Updated on 2024-06-17 GMT+08:00

Configuring Granular Permissions

GES graph instances support granular permission control. You can set the traverse, read, and write permissions for specific properties of specific labels. You are allowed to manage these permissions of a specific label or property of a graph and grant them to a user group.

  • This function allows you to set granular permissions for memory edition graphs of version 2.2.21 or later and database edition graphs of version 2.4.0 or later. You can upgrade a graph of an earlier version to 2.2.21 or a later version and then set granular permissions.
  • Configuring fine-grained permissions for the graph requires IAM user viewing permissions and GES Manager or higher permissions. If there is no IAM user viewing permission, refer to User Details to import IAM users.

Procedure

  1. Before setting granular permissions, configure the user group first. For details, see Configuring a User Group.
  2. In the navigation pane, choose Granular Permissions > Permission Configuration.
  3. On the Permission Configuration page, you can view the graph name, permission status, latest enabling time, and operations that can be performed on a graph in the Running state.
    Figure 1 Configuring granular permissions
    1. Only graphs in the Running status are displayed on this page.
    2. You can search for graphs by their names in the upper right corner of the page.
  4. Select the graph for which you want to set permission and click Set in the Operation column. The Set Permission page is displayed. You can create metadata permissions and granular permissions on this page.
    Figure 2 Setting permissions
  5. Click Create under Metadata Write Permission to create permission. After the metadata write permission is created, all labels of the metadata can be modified.
    Figure 3 Creating permission
  6. Click Create Policy under Granular Permission Policy to set granular permissions for a graph. You can set label- and property-level graph permissions and grant them to user groups.
    • Policy Name: You can set a name or use the default name.
    • View: You can configure permissions in form or code view.
    • Permissions: You can select labels whose traversal permission will be granted to a certain group of users. You can set read and write permissions of the label properties.

      To use the Cypher query function, you need to configure the metadata permission and select the read and write permissions for all labels (including the default label __DEFAULT__) when configuring the graph permission.

      Figure 4 Configuring permissions
  7. Click Save. The Set Permission page is displayed. You can view the created permission policy in the Granular Permission Policy pane.
    Figure 5 Created policies
  8. Click Set in the Operation column to associate the created granular permission with a user group.
    Figure 6 Associating with a user group
  9. Click OK. On the Granular Permission Policy pane, you can view the number of users who have been granted the permission.
    Figure 7 Users granted the permission