All versions of this manual

Access control: Users, groups and rights

Linkurious relies on a role-based access control model based on node-categories and edge-types:

  • Users belong to at least one user-group
  • User-groups have several access-rights
  • Each access-right defines access to a specific node-category or edge-type:
    • none (no access)
    • read (read-only access)
    • write (read and write access)

When users belong to several user-groups, it can happen that many access-rights are defined for a node-category (or edge-type). In this case, the more permissive access-right is granted.


  • User Foo belong to User-groups Accounting and Sales
  • User-group Accounting has:
    • READ access to node-category COMPANY
    • WRITE access to node-category CONTRACT
  • User-group Sales has:
    • READ access to node-category CONTRACT
    • WRITE access to node-category CUSTOMER
  • Result:
    • User Foo has READ access to node-category COMPANY (via User-group Accounting)
    • User Foo has WRITE access to node-category CONTRACT (via User-group Accounting)
    • User Foo has WRITE access to node-category CUSTOMER (via User-group Sales)

Creating users, groups and rights

To create users, user-groups and access-rights, administrators can use the Web user interface via the Admin > Users menu: admin-users menu

Password hashing

Passwords are hashed with the PBKDF2 algorithm and the following parameters:

  • iterations: 1000
  • salt length: 96 bits
  • key length: 256 bytes

External users

When using an external source for authentication (LDAP, Active Directory, OpenID Connect etc.), users are automatically created in Linkurious when they first connect.

These shadow-users allow to store Linkurious specific data such as user preferences, user-groups and other objects (visualizations, etc.). Passwords of external users are never stored inside Linkurious.

The user-group that will be attributed to these users is the default user-group (with read-all access), unless you specify a group ID in access.externalUserDefaultGroupId or you configure a group mapping. (see details on how to configure access).

Group mapping

If an external source already organizes users in groups, it's possible to use this information to map automatically external groups to Linkurious groups. To do so, you have to set the access.externalUsersGroupMapping configuration key to be an object with the external group IDs as keys and the internal group IDs as values.

For example, if we want to provide group mapping for Microsoft Active Directory:

{ // under the access configuration key 
  // ... 
  "externalUsersGroupMapping": {
    "Administrators": 1 // any Active Directory admin is a Linkurious admin 
  // ... 

For some identity providers the external group IDs is an actual name, for others is an ID:

  • Azure AD uses the group ID, e.g. "818b6e03-15dd-4e19-8cb1-a4f434b40a04"
  • LDAP uses the group ID, e.g. "999"
  • Microsoft Active Directory uses the group name, e.g. "Administrators"

To exclude some groups of users from logging in into Linkurious, set up a list of authorized groups in the configuration key access.externalUsersAllowedGroups.