ABAC #2728
Draft
ABAC #2728
+207
−4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
HannesSandberg
added
team-cypher-operations
phil198
reviewed
Dec 30, 2025
| [[attribute-based-access-control]] | ||
| = Attribute-based access control | ||
|
|
||
| Attribute-based access control, ABAC grants roles based on the evaluation of attributes (or claims) contained in a user's authentication token. |
Contributor
There was a problem hiding this comment.
Suggested change
| Attribute-based access control, ABAC grants roles based on the evaluation of attributes (or claims) contained in a user's authentication token. | |
| Attribute-based access control (ABAC) grants roles based on the evaluation of attributes (or claims) contained in a user's authentication token. |
We could subsequently use "ABAC" throughout?
Contributor
Author
There was a problem hiding this comment.
hmm, do we want to? Yes, if we want people to call it ABAC. No if we want to be clear and use the full name (I hate to stop reading and look up what an acronym stands for).
Contributor
There was a problem hiding this comment.
yes perhaps I am thinking more of how easy it is to keep writing, rather than the readers experience. It would not hurt at all to leave it as Attribute-based access control. I had a look and this is also more consistent with what we do for the other *BACs 😄
Contributor
Author
There was a problem hiding this comment.
do we write it out for the other ones?
| Use the following steps to set up attribute-based access control: | ||
|
|
||
| 1. Enable attribute-based access control in the `neo4j.conf` file by setting the `internal.dbms.feature_flag.attribute_based_access_control` setting to `true`. | ||
| 2. Specify which OIDC provider will be used for attribute-based access control by setting the `internal.dbms.security.abac_enabled_authorization_providers` setting to the appropriate providers. |
Contributor
There was a problem hiding this comment.
Suggested change
| 2. Specify which OIDC provider will be used for attribute-based access control by setting the `internal.dbms.security.abac_enabled_authorization_providers` setting to the appropriate providers. | |
| 2. Specify which OIDC provider(s) will be used for attribute-based access control by setting the `internal.dbms.security.abac_enabled_authorization_providers` setting to the appropriate providers. |
|
|
||
| [NOTE] | ||
| ==== | ||
| No roles with associated deny privileges can be assigned using attribute-based access control. |
Contributor
There was a problem hiding this comment.
Suggested change
| No roles with associated deny privileges can be assigned using attribute-based access control. | |
| No roles with associated deny privileges can be assigned using attribute-based access control. This is to ensure that if a role is unexpectedly not fulfilled (e.g. because a claim is missing from the users auth token) then there can never be an escalation of privileges, only ever a reduction. |
| == Caveats and limitations | ||
|
|
||
| * When evaluating `abac.oidc.user_attribute('<claim_key>')`, if the claim does not exist in the authentication token, it will evaluate to `NULL`. | ||
| * Newly created auth rules are not applied to existing user sessions. Users must re-authenticate to have the new rules applied. |
Contributor
There was a problem hiding this comment.
Suggested change
| * Newly created auth rules are not applied to existing user sessions. Users must re-authenticate to have the new rules applied. | |
| * Newly created auth rules are applied to existing user sessions, but will only have access to the user claims which had rules containing them at the start of the session. So only user claims which are used in pre-existing auth rules at the start of a session are retained. Users must re-authenticate to have new rules applied if the new rules use new claims. |
Contributor
Author
There was a problem hiding this comment.
Applied this, but removed the "So" from " So only user claims..."
| * When evaluating `abac.oidc.user_attribute('<claim_key>')`, if the claim does not exist in the authentication token, it will evaluate to `NULL`. | ||
| * Newly created auth rules are not applied to existing user sessions. Users must re-authenticate to have the new rules applied. | ||
| * Attribute-based access control is only supported for OIDC authentication providers. | ||
| * For troubleshooting ABAC evaluation, enable debug logging for the security log and turn on JWT claims logging at debug level in `neo4j.conf`: `dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled=true` |
Contributor
There was a problem hiding this comment.
Suggested change
| * For troubleshooting ABAC evaluation, enable debug logging for the security log and turn on JWT claims logging at debug level in `neo4j.conf`: `dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled=true` | |
| * For troubleshooting ABAC evaluation, enable debug logging for the security log and debug log, and turn on JWT claims logging at debug level in `neo4j.conf`: `dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled=true` |
modules/ROOT/pages/authentication-authorization/attribute-based-access-control.adoc
Show resolved
Hide resolved
Collaborator
|
This PR includes documentation updates New pages: Updated pages: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.