ContX IQ: With User node as a subject, retrieve all properties of a resource.
Implement wildcard property retrievals within the scope of a policy with a user as subject.
Use case
In this case, a user access token is sent and introspected.
The example then fetches one property of a LicenseNumber node, all properties of a Car resource node, and all properties of an OWNS relationship.

Requirements
- ServiceAccount credentials created in the IndyKite Hub for your organization.
- AppAgent credentials created in the IndyKite Hub, using the REST endpoints or using Terraform for your Project / Application.
- Access token for a Person node
The user access token is sent with the CIQ Execution request in the headers (key: Authorization, value: Bearer token).
Steps
1. Using the AppAgent credential as API Key (name: X-IK-ClientKey), ingest data in your IKG (IndyKite Knowledge Graph) using the script provided.
2. Using the ServiceAccount credential as Bearer token, create a CIQ Policy which designates the Subject node, the cypher, the nodes allowed to be upserted and the nodes allowed to be read.
3. Using the ServiceAccount credential as Bearer token, create a CIQ Query in the context of the policy to retrieve one property of a node LicenseNumber, all properties of a resource node Car and all properties of a relationship OWNS.
4. Using the AppAgent credential as API Key (name: X-IK-ClientKey), run a CIQ Execution to read the data.
Step 1
Ingest the nodes needed for this use case.
{
"nodes": [
{
"external_id": "alice",
"type": "Person",
"is_identity": true,
"properties": [
{
"type": "email",
"value": "alice@email.com"
},
{
"type": "name",
"value": "Alice Smith"
}
]
},
{
"external_id": "satchmo",
"type": "Person",
"is_identity": true,
"properties": [
{
"type": "email",
"value": "satchmo@demo.com"
},
{
"type": "name",
"value": "Louis Armstrong"
}
]
},
{
"external_id": "karel",
"type": "Person",
"is_identity": true,
"properties": [
{
"type": "email",
"value": "karel@demo.com"
},
{
"type": "name",
"value": "Karel Plihal"
}
]
},
{
"external_id": "kitt",
"type": "Car",
"is_identity": false,
"properties": [
{
"type": "manufacturer",
"value": "pontiac"
},
{
"type": "model",
"value": "Firebird"
}
]
},
{
"external_id": "caddilacv16",
"type": "Car",
"is_identity": false,
"properties": [
{
"type": "manufacturer",
"value": "Caddilac"
},
{
"type": "model",
"value": "V-16"
}
]
},
{
"external_id": "harmonika",
"type": "Bus",
"is_identity": false,
"properties": [
{
"type": "manufacturer",
"value": "Ikarus"
},
{
"type": "model",
"value": "280"
}
]
},
{
"external_id": "ln-xxx",
"type": "LicenseNumber",
"is_identity": false,
"properties": [
{
"type": "license",
"value": "ln-xxx-value"
}
]
},
{
"external_id": "ln-yyy",
"type": "LicenseNumber",
"is_identity": false,
"properties": [
{
"type": "license",
"value": "ln-yyy-value"
}
]
},
{
"external_id": "ln-zzz",
"type": "LicenseNumber",
"is_identity": false,
"properties": [
{
"type": "license",
"value": "ln-zzz-value"
}
]
}
]
}
Ingest the relationships needed for this use case.
{
"relationships": [
{
"source": {
"external_id": "alice",
"type": "Person"
},
"target": {
"external_id": "kitt",
"type": "Car"
},
"type": "OWNS",
"properties": [
{
"type": "weight",
"value": 1
}
]
},
{
"source": {
"external_id": "alice",
"type": "Person"
},
"target": {
"external_id": "caddilacv16",
"type": "Car"
},
"type": "OWNS",
"properties": [
{
"type": "weight",
"value": 2
}
]
},
{
"source": {
"external_id": "satchmo",
"type": "Person"
},
"target": {
"external_id": "caddilacv16",
"type": "Car"
},
"type": "OWNS"
},
{
"source": {
"external_id": "karel",
"type": "Person"
},
"target": {
"external_id": "harmonika",
"type": "Bus"
},
"type": "OWNS"
},
{
"source": {
"external_id": "kitt",
"type": "Car"
},
"target": {
"external_id": "ln-xxx",
"type": "LicenseNumber"
},
"type": "HAS",
"properties": [
{
"type": "weight",
"value": 3
}
]
},
{
"source": {
"external_id": "caddilacv16",
"type": "Car"
},
"target": {
"external_id": "ln-zzz",
"type": "LicenseNumber"
},
"type": "HAS"
},
{
"source": {
"external_id": "harmonika",
"type": "Bus"
},
"target": {
"external_id": "ln-yyy",
"type": "LicenseNumber"
},
"type": "HAS"
}
]
}
Step 2
Create a CIQ Policy which designates the Subject node, the cypher, the nodes allowed to be upserted and the nodes allowed to be read.
{
"meta": {
"policy_version": "1.0-ciq"
},
"subject": {
"type": "Person"
},
"condition": {
"cypher": "MATCH (subject:Person)-[owns:OWNS]->(car:Car)-[:HAS]->(ln:LicenseNumber)",
"filter": [
{
"app": "app1",
"operator": "AND",
"operands": [
{
"operator": "=",
"attribute": "subject.external_id",
"value": "$subject_external_id"
},
{
"attribute": "$token.sub",
"operator": "=",
"value": "$token_sub"
}
]
}
]
},
"allowed_reads": {
"nodes": [
"car",
"ln",
"car.*",
"ln.property.license"
],
"relationships": [
"owns.*"
]
},
"allowed_upserts": {
"nodes": {
"existing_nodes": [
"car"
]
}
}
}
Request to create the CIQ Policy configuration using REST.
{
"project_id": "your_project_gid",
"description": "description of policy",
"display_name": "policy name",
"name": "policy-name",
"policy": "{\"meta\":{\"policy_version\":\"1.0-ciq\"},\"subject\":{\"type\":\"Person\"},\"condition\":{\"cypher\":\"MATCH (subject:Person)-[owns:OWNS]->(car:Car)-[:HAS]->(ln:LicenseNumber)\",\"filter\":[{\"app\":\"app1\",\"operator\":\"AND\",\"operands\":[{\"operator\":\"=\",\"attribute\":\"subject.external_id\",\"value\":\"$subject_external_id\"},{\"attribute\":\"$token.sub\",\"operator\":\"=\",\"value\":\"$token_sub\"}]}]},\"allowed_reads\":{\"nodes\":[\"car\",\"ln\",\"car.*\",\"ln.property.license\"],\"relationships\":[\"owns.*\"]},\"allowed_upserts\":{\"nodes\":{\"existing_nodes\":[\"car\"]}}}",
"status": "ACTIVE",
"tags": []
}
Request to read the CIQ Policy configuration using REST.
{
"id": "your_policy_configuration_gid"
}
Step 3
Create a CIQ Query in the context of the policy to retrieve the designated properties.
{
"nodes": [
"car.property.*",
"ln.property.license"
],
"relationships": [
"owns.*"
],
"filter": {
"attribute": "ln.property.license",
"operator": "=",
"value": "$ln_value"
}
}
Request to create a CIQ Query configuration using REST.
{
"project_id": "your_project_gid",
"description": "description of knowledge query",
"display_name": "knowledge query name",
"name": "knowledge-query-name",
"policy_id": "your_policy_gid",
"query": "{\"nodes\":[\"car.property.*\",\"ln.property.license\"],\"relationships\":[\"owns.*\"],\"filter\":{\"attribute\":\"ln.property.license\",\"operator\":\"=\",\"value\":\"$ln_value\"}}",
"status": "ACTIVE"
}
Read the CIQ Query Configuration.
{
"id": "your_knowledge_query_configuration_gid"
}
Step 4
Run a CIQ Execution to get the designated information.
{
"id": "knowledge_query_gid",
"input_params": {
"ln_value": "ln-xxx-value",
"subject_external_id": "alice",
"token_sub": "alice_user_external_id"
},
"page_token": 1
}
CIQ Execution response.
{
"data": [
{
"nodes": {
"car.property.*": [
{
"type": "manufacturer",
"value": "pontiac"
},
{
"type": "model",
"value": "Firebird"
}
],
"ln.property.license": "ln-xxx-value"
},
"relationships": {
"owns.*": {
"create_time": "2025-09-26T20:41:30.318Z",
"id": "Wb01b9HYQgKbGkpQl4FDeA",
"type": "OWNS",
"update_time": "2025-09-26T20:41:30.318Z",
"weight": 1
}
}
}
]
}
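
The check below is an added example, not IndyKite code: a local pre-flight lint that confirms every selector in the Step 3 query is covered by the Step 2 policy's allowed_reads, and that the Step 4 input_params supply exactly the $placeholders the policy and query filters reference. The wildcard rule in covers() (an allowed "x.*" covers any selector under "x.") is an assumption made for this example, not the service's documented matching semantics, and all function names are hypothetical.

```python
import json

# Policy (Step 2) and query (Step 3) from this page, trimmed to the fields checked here.
POLICY = {
    "condition": {"filter": [{"app": "app1", "operator": "AND", "operands": [
        {"operator": "=", "attribute": "subject.external_id", "value": "$subject_external_id"},
        {"attribute": "$token.sub", "operator": "=", "value": "$token_sub"}]}]},
    "allowed_reads": {"nodes": ["car", "ln", "car.*", "ln.property.license"],
                      "relationships": ["owns.*"]},
}
QUERY = {
    "nodes": ["car.property.*", "ln.property.license"],
    "relationships": ["owns.*"],
    "filter": {"attribute": "ln.property.license", "operator": "=", "value": "$ln_value"},
}

def covers(allowed, requested):
    # Assumed rule: exact match, or an allowed "x.*" covers every selector under "x.".
    return allowed == requested or (
        allowed.endswith(".*") and requested.startswith(allowed[:-1]))

def uncovered_selectors(policy, query):
    """Selectors the query requests that no allowed_reads entry covers."""
    missing = []
    for kind in ("nodes", "relationships"):
        allowed = policy.get("allowed_reads", {}).get(kind, [])
        missing += [s for s in query.get(kind, [])
                    if not any(covers(a, s) for a in allowed)]
    return missing

def placeholders(obj):
    """Collect every "$name" found under a "value" key, at any nesting depth."""
    found = set()
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key == "value" and isinstance(val, str) and val.startswith("$"):
                found.add(val[1:])
            else:
                found |= placeholders(val)
    elif isinstance(obj, list):
        for item in obj:
            found |= placeholders(item)
    return found

def param_mismatch(policy, query, input_params):
    """Return (missing, unexpected) input_params for a CIQ Execution body."""
    required = placeholders(policy) | placeholders(query)
    return sorted(required - set(input_params)), sorted(set(input_params) - required)

if __name__ == "__main__":
    params = {"ln_value": "ln-xxx-value", "subject_external_id": "alice",
              "token_sub": "alice_user_external_id"}  # Step 4 body from this page
    print(json.dumps({"uncovered": uncovered_selectors(POLICY, QUERY),
                      "params": param_mismatch(POLICY, QUERY, params)}))
```

Under the assumed rule, widening the query's nodes to "ln.*" makes uncovered_selectors return that selector, because the policy grants only ln.property.license on the LicenseNumber node.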