Security
PuppyGraph layers three independent access controls. Use them in combination as needed:
- OAuth / OIDC Single Sign-On. Who you are. Users authenticate through your identity provider (Okta, Auth0, Azure AD, Google Workspace, Keycloak, etc.); PuppyGraph receives and verifies the ID token.
- Role-Based Access Control. What you can do. Each user is assigned one of five built-in roles. Permissions are enforced at every entry point: REST, Bolt, and Gremlin.
- Row-Level Security. What you can see. Per-user predicates from an entitlement table are injected into every source-table scan, so the same Cypher query returns different rows for different users.
A request flows through them in that order. The IdP says who the user is, RBAC decides whether they may execute the operation at all, and RLS narrows the result set to the rows that user is entitled to see.
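A minimal model of the flow described above, as an added example that is not PuppyGraph's implementation or API: an RBAC gate followed by entitlement-table predicates injected into a source-table scan, using SQLite. All table, column, user and role names are constructed for illustration, and the user name is assumed to come from an ID token that has already been verified.

```python
import sqlite3

# Constructed data: all table, column, user and role names are hypothetical.
USER_ROLES = {"alice": "reader", "bob": "reader", "carol": "reader", "dave": "no_query"}
ROLES_MAY_QUERY = {"reader"}
RLS_COLUMNS = {"accounts": {"region"}}  # identifiers cannot be bound, so allow-list them

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (id INTEGER, name TEXT, region TEXT);
        INSERT INTO accounts VALUES (1,'acme','EU'), (2,'globex','US'), (3,'initech','EU');
        CREATE TABLE entitlements (username TEXT, table_name TEXT,
                                   column_name TEXT, allowed_value TEXT);
        INSERT INTO entitlements VALUES ('alice','accounts','region','EU'),
            ('bob','accounts','region','EU'), ('bob','accounts','region','US');
    """)
    return db

def rls_predicate(db, user, table):
    """Build a parameterized WHERE fragment from the user's entitlement rows."""
    rows = db.execute(
        "SELECT column_name, allowed_value FROM entitlements "
        "WHERE username = ? AND table_name = ?", (user, table)).fetchall()
    if not rows:
        return "0", []  # no entitlement rows: deny by default, never an open scan
    by_col = {}
    for col, val in rows:
        if col not in RLS_COLUMNS[table]:
            raise ValueError(f"unexpected RLS column {col!r}")
        by_col.setdefault(col, []).append(val)
    clauses, params = [], []
    for col, vals in sorted(by_col.items()):
        clauses.append(f"{col} IN ({', '.join('?' * len(vals))})")
        params += vals
    return " AND ".join(clauses), params

def scan(db, user, table):
    """`user` is assumed to come from an already-verified ID token."""
    if USER_ROLES.get(user) not in ROLES_MAY_QUERY:   # RBAC: may they query at all?
        raise PermissionError(f"{user} may not run queries")
    if table not in RLS_COLUMNS:
        raise ValueError(f"unknown table {table!r}")
    where, params = rls_predicate(db, user, table)    # RLS: which rows may they see?
    sql = f"SELECT id FROM {table} WHERE {where} ORDER BY id"
    return [row[0] for row in db.execute(sql, params)]
```

The same `scan` call returns different rows per user, and a user with a query-capable role but no entitlement rows gets an empty result rather than the full table.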