
</span></span><span class="line"><span class="cl">geode admin permission-matrix <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --graph SocialNetwork <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output permissions.csv
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Audit permission changes</span>
</span></span><span class="line"><span class="cl">geode admin audit-log <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --event-type permission_* <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --since <span class="s2">"2026-01-01"</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output audit.json
</span></span></code></pre></div>
<h3 id="configuration-reference" class="position-relative d-flex align-items-center group">
<span>Configuration Reference</span>
</h3>
<h4 id="complete-authorization-configuration" class="position-relative d-flex align-items-center group">
<span>Complete Authorization Configuration</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">authorization</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Default deny (require explicit grants)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default_deny</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Cache settings</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ttl_seconds</span><span class="p">:</span><span class="w"> </span><span class="m">300</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_entries</span><span class="p">:</span><span class="w"> </span><span class="m">10000</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># RBAC settings</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rbac</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">role_hierarchy</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Enable role inheritance</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_roles_per_user</span><span class="p">:</span><span class="w"> </span><span class="m">20</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># ABAC settings</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">abac</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">policy_evaluation_order</span><span class="p">:</span><span class="w"> </span><span class="s2">"most_specific_first"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default_policy</span><span class="p">:</span><span class="w"> </span><span class="s2">"deny"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># RLS settings</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bypass_roles</span><span class="p">:</span><span class="w"> </span><span class="c"># Roles that bypass RLS</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">admin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">dba</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default_policy</span><span class="p">:</span><span class="w"> </span><span class="s2">"deny"</span><span class="w"> </span><span class="c"># Deny if no policy matches</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="best-practices" class="position-relative d-flex align-items-center group">
<span>Best Practices</span>
</h3>
<h4 id="rbac-best-practices" class="position-relative d-flex align-items-center group">
<span>RBAC Best Practices</span>
</h4><ol>
<li><strong>Use roles, not user-specific permissions</strong>: Role-based grants are easier to manage and audit than per-user grants</li>
<li><strong>Create role hierarchy</strong>: Inherit common permissions</li>
<li><strong>Principle of least privilege</strong>: Grant minimum required permissions</li>
<li><strong>Regular access reviews</strong>: Audit permissions quarterly</li>
<li><strong>Document role purposes</strong>: Use COMMENT when creating a role to record why it exists</li>
</ol>
<h4 id="abac-best-practices" class="position-relative d-flex align-items-center group">
<span>ABAC Best Practices</span>
</h4><ol>
<li><strong>Keep policies simple</strong>: Complex policies are hard to debug</li>
<li><strong>Use meaningful attribute names</strong>: Clear naming improves maintainability</li>
<li><strong>Test policies thoroughly</strong>: Verify behavior under different session contexts</li>
<li><strong>Monitor policy performance</strong>: Avoid expensive computations in policy conditions</li>
<li><strong>Document policy rationale</strong>: Explain why each policy exists</li>
</ol>
<h4 id="rls-best-practices" class="position-relative d-flex align-items-center group">
<span>RLS Best Practices</span>
</h4><ol>
<li><strong>Index RLS columns</strong>: Indexes on the columns referenced by RLS policies are critical to query performance on large datasets</li>
<li><strong>Use tenant isolation for multi-tenancy</strong>: Tenant-scoped RLS policies are the standard pattern for multi-tenant deployments</li>
<li><strong>Test with multiple users</strong>: Verify that isolation holds by running the same queries as several different users</li>
<li><strong>Consider performance impact</strong>: Simple policies perform better</li>
<li><strong>Combine with RBAC</strong>: RBAC decides which operations a user may perform; RLS then filters which rows those operations can reach</li>
</ol>
<h3 id="troubleshooting" class="position-relative d-flex align-items-center group">
<span>Troubleshooting</span>
</h3>
<h4 id="permission-denied" class="position-relative d-flex align-items-center group">
<span>Permission Denied</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check effective permissions</span>
</span></span><span class="line"><span class="cl">geode query <span class="s2">"SHOW GRANTS FOR USER alice"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Explain the security check for a query run as alice</span>
</span></span><span class="line"><span class="cl">geode query <span class="s2">"EXPLAIN SECURITY MATCH (p:Person) RETURN p"</span> --as alice
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Check role membership</span>
</span></span><span class="line"><span class="cl">geode query <span class="s2">"SHOW ROLES FOR USER alice"</span>
</span></span></code></pre></div>
<h4 id="rls-not-filtering" class="position-relative d-flex align-items-center group">
<span>RLS Not Filtering</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Verify RLS is enabled</span>
</span></span><span class="line"><span class="cl">geode admin show-config <span class="p">|</span> grep rls
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Check policy exists</span>
</span></span><span class="line"><span class="cl">geode query <span class="s2">"SHOW POLICIES ON Person"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Verify session context</span>
</span></span><span class="line"><span class="cl">geode query <span class="s2">"SELECT session.tenant_id"</span>
</span></span></code></pre></div>
<h4 id="policy-conflicts" class="position-relative d-flex align-items-center group">
<span>Policy Conflicts</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># List all policies affecting the Person type</span>
</span></span><span class="line"><span class="cl">geode query <span class="s2">"SHOW POLICIES ON :Person VERBOSE"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Check policy evaluation order</span>
</span></span><span class="line"><span class="cl">geode admin policy-debug --type Person --action SELECT
</span></span></code></pre></div>
<h3 id="related-documentation" class="position-relative d-flex align-items-center group">
<span>Related Documentation</span>
</h3><ul>
<li><strong><a
href="/docs/security/authentication/"
>Authentication</a>
</strong> - Authentication mechanisms</li>
<li><strong><a
href="/docs/security/overview/"
>Security Overview</a>
</strong> - Complete security architecture</li>
<li><strong><a
href="/docs/ops/audit-logging/"
>Audit Logging</a>
</strong> - Authorization audit trail</li>
<li><strong><a
href="/docs/security/session-management/"
>Session Management</a>
</strong> - Session-based context</li>
<li><strong><a
href="/docs/guides/multi-datacenter/"
>Multi-Datacenter Guide</a>
</strong> - Distributed authorization</li>
</ul>
Authorization
Configure authorization and access control in Geode including RBAC, ABAC, Row-Level Security (RLS), and fine-grained permissions