B.5. Manage users and roles

This section shows two cases of how the Neo4j security features can be combined to cater for real-world scenarios.

Both cases assume the existence of an administrator and a fictitious developer called Jane, who requires access to the database.

B.5.1. Creating a user and managing roles

Step 1: Administrator creates a user

The administrator creates a user on the system with username 'jane' and password 'abracadabra', and requires Jane to change this password the first time she logs in:

CALL dbms.security.createUser('jane', 'abracadabra', true)

Step 2: Administrator assigns the publisher role to the user

The administrator assigns the publisher role to Jane allowing her to both read and write data:

CALL dbms.security.addRoleToUser('publisher', 'jane')

Step 3: User logs in and changes her password

As soon as Jane logs in, she is prompted to change her password.

She changes it to 'R0ckyR0ad88':

CALL dbms.security.changePassword('R0ckyR0ad88')

Step 4: User writes data

Jane executes a query which inserts some data:

CREATE (:Person {name: 'Sam', age: 19})
+-------------------+
| No data returned. |
+-------------------+
Nodes created: 1
Properties set: 2
Labels added: 1

Step 5: Administrator removes the publisher role from the user

The administrator removes the publisher role from Jane:

CALL dbms.security.removeRoleFromUser('publisher', 'jane')

Step 6: User attempts to read data

Jane tries to execute a read query:

MATCH (p:Person)
RETURN p.name

The query fails, as Jane does not have the role allowing her to read data (in fact, she has no assigned roles):

Read operations are not allowed for user 'jane' with no roles.

Step 7: Administrator assigns the reader role to the user

The administrator assigns the reader role to Jane:

CALL dbms.security.addRoleToUser('reader', 'jane')

Step 8: User attempts to write data

Jane tries to execute a write query:

CREATE (:Person {name: 'Bob', age: 52})

The query fails, as Jane does not have the role allowing her to write data.

Write operations are not allowed for user 'jane' with roles ['reader'].

Step 9: User attempts to read data

Jane tries to execute a read query:

MATCH (p:Person)
RETURN p.name

The query succeeds as she is assigned the reader role:

+-------+
| name  |
+-------+
| "Sam" |
+-------+
1 row
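Rather than inferring Jane's permissions from which of her queries fail, the administrator can check the role assignments directly after each change. The following is an added example, not part of the original scenario; it assumes the built-in listing procedures dbms.security.listRolesForUser, dbms.security.listUsersForRole and dbms.security.listRoles of Neo4j 3.x Enterprise are available in this deployment.

```cypher
// Roles currently held by jane. After Step 7 this should return only 'reader';
// after Step 5 (before Step 7) it should return nothing at all.
CALL dbms.security.listRolesForUser('jane')

// Members of the publisher role. jane must no longer appear here after Step 5.
CALL dbms.security.listUsersForRole('publisher')

// Every role in the system together with its members, for a full review of
// who holds write (publisher) and administrative (admin) privileges.
CALL dbms.security.listRoles()
```

Running the first query before handing a role change back to the user confirms that the least-privilege state the administrator intended (read-only in this scenario) is the one actually in effect.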

B.5.2. Suspending and reactivating a user

This scenario follows on from the one above.

Step 1: Administrator suspends the user

The administrator suspends Jane:

CALL dbms.security.suspendUser('jane')

Step 2: Suspended user tries to log in

Jane tries to log in to the system and fails.

Step 3: Administrator activates suspended user

The administrator activates Jane:

CALL dbms.security.activateUser('jane')

Step 4: Activated user logs in

Jane is now able to log in successfully.
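A suspended account is not visible from the user's side except as a failed login, so the administrator should be able to confirm account status without asking the user to try. The following is an added example, not part of the original scenario; it assumes the Neo4j 3.x procedure dbms.security.listUsers, which yields the columns username, roles and flags, and that the flags column carries 'is_suspended' for suspended accounts and 'password_change_required' for accounts that still have to change their password.

```cypher
// Every user with its roles and status flags. After Step 1 above, jane's flags
// should include 'is_suspended'; after Step 3 that flag should be gone.
CALL dbms.security.listUsers()

// Only the accounts that are currently suspended, which is the list an
// administrator reviews before reactivating anyone.
CALL dbms.security.listUsers()
YIELD username, roles, flags
WHERE 'is_suspended' IN flags
RETURN username, roles

// Accounts created with a required password change that have not yet changed it,
// i.e. users still running on an administrator-chosen initial password.
CALL dbms.security.listUsers()
YIELD username, roles, flags
WHERE 'password_change_required' IN flags
RETURN username, roles
```

The second and third queries are the ones worth running periodically: a long-lived suspended account, or an account whose initial password was never changed, are both conditions the administrator would want to resolve by either activating and completing onboarding or deleting the user.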