Authorization
Authorization is the process of mapping a user to a set of specific permissions. GraphDB uses Spring Security for authorization. Spring Security acts as an interceptor and filter, so each permission can be treated as a set of intercepted URLs that are grouped logically for ease of visualization.
User roles and permissions
GraphDB implements the minimal Role Based Access Control model with role hierarchy support (RBAC1). The model defines four entities:
- User - every user, regardless of whether it is an anonymous or an authenticated user;
- Session - the current session connections; every session always works in the context of a specific user;
- Role - a group of permissions associated with a role; roles may be organized in hierarchies, i.e. the Admin role gives you all other roles without explicitly defining them;
- Permission - the right to execute a specific operation.
The roles defined in the GraphDB security model follow a hierarchy:
| Role name | Associated permissions |
|---|---|
| Admin | Perform any server operation, i.e. security never rejects an operation |
| Repo Manager | Full read and write permissions to all repositories |
| User | Can save SPARQL queries, graph visualizations or user-specific server-side settings ("Setup" > "My settings") |
Each user may be only one of the three: a regular user, an admin, or a repository manager. However, a user can hold multiple READ/WRITE repository roles.
| Permission | User | Repo Manager | Admin |
|---|---|---|---|
| Granted read access to a repository | yes | yes | yes |
| Granted read/write access to a repository | yes | yes | yes |
| Read and write all repositories | no | yes | yes |
| Create, edit and delete repositories | no | yes | yes |
| Access monitoring | no | yes | yes |
| Manage connectors | no | yes | yes |
| Manage users and access | no | no | yes |
| Manage the cluster | no | no | yes |
| Attach remote locations | no | no | yes |
| View system information | no | no | yes |
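The entity model, role hierarchy and permission table above can be expressed as a small policy engine. The following is an added example written for this page, not GraphDB's own Spring Security configuration: it resolves the transitive role hierarchy (Admin implies Repo Manager implies User), answers permission checks from the table, honours the per-repository READ_REPO_<name>/WRITE_REPO_<name> roles and the `*` wildcard the cluster user carries, and maps requests to permissions through an intercept table in the spirit of the "intercepted URLs" described at the top. The permission names, the `/example/...` paths and the treatment of write access as including read are assumptions made for the model and are labelled as such in the code.

```python
"""Model of the RBAC1 (role hierarchy) policy described on the page.
Constructed illustration; not GraphDB's actual Spring Security setup."""
import re
from typing import Dict, FrozenSet, Iterable, Optional, Set

# Role hierarchy: each role implies the roles listed for it, transitively.
# Mirrors the page's statement that Admin gives you all other roles.
ROLE_HIERARCHY: Dict[str, Set[str]] = {
    "ROLE_ADMIN": {"ROLE_REPO_MANAGER"},
    "ROLE_REPO_MANAGER": {"ROLE_USER"},
    "ROLE_USER": set(),
    "ROLE_CLUSTER": set(),
}

# Non-repository permissions from the page's table, keyed to the lowest role
# that grants them; higher roles inherit through ROLE_HIERARCHY.
# The permission identifiers are constructed for this example.
PERMISSION_ROLE: Dict[str, str] = {
    "manage_repositories": "ROLE_REPO_MANAGER",
    "access_monitoring": "ROLE_REPO_MANAGER",
    "manage_connectors": "ROLE_REPO_MANAGER",
    "manage_users": "ROLE_ADMIN",
    "manage_cluster": "ROLE_ADMIN",
    "attach_remote_locations": "ROLE_ADMIN",
    "view_system_information": "ROLE_ADMIN",
}


def expand_roles(granted: Iterable[str]) -> FrozenSet[str]:
    """Transitive closure of the granted roles under ROLE_HIERARCHY."""
    closure: Set[str] = set()
    pending = list(granted)
    while pending:
        role = pending.pop()
        if role in closure:
            continue
        closure.add(role)
        pending.extend(ROLE_HIERARCHY.get(role, ()))
    return frozenset(closure)


def _has_repo_role(roles: FrozenSet[str], prefix: str, repo: str) -> bool:
    """PREFIX<repo> directly, or the PREFIX* wildcard the cluster user holds."""
    return f"{prefix}{repo}" in roles or f"{prefix}*" in roles


def is_allowed(granted: Iterable[str], permission: str,
               repo: Optional[str] = None) -> bool:
    """Decide a single access request; unknown permissions are denied."""
    roles = expand_roles(granted)
    if permission in ("read_repo", "write_repo"):
        if "ROLE_REPO_MANAGER" in roles:
            return True  # "Read and write all repositories" row of the table
        if repo is None:
            return False  # repository permissions need a concrete repository
        if permission == "write_repo":
            return _has_repo_role(roles, "WRITE_REPO_", repo)
        # Assumption of this model: read/write access to a repository includes read.
        return (_has_repo_role(roles, "READ_REPO_", repo)
                or _has_repo_role(roles, "WRITE_REPO_", repo))
    required = PERMISSION_ROLE.get(permission)
    return required is not None and required in roles


# Hypothetical intercept table in the style of Spring Security URL rules.
# The /example/... paths are placeholders, not GraphDB endpoints.
INTERCEPT_RULES = [
    (re.compile(r"^GET /example/repositories/(?P<repo>[^/]+)(/.*)?$"), "read_repo"),
    (re.compile(r"^(POST|PUT|DELETE) /example/repositories/(?P<repo>[^/]+)(/.*)?$"),
     "write_repo"),
    (re.compile(r"^[A-Z]+ /example/security/users(/.*)?$"), "manage_users"),
]


def authorize_request(granted: Iterable[str], method: str, path: str) -> bool:
    """Map a request to a permission via the intercept table, then decide.
    A request matching no rule is denied rather than allowed to fall through."""
    request = f"{method} {path}"
    for pattern, permission in INTERCEPT_RULES:
        match = pattern.match(request)
        if match:
            return is_allowed(granted, permission, match.groupdict().get("repo"))
    return False


if __name__ == "__main__":
    reader = {"ROLE_USER", "READ_REPO_news"}  # constructed sample principal
    print(authorize_request(reader, "GET", "/example/repositories/news/statements"))
    print(authorize_request(reader, "POST", "/example/repositories/news/statements"))
    print(authorize_request({"ROLE_ADMIN"}, "DELETE", "/example/security/users/bob"))
```

Two details worth noting: the decision falls back to deny both for an unknown permission and for a request that matches no intercept rule, and the cluster user's `READ_REPO_*`/`WRITE_REPO_*` roles are handled as an explicit wildcard rather than by giving that user a management role, which keeps the hierarchy table the single place where role inheritance is defined.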
Built-in users and roles
GraphDB has three special internal users that cannot be deleted and are needed for the functioning of the database.
| User name | Enabled by default | Associated roles | Description |
|---|---|---|---|
| Admin | yes | ROLE_ADMIN | Default username and password in the local security database. Requires HTTP basic authentication. |
| <cluster user> | yes | ROLE_CLUSTER, READ_REPO_*, WRITE_REPO_* | Used by the communication mechanisms in the cluster, where every request is signed with a special header "Authorization: GDB-Signature token" |
| <free access user> | no | none | The default user associated with the anonymous user if anonymous access is enabled |