Authorization

Authorization is the process of mapping a user to a set of specific permissions. GraphDB implements Spring security for authorization. Spring security acts as an interceptor and filter. Each permission, therefore, can be treated as a set of intercepted urls that are grouped logically for ease of visualization.

User roles and permissions

GraphDB implements the minimal Role Based Access Control (RBAC1) model with role hierarchy support. The model defines 4 entities:

  • User - every user regardless if it is a anonymous or authenticated user;

  • Session - the current session connections; every session always works in the context of a specific user;

  • Roles - a group of permissions associated with a role; the roles may be organized in hierarchies i.e. Admin role give you all other roles without explicitly defining them;

  • Permission - gives rights to execute a specific operation.

The roles defined in GraphDB security model follow a hierarchy:

Role name

Associated permissions

Admin

Perform any server operations i.e. the security never rejects an operation

Repo Manager

Full read and write permissions to all repositories.

User

Can save SPARQL queries, graph visualizations or user specific server side settings (“Setup” > “My settings”)

Each user may only be either a regular user, an admin or a repository manager. However, users can have multiple READ/WRITE roles.

Permissions

User

Repo Manager

Admin

Granted read access to a repository

yes

yes

yes

Granted read/write access to a repository

yes

yes

yes

Read and write all repositories

no

yes

yes

Create, edit and delete repositories

no

yes

yes

Access monitoring

no

yes

yes

Manage Connectors

no

yes

yes

Manage Users and Access

no

no

yes

Manage the cluster

no

no

yes

Attach remote locations

no

no

yes

View system information

no

no

yes

Built-in users and roles

GraphDB has three special internal users that cannot be deleted and are needed for the functioning of the database.

User name

Enabled by default

Associated roles

Description

Admin

yes

ROLE_ADMIN

Default username and password in the local security database. Requires HTTP basic authentication.

<cluster user>

yes

ROLE_CLUSTER READ_REPO_* WRITE_REPO_*

The communication mechanisms in the cluster, where every request is signed with a special header “Authorization: GDB-Signature token”

<free access user>

no

none

The default user associated with anonymous user if anonymous access is enabled