Monitor Access Control Activity

All AnzoGraph DB data access and access control modifications are logged in a system table named sth_acl. System administrators can monitor the sth_acl system table for various types of access control entries and activities. Those events include:

  • "Init file execution"
  • "Authorization Success"
  • "Authorization Failure"
  • "Create Role"
  • "Drop Role"
  • "Alter Role"
  • "Alter Graph" (changes of ownership)
  • "Alter Owned By"
  • "Grant Membership"
  • "Grant Privilege"
  • "Revoke Membership"
  • "Revoke Privilege"

In addition to monitoring access, an administrator can diagnose failures by examining the entries in the sth_acl table. You can query this AnzoGraph DB system table with regular SPARQL queries, just as you would any other data source. For example:

azgi -c "select * where {table 'sth_acl'}"

The following shows sample sth_acl table entries recorded after execution of a GRANT statement:

xrowid   | query | time          | user | action_type           | detail
---------+-------+---------------+------+-----------------------+------------------------------------------------
1219813  | 12453 | 2020-11-20... | test | Grant Privilege       | Granted privileges 1 on <testGraph> to <jsmith>
1220751  |     0 | 2020-11-20... |      | Authorization Success | test
1219294  |     0 | 2020-11-20... |      | Authorization Success | test
1212465  | 12370 | 2020-11-20... | test | Grant Membership      | Granted membership of <engineers> to <jsmith>
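Because sth_acl is the single record of both logins and privilege changes, a practical monitoring step is to scan its rows for two patterns: repeated "Authorization Failure" entries for the same login, and privilege-changing actions ("Grant Privilege", "Alter Role", and the other role and object operations listed above) issued by a user who is not expected to administer access control. The script below is an added example, not part of the AnzoGraph DB documentation: it parses the pipe-separated table that azgi prints for the query above and reports both patterns. The sample rows, the administrator allow-list and the failure threshold are constructed for this example.

```python
from collections import Counter

# Access-control action types recorded in sth_acl, as listed in the
# documentation above. Each of these changes who may do what.
PRIVILEGE_CHANGES = {
    "Create Role", "Drop Role", "Alter Role", "Alter Graph", "Alter Owned By",
    "Grant Membership", "Grant Privilege", "Revoke Membership", "Revoke Privilege",
}

# Constructed sample of the tabular output of
#   azgi -c "select * where {table 'sth_acl'}"
# The column layout matches the real table; the row contents are made up.
SAMPLE_OUTPUT = """\
xrowid   | query | time                | user   | action_type           | detail
---------+-------+---------------------+--------+-----------------------+------------------------------------------------
1219813  | 12453 | 2020-11-20 09:14:02 | test   | Grant Privilege       | Granted privileges 1 on <testGraph> to <jsmith>
1220751  |     0 | 2020-11-20 09:14:05 |        | Authorization Success | test
1219294  |     0 | 2020-11-20 09:15:10 |        | Authorization Failure | jsmith
1219295  |     0 | 2020-11-20 09:15:14 |        | Authorization Failure | jsmith
1219296  |     0 | 2020-11-20 09:15:19 |        | Authorization Failure | jsmith
1212465  | 12370 | 2020-11-20 09:16:30 | test   | Grant Membership      | Granted membership of <engineers> to <jsmith>
1212470  | 12380 | 2020-11-20 09:20:41 | jsmith | Alter Role            | Altered role <engineers>
"""


def parse_sth_acl(text):
    """Turn azgi's pipe-separated table into a list of dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [col.strip() for col in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        if set(line.strip()) <= set("-+"):  # the '----+----' separator row
            continue
        # Limit the split so a '|' inside the free-text detail column survives.
        cells = [cell.strip() for cell in line.split("|", len(header) - 1)]
        rows.append(dict(zip(header, cells)))
    return rows


def failed_auth_counts(rows):
    """Count 'Authorization Failure' events per login name.

    For authorization events the user column is empty and the login name
    appears in the detail column, as in the sample output above.
    """
    return Counter(r["detail"] for r in rows if r["action_type"] == "Authorization Failure")


def unexpected_privilege_changes(rows, admins):
    """Return privilege-changing events whose issuing user is outside `admins`.

    `admins` is the set of roles expected to administer access control; it is
    an assumption of this example, not something the sth_acl table defines.
    """
    return [r for r in rows
            if r["action_type"] in PRIVILEGE_CHANGES and r["user"] not in admins]


def report(text, admins, failure_threshold=3):
    """Produce one finding per suspicious pattern found in the table text."""
    rows = parse_sth_acl(text)
    findings = []
    for name, count in failed_auth_counts(rows).items():
        if count >= failure_threshold:
            findings.append(f"{count} authorization failures for '{name}'")
    for r in unexpected_privilege_changes(rows, admins):
        findings.append(f"{r['action_type']} by '{r['user']}' at {r['time']}: {r['detail']}")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_OUTPUT, admins={"test"}):
        print(finding)
```

On the constructed sample this reports the three failed logins for jsmith and the "Alter Role" issued by jsmith, who is not in the allow-list; the grants issued by test pass because test is listed as an administrator.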

Access Control System Graphs

All AnzoGraph DB role and object attributes and privileges are stored in one of two system graphs, <sbxroles> or <sbxaclobj>.

Regardless of whether users are authenticated locally or by a remote directory service, the privileges granted to specific groups or roles are stored locally in the system graph named <sbxroles>.

A second system graph named <sbxaclobj> stores the privileges to perform operations such as SELECT, UPDATE, DROP, and EXECUTE on objects such as graphs, views, and queries. When an object is created, its creator is designated as the owner of that object, and that ownership is recorded as a triple in the <sbxaclobj> system graph. To allow other users to access the same object, the owner can grant privileges on that object to other AnzoGraph DB roles.

The <sbxaclobj> system graph is updated with new triples whenever an object is either created or dropped or if its privileges are altered. Only system administrators assigned the superuser role or belonging to a group with administration privileges have the ability to modify the <sbxaclobj> system graph to update privileges.

The <sbxroles> System Graph

The AnzoGraph DB <sbxroles> system graph is updated whenever a role is created, altered, or dropped. The following triples are inserted into, updated in, or removed from the <sbxroles> graph whenever one of these operations is performed.

INSERT DATA {
  GRAPH <sbxroles> {
    <role1> a <Role> ;
      <attrs> attrib_list ;               # combined list of attributes
      <password> "passwd"^^xsd:string ;   # optional triple for local authentication
      <rowlimit> NNN ;                    # optional triple
      <priority> NNN ;                    # optional triple
      <grants> "member1,member2" ;        # list of all the roles granted privileges
    .
  }
}

The <sbxaclobj> System Graph

A second system graph, named <sbxaclobj>, is updated with new triples whenever an object is created or dropped or its privileges are altered. The following triples are inserted into, updated in, or removed from the <sbxaclobj> system graph whenever one of these operations is performed.

INSERT DATA {
  GRAPH <sbxaclobj> {
    <aclobj_uri>                              # based on objname, objtype, and objcontainer
      <objname> name ;
      <objtype> <graph | view | query | udx | subject | predicate | triple> ;
      <privileges> acl ;                      # mandatory: serialized JSON string for privileges
      <objid> (graphid | viewid | queryid) ;  # optional: for graph
      <container> "container" ;               # optional: for udx, the name of the library;
                                              # for subject, predicate, and triple, the name of the graph
    .
  }
}

Again, only an AnzoGraph DB system administrator, assigned the superuser role or belonging to a group with administration privileges, has the ability to directly modify the <sbxaclobj> system graph.