Updated on 2024-01-03 GMT+08:00

Configuring Granular Permissions

GES graph instances support granular permission control. You can set the traverse, read, and write permissions for specific properties of specific labels. You are allowed to manage these permissions of a specific label or property of a graph and grant them to a user group.

  • This function allows you to set granular permissions for graphs of version 2.2.21 or later. You can upgrade a graph of an earlier version to 2.2.21 or a later version and then set granular permissions.
  • Configuring fine-grained permissions for the graph requires IAM user viewing permissions and GES Manager or higher permissions. If there is no IAM user viewing permission, refer to User Details to import IAM users.

Procedure

  1. Before setting granular permissions, configure the user group first. For details, see Configuring a User Group.
  2. In the navigation pane, choose Granular Permissions > Permission Configuration.
  3. On the Permission Configuration page, you can view the graph name, permission status, enabling time, and operations that can be performed on a graph in the Running status.
    1. Only graphs in the Running status are displayed on this page.
    2. You can set permissions only when its status is Disabled.
    3. You can search for graphs by their names in the upper right corner of the page.
  4. Select the graph for which you want to set permission and click Set in the Operation column. The Set Permission page is displayed. You can create metadata permissions and granular permissions on this page.
  5. Click Create under Metadata Write Permission to create permission. After the metadata write permission is created, all labels of the metadata can be modified.
  6. Click Create Policy under Granular Permission Policy to set granular permissions for a graph. You can set label- and property-level graph permissions and grant them to user groups.
    • Policy Name: You can set a name or use the default name.
    • View: You can configure permissions in form or code view.
    • Permissions: You can select labels whose traversal permission will be granted to a certain group of users. You can set read and write permissions of the label properties.

      To use the Cypher query function, you need to configure the metadata permission and select the read and write permissions for all labels (including the default label __DEFAULT__) when configuring the graph permission.

  7. Click Save. The Set Permission page is displayed. You can view the created permission policy in the Granular Permission Policy pane.

    In this case, the Associate User Group in the Operation column is unavailable. You need to enable granular permissions before associating the policy with a user group.

  8. Click Enable Permissions in the upper right corner of the page to enable fine-grained permissions for the graph. Alternatively, you can return to the Permission Configuration page, locate the graph for which the fine-grained permission has been set, and click Enable in the Operation column. The permission status changes to Enabled.
  9. Click Set in the Operation column to associate the created granular permission with a user group.
  10. Click OK. On the Granular Permission Policy pane, you can view the number of users who have been granted the permission.