Hi,

Problem

We're playing with the roles and permission. We have a database with three graphs, namely, graph1, graph2, graph3, we want to create a user with read permission over all the three graphs, as well as write permission to graph1 and graph2.

| action  | resource_type   | resource  | remove   |
|---------|-----------------|-----------|----------|
|  READ   |        *        |     myDB  |        x | 
|  WRITE  |named-graph      |    graph1 |        x | 
|  WRITE  |named-graph      |    graph2 |        x | 
|  READ   |named-graph      |    graph3 |        x | 
|  ALL    |metadata         |     myDB  |        x | 

We tried the above setting using the Studio, but when we try to write in a graph like graph1, we get the following error

User does not have write permissions for the index.  User identification "username"; index  name "myDB"

Question

How we can achieve it through actions and permissions to create a user with read permission over all the three graphs, as well as write permission to graph1 and graph2 but not write permission for graph1?

Thank you

Hi,

A) You would need to ensure that security.named.graphs is set to true for myDB.
B) Your user does not have WRITE permission for myDB
C) named-graph resources need a database name specified, e.g., [WRITE, named-graph:myDB\graph1]
D) Currently you need to specify READ/WRITE access for every named graph explicitly. You could probably get away with granting the user [ALL, named-graph:myDB\graph1], [ALL, named-graph:myDB\graph2], and then [READ, named-graph:myDB\graph3], though I suppose in production that could have unintended consequences if your user has malicious intent