Copyright (c) 2005 - 2017 Franz, Incorporated

Last updated 10 January 2017 at 15:42

• Documentation Index
  • Release Notes
  • Quick Start
  • Introduction
  • Setup and Configuration
    • Download
    • Server Installation
    • Server Configuration and Control
    • WebView
    • Database Upgrading
  • Server Management
    • Performance Tuning
    • Deleting Duplicate Triples
    • Purging Deleted Triples
    • Auditing
    • Replication
    • Point-in-Time Recovery
    • Transaction Log Archiving
    • Security Overview
    • Security Implementation
  • Tools
    • Data Loading
    • Data Export
    • Backup and Restore
    • Querying
    • RDFS++
    • Materializer
  • Details
    • AllegroGraph Indices
    • Full-text Indices
    • Encoded IDs
    • Connection Pooling
    • N-dimensional Geospatial Overview
    • 2-D Geospatial
    • Temporal
    • Social Network
    • JavaScript
    • Datatypes
    • Data Conversion (Rapper)
    • Stored Procedures
    • Triple Attributes
  • Querying
    • SPARQL documentation summary
    • SPARQL Reference
    • SPIN
    • SPARQL Magic Properties
    • Prolog
  • 3rd-party tools
    • Solr text Indices
    • MongoDB integration
    • Callimachus support
    • TopBraid Composer Plugin
    • Cloudera
  • Client APIs
    • Gruff
    • REST/HTTP interface
    • HTTP reference
    • Javadocs (Sesame and Jena)
    • Python API
    • Lisp Reference
    • JavaScript
  • Tutorials
    • N-dimensional Geospatial
    • SPARQL Tutorial
    • Java Sesame
    • Java Jena
    • Python Sesame
    • Lisp
    • Prolog
    • More...
  • Other
    • Suggested Reading
    • Conferences and Seminars
    • Source Code on Github
    • Community Resources
    • Amazon EC2
    • Copyrights
    • Change History
  • Franz, Inc.

AllegroGraph Enterprise Security and Management

Franz AllegroGraph v4 represents the first Semantic Technology Database with OLTP, ACID compliance and Enterprise Management functionality. AllegroGraph Enterprise Security and Management (ESM) provides the mission critical functionality that organizations need to support 24/7/365 operations. AllegroGraph has received a Certificate of Networthiness for the product to run on the Department of Defense .mil network.

This document gives and overview of security in AllegroGraph. See Security Implementation for implementation details.

AllegroGraph ESM includes the following:

• Transport Layer security to and from database clients.
• Management, Access Control and Security for the AllegroGraph database server and AllegroGraph Enterprise Subsystems; such as Backup, Restore, Point-in-Time Recovery, Warm Standby and Replication.
• Data Access Control v4
• Data Access Control v4.5 – Triple Level Security

Transport Layer Security

Access to an AllegroGraph database server can be obtained via AllegroGraph’s RESTful interface (for HTTP and HTTPS clients), through AllegroGraph’s built-in web interface – AGWebView, and through a local Lisp client application

All client network access to AllegroGraph occurs though the product’s HTTP and HTTPS RESTful interfaces. The AllegroGraph interface, and RESTful interfaces in general, are remarkable in that they are by definition client-server, stateless, cacheable and provide a uniform interface identifying system resources in the client request.

AllegroGraph clients can connect directly to the server via HTTP, sending and receiving clear text. AllegroGraph clients also have the ability to send and receive encrypted requests.

SSL and TLS

When an AllegroGraph session is established over Secure Sockets Layer (SSL), the server shares a public key with the client which is used to encrypt subsequent requests. AllegroGraph supports SSL v3 and TLS v1.0 (SSL v3.1).

AllegroGraph utilizes FIPS 140-2 compliant encryption for data in transit. Reference http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf.

X.509 Certificates

The server provides an X.509 certificate to the client during the SSL/TLS handshake when the connection is established. Therefore the client can check the contents of the certificate if desired.

Management Access Control

AGWebView provides a GUI management and data access interface to AllegroGraph v4, as we describe in Security Implementation. The web-browser based interface allows the system administrator to manage access control to individual databases, maintain users and roles, and control the Warm Standby and Replication interfaces.

Configuration of Databases and Catalogs

Database and collections of databases are effectively managed through AGWebView. Control over placement of the catalogs, individual databases, and server settings is managed during initial server configuration.

Management of JavaScript and Lisp Stored Procedures

Both JavaScript and Lisp stored procedures are supported. The user manages stored procedures through AGWebView.

User Management

The system administrator is given fine-grain control over creation and management of users, passwords and roles through the AGWebView interface.

There are several predefined user attributes, including Superuser, Start Sessions, Eval (stored procedures) and (control) Replication.

For each user and role, the administrator can manage these attributes and access to individual databases. Access to databases can be granted per database, a portion of a catalog or for the entire database server.

Programmatic System Management

Through the RESTful interface to AllegroGraph, all the management functions of the product are exposed via HTTP(S), Java, Python, Lisp and others. Customer organizations can take advantage of AGWebView, or for embedded solutions provide their own custom interface to AllegoGraph security and management.

Summary:

Manage User Attributes

• Super User - Manages user accounts and all security.
• Eval User - Manages access to AllegroGraph stored procedure functionality.
• Session - Allows users to manage their own sessions.
• Read/Write - Defined per user for each database and catalog.

Administrative Functionality

• List Users
• Create Users
• Delete Users
• Change Password
• List User Roles
• Add Role to User
• Delete Role from User
• List User Permission Flags
• Assign Permission Flags
• Delete Permission Flags
• List User Database and Catalog Access
• Set User Database and Catalog Access
• List Users within specified Role
• Create New Role
• Delete Role
• Grant and Revoke Permissions for each Role
• Create and Delete Database
• Specify security filters for roles and for users

Data Access - Allegro Graph v4.3 (Triple Level Security)

As RDF stores become more entrenched in enterprise applications, increased security and improved fine-grained control of access to data is required. To support this, AllegroGraph v4.3 introduces Triple/Quad Level Security Filters, which are described in this section of Security Implementation.

With Security Filters the system administrator is able to grant user access to the entire store, or restrict access to a limited and filtered view of the database.

Security Filters can be applied to individual databases for all add/delete/query operations, per user and per role. You specify which values of the subject, predicate, object, or graph should be allowed or disallowed and then query responses are filtered appropriately, and attempts to add or delete filtered triples fail.

Key Security Filter Features:

• Apply Security Filters per User and/or Role.
• Prevents RDF data access to unauthorized users.
• Minimal Administration.
• The user views the database based on the applied Security Filter.
• Allows Extremely fine-grained and flexible access to RDF data.