Cosmos DB Graph attribute based access control

Sharat Koya 1 Reputation point
2021-08-09T18:00:38.907+00:00

Is it possible to force Cosmos DB Graph APIs (Gremlin) and others to check for attributes on vertices and edges such that we can use it as an attribute-based permissioning model?

Azure Cosmos DB
An Azure NoSQL database service for app development.

2 answers

  1. Oury Ba-MSFT 18,021 Reputation points Microsoft Employee
    2021-08-13T20:21:46.153+00:00

    Hi @Sharat Koya, schema validation is not supported yet, but you can use ChangeFeed to handle the validation post facto (after the write).

    Regards,
    Oury

  2. Sharat Koya 1 Reputation point
    2021-08-16T07:59:42.89+00:00

    Hi, attribute-based access control is not the same as schema validation.

    Let's say a node or edge on the graph contains a property that states "superAccessOnly".
    When a user logs in to make a query via Gremlin, if the user's AAD token/principal contains the value "superAccessOnly", then any nodes or edges with this property will be returned. Users without "superAccessOnly" will not see, be able to navigate, or get to the properties of the nodes or edges, i.e. something on the Gremlin server side filters them out so that the client application/Gremlin API user will never see them. This is a common technique to limit access to data at a very fine-grained level. I don't think Gremlin/CosmosDB has such a feature?
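
The filtering model described in the last post, as an added example that is not part of the thread and does not use any Cosmos DB or Gremlin API: an in-memory graph where hidden elements are neither returned nor traversable. The `acl` property key, the sample graph and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed sample graph. An element may carry an "acl" property (assumed
# name) naming the attribute a caller must hold in order to see it.
VERTICES = {
    "alice":   {"label": "person"},
    "payroll": {"label": "system", "acl": "superAccessOnly"},
    "wiki":    {"label": "system"},
    "ledger":  {"label": "dataset"},
}
EDGES = [
    {"out": "alice",   "in": "wiki",    "label": "uses"},
    {"out": "alice",   "in": "payroll", "label": "uses"},
    {"out": "payroll", "in": "ledger",  "label": "reads"},
    {"out": "wiki",    "in": "ledger",  "label": "links", "acl": "superAccessOnly"},
]

def allowed(element, claims):
    """Visible if the element has no acl property or the caller holds it."""
    required = element.get("acl")
    return required is None or required in claims

def out_neighbors(vertex_id, claims):
    """Follow only edges and target vertices the caller is allowed to see."""
    for edge in EDGES:
        if edge["out"] != vertex_id or not allowed(edge, claims):
            continue
        if allowed(VERTICES[edge["in"]], claims):
            yield edge["in"]

def reachable(start, claims):
    """Breadth-first traversal that never passes through a hidden element."""
    claims = frozenset(claims)
    if start not in VERTICES or not allowed(VERTICES[start], claims):
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in out_neighbors(queue.popleft(), claims):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def properties(vertex_id, claims):
    """Return properties only for visible vertices; hidden ones look absent."""
    vertex = VERTICES.get(vertex_id)
    return dict(vertex) if vertex and allowed(vertex, claims) else None
```

Note that `ledger` carries no restriction of its own, yet a caller without the attribute cannot reach it, because every path to it passes through a restricted vertex or edge.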