ContX IQ: list authorized resources.

As an Application, list all payment methods from Person nodes that have existing Contract nodes on Vehicle nodes with a license number.

Retrieve all payment methods associated with people who have an active contract for a vehicle, for a given Application.

Use case

An application has an agreement with Company1, which owns vehicles.

The application wants to list the payment methods associated with people who have an active contract for a vehicle.

Requirements

- ServiceAccount credentials created in the IndyKite Hub for your organization.

- AppAgent credentials created in the IndyKite Hub, using the REST endpoints or using Terraform for your Project / Application.

Steps

1. Using the AppAgent credential as API Key (name: X-IK-ClientKey), ingest data in your IKG (IndyKite Knowledge Graph) using the script provided.

2. Using the ServiceAccount credential as Bearer token, create a CIQ Policy, with _Application as subject.

When a new Application with new credentials is created, _Application and _AppAgent nodes are created in the IKG.

In order to create a relationship between these nodes and the ingested data, a CIQ write query can be used.

This will allow the use of the _Application as an authenticated subject.

We add a filter with attribute: subject.external_id and value: $_appId (reserved value).

When the subject is _Application, the $_appId input does not need to be provided in the CIQ Execution and is automatically assigned the subject.external_id value.

In this case, a HAS_AGREEMENT_WITH relationship is created between the _Application node and a Company node.

3. Using the ServiceAccount credential as Bearer token, create a CIQ Query.

4. Using the AppAgent credential as API Key (name: X-IK-ClientKey), run a CIQ Execution to link the _Application node.

5. Using the ServiceAccount credential as Bearer token, create a CIQ Policy that designates which nodes are allowed to read the Payment Method nodes, based on their relationships, with _Application as subject.

6. Using the ServiceAccount credential as Bearer token, create a CIQ Query in the context of the policy to retrieve the data.

7. Using the AppAgent credential as API Key (name: X-IK-ClientKey), run a CIQ Execution.

8. Delete your configuration.

Step 1

Ingest the nodes needed for this use case.

POST https://eu.api.indykite.com/capture/v1/nodes/
{
  "nodes": [
    {
      "external_id": "alice",
      "is_identity": true,
      "type": "Person",
      "properties": [
        {
          "type": "email",
          "value": "alice@email.com"
        },
        {
          "type": "given_name",
          "value": "Alice"
        },
        {
          "type": "last_name",
          "value": "Smith"
        }
      ]
    },
    {
      "external_id": "ryan",
      "is_identity": true,
      "type": "Person",
      "properties": [
        {
          "type": "email",
          "value": "ryan@yahoo.co.uk"
        },
        {
          "type": "given_name",
          "value": "ryan"
        },
        {
          "type": "last_name",
          "value": "mushu"
        }
      ]
    },
    {
      "external_id": "tilda",
      "is_identity": true,
      "type": "Person",
      "properties": [
        {
          "type": "email",
          "value": "tilda@yahoo.co.uk"
        },
        {
          "type": "given_name",
          "value": "tilda"
        },
        {
          "type": "last_name",
          "value": "mushu"
        }
      ]
    },
    {
      "external_id": "cb123",
      "type": "PaymentMethod",
      "properties": [
        {
          "type": "payment_name",
          "value": "Credit Card"
        }
      ]
    },
    {
      "external_id": "kl123",
      "type": "PaymentMethod",
      "properties": [
        {
          "type": "payment_name",
          "value": "Klarna"
        }
      ]
    },
    {
      "external_id": "ct123",
      "type": "Contract",
      "properties": [
        {
          "type": "category",
          "value": "Insurance"
        },
        {
          "type": "status",
          "value": "Active"
        },
        {
          "type": "number",
          "value": "hfgrten123",
          "metadata": {
            "assurance_level": 3,
            "source": "BRREG"
          }
        }
      ]
    },
    {
      "external_id": "ct234",
      "type": "Contract",
      "properties": [
        {
          "type": "category",
          "value": "Insurance"
        },
        {
          "type": "status",
          "value": "Active"
        },
        {
          "type": "number",
          "value": "hfgrten234",
          "metadata": {
            "assurance_level": 3,
            "source": "BRREG"
          }
        }
      ]
    },
    {
      "external_id": "ct985",
      "type": "Contract",
      "properties": [
        {
          "type": "category",
          "value": "Insurance"
        },
        {
          "type": "status",
          "value": "Active"
        },
        {
          "type": "number",
          "value": "hfgrten985",
          "metadata": {
            "assurance_level": 3,
            "source": "BRREG"
          }
        }
      ]
    },
    {
      "external_id": "car1",
      "type": "Vehicle",
      "properties": [
        {
          "type": "category",
          "value": "Car"
        },
        {
          "type": "is_active",
          "value": true
        },
        {
          "type": "vin",
          "value": "rtfhcnvjt471"
        }
      ]
    },
    {
      "external_id": "car2",
      "type": "Vehicle",
      "properties": [
        {
          "type": "category",
          "value": "Car"
        },
        {
          "type": "is_active",
          "value": true
        },
        {
          "type": "vin",
          "value": "kdcbfrt178"
        }
      ]
    },
    {
      "external_id": "truck1",
      "type": "Vehicle",
      "properties": [
        {
          "type": "category",
          "value": "Truck"
        },
        {
          "type": "is_active",
          "value": true
        },
        {
          "type": "vin",
          "value": "sncnrkcldp"
        }
      ]
    },
    {
      "external_id": "license1",
      "type": "LicenseNumber",
      "properties": [
        {
          "type": "status",
          "value": "Active"
        },
        {
          "type": "number",
          "value": "AX123456",
          "metadata": {
            "assurance_level": 3,
            "source": "BRREG"
          }
        }
      ]
    },
    {
      "external_id": "license2",
      "type": "LicenseNumber",
      "properties": [
        {
          "type": "status",
          "value": "Active"
        },
        {
          "type": "number",
          "value": "OL123456",
          "metadata": {
            "assurance_level": 3,
            "source": "BRREG"
          }
        }
      ]
    },
    {
      "external_id": "license3",
      "type": "LicenseNumber",
      "properties": [
        {
          "type": "status",
          "value": "Active"
        },
        {
          "type": "number",
          "value": "VN123456",
          "metadata": {
            "assurance_level": 3,
            "source": "BRREG"
          }
        }
      ]
    },
    {
      "external_id": "company1",
      "type": "Company",
      "properties": [
        {
          "type": "name",
          "value": "Company1"
        },
        {
          "type": "registration",
          "value": "256314523"
        }
      ]
    },
    {
      "external_id": "company2",
      "type": "Company",
      "properties": [
        {
          "type": "name",
          "value": "Company2"
        },
        {
          "type": "registration",
          "value": "942365123"
        }
      ]
    },
    {
      "external_id": "application1",
      "type": "Application",
      "properties": [
        {
          "type": "name",
          "value": "Application"
        }
      ]
    },
    {
      "external_id": "application2",
      "type": "Application",
      "properties": [
        {
          "type": "name",
          "value": "Application2"
        }
      ]
    }
  ]
}

Ingest the relationships needed for this use case.

POST https://eu.api.indykite.com/capture/v1/relationships/
{
  "relationships": [
    {
      "source": {
        "external_id": "ryan",
        "type": "Person"
      },
      "target": {
        "external_id": "cb123",
        "type": "PaymentMethod"
      },
      "type": "HAS"
    },
    {
      "source": {
        "external_id": "tilda",
        "type": "Person"
      },
      "target": {
        "external_id": "kl123",
        "type": "PaymentMethod"
      },
      "type": "HAS"
    },
    {
      "source": {
        "external_id": "alice",
        "type": "Person"
      },
      "target": {
        "external_id": "cb123",
        "type": "PaymentMethod"
      },
      "type": "HAS"
    },
    {
      "source": {
        "external_id": "ryan",
        "type": "Person"
      },
      "target": {
        "external_id": "ct123",
        "type": "Contract"
      },
      "type": "ACCEPTED"
    },
    {
      "source": {
        "external_id": "tilda",
        "type": "Person"
      },
      "target": {
        "external_id": "ct234",
        "type": "Contract"
      },
      "type": "ACCEPTED"
    },
    {
      "source": {
        "external_id": "alice",
        "type": "Person"
      },
      "target": {
        "external_id": "ct985",
        "type": "Contract"
      },
      "type": "ACCEPTED"
    },
    {
      "source": {
        "external_id": "ct123",
        "type": "Contract"
      },
      "target": {
        "external_id": "car1",
        "type": "Vehicle"
      },
      "type": "COVERS"
    },
    {
      "source": {
        "external_id": "ct985",
        "type": "Contract"
      },
      "target": {
        "external_id": "car1",
        "type": "Vehicle"
      },
      "type": "COVERS"
    },
    {
      "source": {
        "external_id": "ct234",
        "type": "Contract"
      },
      "target": {
        "external_id": "truck1",
        "type": "Vehicle"
      },
      "type": "COVERS"
    },
    {
      "source": {
        "external_id": "car1",
        "type": "Vehicle"
      },
      "target": {
        "external_id": "license1",
        "type": "LicenseNumber"
      },
      "type": "HAS"
    },
    {
      "source": {
        "external_id": "truck1",
        "type": "Vehicle"
      },
      "target": {
        "external_id": "license2",
        "type": "LicenseNumber"
      },
      "type": "HAS"
    },
    {
      "source": {
        "external_id": "car2",
        "type": "Vehicle"
      },
      "target": {
        "external_id": "license3",
        "type": "LicenseNumber"
      },
      "type": "HAS"
    },
    {
      "source": {
        "external_id": "company1",
        "type": "Company"
      },
      "target": {
        "external_id": "car1",
        "type": "Vehicle"
      },
      "type": "OWNS"
    },
    {
      "source": {
        "external_id": "company1",
        "type": "Company"
      },
      "target": {
        "external_id": "car2",
        "type": "Vehicle"
      },
      "type": "OWNS"
    },
    {
      "source": {
        "external_id": "company1",
        "type": "Company"
      },
      "target": {
        "external_id": "truck1",
        "type": "Vehicle"
      },
      "type": "OWNS"
    },
    {
      "source": {
        "external_id": "application1",
        "type": "Application"
      },
      "target": {
        "external_id": "company1",
        "type": "Company"
      },
      "type": "HAS_AGREEMENT_WITH"
    },
    {
      "source": {
        "external_id": "application2",
        "type": "Application"
      },
      "target": {
        "external_id": "company1",
        "type": "Company"
      },
      "type": "HAS_AGREEMENT_WITH"
    }
  ]
}

Step 2

Policy that allows the derived query to create the HAS_AGREEMENT_WITH relationship.

policy.json
{
  "meta": {
    "policy_version": "1.0-ciq"
  },
  "subject": {
    "type": "_Application"
  },
  "condition": {
    "cypher": "MATCH (subject:_Application) MATCH (company:Company)-[r2:OWNS]->(vehicle:Vehicle)",
    "filter": [
      {
        "operator": "AND",
        "operands": [
          {
            "attribute": "subject.external_id",
            "operator": "=",
            "value": "$_appId"
          },
          {
            "attribute": "company.external_id",
            "operator": "=",
            "value": "$companyID"
          }
        ]
      }
    ]
  },
  "allowed_upserts": {
    "relationships": {
      "relationship_types": [
        {
          "type": "HAS_AGREEMENT_WITH",
          "source_node_label": "_Application",
          "target_node_label": "Company"
        }
      ]
    }
  },
  "allowed_reads": {
    "nodes": [
      "company.*",
      "subject.*"
    ]
  }
}

Request to create a CIQ Policy configuration using REST.

POST https://eu.api.indykite.com/configs/v1/authorization-policies
{
  "project_id": "your_project_gid",
  "description": "description of policy",
  "display_name": "policy name",
  "name": "policy-name",
  "policy": "{\"meta\":{\"policy_version\":\"1.0-ciq\"},\"subject\":{\"type\":\"_Application\"},\"condition\":{\"cypher\":\"MATCH (subject:_Application) MATCH (company:Company)-[r2:OWNS]->(vehicle:Vehicle)\",\"filter\":[{\"operator\":\"AND\",\"operands\":[{\"attribute\":\"subject.external_id\",\"operator\":\"=\",\"value\":\"$_appId\"},{\"attribute\":\"company.external_id\",\"operator\":\"=\",\"value\":\"$companyID\"}]}]},\"allowed_upserts\":{\"relationships\":{\"relationship_types\":[{\"type\":\"HAS_AGREEMENT_WITH\",\"source_node_label\":\"_Application\",\"target_node_label\":\"Company\"}]}},\"allowed_reads\":{\"nodes\":[\"company.*\",\"subject.*\"]}}",
  "status": "ACTIVE",
  "tags": []
}

Request to read the CIQ Policy configuration using REST.

policy_request.json
{
  "id": "your_policy_configuration_gid"
}

Step 3

The CIQ Query designates the relationship to upsert.

knowledge_query.json
{
  "nodes": [
    "subject.external_id"
  ],
  "relationships": [
    "r1"
  ],
  "upsert_relationships": [
    {
      "name": "r1",
      "source": "subject",
      "target": "company",
      "type": "HAS_AGREEMENT_WITH"
    }
  ]
}

Request to create a CIQ Query configuration using REST.

POST https://eu.api.indykite.com/configs/v1/knowledge-queries
{
  "project_id": "your_project_gid",
  "description": "description of knowledge query",
  "display_name": "knowledge query name",
  "name": "knowledge-query-name",
  "policy_id": "your_policy_gid",
  "query": "{\"nodes\":[\"subject.external_id\"],\"relationships\":[\"r1\"],\"upsert_relationships\":[{\"name\":\"r1\",\"source\":\"subject\",\"target\":\"company\",\"type\":\"HAS_AGREEMENT_WITH\"}]}",
  "status": "ACTIVE"
}

Read the CIQ Query Configuration.

GET https://eu.api.indykite.com/configs/v1/knowledge-queries/{id}
{
  "id": "your_knowledge_query_configuration_gid"
}

Step 4

CIQ Execution request in JSON format.

POST https://eu.api.indykite.com/contx-iq/v1/execute
{
  "id": "ciq_query_gid",
  "input_params": {
    "companyID": "company1"
  }
}

CIQ Execution response in JSON format.

response.json
{
  "data": [
    {
      "nodes": {
        "subject.external_id": "application_external_id"
      },
      "relationships": {
        "r1": {
          "Id": 1152932499723124700,
          "ElementId": "5:3a2b09d5-2923-45d7-8453-8b1c698427b0:1152932499723124736",
          "StartId": 0,
          "StartElementId": "4:3a2b09d5-2923-45d7-8453-8b1c698427b0:0",
          "EndId": 15,
          "EndElementId": "4:3a2b09d5-2923-45d7-8453-8b1c698427b0:15",
          "Type": "HAS_AGREEMENT_WITH",
          "Props": {
            "create_time": "2025-06-09T15:12:46.374Z",
            "id": "48BJHS2CTFKcVpD4cUF8IA",
            "update_time": "2025-06-09T15:12:46.374Z"
          }
        }
      }
    },
    {
      "nodes": {
        "subject.external_id": "application_external_id"
      },
      "relationships": {
        "r1": {
          "Id": 1152932499723124700,
          "ElementId": "5:3a2b09d5-2923-45d7-8453-8b1c698427b0:1152932499723124736",
          "StartId": 0,
          "StartElementId": "4:3a2b09d5-2923-45d7-8453-8b1c698427b0:0",
          "EndId": 15,
          "EndElementId": "4:3a2b09d5-2923-45d7-8453-8b1c698427b0:15",
          "Type": "HAS_AGREEMENT_WITH",
          "Props": {
            "create_time": "2025-06-09T15:12:46.374Z",
            "id": "48BJHS2CTFKcVpD4cUF8IA",
            "update_time": "2025-06-09T15:12:46.374Z"
          }
        }
      }
    },
    {
      "nodes": {
        "subject.external_id": "application_external_id"
      },
      "relationships": {
        "r1": {
          "Id": 1152932499723124700,
          "ElementId": "5:3a2b09d5-2923-45d7-8453-8b1c698427b0:1152932499723124736",
          "StartId": 0,
          "StartElementId": "4:3a2b09d5-2923-45d7-8453-8b1c698427b0:0",
          "EndId": 15,
          "EndElementId": "4:3a2b09d5-2923-45d7-8453-8b1c698427b0:15",
          "Type": "HAS_AGREEMENT_WITH",
          "Props": {
            "create_time": "2025-06-09T15:12:46.374Z",
            "id": "48BJHS2CTFKcVpD4cUF8IA",
            "update_time": "2025-06-09T15:12:46.374Z"
          }
        }
      }
    }
  ]
}

Step 5

Create a CIQ Policy that designates which nodes are allowed to read the Payment Method nodes, based on their relationships.

policy.json
{
  "meta": {
    "policy_version": "1.0-ciq"
  },
  "subject": {
    "type": "_Application"
  },
  "condition": {
    "cypher": "MATCH (subject:_Application)-[r1:HAS_AGREEMENT_WITH]->(company:Company)-[r2:OWNS]->(vehicle:Vehicle)-[r3:HAS]->(ln:LicenseNumber) MATCH (vehicle)<-[r4:COVERS]-(contract:Contract)<-[r5:ACCEPTED]-(person:Person)-[r6:HAS]->(pm:PaymentMethod)",
    "filter": [
      {
        "attribute": "subject.external_id",
        "operator": "=",
        "value": "$_appId"
      }
    ]
  },
  "allowed_reads": {
    "nodes": [
      "pm.property.*",
      "person.property.*",
      "vehicle.property.is_active"
    ],
    "relationships": []
  }
}

Request to create a CIQ Policy configuration using REST.

POST https://eu.api.indykite.com/configs/v1/authorization-policies
{
  "project_id": "your_project_gid",
  "description": "description of policy",
  "display_name": "policy name",
  "name": "policy-name",
  "policy": "{\"meta\":{\"policy_version\":\"1.0-ciq\"},\"subject\":{\"type\":\"_Application\"},\"condition\":{\"cypher\":\"MATCH (subject:_Application)-[r1:HAS_AGREEMENT_WITH]->(company:Company)-[r2:OWNS]->(vehicle:Vehicle)-[r3:HAS]->(ln:LicenseNumber) MATCH (vehicle)<-[r4:COVERS]-(contract:Contract)<-[r5:ACCEPTED]-(person:Person)-[r6:HAS]->(pm:PaymentMethod)\",\"filter\":[{\"attribute\":\"subject.external_id\",\"operator\":\"=\",\"value\":\"$_appId\"}]},\"allowed_reads\":{\"nodes\":[\"pm.property.*\",\"person.property.*\",\"vehicle.property.is_active\"],\"relationships\":[]}}",
  "status": "ACTIVE",
  "tags": []
}
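
The check below is an added example, not IndyKite code: it lints the Step 2 and Step 5 policies from this page before they are sent, confirming that every filter and allowed_reads entry refers to a variable bound in the Cypher pattern, that the subject is pinned to $_appId, and which input_params the execution must supply. The lint rules and the names lint, leaves and create_request are assumptions of this example, not part of the CIQ API.

```python
import json
import re

RESERVED = {"_appId"}  # assigned automatically when the subject is _Application

# The Step 2 and Step 5 policies from this page, as Python dicts.
STEP2 = {
    "meta": {"policy_version": "1.0-ciq"},
    "subject": {"type": "_Application"},
    "condition": {
        "cypher": "MATCH (subject:_Application) "
                  "MATCH (company:Company)-[r2:OWNS]->(vehicle:Vehicle)",
        "filter": [{"operator": "AND", "operands": [
            {"attribute": "subject.external_id", "operator": "=", "value": "$_appId"},
            {"attribute": "company.external_id", "operator": "=", "value": "$companyID"}]}],
    },
    "allowed_upserts": {"relationships": {"relationship_types": [
        {"type": "HAS_AGREEMENT_WITH", "source_node_label": "_Application",
         "target_node_label": "Company"}]}},
    "allowed_reads": {"nodes": ["company.*", "subject.*"]},
}
STEP5 = {
    "meta": {"policy_version": "1.0-ciq"},
    "subject": {"type": "_Application"},
    "condition": {
        "cypher": "MATCH (subject:_Application)-[r1:HAS_AGREEMENT_WITH]->(company:Company)"
                  "-[r2:OWNS]->(vehicle:Vehicle)-[r3:HAS]->(ln:LicenseNumber) "
                  "MATCH (vehicle)<-[r4:COVERS]-(contract:Contract)<-[r5:ACCEPTED]-"
                  "(person:Person)-[r6:HAS]->(pm:PaymentMethod)",
        "filter": [{"attribute": "subject.external_id", "operator": "=", "value": "$_appId"}],
    },
    "allowed_reads": {"nodes": ["pm.property.*", "person.property.*",
                                "vehicle.property.is_active"], "relationships": []},
}

def leaves(filters):
    """Flatten nested operator/operands groups into single attribute comparisons."""
    for f in filters:
        if "operands" in f:
            yield from leaves(f["operands"])
        else:
            yield f

def lint(policy):
    """Return (problems, input_params the caller must send at execution time)."""
    cond = policy["condition"]
    bound = set(re.findall(r"[(\[](\w+):", cond["cypher"]))  # (var:Label) and [var:TYPE]
    comps = list(leaves(cond["filter"]))
    used = [c["attribute"] for c in comps] + policy.get("allowed_reads", {}).get("nodes", [])
    problems = [f"unbound variable in {u!r}" for u in used if u.split(".")[0] not in bound]
    if not any(c["attribute"] == "subject.external_id" and c["value"] == "$_appId"
               for c in comps):
        problems.append("subject is not pinned to the calling application ($_appId)")
    params = {c["value"][1:] for c in comps if str(c["value"]).startswith("$")}
    return problems, sorted(params - RESERVED)

def create_request(policy, project_id, name):
    """Body for POST /configs/v1/authorization-policies; "policy" is a JSON string."""
    return {"project_id": project_id, "name": name, "display_name": name,
            "description": "", "status": "ACTIVE", "tags": [],
            "policy": json.dumps(policy, separators=(",", ":"))}
```

For the Step 2 policy the lint reports companyID as the only input the caller must supply, which is what the Step 4 execution sends; for the Step 5 policy it reports none, matching the empty input_params in Step 7.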

Request to create a CIQ Policy configuration using Python.

policy_request.py

import http.client
import json

conn = http.client.HTTPSConnection("eu.api.indykite.com")

# Fill in the same fields as the REST request above;
# "policy" is the policy JSON serialized as a string.
payload = json.dumps({
    "description": "",
    "display_name": "",
    "name": "",
    "policy": "",
    "project_id": "",
    "status": "ACTIVE",
    "tags": [
        ""
    ]
})
headers = {
    'Content-Type': "application/json",
    # ServiceAccount credential, sent as a Bearer token
    'Authorization': "Bearer YOUR_SECRET_TOKEN"
}

conn.request("POST", "/configs/v1/authorization-policies", payload, headers)
res = conn.getresponse()
data = res.read()

Request to read the CIQ Policy configuration using REST.

policy_request.json
{
  "id": "your_policy_configuration_gid"
}

Request to read the CIQ Policy configuration using Python.

policy_request.py

import http.client

conn = http.client.HTTPSConnection("eu.api.indykite.com")
# ServiceAccount credential, sent as a Bearer token
headers = { 'Authorization': "Bearer YOUR_SECRET_TOKEN" }
# Replace with the gid of the policy configuration to read
policy_id = "your_policy_configuration_gid"
conn.request("GET", f"/configs/v1/authorization-policies/{policy_id}", headers=headers)
res = conn.getresponse()
data = res.read()

Step 6

Create a CIQ Query in the context of the policy to retrieve the data.

knowledge_query.json
{
  "nodes": [
    "vehicle.property.is_active",
    "person.property.email",
    "pm.property.payment_name"
  ]
}

Request to create a CIQ Query configuration using REST.

POST https://eu.api.indykite.com/configs/v1/knowledge-queries
{
  "project_id": "your_project_gid",
  "description": "description of knowledge query",
  "display_name": "knowledge query name",
  "name": "knowledge-query-name",
  "policy_id": "your_policy_gid",
  "query": "{\"nodes\":[\"vehicle.property.is_active\",\"person.property.email\",\"pm.property.payment_name\"]}",
  "status": "ACTIVE"
}

Request to create a CIQ Query configuration using Python.

create_knowledge_query.py

import http.client
import json

conn = http.client.HTTPSConnection("eu.api.indykite.com")

# Fill in the same fields as the REST request above;
# "query" is the query JSON serialized as a string.
payload = json.dumps({
    "description": "",
    "display_name": "",
    "name": "",
    "policy_id": "",
    "project_id": "",
    "query": "",
    "status": "ACTIVE"
})

headers = {
    'Content-Type': "application/json",
    # ServiceAccount credential, sent as a Bearer token
    'Authorization': "Bearer YOUR_SECRET_TOKEN"
}

conn.request("POST", "/configs/v1/knowledge-queries", payload, headers)

res = conn.getresponse()
data = res.read()

Read the CIQ Query Configuration.

GET https://eu.api.indykite.com/configs/v1/knowledge-queries/{id}
{
  "id": "your_knowledge_query_configuration_gid"
}

Step 7

CIQ execution request.

POST https://eu.api.indykite.com/contx-iq/v1/execute
{
  "id": "knowledge_query_gid",
  "input_params": {}
}

CIQ execution response.

response.json
{
  "data": [
    {
      "nodes": {
        "person.property.email": "alice@email.com",
        "pm.property.payment_name": "Credit Card",
        "vehicle.property.is_active": true
      }
    },
    {
      "nodes": {
        "person.property.email": "ryan@yahoo.co.uk",
        "pm.property.payment_name": "Credit Card",
        "vehicle.property.is_active": true
      }
    },
    {
      "nodes": {
        "person.property.email": "tilda@yahoo.co.uk",
        "pm.property.payment_name": "Klarna",
        "vehicle.property.is_active": true
      }
    }
  ]
}
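
To see why the response contains exactly these three rows, the following added example (not IndyKite code) evaluates the Step 5 pattern locally over the Step 1 data. The _Application ids app-linked and app-unlinked are constructed, and rejecting query fields outside allowed_reads is a modelling assumption of this example.

```python
from fnmatch import fnmatchcase

# Step 1 nodes from this page: external_id -> (label, properties the Step 6 query reads).
NODES = {
    "alice": ("Person", {"email": "alice@email.com"}),
    "ryan": ("Person", {"email": "ryan@yahoo.co.uk"}),
    "tilda": ("Person", {"email": "tilda@yahoo.co.uk"}),
    "cb123": ("PaymentMethod", {"payment_name": "Credit Card"}),
    "kl123": ("PaymentMethod", {"payment_name": "Klarna"}),
    "ct123": ("Contract", {}), "ct234": ("Contract", {}), "ct985": ("Contract", {}),
    "car1": ("Vehicle", {"is_active": True}), "car2": ("Vehicle", {"is_active": True}),
    "truck1": ("Vehicle", {"is_active": True}),
    "license1": ("LicenseNumber", {}), "license2": ("LicenseNumber", {}),
    "license3": ("LicenseNumber", {}), "company1": ("Company", {}), "company2": ("Company", {}),
}
# Step 1 relationships the Step 5 pattern can traverse, as (source, TYPE, target).
EDGES = [
    ("ryan", "HAS", "cb123"), ("tilda", "HAS", "kl123"), ("alice", "HAS", "cb123"),
    ("ryan", "ACCEPTED", "ct123"), ("tilda", "ACCEPTED", "ct234"), ("alice", "ACCEPTED", "ct985"),
    ("ct123", "COVERS", "car1"), ("ct985", "COVERS", "car1"), ("ct234", "COVERS", "truck1"),
    ("car1", "HAS", "license1"), ("truck1", "HAS", "license2"), ("car2", "HAS", "license3"),
    ("company1", "OWNS", "car1"), ("company1", "OWNS", "car2"), ("company1", "OWNS", "truck1"),
]
# Constructed: the edge Step 4 upserts for a hypothetical _Application "app-linked".
AGREEMENT = ("app-linked", "HAS_AGREEMENT_WITH", "company1")
ALLOWED_READS = ["pm.property.*", "person.property.*", "vehicle.property.is_active"]  # Step 5
QUERY_NODES = ["vehicle.property.is_active", "person.property.email",
               "pm.property.payment_name"]  # Step 6

def execute(app_id, edges, query_nodes=QUERY_NODES):
    """Evaluate the Step 5 pattern for one authenticated _Application subject."""
    # Assumption of this model: a query may only name fields matched by allowed_reads.
    denied = [q for q in query_nodes if not any(fnmatchcase(q, p) for p in ALLOWED_READS)]
    if denied:
        raise PermissionError(f"not in allowed_reads: {denied}")

    def out(src, rel, label):  # (src)-[rel]->(target:label)
        return [t for s, r, t in edges if (s, r) == (src, rel) and NODES[t][0] == label]

    def inc(dst, rel, label):  # (source:label)-[rel]->(dst)
        return [s for s, r, t in edges if (r, t) == (rel, dst) and NODES[s][0] == label]

    matches = [{"vehicle": vehicle, "person": person, "pm": pm}
               for company in out(app_id, "HAS_AGREEMENT_WITH", "Company")
               for vehicle in out(company, "OWNS", "Vehicle")
               for _ln in out(vehicle, "HAS", "LicenseNumber")
               for contract in inc(vehicle, "COVERS", "Contract")
               for person in inc(contract, "ACCEPTED", "Person")
               for pm in out(person, "HAS", "PaymentMethod")]
    rows = [{q: NODES[m[q.split(".")[0]]][1][q.split(".")[2]] for q in query_nodes}
            for m in matches]
    return sorted(rows, key=lambda row: sorted(row.items()))
```

car2 is owned by company1 and has a license number but no contract, so it contributes no rows; without the HAS_AGREEMENT_WITH edge the same call returns an empty list.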

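Request to run a CIQ Execution using Python.

ciq.python

import http.client
import json

conn = http.client.HTTPSConnection("eu.api.indykite.com")

# The REST request above sends empty input_params: the Step 5 policy only
# uses $_appId, which is assigned automatically for an _Application subject.
payload = json.dumps({
    "id": "knowledge_query_gid",
    "input_params": {"ln_number": "AX123456", "app_external_id": "application1"}
})

headers = {
    'Content-Type': "application/json",
    # AppAgent credential, sent as the X-IK-ClientKey API key (see Steps, item 7)
    'X-IK-ClientKey': "YOUR_SECRET_TOKEN"
}

conn.request("POST", "/contx-iq/v1/execute", payload, headers)

res = conn.getresponse()
data = res.read()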

Step 8

Delete the CIQ Queries.

DELETE https://eu.api.indykite.com/configs/v1/knowledge-queries/{id}
{
  "id": "your_knowledge_query_configuration_gid"
}

Request to delete the CIQ Queries.

del.py

import http.client

conn = http.client.HTTPSConnection("eu.api.indykite.com")

headers = { 'Authorization': "Bearer ..." }

conn.request("DELETE", "/configs/v1/knowledge-queries/{id}", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))

Delete the CIQ Policies.

DELETE https://eu.api.indykite.com/configs/v1/authorization-policies/{id}
{
  "id": "your_policy_configuration_gid"
}

Request to delete the CIQ Policies.

del.py

import http.client

conn = http.client.HTTPSConnection("eu.api.indykite.com")

headers = { 'Authorization': "Bearer ...", 'Content-Type': "application/json" }

conn.request("DELETE", "/configs/v1/authorization-policies/{id}", headers=headers)

res = conn.getresponse()
data = res.read()