Access control: Managing groups
Role-based access control
Linkurious Enterprise relies on a role-based access control model:
- Users are associated with one or multiple roles (called "groups" in Linkurious Enterprise).
- Each group has a set of access-rights.
- A user's access-rights are the combination of their groups' access-rights.
- Groups are assigned to users at the data-source level. For example, if a user has 'read only' access on Datasource A, it does not necessarily mean that they have access to Datasource B. For the user to have access to Datasource B, they must be assigned to a group on that data-source.
Group management page
This page is accessed via Admin > Users & Groups in the main menu.
This page lists:
- Built-in groups: these groups are pre-defined when installing Linkurious Enterprise (they are listed after Custom groups).
- Custom groups: these groups are created by the Administrators.
Group management operations available to the Administrators are the following:
- Create a custom group.
- Edit a custom group.
- Delete a custom group.
Built-in groups rights
- Admin: Users in this group have all possible rights on all the sources, including adding and deleting users, managing groups, and adding or removing data-sources.
- Source Manager: Users in this group have administration rights on the current source, including adding and editing users and managing groups, as well as all possible rights on the data (Read/Edit/Delete).
- Read/Edit/Delete: Users in this group have all possible rights on the data (Read/Edit/Delete nodes, edges and properties), as well as the ability to create new alerts, custom actions and read/write queries.
- Read/Edit: Users in this group cannot delete existing nodes and edges. They can process alerts, create custom actions and write queries.
- Read And Run Queries: Users in this group can display and explore existing nodes and edges. They can also run queries and custom actions.
- Read Only: Users in this group can display and explore existing nodes and edges.
Creating a group
Creating a group is a 2-step process:
- "General & Admin rights": define access-rights on the features.
- "Access-rights": define access-rights on the data.
General & Admin rights
Features access-rights description
Queries access-rights
- No access: the user group cannot execute queries (and cannot create them).
- Can run queries: the user group can execute read and write queries that were shared with it, but cannot create them.
- Can create read-only queries and run queries:
  - The user group can create queries that cannot alter the data in the database.
  - The user group can execute read and write queries that it created or that were shared with it.
- Can create read/write queries and run queries:
  - The user group can create queries that can read from the database or write to the database.
  - The user group can execute read and write queries that it created or that were shared with it.
Write queries are identified by keywords in their code:
- Cypher: SET, CREATE, MERGE, DELETE, REMOVE, FOREACH, LOAD, DROP, CALL
- Gremlin: addProperty, property, addE, addV, drop, remove, clear
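The following is an added example, not Linkurious Enterprise code: a pre-review classifier that applies the keyword lists above to a set of shared queries. It assumes Cypher keywords match case-insensitively as whole words and Gremlin keywords match as step names followed by "("; the product's own matching may differ. Under that assumption, a read-only CALL or a keyword inside a string literal is also classified as a write query.

```python
import re

# Keyword lists copied from this page.
CYPHER_WRITE = ["SET", "CREATE", "MERGE", "DELETE", "REMOVE", "FOREACH", "LOAD", "DROP", "CALL"]
GREMLIN_WRITE = ["addProperty", "property", "addE", "addV", "drop", "remove", "clear"]

# Assumption (not documented on this page): Cypher keywords are matched
# case-insensitively as whole words; Gremlin keywords are matched
# case-sensitively as step names immediately followed by "(".
_CYPHER_RE = re.compile(r"\b(" + "|".join(CYPHER_WRITE) + r")\b", re.IGNORECASE)
_GREMLIN_RE = re.compile(r"\b(" + "|".join(GREMLIN_WRITE) + r")\s*\(")


def write_keywords(dialect, query):
    """Return the sorted write keywords found in `query`; an empty list means read."""
    if dialect == "cypher":
        return sorted({m.upper() for m in _CYPHER_RE.findall(query)})
    if dialect == "gremlin":
        return sorted(set(_GREMLIN_RE.findall(query)))
    raise ValueError(f"unknown dialect: {dialect}")


def audit(queries):
    """Map each query name to 'write' or 'read' for a review of shared queries."""
    return {name: ("write" if write_keywords(d, q) else "read") for name, d, q in queries}


# Constructed sample queries (name, dialect, code).
SAMPLE = [
    ("neighbors", "cypher", "MATCH (n)-[r]-(m) WHERE id(n) = 1 RETURN n, r, m"),
    ("flag", "cypher", "MATCH (n:Person) WHERE id(n) = 1 SET n.flagged = true RETURN n"),
    ("labels", "cypher", "CALL db.labels() YIELD label RETURN label"),
    ("literal", "cypher", "MATCH (n) WHERE n.note = 'please delete' RETURN n"),
    ("people", "gremlin", "g.V().hasLabel('person').values('name')"),
    ("add", "gremlin", "g.addV('person').property('name', 'x')"),
]

if __name__ == "__main__":
    for name, kind in audit(SAMPLE).items():
        print(f"{name}: {kind}")
```

Queries reported as "write" are the ones to check before sharing them with a group limited to running queries, since that level can still execute shared write queries.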
Custom actions access-rights
- No access: the user group cannot execute custom actions (and cannot create them).
- Can run custom actions: the user group can execute custom actions that were shared with it, but cannot create them.
- Can create and run custom actions:
  - The user group can create custom actions.
  - The user group can execute custom actions that were shared with it.
Alert access-rights
- No access: the user group cannot access the Alerts (and cannot create them).
- Process alerts: the user group can access the Alerts and process the cases, but cannot create new Alerts.
- Create and process alerts: the user group can process existing Alerts and can create new Alerts.
IMPORTANT
Please note that users who don't have access to specific node categories and/or edge types (see Queries access rights) can still create/access queries that return such information and display it in the case columns/attributes. They will not see the nodes and/or edges in the visualization/case view, but the data will still be displayed in the alert columns.
Admin access-rights
Users and groups
- Manage users & groups: the user group can create and edit users and manage groups and their permissions.
Data-source
- Manage data-source schema: the user group can enrich and edit the schema, and switch to strict-mode.
- Manage data-source default styles: the user group can change the default styles that are applied to all new visualizations across users.
- Re-index the data-source: the user group can launch a re-index of the database. If handled without care, re-indexing might overload the database as indexing is a costly process.
- Re-connect the data-source: the user group can initiate a connection sequence when the connection has been interrupted.
Resource management
- Manage spaces: the user group can create, edit, and delete spaces.
Access-rights with multiple groups
For users that belong to multiple groups, access-rights are cumulative. In other words, a user can do something if at least one of their groups allows them to do it.
For example, if a user belongs to 2 groups, one having No access and the other Process Alerts for the Alert rights, then they have the right to Process Alerts because one of their groups allows them to do so.
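The cumulative rule, combined with the per-data-source scoping of groups described earlier, can be checked with a small model. This is an added example, not Linkurious Enterprise code or its API: the data structures and capability names are hypothetical, and only the three feature access-rights are modeled.

```python
# Capabilities granted by each access-right level, derived from the level
# descriptions on this page. Capability names are illustrative assumptions.
LEVELS = {
    "queries": {
        "No access": set(),
        "Can run queries": {"run"},
        "Can create read-only queries and run queries": {"run", "create_read"},
        "Can create read/write queries and run queries": {"run", "create_read", "create_write"},
    },
    "custom_actions": {
        "No access": set(),
        "Can run custom actions": {"run"},
        "Can create and run custom actions": {"run", "create"},
    },
    "alerts": {
        "No access": set(),
        "Process alerts": {"process"},
        "Create and process alerts": {"process", "create"},
    },
}


def effective_rights(groups, datasource):
    """Union the capabilities of every group the user holds on `datasource`.

    `groups` is a list of {"datasource": str, "rights": {feature: level}}.
    Groups defined on other data-sources contribute nothing.
    """
    result = {feature: set() for feature in LEVELS}
    for group in groups:
        if group["datasource"] != datasource:
            continue
        for feature, level in group["rights"].items():
            result[feature] |= LEVELS[feature][level]
    return result


def can(groups, datasource, feature, capability):
    """True if at least one of the user's groups on `datasource` allows it."""
    return capability in effective_rights(groups, datasource)[feature]


# Constructed sample: one user with two groups on A and one group on B.
USER_GROUPS = [
    {"datasource": "A", "rights": {"alerts": "No access", "queries": "Can run queries"}},
    {"datasource": "A", "rights": {"alerts": "Process alerts", "queries": "No access"}},
    {"datasource": "B", "rights": {"alerts": "Create and process alerts"}},
]
```

Because rights only accumulate, a restrictive group never removes what another group grants; reviewing a user's access means reviewing every group they hold on that data-source.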
Access-rights on the data
There are 2 available options. You can read about them in their dedicated sections:
- Standard access-rights: the default option, access-rights are defined at the node category / edge type level.
- Property-level access-rights: offers, on top of standard access-rights, the ability to tune access-rights at the property-level.