All versions of this manual
X
Welcome to Linkurious administration manual v4.1.1. Use the menu to access other documentations.
  1. Introduction
  2. FAQ
  3. Getting started
    1. Version support policy
    2. Release notes
    3. Client requirements
    4. Graph DB Feature Map
  4. Deploying on premise
    1. Technical requirements
    2. Downloading
    3. Installing
    4. Starting Linkurious
    5. Stopping Linkurious
  5. Configuring
  6. Troubleshooting
    1. Checking Linkurious status
    2. Reading the logs
    3. Getting support
    4. Managing licenses
    5. Vulnerabilities
  7. Importing graph data
    1. Neo4j
    2. Memgraph
    3. Amazon Neptune
    4. Cosmos DB
    5. Updating your graph data
  8. Updating Linkurious
    1. Checking for updates
    2. Backing up your data
    3. Update procedure
  9. Configuring data-sources
    1. Neo4j
    2. Amazon Neptune
    3. Memgraph
    4. Cosmos DB
    5. Alternative IDs
    6. Merging data-sources
    7. Advanced settings
  10. Resource management
    1. Managing spaces
  11. Search index
    1. Search Option Comparison
    2. Neo4j Search
    3. Elasticsearch
    4. OpenSearch for Amazon Neptune
    5. Azure Search
    6. Incremental Indexing
    7. Numerical/Date search
  12. User-data store
    1. Migrating to an external database
    2. Backing-up your store
  13. Web server
  14. Authentication
    1. Getting started
    2. LDAP / Active Directory
    3. SSO with Azure AD
    4. SSO with Google
    5. SSO with OpenID Connect
    6. SSO with SAML2 / ADFS
    7. Configuration
  15. Access control
    1. Managing users
    2. Managing groups
    3. Standard access-rights
    4. Property-key access-rights
  16. Guest mode
    1. Guest mode
  17. Data Schema
    1. Property types
    2. Hiding data
    3. Strict mode
  18. Alerts
    1. Configuration
  19. Email Notifications
    1. Configuration
  20. Visualizations appearance
    1. Default styles
    2. Default captions
    3. Default properties order
    4. Geographic tiles
  21. Audit trail
    1. Log format
  22. Webhooks
  23. Observability
  24. Plugins
  25. Deep link
 

Access control: Managing groups

Role-based access control

Linkurious Enterprise relies on a role-based access control model:

  • Users are associated with one or multiple roles (called "groups" in Linkurious Enterprise).
  • Each group has a set of access-rights.
  • A user's access-rights are the combination of their groups' access-rights.
  • Groups assigned to users in Linkurious Enterprise are on a datasource level. For example, if a user can 'read only' on Datasource A it does not necessarily mean that they have access on Datasource B. For the user to have access on datasource B, they would have to be assigned to any group on that datasource.

Group management page

This page is accessed via Admin > Users & Groups in the main menu.

This page lists:

  • Built-in groups: these groups are pre-defined when installing Linkurious Enterprise (they are listed after Custom groups).
  • Custom groups: these groups are created by the Administrators.

Group management operations available to the Administrators are the following:

  • Create a custom group.
  • Edit a custom group.
  • Delete a custom group.

Listing groups

Built-in groups rights

Built-in group Description
Admin User in this group can manage all datasources, users and groups. They have the ability to create, read, edit and delete nodes and edges. They can also manage all spaces, alerts, and grouping rules, as well as queries and custom actions that are not private.
Source Manager User in this group can manage this datasource and its users and groups. They have the ability to create, read, edit and delete nodes and edges. They can also manage all spaces, alerts, and grouping rules, as well as queries and custom actions that are not private.
Read/Edit/Delete User in this group has the ability to read, edit, and delete nodes, edges, and properties. They can also create new alerts, queries, custom actions and node grouping rules.
Read/Edit User in this group has the ability to read and edit existing nodes and edges, but not to delete them. They can also process alerts, create read-only queries, custom actions and node grouping rules.
Read And Run Queries User in this group has the ability to display and explore existing nodes and edges. They can also process alerts, queries, custom actions and apply node grouping rules.
Read Only User in this group can only view and explore existing nodes and edges.

Creating a group

Creating a group is a 2-step process:

  1. "General & Admin rights": define access-rights on the features.
  2. "Access-rights": define access-rights on the data.

Editing a group

General & Admin rights

Features access-rights description

Queries access-rights

  • No access: the user group cannot execute queries (and cannot create them).
  • Can run queries: the user group can execute read and write queries it was shared with, but cannot create them.
  • Can create read-only queries and run queries:
    • The user group can create queries that cannot alter the data in the database.
    • The user group can execute read and write queries it created, or it was shared with.
  • Can create read/write queries and run queries:
    • The user group can create queries that can read from database or write in the database.
    • The user group can execute read and write queries it created, or it was shared with.
  • Can manage, create read/write queries and run queries:
    • The user group can manage (edit or delete) any non-private query (shared with the source or at least 1 group).
    • The user group can create queries that can read from database or write in the database.
    • The user group can execute read and write queries it created, or it was shared with.

      Write queries are identified by keywords in their code:

      • Cypher: SET, CREATE, MERGE, DELETE, REMOVE, FOREACH, LOAD, DROP, CALL
      • Gremlin: addProperty, property, addE, addV, drop, remove, clear

Custom actions access-rights

  • No access: the user group cannot execute custom actions (and cannot create them).
  • Can run custom actions: the user group can execute custom action it was shared with but cannot create them.
  • Can create and run custom actions:
    • The user group can create custom actions.
    • The user group can execute custom actions it was shared with.
  • Can manage, create and run custom actions:
    • The user group can manage (edit or delete) any non-private custom action (shared with the source or at least 1 group).
    • The user group can create custom actions.
    • The user group can execute custom actions it was shared with.

Node grouping access-rights

  • No access: the user group cannot enable a group rule, they can see in their visualization groups from group rules activated by another user.
  • Can apply node grouping rule: the user group can apply node grouping rules they have access to.
  • Can create and apply node grouping rules:
    • The user group can create node grouping rules.
    • The user group can apply node grouping rules in visualizations.
  • Can manage, create and apply node grouping rules:
    • The user group can manage (edit or delete) any node grouping rules.
    • The user group can create node grouping rules.
    • The user group can apply node grouping rules in visualizations.

Alert access-rights

  • No access: The user group cannot access the Alerts (and cannot create them).
  • Process alerts: The user group can access the Alerts, process the cases but cannot create new Alerts.
  • Create and process alerts:
    • The user group can create new Alerts.
    • The user group can process existing Alerts.
  • Can manage, create and process alerts:
    • The user group can manage (edit or delete) any Alerts (private, shared with the source or at least 1 group).
    • The user group can create new Alerts.
    • The user group can process existing Alerts.

IMPORTANT

Please note that users who don’t have access to specific node categories and/ or edge types (see Queries access rights) can still create/access queries that return such information and display it in the case columns/attributes. They will not see the node and/ or edges in the visualization/case view but the data will still be displayed in the alert columns.


Admin access-rights

Users and groups

  • Manage users & groups: the user group can create and edit users and manage groups and their permissions.

Data-source

  • Manage data-source schema: the user group can enrich and edit the schema, and to switch to strict-mode.
  • Manage data-source default styles: the user group can change the default styles that are applied to all new visualizations across users.
  • Re-index the data-source: the user group can launch a re-index of the database. If handled without care, re-indexing might overload the database as indexing is a costly process.
  • Re-connect the data-source: the user group can initiate a connection sequence when the connection has been interrupted.

Resource management

  • Manage spaces: the user group can create, edit, and delete spaces.

Access-rights with multiple groups

For users that belong to multiple groups, access-rights are cumulative. In other words, a user can do something if at least one of their groups allows them to do it.

For example if user belongs to 2 groups: one having No access and the other Process Alerts for the Alert rights, then they have the right to Process Alerts because one of their groups allows them to do so.

Access-rights on the data

There are 2 available options. You can read about them in their dedicated sections: