Updated on 2024-01-04 GMT+08:00

Authorization

Function

GES graph instances support granular permission control. The granularity is refined to the traverse, read, and write permissions set for specific properties of specific labels. The following table describes the GES granular permission control data model. This API is used to grant permissions to a user.

Access | Operation | Object | Graph Instance | Application Scope | Scenario
Grant/Revoke | traverse | LABEL (* indicates all labels) | Single | - | Vertex: external IDs and label names of vertices can be accessed. Edge: the edge ID and label name can be accessed when both of its vertices have the traverse permission.
Grant/Revoke | read | PROPERTY (separate multiple values with commas (,)) | Single | Label name (* indicates all labels) | The traverse permission is required.
Grant/Revoke | write | PROPERTY (separate multiple values with commas (,)) | Single | Label name (* indicates all labels) | The traverse permission is required.
Grant/Revoke | schema | GRAPH | Single | graph | Metadata management (modifying property names, clearing schemas, and importing schemas)

  • The granular permission control APIs are available only when RBAC is enabled for the created graph instance. For details, see Creating a Graph. You need to add the enableRBAC parameter and set it to true when you call the graph creation API.
  • To authorize granular permission, you must be a . To call the granular permission APIs, the token obtained for accessing a domain is required.
  • Users with the traverse permission can view all vertices and edges with the same label, but cannot view the properties of these vertices and edges.

URI

  • URI format
    POST /ges/v1.0/{project_id}/graphs/{graph_name}/rbac/action?action_id=grant
  • Parameter description
    Table 1 URI parameter description

    Parameter | Mandatory | Type | Description
    project_id | Yes | String | Project ID. For details about how to obtain the project ID, see Obtaining a Project ID.
    graph_name | Yes | String | Graph name

Request

  • Request example
    POST http://{SERVER_URL}/ges/v1.0/{project_id}/graphs/{graph_name}/rbac/action?action_id=grant
    {
        "userId": "test1",
        "acl": [{
            "type": "read",
            "detail": [{
                "label": "person",
                "properties": ["crime", "Occupation"]
            }, {
                "label": "inmate"
            }]
        }, {
            "type": "write",
            "detail": [{
                "label": "person",
                "properties": ["crime", "Occupation"]
            }, {
                "label": "inmate"
            }, {
                "label": "Leader"
            }, {
                "label": "Friend"
            }, {
                "label": "Colleague"
            }, {
                "label": "QQGroup"
            }, {
                "label": "QQ_owner"
            }, {
                "label": "QQ"
            }, {
                "label": "phone"
            }, {
                "label": "Phone_owner"
            }]
        }, {
            "type": "traverse",
            "detail": [{
                "label": "person"
            }, {
                "label": "inmate"
            }, {
                "label": "Leader"
            }, {
                "label": "Friend"
            }, {
                "label": "Colleague"
            }]
        }]
    }

    SERVER_URL: Address for accessing a graph. For details about its value, see Using Service Plane APIs.

  • Request body parameter description
    Table 2 Request body parameter description

    Parameter | Mandatory | Type | Description
    graph_name | Yes | String | Graph name
    userId | Yes | String | ID of the authorized user.
    acl | Yes | JsonArray | Authorization details
    type | Yes | String | Permission type. The value can be read, write, traverse, or schema.
    detail | Yes | JsonArray | Permission details
    label | Yes | String | Label name
    properties | No | List | Properties
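
The following is an added example, not GES client code or code from this page: it builds a grant body with the structure of Table 2, lints it against the constraints this page states (the four permission types, mandatory userId/acl/label, properties only on read and write, read and write requiring traverse on the same label), and prepares the POST to the URI above. The X-Auth-Token header name and the placeholder server URL, project ID, graph name and token are assumptions; the page only says a domain-scoped token is required.

```python
"""Added example (not GES's own client code): build, lint and prepare a GES RBAC grant request."""
import json
import urllib.request

PERMISSION_TYPES = {"read", "write", "traverse", "schema"}
# In the data model only read and write act on PROPERTY objects;
# traverse acts on LABEL and schema on GRAPH, so "properties" has no meaning there.
PROPERTY_SCOPED_TYPES = {"read", "write"}


def acl_entry(perm_type, labels, properties=None):
    """Build one element of the "acl" array.

    properties maps a label to the property names to grant; a label absent from it
    gets a detail item without a "properties" key, as the page's example does for "inmate".
    """
    properties = properties or {}
    detail = []
    for label in labels:
        item = {"label": label}
        if label in properties:
            item["properties"] = list(properties[label])
        detail.append(item)
    return {"type": perm_type, "detail": detail}


def lint_grant_body(body):
    """Check a grant body before sending it. Returns (errors, warnings).

    errors:   mandatory parameters missing or the documented data model violated
    warnings: read or write granted on a label that gets no traverse grant in this
              request. Read and write require traverse, so this is fine only if the
              user already holds traverse on that label, which the body cannot tell us.
    """
    errors, warnings = [], []
    if not body.get("userId"):
        errors.append("userId is mandatory")
    acl = body.get("acl")
    if not acl:
        # The page's failure example for this case: HTTP 400, GES.8503 "grant acl is null"
        errors.append("acl is mandatory and must not be empty")
        return errors, warnings
    traversable = set()
    for entry in acl:
        if entry.get("type") == "traverse":
            traversable.update(d.get("label") for d in entry.get("detail", []))
    for entry in acl:
        perm = entry.get("type")
        if perm not in PERMISSION_TYPES:
            errors.append(f"unknown permission type {perm!r}")
            continue
        for item in entry.get("detail", []):
            label = item.get("label")
            if not label:
                errors.append(f"{perm}: every detail item needs a label")
                continue
            if "properties" in item and perm not in PROPERTY_SCOPED_TYPES:
                errors.append(f"{perm} on {label!r}: properties apply only to read and write")
            if perm in PROPERTY_SCOPED_TYPES and label not in traversable and "*" not in traversable:
                warnings.append(f"{perm} on {label!r}: no traverse grant for this label in this request")
    return errors, warnings


def grant_request(server_url, project_id, graph_name, token, body):
    """Prepare (without sending) the POST for the grant API.

    The X-Auth-Token header name is an assumption; the page only says the
    token obtained for accessing a domain is required.
    """
    url = f"{server_url}/ges/v1.0/{project_id}/graphs/{graph_name}/rbac/action?action_id=grant"
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json", "X-Auth-Token": token},
    )


# The page's own request example, rebuilt with acl_entry().
EXAMPLE_BODY = {
    "userId": "test1",
    "acl": [
        acl_entry("read", ["person", "inmate"], {"person": ["crime", "Occupation"]}),
        acl_entry("write", ["person", "inmate", "Leader", "Friend", "Colleague", "QQGroup",
                            "QQ_owner", "QQ", "phone", "Phone_owner"],
                  {"person": ["crime", "Occupation"]}),
        acl_entry("traverse", ["person", "inmate", "Leader", "Friend", "Colleague"]),
    ],
}

if __name__ == "__main__":
    errs, warns = lint_grant_body(EXAMPLE_BODY)
    print("errors:", errs)
    print("warnings:", warns)  # the five write-only labels (QQGroup ... Phone_owner) get no traverse here
    # Placeholder values; urllib.request.urlopen(req) would send the request.
    req = grant_request("http://SERVER_URL_PLACEHOLDER", "PROJECT_ID", "GRAPH_NAME", "TOKEN", EXAMPLE_BODY)
    print(req.get_method(), req.full_url)
```

Run against the page's example, the linter reports no errors but warns that write is granted on QQGroup, QQ_owner, QQ, phone and Phone_owner without a traverse grant in the same request; that is only valid if test1 already holds traverse on those labels, which is worth confirming before relying on the grant.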

Response

  • Parameter description
    Table 3 Parameter description

    Parameter | Mandatory | Type | Description
    errorMessage | No | String | System prompt. If execution succeeds, this parameter may be left blank. If execution fails, this parameter is used to display the error message.
    errorCode | No | String | System prompt. If execution succeeds, this parameter may be left blank. If execution fails, this parameter is used to display the error code.

  • Response example (successful request)
    Http Status Code: 200
  • Response example (failed request)
    Http Status Code: 400
    {
        "errorMessage": "grant acl is null",
        "errorCode": "GES.8503"
    }

Status Code

Response Code | Description
400 Bad Request | Request error.
401 Unauthorized | Authentication failed.
403 Forbidden | No operation permission.
404 Not Found | The requested resource was not found.
500 Internal Server Error | Internal service error.
503 Service Unavailable | Service unavailable.

Error Code

See Error Code.