Context-Based Access Control Using Graph Databases

‍Contributors: Hadi Ahmadi, Derek Small
‍
‍Abstract
‍Enel X (formerly EnerNOC), an Enel Group Company, a division of Enel e-solutions, is an energy company that is capitalizing on the power industry transformation, aimed at understanding and servicing the needs of Enel’s global customer base by exploring opportunities in areas of new technologies to develop customer-centric, innovative products and both non-commodity and digital solutions. Enel X services need to store and retrieve complex data about consumer organizations. The data fundamentally includes definitions of users, roles, sites, spaces, and equipment as well as various relationships between these entities.

The variety of data objects and the complexity of relationships between them in a multi-tenant service platform will demand highly granular access management and sophisticated resource protection policies to ensure appropriate access to each and every active user of the system. These rigorous policies will rely on defining authorization data that can be utilized for policy enforcement.

To address the problem of authorization over such a complex data structure, Nulli and Enel X collaborated on the design of a graph-based access control solution. Enel X designed the data model and implemented a custom-written API, named Atlas API, that stores and retrieves graph data as well as encapsulates and orchestrates data interaction on behalf of applications. Nulli led the implementation of ForgeRock Identity Platform™ and its integration with the Neo4j® Graph Database for authentication and authorization purposes. The key advantage of this approach is to support coexistence of customer and authorization data, such as users, organizations, resources, and policy rules; hence, to allow for performant access control decision making through simultaneous traversing of customer and authorization data nodes over the graph.