
Permissions
Curiosity enforces access at query time — in search, graph traversals, and AI responses. A user never sees a node they can't access, regardless of how the query is written.
Default: no restriction set → visible to all authenticated users.
var team = await graph.CreateTeamAsync("Engineering"); // idempotent
graph.RestrictAccessToTeam(ticket, team); // restrict before committing
Three patterns:
Source-mirrored — mirror the source's permission model (recommended):
foreach (var group in row.SharedWith)
    graph.RestrictAccessToTeam(node, await graph.CreateTeamAsync(group));
Rule-based — apply a segmentation rule:
if (row.Tier == "Enterprise") graph.RestrictAccessToTeam(ticket, enterpriseTeam);
Public with overrides — open by default, selectively restricted:
if (row.IsConfidential) graph.RestrictAccessToTeam(doc, restrictedTeam);
Don't skip this in early development
Retrofitting ACLs to an existing graph means re-ingesting everything. Model permissions from day one.
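Because an unrestricted node is visible to all authenticated users, a source row whose SharedWith list is empty would end up readable by everyone under the source-mirrored loop. The following added example (not Curiosity's own code) shows one fail-closed way to handle that case; `IAclGraph`, `FakeGraph`, the string node ids and the `Unmapped-Restricted` team name are assumptions made so it runs without the SDK.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

// Hypothetical stand-in exposing only the two calls shown on this page.
public interface IAclGraph
{
    Task<string> CreateTeamAsync(string name);
    void RestrictAccessToTeam(string node, string team);
}

// In-memory fake (assumption) that records which teams each node was restricted to.
public sealed class FakeGraph : IAclGraph
{
    public Dictionary<string, HashSet<string>> Acl { get; } = new();
    public Task<string> CreateTeamAsync(string name) => Task.FromResult(name);
    public void RestrictAccessToTeam(string node, string team)
    {
        if (!Acl.TryGetValue(node, out var teams)) Acl[node] = teams = new HashSet<string>();
        teams.Add(team);
    }
}

public static class Program
{
    // Mirror the source groups; if none survive cleaning, restrict to a fallback
    // team instead of leaving the node unrestricted (visible to everyone).
    public static async Task MirrorAsync(IAclGraph graph, string node,
        IEnumerable<string> sharedWith, string fallbackTeam)
    {
        var groups = (sharedWith ?? Enumerable.Empty<string>())
            .Where(g => !string.IsNullOrWhiteSpace(g))
            .Select(g => g.Trim())
            .Distinct(StringComparer.Ordinal)
            .ToList();
        if (groups.Count == 0) groups.Add(fallbackTeam);
        foreach (var g in groups)
            graph.RestrictAccessToTeam(node, await graph.CreateTeamAsync(g));
    }

    public static async Task Main()
    {
        var graph = new FakeGraph();
        // Constructed sample rows: one shared with two groups, one with no usable groups.
        await MirrorAsync(graph, "ticket-1", new[] { "Engineering", " Support " }, "Unmapped-Restricted");
        await MirrorAsync(graph, "ticket-2", new[] { "", null }, "Unmapped-Restricted");
        foreach (var (node, teams) in graph.Acl)
            Console.WriteLine($"{node}: {string.Join(", ", teams)}");
    }
}
```

Counting how many nodes land in the fallback team during ingestion is a quick check that the source's permission data is actually being read.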