Efficient Authorization of Graph-database Queries in an Attribute-supporting ReBAC Model
ACM Transactions on Privacy and Security (IF 2.3), Pub Date: 2020-07-06, DOI: 10.1145/3401027
Syed Zain Raza Rizvi, Philip W. L. Fong

Neo4j is a popular graph database that is offered in two versions: an enterprise edition and a community edition. The enterprise edition offers customizable Role-based Access Control through custom-developed procedures, while the community edition offers no access control support. Being a graph database, Neo4j appears to be a natural setting for Relationship-Based Access Control (ReBAC), an access control paradigm in which authorization decisions are based on the relationships between subjects and resources in the system (i.e., an authorization graph). In this article, we present AReBAC, an attribute-supporting ReBAC model for Neo4j that provides finer-grained access control by protecting resources rather than procedures. AReBAC employs Nano-Cypher, a declarative policy language based on Neo4j's Cypher query language, which allows us to weave database queries together with access control policies and evaluate both simultaneously. Evaluating the combined query and policy produces a result that (i) matches the search criteria and (ii) contains only resources the requesting subject is authorized to access. AReBAC is accompanied by the algorithms, and their implementation, needed to realize these ideas, including GP-Eval, a query evaluation algorithm. We also introduce Live-End Backjumping (LBJ), a backtracking scheme that provides a significant performance boost over conflict-directed backjumping when evaluating queries. As demonstrated in our previous work, the original version of GP-Eval already performs significantly faster than Neo4j's Cypher evaluation engine. The optimized version of GP-Eval, which employs LBJ, improves performance further, demonstrating the effectiveness of the technique.
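The following is an added illustration of the central idea in the abstract, weaving a graph query with a relationship-based policy and evaluating both as a single pattern; it is not code from the paper, it does not use Nano-Cypher syntax, and its matcher is a plain backtracking search, not GP-Eval or LBJ. The authorization graph, the `MEMBER_OF`/`OWNS` labels, the node names and the clause format are all constructed for this example. The policy is expressed in the same pattern language as the query and shares the variable `d`, so concatenating the two clause lists yields one pattern whose matches are exactly the documents that both satisfy the search and are reachable from the requester; a search-then-filter variant is included only as a cross-check that the woven evaluation returns the same set.

```python
# Added illustration (not the paper's code): weave a graph query with a
# ReBAC policy and evaluate both as ONE graph pattern over an in-memory
# graph. Node names, edge labels and the sample graph are constructed.

# Constructed authorization graph: node attributes and labelled edges.
NODES = {
    "alice": {"type": "User"},
    "bob":   {"type": "User"},
    "teamA": {"type": "Team"},
    "teamB": {"type": "Team"},
    "d1":    {"type": "Document", "topic": "audit"},
    "d2":    {"type": "Document", "topic": "audit"},
    "d3":    {"type": "Document", "topic": "hr"},
}
EDGES = [
    ("alice", "MEMBER_OF", "teamA"),
    ("bob",   "MEMBER_OF", "teamB"),
    ("teamA", "OWNS", "d1"),
    ("teamB", "OWNS", "d2"),
    ("teamA", "OWNS", "d3"),
]

# A pattern is a list of clauses over variables (format is this example's own):
#   ("bind", var, node)        var must denote this concrete node
#   ("attr", var, key, value)  the node bound to var has attribute key == value
#   ("edge", a, label, b)      an edge a -[label]-> b exists in the graph


def evaluate(pattern, env=None):
    """Backtracking matcher: yield every variable binding (dict) that
    satisfies all clauses. Clauses are tried left to right; when a clause
    cannot be satisfied the generator simply returns, which backtracks to
    the previous choice point."""
    env = dict(env or {})
    if not pattern:
        yield env
        return
    clause, rest = pattern[0], pattern[1:]
    kind = clause[0]
    if kind == "bind":
        _, var, node = clause
        if env.get(var, node) == node:
            yield from evaluate(rest, {**env, var: node})
    elif kind == "attr":
        _, var, key, value = clause
        candidates = [env[var]] if var in env else list(NODES)
        for node in candidates:
            if NODES[node].get(key) == value:
                yield from evaluate(rest, {**env, var: node})
    elif kind == "edge":
        _, a, label, b = clause
        for src, lbl, dst in EDGES:
            if lbl == label and env.get(a, src) == src and env.get(b, dst) == dst:
                yield from evaluate(rest, {**env, a: src, b: dst})
    else:
        raise ValueError(f"unknown clause {clause!r}")


# The search the user asked for: every document about "audit".
QUERY = [("attr", "d", "type", "Document"), ("attr", "d", "topic", "audit")]


def policy(requester):
    """ReBAC policy as a graph pattern: the requester u may read d when
    some team u is a member of owns d. Shares the variable d with QUERY."""
    return [("bind", "u", requester),
            ("edge", "u", "MEMBER_OF", "t"),
            ("edge", "t", "OWNS", "d")]


def authorized_search(requester, query=QUERY):
    """Weave policy and query into one pattern and evaluate it once.
    Policy clauses come first so u is bound immediately and d is only ever
    drawn from resources the requester can actually reach."""
    woven = policy(requester) + query
    return sorted({env["d"] for env in evaluate(woven)})


def search_then_filter(requester, query=QUERY):
    """Reference implementation: run the query unrestricted, then test the
    policy against each hit. Must agree with authorized_search."""
    hits = {env["d"] for env in evaluate(query)}
    return sorted(d for d in hits
                  if next(evaluate(policy(requester), {"d": d}), None) is not None)


if __name__ == "__main__":
    for who in ("alice", "bob", "mallory"):
        print(who, authorized_search(who), search_then_filter(who))
```

Running the module prints one line per requester: alice sees only `d1` (her team also owns `d3`, but it fails the topic criterion), bob sees only `d2`, and an unknown requester sees nothing because the `bind` clause leaves no `MEMBER_OF` edge to follow. Putting the policy clauses ahead of the query clauses is a simple ordering choice that prunes unreachable resources early; the paper's GP-Eval and LBJ optimizations are separate techniques not reproduced here.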

Updated: 2020-07-06