Native User Security & Access Control in Neo4j Enterprise [Security Series, Part 2]

In Neo4j 3.1 Enterprise Edition, we introduced a new role-based access control framework for user and application access to the database. The framework enables system administrators to manage permissions and ensure that authenticated users and applications can perform only authorized actions on data graph stored in Neo4j.

In this series on database security and access control, we’ll explore all of the different facets and features available in Neo4j Enterprise Edition to keep your data secure. Last week, we looked at role-based access control in Neo4j.

This week, we’ll take a closer look at administering both database security and access control for native users of Neo4j Enterprise Edition.

Native Users

Internal authentication means that user names and their passwords are managed inside Neo4j. We call this built-in functionality native users. Another way of controlling authentication is through external security software such as Active Directory accessed via the built-in LDAP connector.

For administering native users, Neo4j offers additional actions for an admin:
    • View all users and roles
    • Create and Delete any other user
    • Assign and Remove role from user
    • Create and Delete custom-defined role
    • Suspend and Activate any other user
    • Change password for any user (cannot be an empty string or an existing password)
When admin suspends or deletes another user, the following rules apply:
    • Admin can suspend or delete any other user (including other admins), but not itself.
    • Deleting a user terminates all of the user’s running queries and sessions.
    • All queries currently running for the deleted user are rolled back.
    • The user will no longer be able to log back in (until re-activated by admin if suspended).
    • There is no need to remove assigned roles from a user prior to deleting the user.
To simplify user management, the Neo4j Browser widget can be invoked with :server user add and :server user list commands. In the example below, you can see a preview of available actions.

Learn more about native user database security and access control in Neo4j Enterprise Edition

All individual user management actions are exposed through built-in System Procedures, meaning these actions can be scripted if needed.

View All Users and Roles

An admin can view the details of all defined users and roles. Neo4j 3.1 introduces four new System Procedures: listUsers, listRoles, listRolesForUser and listUsersForRole.

The example below lists four users and their respective roles. User anne has no roles assigned and is required to change her password upon her next login. User bill is suspended and will not be able to log in until activated by admin.

List Users & Roles in Neo4j database security

By invoking, we can see all defined roles in the system. The example below shows that role architect is not assigned to any user, and shows two publishers, John and Bob, and one reader, Bill.

List role-based access control in Neo4j

You can easily view all roles assigned to a user:

List roles for user in Neo4j access control

Also, you can list all users that have a given role assigned:

List users for role in Neo4j access control

Create and Delete Any Other User

The example below creates a new user called johnsmith with password abc. It includes the requirement to change the password at the user’s next (first) login.

Create a new native user in Neo4j

Deleting a user named janebrown is just as straightforward.

Delete a user in Neo4j

Assign and Remove Role from User

You can easily assign the role publisher to user johnsmith.

Add a role to a user in Neo4j

And you can just as easily remove the role publisher from user johnsmith.

Remove role from user in Neo4j

Create and Delete Custom Roles

Admins can create and delete custom roles. Note that both roles are case sensitive, so testRole is not the same as testrole. The example below creates role operator and then deletes the same role.

Create a custom user role in Neo4j

Delete a custom user role in Neo4j

Suspending and Activating Users

Finally, let’s review System Procedures to suspend and activate users. The example below suspends user jane and then activates the same user.

Suspend a user in Neo4j

Activate a user in Neo4j

Managing User Passwords

Administrators can change the password of any user. The following example changes the password for joebloggs to h6u4%kr.

Change a database user password in Neo4j

Native Users Can View Assigned Roles and Change Their Passwords

Any active user can view their own assigned roles. In this example, the logged-in user is johnsmith, who is assigned reader and publisher roles with no extra flags set.

Show the current graph database user in Neo4j

Active users can change their passwords. In this example, a user changes her password to abc.

User can change their own password in Neo4j

Synchronize Native Users across Cluster

Native users in Neo4j are stored securely on disk in each Neo4j instance. Neo4j automatically reloads the stored users and assigned roles from disk every five seconds. By default, the changes apply to the Neo4j instance where the commands were executed. The changes are not automatically propagated across a cluster of Neo4j instances.

If you need to make changes to native users and synchronize them across the cluster, you can:
    • Manually copy relevant users and roles files on disk to all other cluster instances
    • Use a network folder to store users and roles files
    • Create an automated process that synchronizes the stored data across the cluster (e.g., here is an excellent rsync example)


As you can see, native user security and access control in Neo4j Enterprise Edition is designed to be both flexible and customizable to your database security needs without being overly complicated. These native user features ensure that only authenticated users and applications can access your graph database.

In the coming weeks, we’ll take a closer look at federated users via the LDAP connector, query management, security event logs, custom plugins, user-defined procedures and more. In the meantime, download the enterprise security white paper below to dive into more details.

Discover how to protect your graph data with enterprise-ready security and access control: Download this white paper, Why Intelligent Applications Need a Graph Database with Granular Security, and get started on securing your graph database today.

Read the White Paper

Catch up with the rest of the Neo4j graph database security series: