<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-28 --> <p>Authorization in Geode provides comprehensive control over who can access your graph data and what operations they can perform. Building on authentication (verifying identity), authorization determines what authenticated users are permitted to do within the database. Geode implements a multi-layered authorization system combining role-based access control (RBAC), object-level permissions, and row-level security (RLS) to deliver enterprise-grade access management.</p> <h3 id="authorization-architecture" class="position-relative d-flex align-items-center group"> <span>Authorization Architecture</span> </h3><p>Geode&rsquo;s authorization system operates at multiple levels to provide 
defense-in-depth:</p> <ul> <li><strong>System Level</strong>: Controls server administration, user management, and global operations</li> <li><strong>Graph Level</strong>: Controls access to entire graphs (create, read, write, delete)</li> <li><strong>Label Level</strong>: Controls access to specific node and relationship types</li> <li><strong>Property Level</strong>: Controls access to individual properties within nodes and relationships</li> <li><strong>Row Level</strong>: Controls access to specific data rows based on runtime conditions</li> </ul> <p>Authorization decisions are evaluated in order, with more specific rules taking precedence over general rules.</p>
<h3 id="permission-types" class="position-relative d-flex align-items-center group"> <span>Permission Types</span> </h3><p>Geode supports the following permission types:</p>
<h4 id="data-permissions" class="position-relative d-flex align-items-center group"> <span>Data Permissions</span> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- SELECT: Read data from nodes, relationships, and properties
GRANT SELECT ON GRAPH social_network TO analyst;

-- INSERT: Create new nodes and relationships
GRANT INSERT ON :User TO application_service;

-- UPDATE: Modify existing properties
GRANT UPDATE ON :User TO user_management;

-- DELETE: Remove nodes, relationships, or properties
GRANT DELETE ON :TempData TO cleanup_service;

-- MERGE: Create or update data (combines INSERT and UPDATE)
GRANT MERGE ON :Session TO session_manager;
</code></pre></div>
<h4 id="schema-permissions" class="position-relative d-flex align-items-center group"> <span>Schema Permissions</span> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- CREATE: Create new graphs, labels, or constraints
GRANT CREATE GRAPH TO schema_admin;
GRANT CREATE CONSTRAINT TO developer;

-- ALTER: Modify schema definitions
GRANT ALTER ON GRAPH analytics TO data_architect;

-- DROP: Remove schema elements
GRANT DROP CONSTRAINT TO schema_admin;
</code></pre></div>
<h4 id="administrative-permissions" class="position-relative d-flex align-items-center group"> <span>Administrative Permissions</span> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- ADMIN: Full administrative access
GRANT ADMIN ON DATABASE TO dba_team;

-- EXECUTE: Execute stored procedures and functions
GRANT EXECUTE ON PROCEDURE export_data TO analyst;

-- BACKUP: Create and restore backups
GRANT BACKUP ON DATABASE TO backup_service;
</code></pre></div>
<h3 id="granting-permissions" class="position-relative d-flex align-items-center group"> <span>Granting Permissions</span> </h3><p>Permissions are granted with the <code>GRANT</code> statement, either directly to a user or to a role; granting to roles is the recommended practice.</p>
<h4 id="basic-grant-syntax" class="position-relative d-flex align-items-center group"> <span>Basic Grant Syntax</span> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Grant to a user
GRANT SELECT ON GRAPH customers TO alice;

-- Grant to a role
GRANT SELECT, INSERT ON GRAPH customers TO data_entry;

-- Grant multiple permissions at once
GRANT SELECT, INSERT, UPDATE, DELETE ON GRAPH inventory TO warehouse_manager;
</code></pre></div>
<h4 id="granting-with-grant-option" class="position-relative d-flex align-items-center group"> <span>Granting with Grant Option</span> </h4><p>Allow recipients to further grant the permission to others:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Alice can grant SELECT to other users
GRANT SELECT ON GRAPH customers TO alice WITH GRANT OPTION;

-- Team lead can delegate permissions
GRANT INSERT ON :Order TO team_lead WITH GRANT OPTION;
</code></pre></div>
<h4 id="granting-all-permissions" class="position-relative d-flex align-items-center group"> <span>Granting All Permissions</span> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Grant all data permissions on a graph
GRANT ALL ON GRAPH analytics TO data_scientist;

-- Grant all permissions on specific labels
GRANT ALL ON :Product, :Category TO product_manager;
</code></pre></div>
<h3 id="denying-permissions" class="position-relative d-flex align-items-center group"> <span>Denying Permissions</span> </h3><p>The <code>DENY</code> statement explicitly prevents access, overriding any granted permissions:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Prevent access to sensitive data
DENY SELECT ON :Salary TO general_employee;

-- Block modification
</code></pre></div>
class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">historical</span><span class="w"> </span><span class="py">records</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">UPDATE</span><span class="p">,</span><span class="w"> </span><span class="py">DELETE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">AuditLog</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">application</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Deny</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">property</span><span class="w"> </span><span class="py">access</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">SELECT</span><span class="p">(</span><span class="py">ssn</span><span class="p">,</span><span class="w"> </span><span class="py">credit_score</span><span class="p">)</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">marketing</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h4 id="deny-precedence" class="position-relative d-flex align-items-center group"> <span>Deny Precedence</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none 
link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="deny-precedence" aria-haspopup="dialog" aria-label="Share link: Deny Precedence"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><p>Deny rules take precedence over grant rules at the same specificity level:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">User</span><span class="w"> </span><span class="py">has</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">broad</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">bob</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">company</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> 
</span><span class="py">But</span><span class="w"> </span><span class="py">Bob</span><span class="w"> </span><span class="py">specifically</span><span class="w"> </span><span class="py">cannot</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">salary</span><span class="w"> </span><span class="py">data</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">SELECT</span><span class="p">(</span><span class="py">salary</span><span class="p">)</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">bob</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Bob</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">read</span><span class="w"> </span><span class="py">employees</span><span class="w"> </span><span class="py">but</span><span class="w"> </span><span class="py">not</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">salaries</span><span class="w"> </span></span></span></code></pre></div> <h3 id="revoking-permissions" class="position-relative d-flex align-items-center group"> <span>Revoking Permissions</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="revoking-permissions" aria-haspopup="dialog" aria-label="Share link: Revoking Permissions"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" 
style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3><p>Remove previously granted permissions:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">permission</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">customers</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">multiple</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Order</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">data_entry</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span 
class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">grant</span><span class="w"> </span><span class="py">option</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="p">(</span><span class="py">keeps</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">permission</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">GRANT</span><span class="w"> </span><span class="py">OPTION</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">customers</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">user</span><span class="err">/</span><span class="py">role</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">analytics</span><span class="w"> 
</span><span class="py">FROM</span><span class="w"> </span><span class="py">consultant</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h3 id="label-level-authorization" class="position-relative d-flex align-items-center group"> <span>Label-Level Authorization</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="label-level-authorization" aria-haspopup="dialog" aria-label="Share link: Label-Level Authorization"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3><p>Control access to specific node and relationship types:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Different</span><span class="w"> </span><span class="py">teams</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">different</span><span class="w"> </span><span class="py">node</span><span class="w"> </span><span class="kd">type</span><span class="nc">s</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">sales_team</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span 
class="w"> </span><span class="p">:</span><span class="nc">Product</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">inventory_team</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">hr_team</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Relationship</span><span class="w"> </span><span class="kd">type</span><span class="w"> </span><span class="nc">permissions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">PURCHASED</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analytics</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">INSERT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">FOLLOWS</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">social_features</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span 
class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Restrict</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">sensitive</span><span class="w"> </span><span class="py">labels</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">InternalMemo</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">external_contractor</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h4 id="pattern-based-label-permissions" class="position-relative d-flex align-items-center group"> <span>Pattern-Based Label Permissions</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="pattern-based-label-permissions" aria-haspopup="dialog" aria-label="Share link: Pattern-Based Label Permissions"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><p>Use wildcards for managing permissions across multiple labels:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">Public</span><span 
class="err">*</span><span class="w"> </span><span class="py">labels</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Public</span><span class="err">*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">public_api</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">labels</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">namespace</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">hr_</span><span class="err">*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">hr_department</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Deny</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> 
</span><span class="py">all</span><span class="w"> </span><span class="py">Internal</span><span class="err">*</span><span class="w"> </span><span class="py">labels</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Internal</span><span class="err">*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">external_user</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h3 id="property-level-authorization" class="position-relative d-flex align-items-center group"> <span>Property-Level Authorization</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="property-level-authorization" aria-haspopup="dialog" aria-label="Share link: Property-Level Authorization"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3><p>Fine-grained control over individual properties:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">properties</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span 
class="py">SELECT</span><span class="p">(</span><span class="py">name</span><span class="p">,</span><span class="w"> </span><span class="py">email</span><span class="p">,</span><span class="w"> </span><span class="py">department</span><span class="p">)</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">directory_service</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Hide</span><span class="w"> </span><span class="py">sensitive</span><span class="w"> </span><span class="py">properties</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">SELECT</span><span class="p">(</span><span class="py">salary</span><span class="p">,</span><span class="w"> </span><span class="py">performance_rating</span><span class="p">,</span><span class="w"> </span><span class="py">ssn</span><span class="p">)</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">general_user</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Allow</span><span class="w"> </span><span class="py">updating</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span 
class="py">properties</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">UPDATE</span><span class="p">(</span><span class="py">email</span><span class="p">,</span><span class="w"> </span><span class="py">phone</span><span class="p">,</span><span class="w"> </span><span class="py">address</span><span class="p">)</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">self_service</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Block</span><span class="w"> </span><span class="py">modification</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">system</span><span class="w"> </span><span class="py">properties</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">UPDATE</span><span class="p">(</span><span class="py">created_at</span><span class="p">,</span><span class="w"> </span><span class="py">created_by</span><span class="p">,</span><span class="w"> </span><span class="py">internal_id</span><span class="p">)</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="err">*</span><span class="w"> </span><span class="nc">TO</span><span class="w"> </span><span class="py">application</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h4 id="column-masking" class="position-relative d-flex align-items-center 
group"> <span>Column Masking</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="column-masking" aria-haspopup="dialog" aria-label="Share link: Column Masking"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><p>Automatically mask sensitive data for unauthorized users:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">masking</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">credit</span><span class="w"> </span><span class="py">cards</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">MASK</span><span class="w"> </span><span class="py">credit_card_mask</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Payment</span><span class="err">.</span><span class="py">card_number</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">CASE</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">current_user_has_role</span><span class="p">(</span><span class="err">&#39;</span><span class="py">pci_admin</span><span class="err">&#39;</span><span class="p">)</span><span class="w"> </span><span class="py">THEN</span><span 
class="w"> </span><span class="py">card_number</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="err">&#39;****-****-****-&#39;</span><span class="w"> </span><span class="p">||</span><span class="w"> </span><span class="py">right</span><span class="p">(</span><span class="py">card_number</span><span class="p">,</span><span class="w"> </span><span class="py">4</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">END</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Apply</span><span class="w"> </span><span class="py">masking</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">SSN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">MASK</span><span class="w"> </span><span class="py">ssn_mask</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Person</span><span class="err">.</span><span class="py">ssn</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">CASE</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">current_user_has_role</span><span class="p">(</span><span class="err">&#39;</span><span class="py">hr_admin</span><span class="err">&#39;</span><span 
class="p">)</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">ssn</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="err">&#39;***-**-&#39;</span><span class="w"> </span><span class="p">||</span><span class="w"> </span><span class="py">right</span><span class="p">(</span><span class="py">ssn</span><span class="p">,</span><span class="w"> </span><span class="py">4</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">END</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h3 id="graph-level-authorization" class="position-relative d-flex align-items-center group"> <span>Graph-Level Authorization</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="graph-level-authorization" aria-haspopup="dialog" aria-label="Share link: Graph-Level Authorization"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3><p>Control access to entire graphs:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">read</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">graph</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span 
class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">production</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">reporting</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">full</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">development</span><span class="w"> </span><span class="py">graph</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">development</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">developers</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Prevent</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">sensitive</span><span class="w"> </span><span class="py">graph</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span 
class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">executive_compensation</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">general_employee</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Control</span><span class="w"> </span><span class="py">graph</span><span class="w"> </span><span class="py">management</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">data_architect</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">DROP</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">dba</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h4 id="multi-graph-authorization" class="position-relative d-flex align-items-center group"> <span>Multi-Graph Authorization</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="multi-graph-authorization" aria-haspopup="dialog" aria-label="Share link: Multi-Graph Authorization"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> 
</h4><p>When working with multiple graphs:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">multiple</span><span class="w"> </span><span class="py">graphs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">customers</span><span class="p">,</span><span class="w"> </span><span class="py">orders</span><span class="p">,</span><span class="w"> </span><span class="py">inventory</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">fulfillment</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Different</span><span class="w"> </span><span class="py">permission</span><span class="w"> </span><span class="py">levels</span><span class="w"> </span><span class="py">per</span><span class="w"> </span><span class="py">graph</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">production</span><span class="w"> </span><span class="py">TO</span><span class="w"> 
</span><span class="py">analyst</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">analytics</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Cross</span><span class="err">-</span><span class="py">graph</span><span class="w"> </span><span class="kd">query</span><span class="w"> </span><span class="nc">permissions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">global_reporting</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h3 id="authorization-with-stored-procedures" class="position-relative d-flex align-items-center group"> <span>Authorization with Stored Procedures</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authorization-with-stored-procedures" aria-haspopup="dialog" aria-label="Share link: Authorization with Stored Procedures"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" 
style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3><p>Control execution of stored procedures and functions:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">execute</span><span class="w"> </span><span class="py">permission</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">EXECUTE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">PROCEDURE</span><span class="w"> </span><span class="py">calculate_recommendations</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">recommendation_engine</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">elevated</span><span class="w"> </span><span class="py">privileges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">PROCEDURE</span><span class="w"> </span><span class="py">admin_task</span><span class="p">()</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SECURITY</span><span class="w"> </span><span class="py">DEFINER</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Runs</span><span class="w"> </span><span 
class="py">with</span><span class="w"> </span><span class="py">creator</span><span class="err">&#39;</span><span class="py">s</span><span class="w"> </span><span class="py">privileges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="err">$$</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="p">)</span><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">u</span><span class="err">.</span><span class="py">inactive</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="err">&#39;</span><span class="py">365</span><span class="w"> </span><span class="py">days</span><span class="err">&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">DETACH</span><span class="w"> </span><span class="py">DELETE</span><span class="w"> </span><span class="py">u</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">$$;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">run</span><span class="w"> </span><span class="py">procedures</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">caller</span><span class="err">&#39;</span><span class="py">s</span><span class="w"> </span><span 
class="py">privileges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">PROCEDURE</span><span class="w"> </span><span class="py">user_report</span><span class="p">(</span><span class="py">user_id</span><span class="p">:</span><span class="w"> </span><span class="nc">STRING</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SECURITY</span><span class="w"> </span><span class="py">INVOKER</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Runs</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">caller</span><span class="err">&#39;</span><span class="py">s</span><span class="w"> </span><span class="py">privileges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="err">$$</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="w"> </span><span class="p">{</span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nv">$user_id</span><span class="p">})</span><span class="w"> </span><span class="nc">RETURN</span><span class="w"> </span><span class="py">u</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">$$;</span><span class="w"> </span></span></span></code></pre></div> <h3 id="dynamic-authorization" class="position-relative d-flex align-items-center group"> <span>Dynamic Authorization</span> <button type="button" class="h-share btn 
btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="dynamic-authorization" aria-haspopup="dialog" aria-label="Share link: Dynamic Authorization"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3><p>Authorization decisions that depend on runtime context:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Time</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">control</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">business_hours_only</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Transaction</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">standard_user</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">EXTRACT</span><span class="p">(</span><span class="py">HOUR</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">())</span><span class="w"> </span><span 
class="py">BETWEEN</span><span class="w"> </span><span class="py">9</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">17</span><span class="p">)</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Location</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">access</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">regional_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">regional_manager</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">c</span><span class="err">.</span><span class="py">region</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">&#39;</span><span class="py">assigned_region</span><span class="err">&#39;</span><span class="p">))</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span 
class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Data</span><span class="w"> </span><span class="py">classification</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">access</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">classification_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Document</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">d</span><span class="err">.</span><span class="py">classification_level</span><span class="w"> </span><span class="err">&lt;</span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">&#39;</span><span class="py">clearance_level</span><span class="err">&#39;</span><span class="p">))</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h3 id="authorization-inheritance" class="position-relative d-flex align-items-center group"> <span>Authorization Inheritance</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" 
data-share-target="authorization-inheritance" aria-haspopup="dialog" aria-label="Share link: Authorization Inheritance"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3> <h4 id="role-hierarchy" class="position-relative d-flex align-items-center group"> <span>Role Hierarchy</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="role-hierarchy" aria-haspopup="dialog" aria-label="Share link: Role Hierarchy"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><p>Roles can inherit from other roles:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">base</span><span class="w"> </span><span class="py">role</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">employee</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">PublicInfo</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span 
class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">that</span><span class="w"> </span><span class="py">inherits</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">employee</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">manager</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">employee</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">TeamPerformance</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">manager</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Managers</span><span class="w"> </span><span class="py">automatically</span><span class="w"> </span><span class="py">have</span><span class="w"> </span><span class="py">employee</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">plus</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">own</span><span class="w"> </span></span></span></code></pre></div> <h4 id="permission-inheritance-chain" class="position-relative d-flex 
align-items-center group"> <span>Permission Inheritance Chain</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="permission-inheritance-chain" aria-haspopup="dialog" aria-label="Share link: Permission Inheritance Chain"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Build</span><span class="w"> </span><span class="py">inheritance</span><span class="w"> </span><span class="py">chain</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">viewer</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">editor</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">viewer</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">editor</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span 
class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Assign</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">at</span><span class="w"> </span><span class="py">appropriate</span><span class="w"> </span><span class="py">levels</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">main</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">viewer</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">main</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">editor</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">DELETE</span><span class="p">,</span><span class="w"> </span><span class="py">ADMIN</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">main</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">admin</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span 
class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Admin</span><span class="w"> </span><span class="py">has</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">permissions</span><span class="p">:</span><span class="w"> </span><span class="nc">SELECT</span><span class="p">,</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="p">,</span><span class="w"> </span><span class="py">DELETE</span><span class="p">,</span><span class="w"> </span><span class="py">ADMIN</span><span class="w"> </span></span></span></code></pre></div> <h3 id="viewing-authorization" class="position-relative d-flex align-items-center group"> <span>Viewing Authorization</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="viewing-authorization" aria-haspopup="dialog" aria-label="Share link: Viewing Authorization"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3> <h4 id="check-current-permissions" class="position-relative d-flex align-items-center group"> <span>Check Current Permissions</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="check-current-permissions" aria-haspopup="dialog" aria-label="Share link: Check Current Permissions"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span 
class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">current</span><span class="w"> </span><span class="py">user</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">CURRENT</span><span class="w"> </span><span class="py">USER</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">user</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">role</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span 
class="py">SHOW</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">effective</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="p">(</span><span class="py">including</span><span class="w"> </span><span class="py">inherited</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">EFFECTIVE</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">bob</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h4 id="system-views" class="position-relative d-flex align-items-center group"> <span>System Views</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="system-views" aria-haspopup="dialog" aria-label="Share link: System Views"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">View</span><span class="w"> </span><span class="py">all</span><span class="w"> 
</span><span class="py">permission</span><span class="w"> </span><span class="py">grants</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">privileges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">grantee</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">&#39;</span><span class="py">analyst</span><span class="err">&#39;;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">View</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">memberships</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_members</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">member</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">&#39;</span><span class="py">alice</span><span class="err">&#39;;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span 
class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">View</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">deny</span><span class="w"> </span><span class="py">rules</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">privileges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">is_deny</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h3 id="authorization-best-practices" class="position-relative d-flex align-items-center group"> <span>Authorization Best Practices</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authorization-best-practices" aria-haspopup="dialog" aria-label="Share link: Authorization Best Practices"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3> <h4 id="1-use-role-based-access-control" class="position-relative d-flex align-items-center group"> <span>1. Use Role-Based Access Control</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="1-use-role-based-access-control" aria-haspopup="dialog" aria-label="Share link: 1. 
Use Role-Based Access Control"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">DO</span><span class="p">:</span><span class="w"> </span><span class="nc">Grant</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">roles</span><span class="p">,</span><span class="w"> </span><span class="py">assign</span><span class="w"> </span><span class="py">roles</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">users</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">report_viewer</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">reports</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">report_viewer</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">report_viewer</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">alice</span><span class="p">,</span><span class="w"> </span><span class="py">bob</span><span 
class="p">,</span><span class="w"> </span><span class="py">charlie</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">DON</span><span class="err">&#39;</span><span class="py">T</span><span class="p">:</span><span class="w"> </span><span class="nc">Grant</span><span class="w"> </span><span class="py">directly</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">users</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">reports</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">reports</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">bob</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span 
class="py">GRAPH</span><span class="w"> </span><span class="py">reports</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">charlie</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h4 id="2-implement-least-privilege" class="position-relative d-flex align-items-center group"> <span>2. Implement Least Privilege</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="2-implement-least-privilege" aria-haspopup="dialog" aria-label="Share link: 2. Implement Least Privilege"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Start</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">no</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">new_analyst</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">what</span><span class="err">&#39;</span><span class="py">s</span><span class="w"> </span><span class="py">needed</span><span class="w"> 
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">analytics</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">new_analyst</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="p">(</span><span class="py">name</span><span class="p">,</span><span class="w"> </span><span class="py">email</span><span class="p">,</span><span class="w"> </span><span class="py">department</span><span class="p">)</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">new_analyst</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Review</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">adjust</span><span class="w"> </span><span class="py">as</span><span class="w"> </span><span class="py">needed</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">new_analyst</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h4 
id="3-use-deny-for-explicit-restrictions" class="position-relative d-flex align-items-center group"> <span>3. Use Deny for Explicit Restrictions</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="3-use-deny-for-explicit-restrictions" aria-haspopup="dialog" aria-label="Share link: 3. Use Deny for Explicit Restrictions"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Broad</span><span class="w"> </span><span class="py">grant</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">deny</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">company</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Salary</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span 
class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">ExecutiveCompensation</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h4 id="4-regular-permission-audits" class="position-relative d-flex align-items-center group"> <span>4. Regular Permission Audits</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="4-regular-permission-audits" aria-haspopup="dialog" aria-label="Share link: 4. Regular Permission Audits"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Find</span><span class="w"> </span><span class="py">users</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">privileges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">grantee</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">privileges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">privilege</span><span class="w"> 
</span><span class="p">=</span><span class="w"> </span><span class="err">&#39;</span><span class="py">ADMIN</span><span class="err">&#39;;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Find</span><span class="w"> </span><span class="py">unused</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">grantee</span><span class="p">,</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">privilege</span><span class="p">,</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">object_name</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">privileges</span><span class="w"> </span><span class="py">p</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">LEFT</span><span class="w"> </span><span class="py">JOIN</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">access_log</span><span class="w"> </span><span class="py">a</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">grantee</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span 
class="py">username</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">object_name</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">object_name</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">last_access</span><span class="w"> </span><span class="py">IS</span><span class="w"> </span><span class="py">NULL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">last_access</span><span class="w"> </span><span class="err">&lt;</span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">&#39;</span><span class="py">90</span><span class="w"> </span><span class="py">days</span><span class="err">&#39;;</span><span class="w"> </span></span></span></code></pre></div> <h4 id="5-separate-development-and-production" class="position-relative d-flex align-items-center group"> <span>5. Separate Development and Production</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="5-separate-development-and-production" aria-haspopup="dialog" aria-label="Share link: 5. 
Separate Development and Production"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Production</span><span class="p">:</span><span class="w"> </span><span class="nc">Minimal</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">production</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">application</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Development</span><span class="p">:</span><span class="w"> </span><span class="nc">Broader</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">development</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">developer</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> 
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Prevent</span><span class="w"> </span><span class="py">production</span><span class="w"> </span><span class="py">modification</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">dev</span><span class="w"> </span><span class="py">accounts</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="p">,</span><span class="w"> </span><span class="py">DELETE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">production</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">developer</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h3 id="authorization-configuration" class="position-relative d-flex align-items-center group"> <span>Authorization Configuration</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authorization-configuration" aria-haspopup="dialog" aria-label="Share link: Authorization Configuration"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3> <h4 id="server-level-settings" class="position-relative d-flex align-items-center group"> <span>Server-Level Settings</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" 
data-share-target="server-level-settings" aria-haspopup="dialog" aria-label="Share link: Server-Level Settings"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Enable authorization enforcement</span> </span></span><span class="line"><span class="cl">geode serve --authorization-enabled<span class="o">=</span><span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Set default deny (no implicit permissions)</span> </span></span><span class="line"><span class="cl">geode serve --default-deny<span class="o">=</span><span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Enable permission caching for performance</span> </span></span><span class="line"><span class="cl">geode serve --permission-cache-size<span class="o">=</span><span class="m">10000</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --permission-cache-ttl<span class="o">=</span>300s </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Log all authorization decisions</span> </span></span><span class="line"><span class="cl">geode serve --log-authorization<span class="o">=</span><span class="nb">true</span> </span></span></code></pre></div> <h4 id="configuration-file" class="position-relative d-flex align-items-center group"> <span>Configuration File</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="configuration-file" 
aria-haspopup="dialog" aria-label="Share link: Configuration File"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">authorization</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default_deny</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">permission_cache</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">size</span><span class="p">:</span><span class="w"> </span><span class="m">10000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ttl_seconds</span><span class="p">:</span><span class="w"> </span><span class="m">300</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">audit</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> 
</span><span class="nt">log_grants</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">log_denies</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">log_checks</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="c"># Can be verbose</span><span class="w"> </span></span></span></code></pre></div> <h3 id="troubleshooting-authorization" class="position-relative d-flex align-items-center group"> <span>Troubleshooting Authorization</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="troubleshooting-authorization" aria-haspopup="dialog" aria-label="Share link: Troubleshooting Authorization"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3> <h4 id="permission-denied-errors" class="position-relative d-flex align-items-center group"> <span>Permission Denied Errors</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="permission-denied-errors" aria-haspopup="dialog" aria-label="Share link: Permission Denied Errors"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span 
class="py">Check</span><span class="w"> </span><span class="py">user</span><span class="err">&#39;</span><span class="py">s</span><span class="w"> </span><span class="py">current</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">current_user</span><span class="p">()</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">effective</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">including</span><span class="w"> </span><span class="py">inheritance</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">EFFECTIVE</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">deny</span><span class="w"> </span><span class="py">rules</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span 
class="err">*</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">privileges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">grantee</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">(</span><span class="py">SELECT</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_members</span><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">member</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">&#39;</span><span class="py">alice</span><span class="err">&#39;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">is_deny</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h4 id="debugging-authorization" class="position-relative d-flex align-items-center group"> <span>Debugging Authorization</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="debugging-authorization" aria-haspopup="dialog" aria-label="Share link: Debugging Authorization"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code 
class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Enable verbose authorization logging</span> </span></span><span class="line"><span class="cl">geode serve --authorization-debug<span class="o">=</span><span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Log shows:</span> </span></span><span class="line"><span class="cl"><span class="c1"># [AUTH] User alice checking SELECT on :Customer</span> </span></span><span class="line"><span class="cl"><span class="c1"># [AUTH] Found grant via role analyst</span> </span></span><span class="line"><span class="cl"><span class="c1"># [AUTH] No deny rules match</span> </span></span><span class="line"><span class="cl"><span class="c1"># [AUTH] Authorization: ALLOW</span> </span></span></code></pre></div> <h4 id="common-issues" class="position-relative d-flex align-items-center group"> <span>Common Issues</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="common-issues" aria-haspopup="dialog" aria-label="Share link: Common Issues"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><ol> <li><strong>Inherited deny blocking access</strong>: Check parent roles for deny rules</li> <li><strong>Missing role assignment</strong>: Verify user has required roles</li> <li><strong>Property-level deny</strong>: Check for property restrictions</li> <li><strong>Graph-level restriction</strong>: Verify graph access before label access</li> </ol> <h3 id="authorization-patterns" class="position-relative d-flex align-items-center group"> <span>Authorization Patterns</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 
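" hidden></button></h3>
<p>As an added example, not Geode's own code: the Python model below encodes the rules this page describes (grants to roles, nested role membership, deny overriding grant, graph access required before label access, property-level deny) and reproduces each entry of the Common Issues list above as a traced decision in the style of the <code>[AUTH]</code> debug log. The catalog, the parent role <code>staff</code>, the property <code>ssn</code> and the trace wording are constructed assumptions, not Geode's actual resolution order.</p>

```python
"""Added example, not Geode's code: a model of how the rules on this page combine
(grants to roles, nested role membership, deny beating grant, graph access before label
access, property-level deny), traced like the [AUTH] debug log. All data is constructed."""
from dataclasses import dataclass
from typing import Optional


def object_name(graph, label=None, prop=None):
    """Render an object the way the GRANT/DENY statements above name it."""
    if label is None:
        return f"GRAPH {graph}"
    return f":{label}" + (f".{prop}" if prop else "")


@dataclass(frozen=True)
class Rule:
    grantee: str                 # user or role the rule is granted to
    privilege: str               # SELECT, INSERT, UPDATE, DELETE, ...
    graph: str                   # graph the object lives in
    label: Optional[str] = None  # None = graph-level rule (ON GRAPH g)
    prop: Optional[str] = None   # None = whole label
    is_deny: bool = False        # DENY instead of GRANT

    def covers(self, graph, label, prop):
        """True when the rule applies to the requested object (same level or broader)."""
        if self.graph != graph:
            return False
        if self.label is not None and self.label != label:
            return False
        if self.prop is not None and self.prop != prop:
            # A property deny also blocks reading the whole label (fail closed); a property grant never widens.
            return self.is_deny and prop is None
        return True

    def scope(self):
        return object_name(self.graph, self.label, self.prop)


class Catalog:
    def __init__(self, rules, role_members):
        self.rules = list(rules)
        # member (user or role) -> roles granted to it; roles may be nested
        self.role_members = {m: set(r) for m, r in role_members.items()}

    def principals(self, user):
        """The user plus every role reachable through nested membership."""
        seen, stack = set(), [user]
        while stack:
            p = stack.pop()
            if p not in seen:
                seen.add(p)
                stack.extend(self.role_members.get(p, ()))
        return seen

    def authorize(self, user, privilege, graph, label=None, prop=None):
        """Return (decision, trace); each early exit is one entry of the Common Issues list."""
        target = object_name(graph, label, prop)
        trace = [f"[AUTH] User {user} checking {privilege} on {target}"]
        mine = [r for r in self.rules if r.grantee in self.principals(user)]
        via = lambda r: "directly" if r.grantee == user else f"via role {r.grantee}"

        def done(decision, *lines):
            return decision, trace + list(lines) + [f"[AUTH] Authorization: {decision}"]

        # Issue 2 (missing role assignment): some grant must cover the object.
        grants = [r for r in mine if not r.is_deny and r.privilege == privilege
                  and r.covers(graph, label, prop)]
        if not grants:
            return done("DENY", f"[AUTH] No grant for {privilege} on {target} (check role assignments)")
        trace.append(f"[AUTH] Found grant {via(grants[0])} ({grants[0].scope()})")

        # Issue 4 (graph-level restriction): a label grant needs graph access first.
        if label is not None and not any(r.graph == graph and r.label is None and not r.is_deny
                                         for r in mine):
            return done("DENY", f"[AUTH] No graph-level grant on {graph}; label grants are ineffective")

        # Issues 1 and 3 (inherited deny, property-level deny): any covering deny wins.
        denies = [r for r in mine if r.is_deny and r.privilege == privilege
                  and r.covers(graph, label, prop)]
        if denies:
            return done("DENY", f"[AUTH] Deny rule matches {via(denies[0])} ({denies[0].scope()})")
        return done("ALLOW", "[AUTH] No deny rules match")


# Constructed catalog mirroring the statements on this page, plus a parent role "staff".
CATALOG = Catalog(
    rules=[
        Rule("analyst", "SELECT", "company"),                                       # GRANT SELECT ON GRAPH company
        Rule("analyst", "SELECT", "company", "Salary", is_deny=True),               # DENY SELECT ON :Salary
        Rule("staff", "SELECT", "company", "ExecutiveCompensation", is_deny=True),  # deny on a parent role
        Rule("hr", "SELECT", "company", "Employee", "ssn", is_deny=True),           # property-level deny
        Rule("report_viewer", "SELECT", "reports", "Report"),                       # label grant, no graph grant
    ],
    role_members={"alice": {"analyst", "hr"}, "analyst": {"staff"}, "carol": {"report_viewer"}},
)

if __name__ == "__main__":  # one trace per entry of the Common Issues list
    for req in [("alice", "SELECT", "company", "ExecutiveCompensation"),  # 1. inherited deny
                ("bob", "SELECT", "company", "Customer"),                 # 2. missing role assignment
                ("alice", "SELECT", "company", "Employee", "ssn"),        # 3. property-level deny
                ("carol", "SELECT", "reports", "Report")]:                # 4. graph-level restriction
        print("\n".join(CATALOG.authorize(*req)[1]), "\n")
```

<p>Running the file prints one trace per common issue; treating a property-level deny as blocking a whole-label read is the model's own fail-closed choice and is worth confirming against the server's behaviour.</p>
<h3 hidden><button type="button" class="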
transition-all ms-1" data-share-target="authorization-patterns" aria-haspopup="dialog" aria-label="Share link: Authorization Patterns"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3> <h4 id="multi-tenant-authorization" class="position-relative d-flex align-items-center group"> <span>Multi-Tenant Authorization</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="multi-tenant-authorization" aria-haspopup="dialog" aria-label="Share link: Multi-Tenant Authorization"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Isolate</span><span class="w"> </span><span class="py">tenant</span><span class="w"> </span><span class="py">data</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="err">*</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nc">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">application</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span 
class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">&#39;</span><span class="py">tenant_id</span><span class="err">&#39;</span><span class="p">))</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Tenant</span><span class="w"> </span><span class="py">admins</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">own</span><span class="w"> </span><span class="py">tenant</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_admin_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">User</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">tenant_admin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span 
class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">&#39;</span><span class="py">tenant_id</span><span class="err">&#39;</span><span class="p">))</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <p>Both policies stand or fall on <code>current_user_property('tenant_id')</code> being populated server-side from the authenticated session; if an application can set that property from a request parameter, any tenant that guesses another tenant's identifier bypasses the isolation. Because <code>tenant_isolation</code> is declared <code>FOR ALL</code>, also confirm that the predicate constrains writes, so a tenant cannot create or re-label nodes with another tenant's <code>tenant_id</code>, rather than only filtering what it reads.</p> <h4 id="hierarchical-data-access" class="position-relative d-flex align-items-center group"> <span>Hierarchical Data Access</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hierarchical-data-access" aria-haspopup="dialog" aria-label="Share link: Hierarchical Data Access"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Manager</span><span class="w"> </span><span class="py">sees</span><span class="w"> </span><span class="py">direct</span><span class="w"> </span><span class="py">reports</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">manager_sees_reports</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">manager</span><span class="w"> 
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">manager_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">&#39;</span><span class="py">employee_id</span><span class="err">&#39;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">employee_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">&#39;</span><span class="py">employee_id</span><span class="err">&#39;</span><span class="p">))</span><span class="err">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Executive</span><span class="w"> </span><span class="py">sees</span><span class="w"> </span><span class="py">entire</span><span class="w"> </span><span class="py">organization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">executive</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <h4 id="time-limited-access" class="position-relative d-flex align-items-center group"> <span>Time-Limited Access</span> <button type="button" 
class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="time-limited-access" aria-haspopup="dialog" aria-label="Share link: Time-Limited Access"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Temporary</span><span class="w"> </span><span class="py">elevated</span><span class="w"> </span><span class="py">access</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">AuditData</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">auditor</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">VALID</span><span class="w"> </span><span class="py">UNTIL</span><span class="w"> </span><span class="err">&#39;</span><span class="py">2026</span><span class="err">-</span><span class="py">03</span><span class="err">-</span><span class="py">31</span><span class="err">&#39;;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Audit</span><span class="err">-</span><span class="py">period</span><span class="w"> </span><span class="py">access</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span 
class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">audit_window</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">FinancialRecord</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">auditor</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">record_date</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="err">&#39;</span><span class="py">2025</span><span class="err">-</span><span class="py">01</span><span class="err">-</span><span class="py">01</span><span class="err">&#39;</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="err">&#39;</span><span class="py">2025</span><span class="err">-</span><span class="py">12</span><span class="err">-</span><span class="py">31</span><span class="err">&#39;</span><span class="p">)</span><span class="err">;</span><span class="w"> </span></span></span></code></pre></div> <p>A date-only literal such as <code>'2026-03-31'</code> leaves open whether the grant lapses at the start or the end of that day, and in which time zone; confirm the server's interpretation, or give a full timestamp, before relying on the expiry for a compliance deadline. The two clauses are independent controls: <code>VALID UNTIL</code> bounds when the auditor may read at all, while <code>audit_window</code> bounds which records are visible by their <code>record_date</code>, so an expired grant hides everything and an in-date grant still shows only the 2025 records.</p> <h3 id="related-topics" class="position-relative d-flex align-items-center group"> <span>Related Topics</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="related-topics" aria-haspopup="dialog" aria-label="Share link: Related Topics"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> 
</h3><ul> <li><a href="/tags/rbac/" >Role-Based Access Control</a> - RBAC implementation details</li> <li><a href="/tags/rls/" >Row-Level Security</a> - Fine-grained row-level access policies</li> <li><a href="/tags/authentication/" >Authentication</a> - User identity verification</li> <li><a href="/tags/audit-logging/" >Audit Logging</a> - Tracking authorization decisions</li> <li><a href="/tags/compliance/" >Compliance</a> - Regulatory compliance requirements</li> <li><a href="/tags/security/" >Security</a> - Security overview and best practices</li> </ul> <h3 id="further-reading" class="position-relative d-flex align-items-center group"> <span>Further Reading</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="further-reading" aria-haspopup="dialog" aria-label="Share link: Further Reading"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3><ul> <li><a href="/docs/architecture/security-architecture/" >Security Architecture</a> - Deep dive into security design</li> <li><a href="/docs/security/authorization/" >Authorization Best Practices</a> - Production deployment guide</li> <li><a href="/docs/security/session-management/" >Session Management</a> - Session and context security</li> <li>Enterprise Security Whitepaper - Comprehensive security documentation</li> </ul>
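<p>The Common Issues list and the three patterns above describe one decision procedure: check graph access, resolve the user's roles including inherited ones, look for a live grant or policy, let any matching deny rule win, then pass rows through the <code>USING</code> predicate. The Python below is an added model of that procedure over constructed data; it is not Geode's code. The role hierarchy (<code>senior_analyst</code> inheriting <code>analyst</code> and <code>contractor</code>), the sample nodes, and three semantics the page does not spell out (a <code>VALID UNTIL</code> date is inclusive of that day, several matching policies combine permissively, and the <code>USING</code> predicate also screens rows a write would touch) are assumptions to verify against a real server.</p>

```python
"""Model of the authorization decision this page describes: role inheritance, deny precedence,
graph access before label access, time-limited grants and row-level USING predicates, run over
constructed data. This is an added illustration, not Geode's implementation."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Callable

@dataclass
class Rule:
    action: str                        # "SELECT", "INSERT", ... or "ALL"
    label: str                         # ":Customer" or ":*" (any label)
    role: str
    valid_until: date | None = None    # GRANT ... VALID UNTIL; assumed inclusive of that day
    using: Callable[[dict, dict], bool] | None = None   # POLICY USING (row, user props); None = plain GRANT

@dataclass
class User:
    name: str
    roles: set[str]
    graphs: set[str]                   # graphs the user may open at all
    properties: dict                   # what current_user_property() reads; set server-side, never by the client

@dataclass
class AuthzModel:
    parents: dict[str, set[str]]       # role -> roles it inherits from
    grants: list[Rule]
    denies: list[Rule]

    def effective_roles(self, user: User) -> set[str]:
        seen, stack = set(), list(user.roles)          # direct roles plus inherited ones, transitively
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.parents.get(role, ()))
        return seen

    def authorize(self, user, action, label, graph, rows, today):
        """Return (visible rows, trace); the trace mirrors the [AUTH] debug lines above."""
        trace = [f"User {user.name} checking {action} on {label}"]
        if graph not in user.graphs:                   # graph-level restriction is checked first
            return [], trace + [f"Graph {graph} not accessible", "Authorization: DENY"]
        roles = self.effective_roles(user)
        applies = lambda r: r.role in roles and r.action in (action, "ALL") and r.label in (label, ":*")
        matched = [g for g in self.grants if applies(g)]
        live = [g for g in matched if g.valid_until is None or today <= g.valid_until]
        if not live:
            return [], trace + ["Grant expired" if matched else "No grant found", "Authorization: DENY"]
        trace.append("Found grant via role " + ", ".join(sorted({g.role for g in live})))
        denied = [d for d in self.denies if applies(d)]
        if denied:                                     # an inherited deny beats every grant
            return [], trace + [f"Deny rule matched via role {denied[0].role}", "Authorization: DENY"]
        trace += ["No deny rules match", "Authorization: ALLOW"]
        if any(g.using is None for g in live):         # a plain GRANT carries no row filter
            return list(rows), trace
        # Assumptions: several policies combine permissively (a row passes if any does),
        # and USING is applied to the rows a write would touch, not only to reads.
        return [r for r in rows if any(g.using(r, user.properties) for g in live)], trace

def build_model() -> AuthzModel:
    """The page's patterns as rules, plus a constructed role hierarchy that inherits a deny."""
    def same_tenant(row, me):                          # a missing tenant_id must never match anything
        return me.get("tenant_id") is not None and row.get("tenant_id") == me.get("tenant_id")
    def reports(row, me):                              # direct reports and self; NULL never matches
        mine = me.get("employee_id")
        return mine is not None and mine in (row.get("manager_id"), row.get("employee_id"))
    return AuthzModel(
        parents={"senior_analyst": {"analyst", "contractor"}},
        grants=[Rule("SELECT", ":Customer", "analyst"),
                Rule("SELECT", ":AuditData", "auditor", valid_until=date(2026, 3, 31)),
                Rule("SELECT", ":Employee", "executive"),
                Rule("ALL", ":*", "application", using=same_tenant),    # tenant_isolation
                Rule("SELECT", ":Employee", "manager", using=reports)],  # manager_sees_reports
        denies=[Rule("SELECT", ":Customer", "contractor")])

CUSTOMERS = [{"id": 1, "tenant_id": "t1"}, {"id": 2, "tenant_id": "t2"}, {"id": 3, "tenant_id": "t1"}]  # constructed
EMPLOYEES = [{"employee_id": "e1", "manager_id": None}, {"employee_id": "e2", "manager_id": "e1"},
             {"employee_id": "e3", "manager_id": "e2"}]   # constructed; e3 is a skip-level report of e1

def run_scenarios(today: date = date(2026, 3, 31)) -> dict:
    m = build_model()
    alice = User("alice", {"analyst"}, {"main"}, {})
    bob = User("bob", {"senior_analyst"}, {"main"}, {})            # inherits contractor's deny
    carol = User("carol", {"auditor"}, {"main"}, {})
    app_t1 = User("app_t1", {"application"}, {"main"}, {"tenant_id": "t1"})
    eve = User("eve", {"manager"}, {"main"}, {"employee_id": "e1"})
    ids = lambda rows, key: [r[key] for r in rows]
    return {
        "alice": m.authorize(alice, "SELECT", ":Customer", "main", CUSTOMERS, today)[1],
        "bob": m.authorize(bob, "SELECT", ":Customer", "main", CUSTOMERS, today)[1],
        "wrong_graph": m.authorize(alice, "SELECT", ":Customer", "other", CUSTOMERS, today)[1][-2],
        "audit_last_day": len(m.authorize(carol, "SELECT", ":AuditData", "main", [{"k": 1}], today)[0]),
        "audit_expired": m.authorize(carol, "SELECT", ":AuditData", "main", [{"k": 1}], date(2026, 4, 1))[1][-2],
        "tenant_rows": ids(m.authorize(app_t1, "SELECT", ":Customer", "main", CUSTOMERS, today)[0], "id"),
        "cross_tenant_insert": len(m.authorize(app_t1, "INSERT", ":Customer", "main", [{"id": 9, "tenant_id": "t2"}], today)[0]),
        "manager_rows": ids(m.authorize(eve, "SELECT", ":Employee", "main", EMPLOYEES, today)[0], "employee_id"),
    }
```

<p>Calling <code>run_scenarios()</code> reproduces the <code>[AUTH]</code> trace for <code>alice</code>, shows <code>bob</code> denied through a parent role's deny rule, rejects the wrong graph before any label check, expires the auditor grant on 2026-04-01, confines <code>app_t1</code> to tenant <code>t1</code> for both a read and a cross-tenant insert, and shows the manager policy returning direct reports only (<code>e3</code>, the skip-level report, is excluded). The predicates deliberately refuse to match when the user property is missing, the equivalent of SQL NULL semantics, so a session without a <code>tenant_id</code> sees nothing rather than everything.</p>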
