ContX IQ: allow READ action
Allow any Person node to perform a READ action on all LicenseNumber nodes.
Use case
The policy allows all Person nodes to perform READ operation on LicenseNumber nodes, regardless of their connection to the LicenseNumber.
Note that there are no filters present in the policy, which means that the policy can be used to match all LicenseNumber nodes.
Requirements
- ServiceAccount credentials created in the IndyKite Hub for your organization .
- AppAgent credentials created in the IndyKite Hub, using the REST endpoints or using Terraform for your Project / Application.
Steps
1. Using the AppAgent credential as API Key (name: X-IK-ClientKey), ingest data in your IKG (IndyKite Knowledge Graph) using the script provided.
2. Using the ServiceAccount credential as Bearer token, create CIQ Policy which designated the READ action on all nodes of a category, with _Application as subject.
When a new Application with new credentials is created, _Application and _AppAgent nodes are created in the IKG.
We can use the _Application Bearer token, with no link between the _Application node and the other nodes, as the mandatory subject token.
We add a filter with attribute: subject.external_id and value: $_appId (reserved value).
When the subject is _Application, the $_appId input does not need to be provided in the CIQ Execution and is automatically assigned the subject.external_id value.
3. Using the ServiceAccount credential as Bearer token, create a CIQ Query in the context of the policy to retrieve the data.
4. Using the AppAgent credential as API Key (name: X-IK-ClientKey), run a CIQ Execution.
5. Delete your configuration.
Step 1
Ingest the nodes needed for this use case.
POST https://eu.api.indykite.com/capture/v1/nodes/Json
{
"nodes": [
{
"external_id": "alice",
"is_identity": true,
"type": "Person",
"properties": [
{
"type": "email",
"value": "alice@email.com"
},
{
"type": "given_name",
"value": "Alice"
},
{
"type": "last_name",
"value": "Smith"
}
]
},
{
"external_id": "ryan",
"is_identity": true,
"type": "Person",
"properties": [
{
"type": "email",
"value": "ryan@yahoo.co.uk"
},
{
"type": "given_name",
"value": "ryan"
},
{
"type": "last_name",
"value": "mushu"
}
]
},
{
"external_id": "tilda",
"is_identity": true,
"type": "Person",
"properties": [
{
"type": "email",
"value": "tilda@yahoo.co.uk"
},
{
"type": "given_name",
"value": "tilda"
},
{
"type": "last_name",
"value": "mushu"
}
]
},
{
"external_id": "cb123",
"type": "PaymentMethod",
"properties": [
{
"type": "payment_name",
"value": "Credit Card"
}
]
},
{
"external_id": "kl123",
"type": "PaymentMethod",
"properties": [
{
"type": "payment_name",
"value": "Klarna"
}
]
},
{
"external_id": "ct123",
"type": "Contract",
"properties": [
{
"type": "category",
"value": "Insurance"
},
{
"type": "status",
"value": "Active"
},
{
"type": "number",
"value": "hfgrten123",
"metadata": {
"assurance_level": 3,
"source": "BRREG"
}
}
]
},
{
"external_id": "ct234",
"type": "Contract",
"properties": [
{
"type": "category",
"value": "Insurance"
},
{
"type": "status",
"value": "Active"
},
{
"type": "number",
"value": "hfgrten234",
"metadata": {
"assurance_level": 3,
"source": "BRREG"
}
}
]
},
{
"external_id": "ct985",
"type": "Contract",
"properties": [
{
"type": "category",
"value": "Insurance"
},
{
"type": "status",
"value": "Active"
},
{
"type": "number",
"value": "hfgrten985",
"metadata": {
"assurance_level": 3,
"source": "BRREG"
}
}
]
},
{
"external_id": "car1",
"type": "Vehicle",
"properties": [
{
"type": "category",
"value": "Car"
},
{
"type": "is_active",
"value": true
},
{
"type": "vin",
"value": "rtfhcnvjt471"
}
]
},
{
"external_id": "car2",
"type": "Vehicle",
"properties": [
{
"type": "category",
"value": "Car"
},
{
"type": "is_active",
"value": true
},
{
"type": "vin",
"value": "kdcbfrt178"
}
]
},
{
"external_id": "truck1",
"type": "Vehicle",
"properties": [
{
"type": "category",
"value": "Truck"
},
{
"type": "is_active",
"value": true
},
{
"type": "vin",
"value": "sncnrkcldp"
}
]
},
{
"external_id": "license1",
"type": "LicenseNumber",
"properties": [
{
"type": "status",
"value": "Active"
},
{
"type": "number",
"value": "AX123456",
"metadata": {
"assurance_level": 3,
"source": "BRREG"
}
}
]
},
{
"external_id": "license2",
"type": "LicenseNumber",
"properties": [
{
"type": "status",
"value": "Active"
},
{
"type": "number",
"value": "OL123456",
"metadata": {
"assurance_level": 3,
"source": "BRREG"
}
}
]
},
{
"external_id": "license3",
"type": "LicenseNumber",
"properties": [
{
"type": "status",
"value": "Active"
},
{
"type": "number",
"value": "VN123456",
"metadata": {
"assurance_level": 3,
"source": "BRREG"
}
}
]
},
{
"external_id": "company1",
"type": "Company",
"properties": [
{
"type": "name",
"value": "Company1"
},
{
"type": "registration",
"value": "256314523"
}
]
},
{
"external_id": "company2",
"type": "Company",
"properties": [
{
"type": "name",
"value": "Company2"
},
{
"type": "registration",
"value": "942365123"
}
]
},
{
"external_id": "application1",
"type": "Application",
"properties": [
{
"type": "name",
"value": "Application"
}
]
},
{
"external_id": "application2",
"type": "Application",
"properties": [
{
"type": "name",
"value": "Application2"
}
]
}
]
}Ingest the relationships needed for this use case.
POST https://eu.api.indykite.com/capture/v1/relationships/Json
{
"relationships": [
{
"source": {
"external_id": "ryan",
"type": "Person"
},
"target": {
"external_id": "cb123",
"type": "PaymentMethod"
},
"type": "HAS"
},
{
"source": {
"external_id": "tilda",
"type": "Person"
},
"target": {
"external_id": "kl123",
"type": "PaymentMethod"
},
"type": "HAS"
},
{
"source": {
"external_id": "alice",
"type": "Person"
},
"target": {
"external_id": "cb123",
"type": "PaymentMethod"
},
"type": "HAS"
},
{
"source": {
"external_id": "ryan",
"type": "Person"
},
"target": {
"external_id": "ct123",
"type": "Contract"
},
"type": "ACCEPTED"
},
{
"source": {
"external_id": "tilda",
"type": "Person"
},
"target": {
"external_id": "ct234",
"type": "Contract"
},
"type": "ACCEPTED"
},
{
"source": {
"external_id": "alice",
"type": "Person"
},
"target": {
"external_id": "ct985",
"type": "Contract"
},
"type": "ACCEPTED"
},
{
"source": {
"external_id": "ct123",
"type": "Contract"
},
"target": {
"external_id": "car1",
"type": "Vehicle"
},
"type": "COVERS"
},
{
"source": {
"external_id": "ct985",
"type": "Contract"
},
"target": {
"external_id": "car1",
"type": "Vehicle"
},
"type": "COVERS"
},
{
"source": {
"external_id": "ct234",
"type": "Contract"
},
"target": {
"external_id": "truck1",
"type": "Vehicle"
},
"type": "COVERS"
},
{
"source": {
"external_id": "car1",
"type": "Vehicle"
},
"target": {
"external_id": "license1",
"type": "LicenseNumber"
},
"type": "HAS"
},
{
"source": {
"external_id": "truck1",
"type": "Vehicle"
},
"target": {
"external_id": "license2",
"type": "LicenseNumber"
},
"type": "HAS"
},
{
"source": {
"external_id": "car2",
"type": "Vehicle"
},
"target": {
"external_id": "license3",
"type": "LicenseNumber"
},
"type": "HAS"
},
{
"source": {
"external_id": "company1",
"type": "Company"
},
"target": {
"external_id": "car1",
"type": "Vehicle"
},
"type": "OWNS"
},
{
"source": {
"external_id": "company1",
"type": "Company"
},
"target": {
"external_id": "car2",
"type": "Vehicle"
},
"type": "OWNS"
},
{
"source": {
"external_id": "company1",
"type": "Company"
},
"target": {
"external_id": "truck1",
"type": "Vehicle"
},
"type": "OWNS"
},
{
"source": {
"external_id": "application1",
"type": "Application"
},
"target": {
"external_id": "company1",
"type": "Company"
},
"type": "HAS_AGREEMENT_WITH"
},
{
"source": {
"external_id": "application2",
"type": "Application"
},
"target": {
"external_id": "company1",
"type": "Company"
},
"type": "HAS_AGREEMENT_WITH"
}
]
}Step 2
CIQ Policy which designates the READ action on all nodes of a category.
policy.jsonJson
{
"meta": {
"policy_version": "1.0-ciq"
},
"subject": {
"type": "_Application"
},
"condition": {
"cypher": "MATCH (subject:_Application) MATCH (p:Person) MATCH (ln:LicenseNumber)",
"filter": [
{
"attribute": "subject.external_id",
"operator": "=",
"value": "$_appId"
}
]
},
"allowed_reads": {
"nodes": [
"ln.property.*"
]
}
}Request to create a CIQ Policy configuration using REST.
POST https://eu.api.indykite.com/configs/v1/authorization-policiesJson
{
"project_id": "your_project_gid",
"description": "description of policy",
"display_name": "policy name",
"name": "policy-name",
"policy": "{\"meta\":{\"policy_version\":\"1.0-ciq\"},\"subject\":{\"type\":\"_Application\"},\"condition\":{\"cypher\":\"MATCH (subject:_Application) MATCH (p:Person) MATCH (ln:LicenseNumber)\",\"filter\":[{\"attribute\":\"subject.external_id\",\"operator\":\"=\",\"value\":\"$_appId\"}]},\"allowed_reads\":{\"nodes\":[\"ln.property.*\"]}}",
"status": "ACTIVE",
"tags": []
}Request to read the CIQ Policy configuration using REST.
policy_request.jsonJson
{
"id": "your_policy_configuration_gid"
}Step 3
Create a CIQ Query in the context of the policy to retrieve the data.
knowledge_query.jsonJson
{
"nodes": [
"ln.property.number"
]
}Request to create a CIQ Query configuration using REST.
POST https://eu.api.indykite.com/configs/v1/knowledge-queriesJson
{
"project_id": "your_project_gid",
"description": "description of knowledge query",
"display_name": "knowledge query name",
"name": "knowledge-query-name",
"policy_id": "your_policy_gid",
"query": "{\"nodes\":[\"ln.property.number\"]}",
"status": "ACTIVE"
}Read the CIQ Query Configuration.
GET https://eu.api.indykite.com/configs/v1/knowledge-queries/{id}Json
{
"id": "your_knowledge_query_configuration_gid"
}Step 4
CIQ Execution request.
POST https://eu.api.indykite.com/contx-iq/v1/executeJson
{
"id": "knowledge_query_gid",
"input_params": {}
}CIQ Execution response.
response.jsonJson
{
"data": [
{
"nodes": {
"ln.property.number": "AX123456"
}
},
{
"nodes": {
"ln.property.number": "AX123456"
}
},
{
"nodes": {
"ln.property.number": "AX123456"
}
},
{
"nodes": {
"ln.property.number": "OL123456"
}
},
{
"nodes": {
"ln.property.number": "OL123456"
}
},
{
"nodes": {
"ln.property.number": "OL123456"
}
},
{
"nodes": {
"ln.property.number": "VN123456"
}
},
{
"nodes": {
"ln.property.number": "VN123456"
}
},
{
"nodes": {
"ln.property.number": "VN123456"
}
}
]
}Step 5
Delete the CIQ Query.
DELETE https://eu.api.indykite.com/configs/v1/knowledge-queries/{id}Json
{
"id": "your_knowledge_query_configuration_gid"
}Delete the CIQ Policy.
DELETE https://eu.api.indykite.com/configs/v1/authorization-policies/{id}Json
{
"id": "your_policy_configuration_gid"
}Tags
CIQ Policy CIQ Query CIQ Execution Security
Related Resources
ContX IQ basic example
ContX IQ Python
ContX IQ: list authorized resources.
ContX IQ Python
ContX IQ: allow creation nodes and relationships.
ContX IQ Json
ContX IQ: upsert relationships
ContX IQ Json
ContX IQ: delete nodes and relationships.
ContX IQ Json
ContX IQ: loyalty program.
ContX IQ Json
ContX IQ: link the _Application node to other data in the IKG.
ContX IQ Json
ContX IQ: With _Application node as a subject, read resources and upsert relationships and nodes.
ContX IQ Json
ContX IQ: With User node as a subject, read resources and upsert relationships and nodes.
ContX IQ Json
ContX IQ: With Person node as a subject, gives a company a consent on a payment method and then revokes it.
ContX IQ Json