Virtual Graph Security
This page discusses security for the virtual-graph resource type in Stardog’s security model. We discuss how to manage and access virtual graphs. For more information on what virtual graphs are and how they work, please see the chapter dedicated to Virtual Graphs.
Managing Virtual Graphs
To manage virtual graphs, the user must be granted access to the virtual-graph security resource type (see here).
- create permission is required to add a virtual graph:
    $ stardog-admin user grant -a create 'virtual-graph:*' theUser
- delete permission is needed to either remove a virtual graph or add one with the -o or --overwrite option:
    $ stardog-admin user grant -a delete 'virtual-graph:virtual://dept' theUser
- read permission is required for all other management commands such as virtual options or virtual mappings:
    $ stardog-admin user grant -a read 'virtual-graph:virtual://dept' theUser
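The following is an added example, not Stardog's own authorization code: a small model of the grant rules listed above that an administrator can use to check which actions a user still lacks for a given management command, and to print the least-privilege grant lines. It assumes the simplified semantics that a granted resource is either an exact 'virtual-graph:<name>' or the wildcard 'virtual-graph:*', and, following the examples above, uses the wildcard only for the create grant.

```python
from fnmatch import fnmatchcase

# Management command -> action required, exactly as stated on this page.
# (Assumption: the wildcard 'virtual-graph:*' covers every virtual graph.)
REQUIRED_ACTION = {
    "add": "create",
    "add --overwrite": "delete",   # -o / --overwrite replaces an existing graph
    "remove": "delete",
    "options": "read",             # 'virtual options'
    "mappings": "read",            # 'virtual mappings'
}

def covers(pattern: str, resource: str) -> bool:
    """Does a granted resource pattern (e.g. 'virtual-graph:*') cover resource?"""
    return fnmatchcase(resource, pattern)

def missing_actions(grants, command: str, graph: str) -> set:
    """Actions the user still lacks for `command` on `graph` (empty set => allowed).

    grants: iterable of (action, resource_pattern) tuples, e.g.
            [("read", "virtual-graph:virtual://dept")]
    """
    resource = f"virtual-graph:{graph}"
    held = {action for action, pattern in grants if covers(pattern, resource)}
    return {REQUIRED_ACTION[command]} - held

def grant_commands(user: str, graph: str, commands) -> list:
    """Least-privilege grant lines for the listed management commands.

    As in the examples above, create is granted on 'virtual-graph:*' (the graph
    does not exist yet); delete and read are granted on the named graph only.
    """
    lines = []
    for action in sorted({REQUIRED_ACTION[c] for c in commands}):
        resource = "virtual-graph:*" if action == "create" else f"virtual-graph:{graph}"
        lines.append(f"stardog-admin user grant -a {action} '{resource}' {user}")
    return lines

if __name__ == "__main__":
    # Constructed sample: a user holding only read on the dept graph.
    grants = [("read", "virtual-graph:virtual://dept")]
    print(missing_actions(grants, "remove", "virtual://dept"))   # {'delete'}
    for line in grant_commands("theUser", "virtual://dept", ["add", "options"]):
        print(line)
```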
Accessing Virtual Graphs
Accessing virtual graphs is controlled the same way as regular named graphs as explained in the Named Graph Security section:
- If named graph security is not enabled for a database, all registered virtual graphs in the server will be accessible through that database.
- If named graph security is enabled for a database, then users will be able to query only the virtual graphs for which they have been granted access.
If the virtual graphs contain any sensitive information, then it is recommended to enable named graph security globally by setting security.named.graphs=true in stardog.properties. Otherwise, creating a new database without proper configuration would allow users to access those virtual graphs.
The Named Graph Security settings apply to virtual graphs regardless of the manner in which they are accessed. The following three queries are equivalent, with one exception: an attempt to access a virtual graph using the SERVICE keyword results in an error when there are insufficient permissions, while queries that use the GRAPH or FROM keywords treat the virtual graph as empty and return no results, without an error.
    SELECT * {
      GRAPH <virtual://dept> {
        ?person a emp:Employee ;
                emp:name "SMITH"
      }
    }

    SELECT * FROM <virtual://dept> {
      ?person a emp:Employee ;
              emp:name "SMITH"
    }

    SELECT * {
      SERVICE <virtual://dept> {
        ?person a emp:Employee ;
                emp:name "SMITH"
      }
    }