cartography 0.117.0__py3-none-any.whl → 0.119.0__py3-none-any.whl

cartography/intel/gsuite/groups.py

@@ -0,0 +1,291 @@
+import logging
+from typing import Any
+
+import neo4j
+from googleapiclient.discovery import Resource
+from googleapiclient.errors import HttpError
+
+from cartography.client.core.tx import load
+from cartography.client.core.tx import load_matchlinks
+from cartography.graph.job import GraphJob
+from cartography.models.gsuite.group import GSuiteGroupSchema
+from cartography.models.gsuite.group import GSuiteGroupToGroupMemberRel
+from cartography.models.gsuite.group import GSuiteGroupToGroupOwnerRel
+from cartography.models.gsuite.tenant import GSuiteTenantSchema
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+GOOGLE_API_NUM_RETRIES = 5
+
+
+@timeit
+def get_all_groups(
+    admin: Resource, customer_id: str = "my_customer"
+) -> list[dict[str, Any]]:
+    """
+    Return list of Google Groups in your organization
+    Returns empty list if we are unable to enumerate the groups for any reasons
+
+    googleapiclient.discovery.build('admin', 'directory_v1', credentials=credentials, cache_discovery=False)
+
+    :param admin: google's apiclient discovery resource object.  From googleapiclient.discovery.build
+    See https://googleapis.github.io/google-api-python-client/docs/epy/googleapiclient.discovery-module.html#build.
+    :return: list of Google groups in domain
+    """
+    request = admin.groups().list(
+        customer=customer_id,
+        maxResults=20,
+        orderBy="email",
+    )
+    response_objects = []
+    while request is not None:
+        try:
+            resp = request.execute(num_retries=GOOGLE_API_NUM_RETRIES)
+            response_objects.extend(resp.get("groups", []))
+            request = admin.groups().list_next(request, resp)
+        except HttpError as e:
+            if (
+                e.resp.status == 403
+                and "Request had insufficient authentication scopes" in str(e)
+            ):
+                logger.error(
+                    "Missing required GSuite scopes. If using the gcloud CLI, "
+                    "run: gcloud auth application-default login --scopes="
+                    '"https://www.googleapis.com/auth/admin.directory.user.readonly,'
+                    "https://www.googleapis.com/auth/admin.directory.group.readonly,"
+                    "https://www.googleapis.com/auth/admin.directory.group.member.readonly,"
+                    'https://www.googleapis.com/auth/cloud-platform"'
+                )
+            raise
+    return response_objects
+
+
+@timeit
+def get_members_for_groups(
+    admin: Resource, groups_email: list[str]
+) -> dict[str, list[dict[str, Any]]]:
+    """Get all members for given groups emails
+
+    Args:
+        admin (Resource): google's apiclient discovery resource object.  From googleapiclient.discovery.build
+        See https://googleapis.github.io/google-api-python-client/docs/epy/googleapiclient.discovery-module.html#build.
+        groups_email (list[str]): List of group email addresses to get members for
+
+
+    :return: list of dictionaries representing Users or Groups grouped by group email
+    """
+    results: dict[str, list[dict]] = {}
+    for group_email in groups_email:
+        request = admin.members().list(
+            groupKey=group_email,
+            maxResults=500,
+        )
+        members: list[dict] = []
+        while request is not None:
+            resp = request.execute(num_retries=GOOGLE_API_NUM_RETRIES)
+            members = members + resp.get("members", [])
+            request = admin.members().list_next(request, resp)
+        results[group_email] = members
+
+    return results
+
+
+@timeit
+def transform_groups(
+    groups: list[dict], group_memberships: dict[str, list[dict[str, Any]]]
+) -> tuple[list[dict], list[dict], list[dict]]:
+    """Strips list of API response objects to return list of group objects only and lists of subgroup relationships
+
+    :param groups: Raw groups from Google API
+    :param group_memberships: Group memberships data
+    :return: tuple of (groups, group_member_relationships, group_owner_relationships)
+    """
+    transformed_groups: list[dict] = []
+    group_member_relationships: list[dict] = []
+    group_owner_relationships: list[dict] = []
+
+    for group in groups:
+        group_id = group["id"]
+        group_email = group["email"]
+        group["member_ids"] = []
+        group["owner_ids"] = []
+
+        for member in group_memberships.get(group_email, []):
+            if member["type"] == "GROUP":
+                # Create group-to-group relationships
+                relationship_data = {
+                    "parent_group_id": group_id,
+                    "subgroup_id": member.get("id"),
+                    "role": member.get("role"),
+                }
+
+                if member.get("role") == "OWNER":
+                    group_owner_relationships.append(relationship_data)
+                else:
+                    group_member_relationships.append(relationship_data)
+                continue
+
+            # Handle user memberships
+            if member.get("role") == "OWNER":
+                group["owner_ids"].append(member.get("id"))
+            group["member_ids"].append(member.get("id"))
+
+        transformed_groups.append(group)
+
+    return transformed_groups, group_member_relationships, group_owner_relationships
+
+
+@timeit
+def load_gsuite_groups(
+    neo4j_session: neo4j.Session,
+    groups: list[dict],
+    customer_id: str,
+    gsuite_update_tag: int,
+) -> None:
+    """
+    Load GSuite groups using the modern data model
+    """
+    logger.info("Ingesting %d gsuite groups", len(groups))
+
+    # Load tenant first if it doesn't exist
+    tenant_data = [{"id": customer_id}]
+    load(
+        neo4j_session,
+        GSuiteTenantSchema(),
+        tenant_data,
+        lastupdated=gsuite_update_tag,
+    )
+
+    # Load groups with relationship to tenant
+    load(
+        neo4j_session,
+        GSuiteGroupSchema(),
+        groups,
+        lastupdated=gsuite_update_tag,
+        CUSTOMER_ID=customer_id,
+    )
+
+
+@timeit
+def load_gsuite_group_to_group_relationships(
+    neo4j_session: neo4j.Session,
+    group_member_relationships: list[dict],
+    group_owner_relationships: list[dict],
+    customer_id: str,
+    gsuite_update_tag: int,
+) -> None:
+    """
+    Load GSuite group-to-group relationships using MatchLinks
+    """
+    logger.info(
+        "Ingesting %d group member relationships", len(group_member_relationships)
+    )
+    logger.info(
+        "Ingesting %d group owner relationships", len(group_owner_relationships)
+    )
+
+    # Load group member relationships (Group -> Group MEMBER)
+    if group_member_relationships:
+        load_matchlinks(
+            neo4j_session,
+            GSuiteGroupToGroupMemberRel(),
+            group_member_relationships,
+            lastupdated=gsuite_update_tag,
+            _sub_resource_label="GSuiteTenant",
+            _sub_resource_id=customer_id,
+        )
+
+    # Load group owner relationships (Group -> Group OWNER)
+    if group_owner_relationships:
+        load_matchlinks(
+            neo4j_session,
+            GSuiteGroupToGroupOwnerRel(),
+            group_owner_relationships,
+            lastupdated=gsuite_update_tag,
+            _sub_resource_label="GSuiteTenant",
+            _sub_resource_id=customer_id,
+        )
+
+
+@timeit
+def cleanup_gsuite_groups(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: dict[str, Any],
+    customer_id: str,
+    gsuite_update_tag: int,
+) -> None:
+    """
+    Clean up GSuite groups and group-to-group relationships using the modern data model
+    """
+    logger.debug("Running GSuite groups cleanup job")
+
+    # Cleanup group nodes
+    GraphJob.from_node_schema(GSuiteGroupSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+
+    # Cleanup group-to-group member relationships
+    GraphJob.from_matchlink(
+        GSuiteGroupToGroupMemberRel(),
+        "GSuiteTenant",
+        customer_id,
+        gsuite_update_tag,
+    ).run(neo4j_session)
+
+    # Cleanup group-to-group owner relationships
+    GraphJob.from_matchlink(
+        GSuiteGroupToGroupOwnerRel(),
+        "GSuiteTenant",
+        customer_id,
+        gsuite_update_tag,
+    ).run(neo4j_session)
+
+
+@timeit
+def sync_gsuite_groups(
+    neo4j_session: neo4j.Session,
+    admin: Resource,
+    gsuite_update_tag: int,
+    common_job_parameters: dict[str, Any],
+) -> None:
+    """
+    GET GSuite group objects using the google admin api resource, load the data into Neo4j and clean up stale nodes.
+
+    :param neo4j_session: The Neo4j session
+    :param admin: Google admin resource object created by `googleapiclient.discovery.build()`.
+    See https://googleapis.github.io/google-api-python-client/docs/epy/googleapiclient.discovery-module.html#build.
+    :param gsuite_update_tag: The timestamp value to set our new Neo4j nodes with
+    :param common_job_parameters: Parameters to carry to the Neo4j jobs
+    :return: Nothing
+    """
+    logger.debug("Syncing GSuite Groups")
+
+    customer_id = common_job_parameters.get(
+        "CUSTOMER_ID", "my_customer"
+    )  # Default to "my_customer" for backward compatibility
+
+    # 1. GET - Fetch data from API
+    resp_objs = get_all_groups(admin, customer_id)
+    group_members = get_members_for_groups(admin, [resp["email"] for resp in resp_objs])
+
+    # 2. TRANSFORM - Shape data for ingestion
+    groups, group_member_relationships, group_owner_relationships = transform_groups(
+        resp_objs, group_members
+    )
+
+    # 3. LOAD - Ingest to Neo4j using data model
+    load_gsuite_groups(neo4j_session, groups, customer_id, gsuite_update_tag)
+
+    # Load group-to-group relationships after groups are loaded
+    load_gsuite_group_to_group_relationships(
+        neo4j_session,
+        group_member_relationships,
+        group_owner_relationships,
+        customer_id,
+        gsuite_update_tag,
+    )
+
+    # 4. CLEANUP - Remove stale data
+    cleanup_params = {**common_job_parameters, "CUSTOMER_ID": customer_id}
+    cleanup_gsuite_groups(neo4j_session, cleanup_params, customer_id, gsuite_update_tag)

cartography/intel/gsuite/users.py

@@ -0,0 +1,142 @@
+import logging
+from collections import defaultdict
+from typing import Any
+
+import neo4j
+from googleapiclient.discovery import Resource
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.gsuite.tenant import GSuiteTenantSchema
+from cartography.models.gsuite.user import GSuiteUserSchema
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+GOOGLE_API_NUM_RETRIES = 5
+
+
+@timeit
+def get_all_users(admin: Resource) -> list[dict]:
+    """
+    Return list of Google Users in your organization
+    Returns empty list if we are unable to enumerate the users for any reasons
+    https://developers.google.com/admin-sdk/directory/v1/guides/manage-users
+
+    :param admin: apiclient discovery resource object
+    :return: list of Google users in domain
+    see https://developers.google.com/admin-sdk/directory/v1/guides/manage-users#get_all_domain_users
+    """
+    request = admin.users().list(
+        customer="my_customer",
+        maxResults=500,
+        orderBy="email",
+    )
+    response_objects = []
+    while request is not None:
+        resp = request.execute(num_retries=GOOGLE_API_NUM_RETRIES)
+        response_objects.append(resp)
+        request = admin.users().list_next(request, resp)
+    return response_objects
+
+
+@timeit
+def transform_users(response_objects: list[dict]) -> dict[str, list[dict[str, Any]]]:
+    """Transform list of API response objects to return list of user objects with flattened structure grouped by customerId
+    :param response_objects: Raw API response objects
+    :return: list of dictionary objects for data model consumption
+    """
+    results = defaultdict(list)
+    for response_object in response_objects:
+        for user in response_object["users"]:
+            # Flatten the nested name structure
+            transformed_user = user.copy()
+            if "name" in user and isinstance(user["name"], dict):
+                transformed_user["name"] = user["name"].get("fullName")
+                transformed_user["family_name"] = user["name"].get("familyName")
+                transformed_user["given_name"] = user["name"].get("givenName")
+            results[transformed_user["customerId"]].append(transformed_user)
+    return results
+
+
+@timeit
+def load_gsuite_users(
+    neo4j_session: neo4j.Session,
+    users_by_customer: dict[str, list[dict]],
+    gsuite_update_tag: int,
+) -> None:
+    """
+    Load GSuite users using the modern data model
+    """
+    logger.info("Ingesting %s gsuite tenants", len(users_by_customer))
+    tenant_data = [{"id": customer_id} for customer_id in users_by_customer.keys()]
+    load(
+        neo4j_session,
+        GSuiteTenantSchema(),
+        tenant_data,
+        lastupdated=gsuite_update_tag,
+    )
+
+    for customer_id, users in users_by_customer.items():
+        logger.info(
+            "Ingesting %s gsuite users for customer %s", len(users), customer_id
+        )
+        # Load users with relationship to tenant
+        load(
+            neo4j_session,
+            GSuiteUserSchema(),
+            users,
+            lastupdated=gsuite_update_tag,
+            CUSTOMER_ID=customer_id,
+        )
+
+
+@timeit
+def cleanup_gsuite_users(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: dict[str, Any],
+) -> None:
+    """
+    Clean up GSuite users using the modern data model
+    """
+    logger.debug("Running GSuite users cleanup job")
+    GraphJob.from_node_schema(GSuiteUserSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+
+
+@timeit
+def sync_gsuite_users(
+    neo4j_session: neo4j.Session,
+    admin: Resource,
+    gsuite_update_tag: int,
+    common_job_parameters: dict[str, Any],
+) -> list[str]:
+    """
+    GET GSuite user objects using the google admin api resource, load the data into Neo4j and clean up stale nodes.
+
+    :param neo4j_session: The Neo4j session
+    :param admin: Google admin resource object created by `googleapiclient.discovery.build()`.
+    See https://googleapis.github.io/google-api-python-client/docs/epy/googleapiclient.discovery-module.html#build.
+    :param gsuite_update_tag: The timestamp value to set our new Neo4j nodes with
+    :param common_job_parameters: Parameters to carry to the Neo4j jobs
+    :return: list of customer IDs
+    """
+    logger.debug("Syncing GSuite Users")
+
+    # 1. GET - Fetch data from API
+    resp_objs = get_all_users(admin)
+
+    # 2. TRANSFORM - Shape data for ingestion
+    users_by_customers = transform_users(resp_objs)
+
+    # 3. LOAD - Ingest to Neo4j using data model
+    load_gsuite_users(neo4j_session, users_by_customers, gsuite_update_tag)
+
+    # 4. CLEANUP - Remove stale data
+    for customer_id in users_by_customers.keys():
+        cleanup_params = {**common_job_parameters, "CUSTOMER_ID": customer_id}
+        cleanup_gsuite_users(neo4j_session, cleanup_params)
+
+    # Return the list of customer IDs
+    return list(users_by_customers.keys())

cartography/intel/jamf/computers.py

@@ -4,6 +4,7 @@ from typing import List
 
 import neo4j
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.jamf.util import call_jamf_api
 from cartography.util import run_cleanup_job
 from cartography.util import timeit
@@ -35,7 +36,12 @@ def load_computer_groups(
     g.lastupdated = $UpdateTag
     """
     groups = data.get("computer_groups")
-    neo4j_session.run(ingest_groups, JsonData=groups, UpdateTag=update_tag)
+    run_write_query(
+        neo4j_session,
+        ingest_groups,
+        JsonData=groups,
+        UpdateTag=update_tag,
+    )
 
 
 @timeit

cartography/intel/oci/iam.py

@@ -10,6 +10,8 @@ from typing import List
 import neo4j
 import oci
 
+from cartography.client.core.tx import read_list_of_dicts_tx
+from cartography.client.core.tx import run_write_query
 from cartography.util import run_cleanup_job
 
 from . import utils
@@ -89,7 +91,8 @@ def load_compartments(
     """
 
     for compartment in compartments:
-        neo4j_session.run(
+        run_write_query(
+            neo4j_session,
             ingest_compartment,
             OCID=compartment["id"],
             COMPARTMENT_ID=compartment["compartment-id"],
@@ -126,7 +129,8 @@ def load_users(
     """
 
     for user in users:
-        neo4j_session.run(
+        run_write_query(
+            neo4j_session,
             ingest_user,
             OCID=user["id"],
             CREATE_DATE=str(user["time-created"]),
@@ -206,7 +210,8 @@ def load_groups(
     """
 
     for group in groups:
-        neo4j_session.run(
+        run_write_query(
+            neo4j_session,
             ingest_group,
             OCID=group["id"],
             CREATE_DATE=str(group["time-created"]),
@@ -260,7 +265,11 @@ def sync_group_memberships(
         "MATCH (group:OCIGroup)<-[:RESOURCE]-(OCITenancy{ocid: $OCI_TENANCY_ID}) "
         "return group.name as name, group.ocid as ocid;"
     )
-    groups = neo4j_session.run(query, OCI_TENANCY_ID=current_tenancy_id)
+    groups = neo4j_session.execute_read(
+        read_list_of_dicts_tx,
+        query,
+        OCI_TENANCY_ID=current_tenancy_id,
+    )
     groups_membership = {
         group["ocid"]: get_group_membership_data(iam, group["ocid"], current_tenancy_id)
         for group in groups
@@ -288,7 +297,8 @@ def load_group_memberships(
     """
     for group_ocid, membership_data in group_memberships.items():
         for info in membership_data["GroupMemberships"]:
-            neo4j_session.run(
+            run_write_query(
+                neo4j_session,
                 ingest_membership,
                 COMPARTMENT_ID=info["compartment-id"],
                 GROUP_OCID=info["group-id"],
@@ -317,7 +327,8 @@ def load_policies(
     """
 
     for policy in policies:
-        neo4j_session.run(
+        run_write_query(
+            neo4j_session,
             ingest_policy,
             OCID=policy["id"],
             POLICY_NAME=policy["name"],
@@ -386,7 +397,8 @@ def load_oci_policy_group_reference(
     ON CREATE SET r.firstseen = timestamp()
     SET r.lastupdated = $oci_update_tag
     """
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_policy_group_reference,
         POLICY_ID=policy_id,
         GROUP_ID=group_id,
@@ -408,7 +420,8 @@ def load_oci_policy_compartment_reference(
     ON CREATE SET r.firstseen = timestamp()
     SET r.lastupdated = $oci_update_tag
     """
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_policy_compartment_reference,
         POLICY_ID=policy_id,
         COMPARTMENT_ID=compartment_id,
@@ -487,7 +500,8 @@ def load_region_subscriptions(
     SET r.lastupdated = $oci_update_tag
     """
     for region in regions:
-        neo4j_session.run(
+        run_write_query(
+            neo4j_session,
             query,
             REGION_KEY=region["region-key"],
             REGION_NAME=region["region-name"],

cartography/intel/oci/organizations.py

@@ -11,6 +11,7 @@ from oci.exceptions import ConfigFileNotFound
 from oci.exceptions import InvalidConfig
 from oci.exceptions import ProfileNotFound
 
+from cartography.client.core.tx import run_write_query
 from cartography.util import run_cleanup_job
 
 logger = logging.getLogger(__name__)
@@ -100,7 +101,8 @@ def load_oci_accounts(
     SET aa.lastupdated = $oci_update_tag, aa.name = $ACCOUNT_NAME
     """
     for name in oci_accounts:
-        neo4j_session.run(
+        run_write_query(
+            neo4j_session,
             query,
             TENANCY_ID=oci_accounts[name]["tenancy"],
             ACCOUNT_NAME=name,

cartography/intel/oci/utils.py

@@ -7,6 +7,8 @@ from typing import List
 
 import neo4j
 
+from cartography.client.core.tx import read_list_of_dicts_tx
+
 
 # Generic way to turn a OCI python object into the json response that you would see from calling the REST API.
 def oci_object_to_json(in_obj: Any) -> List[Dict[str, Any]]:
@@ -36,7 +38,11 @@ def get_compartments_in_tenancy(
         "return DISTINCT compartment.name as name, compartment.ocid as ocid, "
         "compartment.compartmentid as compartmentid;"
     )
-    return neo4j_session.run(query, OCI_TENANCY_ID=tenancy_id)
+    return neo4j_session.execute_read(
+        read_list_of_dicts_tx,
+        query,
+        OCI_TENANCY_ID=tenancy_id,
+    )
 
 
 # Grab list of all groups in neo4j already populated by iam.
@@ -48,7 +54,11 @@ def get_groups_in_tenancy(
         "MATCH (OCITenancy{ocid: $OCI_TENANCY_ID})-[*]->(group:OCIGroup)"
         "return DISTINCT group.name as name, group.ocid as ocid;"
     )
-    return neo4j_session.run(query, OCI_TENANCY_ID=tenancy_id)
+    return neo4j_session.execute_read(
+        read_list_of_dicts_tx,
+        query,
+        OCI_TENANCY_ID=tenancy_id,
+    )
 
 
 # Grab list of all policies in neo4j already populated by iam.
@@ -61,7 +71,11 @@ def get_policies_in_tenancy(
         "return DISTINCT policy.name as name, policy.ocid as ocid, policy.statements as statements, "
         "policy.compartmentid as compartmentid;"
     )
-    return neo4j_session.run(query, OCI_TENANCY_ID=tenancy_id)
+    return neo4j_session.execute_read(
+        read_list_of_dicts_tx,
+        query,
+        OCI_TENANCY_ID=tenancy_id,
+    )
 
 
 # Grab list of all regions in neo4j already populated by iam.
@@ -73,7 +87,11 @@ def get_regions_in_tenancy(
         "MATCH (OCITenancy{ocid: $OCI_TENANCY_ID})-->(region:OCIRegion)"
         "return DISTINCT region.name as name, region.key as key;"
     )
-    return neo4j_session.run(query, OCI_TENANCY_ID=tenancy_id)
+    return neo4j_session.execute_read(
+        read_list_of_dicts_tx,
+        query,
+        OCI_TENANCY_ID=tenancy_id,
+    )
 
 
 # Grab list of all security groups in neo4j already populated by network. Need to handle regions for this one.
@@ -88,4 +106,9 @@ def get_security_groups_in_tenancy(
         "return DISTINCT security_group.name as name, security_group.ocid as ocid, security_group.compartmentid "
         "as compartmentid;"
     )
-    return neo4j_session.run(query, OCI_TENANCY_ID=tenancy_id, OCI_REGION=region)
+    return neo4j_session.execute_read(
+        read_list_of_dicts_tx,
+        query,
+        OCI_TENANCY_ID=tenancy_id,
+        OCI_REGION=region,
+    )

cartography/intel/okta/awssaml.py

@@ -68,24 +68,25 @@ def query_for_okta_to_aws_role_mapping(
     :param neo4j_session: session from the Neo4j server
     :param mapping_regex: the regex used by the organization to map groups to aws roles
     """
-    query = "MATCH (app:OktaApplication{name:'amazon_aws'})--(group:OktaGroup) return group.id, group.name"
+    query = (
+        "MATCH (app:OktaApplication{name:'amazon_aws'})--(group:OktaGroup) "
+        "RETURN group.id AS group_id, group.name AS group_name"
+    )
 
     group_to_role_mapping: List[Dict] = []
-    has_results = False
-    results = neo4j_session.run(query)
+    results = neo4j_session.execute_read(read_list_of_dicts_tx, query)
 
     for res in results:
-        has_results = True
         # input: okta group id, okta group name. output: aws role arn.
         mapping = transform_okta_group_to_aws_role(
-            res["group.id"],
-            res["group.name"],
+            res["group_id"],
+            res["group_name"],
             mapping_regex,
         )
         if mapping:
             group_to_role_mapping.append(mapping)
 
-    if has_results and not group_to_role_mapping:
+    if results and not group_to_role_mapping:
         logger.warning(
             "AWS Okta Application present, but no mappings were found. "
             "Please verify the mapping regex is correct",
@@ -247,7 +248,7 @@ def _load_awssso_tx(
         ingest_statement,
         GROUP_TO_ROLE=[g._asdict() for g in group_to_role],
         okta_update_tag=okta_update_tag,
-    )
+    ).consume()
 
 
 def _load_okta_group_to_awssso_roles(

cartography/intel/okta/users.py

@@ -161,7 +161,7 @@ def _load_okta_users(
     new_user.password_changed = user_data.password_changed,
     new_user.transition_to_status = user_data.transition_to_status,
     new_user.lastupdated = $okta_update_tag,
-    new_user :UserAccount
+    new_user:UserAccount
     WITH new_user, org
     MERGE (org)-[org_r:RESOURCE]->(new_user)
     ON CREATE SET org_r.firstseen = timestamp()