Virtual Graph Security

This page discusses security for the virtual-graph resource type in Stardog’s security model: how to manage virtual graphs and how access to their contents is controlled. For more information on what virtual graphs are and how they work, please see the chapter dedicated to Virtual Graphs.

Page Contents
  1. Managing Virtual Graphs
  2. Accessing Virtual Graphs

Managing Virtual Graphs

To manage virtual graphs, the user must be granted access to the virtual-graph security resource type (see here).

  • create permission is required to add a virtual graph

     $ stardog-admin user grant -a create 'virtual-graph:*' theUser
    
  • delete permission is needed to remove a virtual graph, or to add one with the -o or --overwrite option (since the overwrite replaces an existing virtual graph)

     $ stardog-admin user grant -a delete 'virtual-graph:virtual://dept' theUser
    
  • read permission is required for all other management commands, such as virtual options or virtual mappings.

     $ stardog-admin user grant -a read 'virtual-graph:virtual://dept' theUser
    

Accessing Virtual Graphs

Accessing virtual graphs is controlled the same way as regular named graphs as explained in the Named Graph Security section:

  • If named graph security is not enabled for a database, all registered virtual graphs in the server will be accessible through that database.
  • If named graph security is enabled for a database, then users will be able to query only the virtual graphs for which they have been granted access.

If the virtual graphs contain any sensitive information, it is recommended to enable named graph security globally by setting security.named.graphs=true in stardog.properties. Otherwise, any newly created database that does not enable the setting itself would expose all registered virtual graphs to every user of that database.

The Named Graph Security settings apply to virtual graphs regardless of the manner in which they are accessed. The following three queries are equivalent, with one difference: when the user lacks permission, accessing a virtual graph with the SERVICE keyword results in an error, whereas queries that use the GRAPH or FROM keywords treat the virtual graph as empty and return no results without an error.

SELECT * {
   GRAPH <virtual://dept> {
      ?person a emp:Employee ;
           emp:name "SMITH"
   }
}

SELECT * FROM <virtual://dept> {
   ?person a emp:Employee ;
        emp:name "SMITH"
}

SELECT * {
   SERVICE <virtual://dept> {
      ?person a emp:Employee ;
           emp:name "SMITH"
   }
}
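The two rule sets above (which grant each management command needs, and what a query sees under named graph security) are easy to get wrong when reviewing a permission set. The following Python model is an added illustration, not Stardog code: it encodes the rules exactly as this page states them so an administrator can check a proposed grant list offline before applying it with stardog-admin. Assumptions are marked in the comments: a `*` after the resource type matches every virtual graph, an add with --overwrite is taken to still need create in addition to the delete the page requires, and the set of graphs a user may read under named graph security is passed in abstractly rather than as Stardog's named-graph grant strings.

```python
# Added illustration (not Stardog code): a model of the virtual-graph
# permission rules described on this page, for reasoning about a grant set
# before applying it with stardog-admin.

from dataclasses import dataclass

RESOURCE_TYPE = "virtual-graph"


@dataclass(frozen=True)
class Grant:
    action: str     # "create", "delete" or "read"
    resource: str   # e.g. "virtual-graph:*" or "virtual-graph:virtual://dept"


def grant_covers(grant: Grant, action: str, vg_name: str) -> bool:
    """True if this grant authorises `action` on the virtual graph `vg_name`.
    Assumption: '*' after the resource type matches every virtual graph;
    any other pattern must equal the virtual graph name exactly."""
    rtype, sep, pattern = grant.resource.partition(":")
    if not sep or rtype != RESOURCE_TYPE or grant.action != action:
        return False
    return pattern == "*" or pattern == vg_name


def required_actions(command: str, overwrite: bool = False) -> frozenset:
    """Action(s) a management command needs, per the Managing Virtual Graphs list."""
    if command == "add":
        needed = {"create"}
        if overwrite:
            # The page states delete is needed for -o/--overwrite; create is
            # assumed to still be required for the add itself.
            needed.add("delete")
        return frozenset(needed)
    if command == "remove":
        return frozenset({"delete"})
    # options, mappings and every other management command
    return frozenset({"read"})


def can_manage(grants, command: str, vg_name: str, overwrite: bool = False) -> bool:
    """True if every action the command needs is covered by some grant."""
    return all(any(grant_covers(g, action, vg_name) for g in grants)
               for action in required_actions(command, overwrite))


def query_outcome(named_graph_security: bool, readable_graphs, vg_iri: str,
                  access: str) -> str:
    """Outcome of a query touching `vg_iri` via GRAPH, FROM or SERVICE,
    following the Accessing Virtual Graphs rules: "results", "empty" or "error".
    `readable_graphs` is the abstract set of virtual graphs the user may query."""
    if access not in ("GRAPH", "FROM", "SERVICE"):
        raise ValueError(f"unknown access keyword {access!r}")
    if not named_graph_security:
        return "results"            # no named graph security: every VG is visible
    if vg_iri in readable_graphs:
        return "results"
    # insufficient permission: SERVICE errors, GRAPH/FROM see an empty graph
    return "error" if access == "SERVICE" else "empty"


if __name__ == "__main__":
    # Constructed grant set mirroring the three commands on this page
    grants = [Grant("create", "virtual-graph:*"),
              Grant("delete", "virtual-graph:virtual://dept"),
              Grant("read", "virtual-graph:virtual://dept")]
    print(can_manage(grants, "add", "virtual://hr"))              # True
    print(can_manage(grants, "add", "virtual://hr", True))        # False
    print(can_manage(grants, "mappings", "virtual://dept"))       # True
    print(query_outcome(True, set(), "virtual://dept", "SERVICE"))  # error
    print(query_outcome(True, set(), "virtual://dept", "GRAPH"))    # empty
```

The useful check is the second `can_manage` call: a wildcard create grant lets the user add any virtual graph, but an add with --overwrite on a graph the user cannot delete is refused, which is the behaviour the delete bullet describes.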