Unable to control access to virtual graphs

Yan_Marques · June 22, 2026, 5:06pm

Hi all,

I am struggling to understand how to control access to virtual graphs per user.

I have successfully created a JDBC PostgreSQL data source (rdbms_company) and a virtual graph (<virtual://users>) that connects to it.

Default database configuration

With default config, I can go to the Workspace in Stardog Studio and successfully query the virtual graph, e.g.

SELECT ?s WHERE {
   GRAPH <virtual://users> {
       ?s ?p ?o . 
   }
} LIMIT 5

returns what I expected. Likewise, if I create a new user (anon) with the single permission READ db mydb, I can also query the virtual graph via the HTTP API, as above, and get the same results.

Virtual graph security

To simulate preventing access to the virtual graph for anon, I then enabled in the database configuration the following options: Named Graph Security, Virtual Graph Transparency and Query All Graphs, while retanining the single permission above. After that, I could no longer get results from the query above via the HTTP API (like I expected).

However, even after assigning the following permissions to anon, I cannot go back to the scenario where the query produced results:

READ virtual-graph virtual://users
READ named-graph virtual://users
READ data-source data-source://rdbms_company

Similarly, I can no longer get results running the query with my original user in Stardog Studio, even after assigning these new permissions (irrespective of the choice of named graph in the UI, i.e. leaving it empty, choosing stardog:context:all, stardog:context:default, etc.).

I am probably missing some very basic point, but would really appreciate some help.

Joe_Fagan · June 22, 2026, 8:10pm

From Named Graph Security | Stardog Documentation Latest
For querying a virtual graph with named graph security enabled, the important permission is READ on the virtual graph as a named graph in that database. The database name and graph IRI are separated by \.
If you are using the CLI you will enter
stardog-admin user grant -a read -o 'named-graph:mydb\virtual://users' anon

I think the key point is that, once named graph security is enabled, querying a virtual graph is controlled through named-graph permissions, and the named-graph permission must be database-qualified.

The READ virtual-graph permission lets the user see/list/get options or mappings for the virtual graph; READ data-source lets them inspect the data source. Those are management/metadata permissions, but they are not what authorises query access to the triples exposed by GRAPH virtual://users.

Also, returning no rows rather than an auth error is expected. With named graph security, unauthorised graphs are silently dropped from the query dataset, so GRAPH/FROM queries will just look empty.

Please try the above suggestion and revert back if there are still issues.

Joe

Yan_Marques · June 23, 2026, 12:56pm

It worked, thanks a lot.

Yes, this was clear from the docs and was also what I expected. Sorry if it came across the other way.

Topic		Replies	Views
Bug/issue with assigning user permissions for Virtual Graphs Bug	10	684	May 16, 2019
Fine grain security Support	12	756	April 28, 2019
User does not have permissions to update the named graph DEFAULT Support	4	284	September 14, 2023
Debugging "User can't modify some of the graphs in the query" in Stardog 4 Support	5	678	June 21, 2017
Disallowing writes to default graph Support	4	404	March 1, 2022

Unable to control access to virtual graphs

Default database configuration

Virtual graph security

Related topics