Access to a graph is restricted by access control for the database objects that make up the graph. Access restrictions are set using the confidentiality management feature of Fujitsu Enterprise Postgres. Since graphs have a one-to-one correspondence with schema objects, you can allow or deny access to a graph by specifying access rights for that schema using the confidentiality management feature as follows:
1. Refer to "Confidentiality Management" in the Security Operations Guide to define the confidentiality management role, confidentiality matrix, confidentiality level, and confidentiality group.

2. Grant the confidentiality privilege on the schema to the confidentiality group.

   SELECT pgx_grant_confidential_privilege('rag_matrix', 'level1', 'group1', '{"schema":["USAGE"]}');

3. Add the schema corresponding to the graph as a confidentiality object to the confidentiality level.

   SELECT pgx_add_object_to_confidential_level('rag_matrix', 'level1', '[{ "type":"schema", "object":[ { "schema":"new_graph" } ] }]');

4. Add the roles that should have access to the graph to the confidentiality group you created.

   SELECT pgx_add_role_to_confidential_group('rag_matrix', 'group1', '["rag_user"]');
If you want to set fine-grained access privileges, such as allowing only searches of graphs but not updating them, you can use SQL statements to directly set access privileges for database objects such as the tables that make up the graph.
The privileges required to access a graph are as follows:

Privileges required to create a graph
- CREATE privilege for the database

Privileges required to create and delete new nodes and edges
- CREATE and USAGE privileges for the schema with the same name as the graph name
- When adding a node, ownership of the _ag_label_vertex table under the schema with the same name as the graph name
- When adding an edge, ownership of the _ag_label_edge table under the schema with the same name as the graph name
- UPDATE privilege for _label_id_seq under the schema with the same name as the graph name

Privileges required to create and delete nodes and edges that use existing labels
- USAGE privilege for the schema with the same name as the graph name
- When adding a node, the following privileges under the schema with the same name as the graph name:
  - INSERT (create), SELECT, and UPDATE (delete) privileges for the _ag_label_vertex table or the table with the same name as the label to be added
  - USAGE privilege for the _ag_label_vertex_id_seq sequence or the sequence with the same name as the label to be added
- When adding an edge, the following privileges under the schema with the same name as the graph name:
  - INSERT (create), SELECT, and UPDATE (delete) privileges for the _ag_label_edge table or the table with the same name as the label to be added
  - USAGE privilege for the _ag_label_edge_id_seq sequence or the sequence with the same name as the label to be added

Privileges required to search graphs
- USAGE privilege for the ag_catalog schema
- USAGE privilege for the schema with the same name as the graph name
- SELECT privilege for the table objects in the schema with the same name as the graph name
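As an added example (not taken from the Fujitsu manual), the following SQL grants a role search-only access to the graph new_graph from the steps above, using exactly the privileges listed under "Privileges required to search graphs", and then verifies the result with PostgreSQL's has_schema_privilege and has_table_privilege functions. The role names rag_reader and graph_owner are assumptions.

```sql
-- Added example: search-only access to graph "new_graph".
-- rag_reader (the reader) and graph_owner (the role that creates labels) are assumed names.
CREATE ROLE rag_reader LOGIN;

-- Searching requires USAGE on ag_catalog and on the schema named after the graph.
GRANT USAGE ON SCHEMA ag_catalog TO rag_reader;
GRANT USAGE ON SCHEMA new_graph TO rag_reader;

-- Read access to every label table currently under the graph schema
-- (_ag_label_vertex, _ag_label_edge and any label-specific tables).
GRANT SELECT ON ALL TABLES IN SCHEMA new_graph TO rag_reader;

-- A label added later is a new table under the schema, so it would fall
-- outside the grant above; set a read-only default for tables graph_owner
-- creates there.
ALTER DEFAULT PRIVILEGES FOR ROLE graph_owner IN SCHEMA new_graph
    GRANT SELECT ON TABLES TO rag_reader;

-- Deliberately not granted: INSERT/UPDATE on the label tables, USAGE on the
-- *_id_seq sequences, and CREATE on the schema. Without them rag_reader can
-- run searches but cannot create or delete nodes and edges.

-- Verify the effective privileges before handing the role out:
-- the first two and the SELECT check should return true, the rest false.
SELECT has_schema_privilege('rag_reader', 'ag_catalog', 'USAGE')                  AS catalog_usage,
       has_schema_privilege('rag_reader', 'new_graph', 'USAGE')                   AS graph_usage,
       has_table_privilege('rag_reader', 'new_graph._ag_label_vertex', 'SELECT')  AS vertex_select,
       has_schema_privilege('rag_reader', 'new_graph', 'CREATE')                  AS graph_create,
       has_table_privilege('rag_reader', 'new_graph._ag_label_vertex', 'INSERT')  AS vertex_insert,
       has_table_privilege('rag_reader', 'new_graph._ag_label_edge', 'UPDATE')    AS edge_update;
```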
Information
Graph data structures do not have the concept of rows and columns, so PostgreSQL's row-level security and column-based access control features cannot be applied.