Security

This feature has been released as a public beta in AuraDB Enterprise October Release and Neo4j Enterprise Edition 5.13. Breaking changes are likely to be introduced before it is made generally available (GA).

CDC returns all changes in the database and is not limited to the entities that a given user is allowed to access. To prevent unauthorized access, the procedure cdc.query requires admin privileges, and access to it should be configured for least privilege.

For a regular user to be able to run cdc.query, the user must have been granted execute privileges as well as boosted execute privileges.

GRANT EXECUTE PROCEDURE cdc.query ON DBMS TO $role
GRANT EXECUTE BOOSTED PROCEDURE cdc.query ON DBMS TO $role

Non-boosted execute privileges are usually part of the PUBLIC role, in which case they do not need to be granted a second time.

Furthermore, the user will not have access to a database unless they have been granted access.

GRANT ACCESS ON DATABASE $database TO $role

Usually, the PUBLIC role already has access to the default database.

The procedures cdc.current and cdc.earliest do not require admin privileges. In order to execute these, access to the database and regular execution privileges are sufficient.
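The grants above, combined into a dedicated role for a single CDC consumer and followed by a check of the result. This is an added example, not taken from the Neo4j documentation; the role name cdc_reader, the user cdc_service, the database name neo4j and the password are placeholders chosen for illustration.

```cypher
// Run as an administrator. All names below are illustrative placeholders.

// A dedicated role keeps the boosted grant off PUBLIC, which every user
// holds. cdc.query returns all changes in the database, so a boosted grant
// on PUBLIC would expose them to every account.
CREATE ROLE cdc_reader IF NOT EXISTS;

// Both privileges are needed for a non-admin to run cdc.query.
// The first is often already inherited from PUBLIC; granting it here makes
// the role self-contained if PUBLIC is later tightened.
GRANT EXECUTE PROCEDURE cdc.query ON DBMS TO cdc_reader;
GRANT EXECUTE BOOSTED PROCEDURE cdc.query ON DBMS TO cdc_reader;

// Access only to the database whose changes the consumer reads.
GRANT ACCESS ON DATABASE neo4j TO cdc_reader;

// Service account for the CDC consumer (placeholder password).
CREATE USER cdc_service IF NOT EXISTS
  SET PASSWORD 'REPLACE_WITH_STRONG_PASSWORD' CHANGE NOT REQUIRED;
GRANT ROLE cdc_reader TO cdc_service;

// Verify: review the role's privileges as GRANT/DENY commands.
// Anything beyond the three grants above is excess privilege for this role.
SHOW ROLE cdc_reader PRIVILEGES AS COMMANDS;

// Verify the effective privileges of the account, including those
// inherited from PUBLIC.
SHOW USER cdc_service PRIVILEGES AS COMMANDS;
```

To withdraw access later, REVOKE ROLE cdc_reader FROM cdc_service removes the boosted privilege from the account without touching PUBLIC.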

For more details regarding procedure privileges in Neo4j, see Operations Manual → Manage procedure and user-defined function permissions.