Cosmos DB Graph attribute based access control

Sharat Koya 6 Reputation points
2021-08-09T18:00:38.907+00:00

Is it possible to force Cosmos DB Graph APIs (Gremlin) and others to check for attributes on vertices and edges such that we can use it as an attribute-based permissioning model?

Azure Cosmos DB

2 answers

  1. Oury Ba-MSFT 19,996 Reputation points Microsoft Employee
    2021-08-13T20:21:46.153+00:00

    Hi @Sharat Koya, schema validation is not supported yet, but you can use ChangeFeed to handle the validation post facto (after the write).

    Regards,
    Oury


  2. Sharat Koya 6 Reputation points
    2021-08-16T07:59:42.89+00:00

    Hi, attribute-based access control is not the same as schema validation.

    Let's say a node or edge on the graph contains a property that states "superAccessOnly".
    When a user logs in to make a query via Gremlin, if the user's AAD token/principal contains the value "superAccessOnly" then any nodes or edges with this property will return. Users without "superAccessOnly" will not see, be able to navigate or get to the properties of the nodes or edges, i.e. something on the Gremlin server side filters them out so that the client application/Gremlin API user will never see them. This is a common technique to limit access to data at a very fine-grained level. I don't think Gremlin/CosmosDB has such a feature?
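
The filtering behaviour described in the post above, modelled on a small in-memory graph as an added example; it is not part of the original thread and does not use the Gremlin or Cosmos DB APIs. The `access` property name, the sample graph and the function names are assumptions, and the caller's claims are assumed to come from an already validated token.

```python
from collections import deque

# Constructed sample graph. "access" is a hypothetical property name holding
# the label a caller must present; elements without it are public.
VERTICES = {
    "alice":   {"type": "person"},
    "payroll": {"type": "doc", "access": "superAccessOnly"},
    "wiki":    {"type": "doc"},
    "audit":   {"type": "doc"},
}
EDGES = [
    {"src": "alice", "dst": "wiki", "label": "reads"},
    {"src": "alice", "dst": "payroll", "label": "reads"},
    {"src": "wiki", "dst": "audit", "label": "links", "access": "superAccessOnly"},
]

def visible(props, claims):
    """An element is visible if it has no access label or the caller holds it."""
    required = props.get("access")
    return required is None or required in claims

def out_edges(vertex_id, claims):
    """Edges a caller may traverse: the edge and both endpoints must be visible."""
    for e in EDGES:
        if (e["src"] == vertex_id and visible(e, claims)
                and visible(VERTICES[e["src"]], claims)
                and visible(VERTICES[e["dst"]], claims)):
            yield e

def get_vertex(vertex_id, claims):
    """Return properties, or None so hidden and missing ids look the same."""
    props = VERTICES.get(vertex_id)
    if props is None or not visible(props, claims):
        return None
    return dict(props)

def reachable(start, claims):
    """Breadth-first traversal that never steps onto or across hidden elements."""
    if get_vertex(start, claims) is None:
        return []
    seen, queue = {start}, deque([start])
    while queue:
        for e in out_edges(queue.popleft(), claims):
            if e["dst"] not in seen:
                seen.add(e["dst"])
                queue.append(e["dst"])
    return sorted(seen)
```

The check has to run in a tier the client cannot bypass; a caller holding direct database credentials would still see every element.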

