Security of administration

All of the commands described in the enclosing Administration section require that the user executing the commands has the rights to do so. These privileges can be conferred either by granting the user the admin role, which enables all administrative rights, or by granting specific combinations of privileges.

The admin role

The built-in role admin includes a number of privileges allowing users granted this role the ability to perform administrative tasks. These include the rights to perform the following classes of tasks:

  • Manage database security for controlling the rights to perform actions on specific databases:

    • Manage access to a database and the right to start and stop a database

    • Manage indexes and constraints

    • Allow the creation of labels, relationship types or property names

  • Manage DBMS security for controlling the rights to perform actions on the entire system:

These rights are conferred using privileges that can be managed using GRANT, DENY and REVOKE commands, with the exception of the DBMS Security privileges which are only available within the built-in admin role.

Query
SHOW ROLE admin PRIVILEGES
Table 1. Result
access      action      resource          graph   segment            role
"GRANTED"   "read"      "all_properties"  "*"     "NODE(*)"          "admin"
"GRANTED"   "write"     "all_properties"  "*"     "NODE(*)"          "admin"
"GRANTED"   "traverse"  "graph"           "*"     "NODE(*)"          "admin"
"GRANTED"   "read"      "all_properties"  "*"     "RELATIONSHIP(*)"  "admin"
"GRANTED"   "write"     "all_properties"  "*"     "RELATIONSHIP(*)"  "admin"
"GRANTED"   "traverse"  "graph"           "*"     "RELATIONSHIP(*)"  "admin"
"GRANTED"   "access"    "database"        "*"     "database"         "admin"
"GRANTED"   "admin"     "database"        "*"     "database"         "admin"
"GRANTED"   "schema"    "database"        "*"     "database"         "admin"
"GRANTED"   "token"     "database"        "*"     "database"         "admin"
Rows: 10

If the built-in admin role has been altered or dropped, and needs to be restored to its original state, see Operations Manual → Password and user recovery.

Database administration

As described in the section on sub-graph security, the GRANT command allows an administrator to grant a privilege to a role in order to access an entity. The DENY command allows an administrator to deny a privilege to a role in order to prevent access to an entity. The REVOKE command allows an administrator to remove a previously granted or denied privilege. The syntax is:

Table 2. General database privilege command syntax
Command Description
GRANT database-privilege ON DATABASE[S] {* | name} TO role[, ...]

Grant a privilege to one or multiple roles

DENY database-privilege ON DATABASE[S] {* | name} TO role[, ...]

Deny a privilege to one or multiple roles

REVOKE GRANT database-privilege ON DATABASE[S] {* | name} FROM role[, ...]

Revoke a granted privilege from one or multiple roles

REVOKE DENY database-privilege ON DATABASE[S] {* | name} FROM role[, ...]

Revoke a denied privilege from one or multiple roles

REVOKE database-privilege ON DATABASE[S] {* | name} FROM role[, ...]

Revoke a granted or denied privilege from one or multiple roles

Where the components are:

  • database-privilege

    • ACCESS

      allows access for a specific database/graph

    • START

      allows the specified database to be started

    • STOP

      allows the specified database to be stopped

    • CREATE INDEX

      allows indexes to be created on the specified database.

    • DROP INDEX

      allows indexes to be deleted on the specified database.

    • INDEX [MANAGEMENT]

      allows indexes to be created and deleted on the specified database.

    • CREATE CONSTRAINT

      allows constraints to be created on the specified database.

    • DROP CONSTRAINT

      allows constraints to be deleted on the specified database.

    • CONSTRAINT [MANAGEMENT]

      allows constraints to be created and deleted on the specified database.

    • CREATE NEW [NODE] LABEL

      allows labels to be created so that future nodes can be assigned them.

    • CREATE NEW [RELATIONSHIP] TYPE

      allows relationship types to be created so that future relationships can be created with these types.

    • CREATE NEW [PROPERTY] NAME

      allows property names to be created so that nodes and relationships can have properties with these names assigned.

    • NAME [MANAGEMENT]

      allows all of the name management capabilities: node labels, relationship types and property names.

    • ALL [[DATABASE] PRIVILEGES]

      allows access, start, stop, index, constraint, and name management for the specified database.

  • name

    • The database to associate the privilege with. Note that if you delete a database and create a new one with the same name, the new one will NOT have any of the privileges specifically assigned to the deleted database.

    • It can be * which means all databases. Any new databases created after this command will also be associated with these privileges.

  • role[, …​]

    • The role or roles to associate the privilege with, comma-separated.

It is important to note that using DENY does NOT erase a GRANT command; they both exist. The only way to erase a privilege is with REVOKE.

The hierarchy between the different database privileges is shown in the image below.

Figure 1. Database privileges hierarchy
Table 3. Database privilege command syntax
Command Description
GRANT ACCESS
    ON DATABASE[S] {* | name}
    TO role[, ...]

Allow the specified role or roles to access the database name or all databases.

GRANT {START | STOP}
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to start or stop the database name or all databases.

GRANT {CREATE | DROP} INDEX[ES]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create or delete indexes on the database name or all databases.

GRANT INDEX[ES] [MANAGEMENT]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create and delete indexes on the database name or all databases.

GRANT {CREATE | DROP} CONSTRAINT[S]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create or delete constraints on the database name or all databases.

GRANT CONSTRAINT[S] [MANAGEMENT]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create and delete constraints on the database name or all databases.

GRANT CREATE NEW [NODE] LABEL[S]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create new labels for nodes in the database name or all databases.

GRANT CREATE NEW [RELATIONSHIP] TYPE[S]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create new types for relationships in the database name or all databases.

GRANT CREATE NEW [PROPERTY] NAME[S]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create new names for properties in the database name or all databases.

GRANT NAME [MANAGEMENT]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create new labels, relationship types and property names in the database name or all databases.

GRANT ALL [[DATABASE] PRIVILEGES]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to access, start, and stop, as well as perform index, constraint, and name management on the database name or all databases.

Figure 2. Syntax of GRANT and DENY Database Privileges

The database ACCESS privilege

The ACCESS privilege enables users to connect to a database. With ACCESS you can run calculations, for example RETURN 2*5 AS answer, or call functions, for example RETURN timestamp() AS time.

Command syntax
GRANT ACCESS
    ON DATABASE[S] {* | name}
    TO role[, ...]

For example, granting the ability to access the database neo4j to the role regularUsers is done using the following query.

Query
GRANT ACCESS ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The ACCESS privilege can also be denied.

Command syntax
DENY ACCESS
    ON DATABASE[S] {* | name}
    TO role[, ...]

For example, denying the ability to access the database neo4j to the role regularUsers is done using the following query.

Query
DENY ACCESS ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The privileges granted can be seen using the SHOW PRIVILEGES command:

Query
SHOW ROLE regularUsers PRIVILEGES
Table 4. Result
access      action    resource    graph    segment     role
"DENIED"    "access"  "database"  "neo4j"  "database"  "regularUsers"
"GRANTED"   "access"  "database"  "neo4j"  "database"  "regularUsers"
Rows: 2

Only the admin role has access to execute the SHOW PRIVILEGES command.

The database START/STOP privileges

The START privilege can be used to enable the ability to start a database.

Command syntax
GRANT START
    ON DATABASE[S] {* | name}
    TO role[, ...]

For example, granting the ability to start the database neo4j to the role regularUsers is done using the following query.

Query
GRANT START ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The START privilege can also be denied.

Command syntax
DENY START
    ON DATABASE[S] {* | name}
    TO role[, ...]

For example, denying the ability to start the database system to the role regularUsers is done using the following query.

Query
DENY START ON DATABASE system TO regularUsers

0 rows, System updates: 1

The STOP privilege can be used to enable the ability to stop a database.

Command syntax
GRANT STOP
    ON DATABASE[S] {* | name}
    TO role[, ...]

For example, granting the ability to stop the database neo4j to the role regularUsers is done using the following query.

Query
GRANT STOP ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The STOP privilege can also be denied.

Command syntax
DENY STOP
    ON DATABASE[S] {* | name}
    TO role[, ...]

For example, denying the ability to stop the database system to the role regularUsers is done using the following query.

Query
DENY STOP ON DATABASE system TO regularUsers

0 rows, System updates: 1

The privileges granted can be seen using the SHOW PRIVILEGES command:

Query
SHOW ROLE regularUsers PRIVILEGES
Table 5. Result
access      action            resource    graph     segment     role
"DENIED"    "access"          "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "access"          "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "start_database"  "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "stop_database"   "database"  "neo4j"   "database"  "regularUsers"
"DENIED"    "start_database"  "database"  "system"  "database"  "regularUsers"
"DENIED"    "stop_database"   "database"  "system"  "database"  "regularUsers"
Rows: 6

The INDEX MANAGEMENT privileges

Indexes can be created or deleted with the CREATE INDEX and DROP INDEX commands. The privilege to do this can be granted with GRANT CREATE INDEX and GRANT DROP INDEX commands.

Table 6. Index management command syntax
Command Description
GRANT {CREATE | DROP} INDEX[ES]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create or delete indexes on the database name or all databases

GRANT INDEX[ES] [MANAGEMENT]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create and delete indexes on the database name or all databases

For example, granting the ability to create indexes on the database neo4j to the role regularUsers is done using the following query.

Query
GRANT CREATE INDEX ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The CONSTRAINT MANAGEMENT privileges

Constraints can be created or deleted with the CREATE CONSTRAINT and DROP CONSTRAINT commands. The privilege to do this can be granted with GRANT CREATE CONSTRAINT and GRANT DROP CONSTRAINT commands.

Table 7. Constraint management command syntax
Command Description
GRANT {CREATE | DROP} CONSTRAINT[S]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create or delete constraints on the database name or all databases

GRANT CONSTRAINT[S] [MANAGEMENT]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create and delete constraints on the database name or all databases

For example, granting the ability to create constraints on the database neo4j to the role regularUsers is done using the following query.

Query
GRANT CREATE CONSTRAINT ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The NAME MANAGEMENT privileges

The right to create new labels, relationship types, and property names is different from the right to create nodes, relationships, and properties. The latter is managed using database WRITE privileges, while the former is managed using specific GRANT/DENY CREATE NEW …​ commands for each type.

Table 8. Label, relationship type and property name management command syntax
Command Description
GRANT CREATE NEW [NODE] LABEL[S]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create new labels for nodes in the database name or all databases

GRANT CREATE NEW [RELATIONSHIP] TYPE[S]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create new types for relationships in the database name or all databases

GRANT CREATE NEW [PROPERTY] NAME[S]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create new names for properties in the database name or all databases

GRANT NAME [MANAGEMENT]
    ON DATABASE[S] {* | name}
    TO role[, ...]

Enable the specified role or roles to create new labels, relationship types and property names in the database name or all databases

For example, granting the ability to create new property names for nodes or relationships in the database neo4j to the role regularUsers is done using the following query.

Query
GRANT CREATE NEW PROPERTY NAME ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

Granting all database administration privileges

Conferring the right to access, start, and stop, as well as perform index, constraint, and name management can be achieved with a single command:

Command syntax
GRANT ALL [[DATABASE] PRIVILEGES]
    ON DATABASE[S] {* | name}
    TO role[, ...]

For example, granting the ability to access, start and stop the database neo4j, and to create indexes, constraints, labels, relationship types and property names on it, to the role regularUsers is done using the following query.

Query
GRANT ALL DATABASE PRIVILEGES ON DATABASE neo4j TO regularUsers

0 rows, System updates: 4

The privileges granted can be seen using the SHOW PRIVILEGES command:

Query
SHOW ROLE regularUsers PRIVILEGES
Table 9. Result
access      action                resource    graph     segment     role
"DENIED"    "access"              "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "access"              "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "create_constraint"   "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "create_index"        "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "create_label"        "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "create_propertykey"  "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "create_reltype"      "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "drop_constraint"     "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "drop_index"          "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "start_database"      "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"   "stop_database"       "database"  "neo4j"   "database"  "regularUsers"
"DENIED"    "start_database"      "database"  "system"  "database"  "regularUsers"
"DENIED"    "stop_database"       "database"  "system"  "database"  "regularUsers"
Rows: 13

DBMS administration

All DBMS privileges are relevant system-wide. Like user management, they do not belong to one specific database or graph. For more details on the differences between graphs, databases and the DBMS, refer to Neo4j databases and graphs.

As described above, the admin role has a number of built-in privileges that cannot be assigned using Cypher® commands. These include:

  • Create or drop databases

  • Change configuration parameters

  • Manage transactions

  • Manage users and roles (role management by itself is assignable using Cypher commands)

  • Manage sub-graph privileges

  • Manage procedure security

The easiest way to enable a user to perform these tasks is to grant them the admin role. The only subset of these privileges that is assignable using Cypher commands is role management. However, it is possible to make a custom role with a subset of these privileges.

Using a custom role to manage DBMS privileges

If it is desired to have an administrator with a subset of privileges that includes all DBMS privileges, but not all database privileges, this can be achieved by copying the admin role and revoking or denying some privileges.

First we copy the 'admin' role:

Query
CREATE ROLE usermanager AS COPY OF admin

0 rows, System updates: 2

Then we DENY ACCESS to normal databases:

Query
DENY ACCESS ON DATABASE * TO usermanager

0 rows, System updates: 1

And DENY START and STOP for normal databases:

Query
DENY START ON DATABASE * TO usermanager

0 rows, System updates: 1

Query
DENY STOP ON DATABASE * TO usermanager

0 rows, System updates: 1

And DENY index and constraint management:

Query
DENY INDEX MANAGEMENT ON DATABASE * TO usermanager

0 rows, System updates: 2

Query
DENY CONSTRAINT MANAGEMENT ON DATABASE * TO usermanager

0 rows, System updates: 2

And finally DENY label, relationship type and property name management:

Query
DENY NAME MANAGEMENT ON DATABASE * TO usermanager

0 rows, System updates: 3

The resulting role should have privileges that only allow the DBMS capabilities, like user and role management:

Query
SHOW ROLE usermanager PRIVILEGES

Lists all privileges for role 'usermanager'

Table 10. Result
access      action                resource          graph  segment            role
"GRANTED"   "read"                "all_properties"  "*"    "NODE(*)"          "usermanager"
"GRANTED"   "write"               "all_properties"  "*"    "NODE(*)"          "usermanager"
"GRANTED"   "traverse"            "graph"           "*"    "NODE(*)"          "usermanager"
"GRANTED"   "read"                "all_properties"  "*"    "RELATIONSHIP(*)"  "usermanager"
"GRANTED"   "write"               "all_properties"  "*"    "RELATIONSHIP(*)"  "usermanager"
"GRANTED"   "traverse"            "graph"           "*"    "RELATIONSHIP(*)"  "usermanager"
"DENIED"    "access"              "database"        "*"    "database"         "usermanager"
"GRANTED"   "access"              "database"        "*"    "database"         "usermanager"
"GRANTED"   "admin"               "database"        "*"    "database"         "usermanager"
"DENIED"    "create_constraint"   "database"        "*"    "database"         "usermanager"
"DENIED"    "create_index"        "database"        "*"    "database"         "usermanager"
"DENIED"    "create_label"        "database"        "*"    "database"         "usermanager"
"DENIED"    "create_propertykey"  "database"        "*"    "database"         "usermanager"
"DENIED"    "create_reltype"      "database"        "*"    "database"         "usermanager"
"DENIED"    "drop_constraint"     "database"        "*"    "database"         "usermanager"
"DENIED"    "drop_index"          "database"        "*"    "database"         "usermanager"
"GRANTED"   "schema"              "database"        "*"    "database"         "usermanager"
"DENIED"    "start_database"      "database"        "*"    "database"         "usermanager"
"DENIED"    "stop_database"       "database"        "*"    "database"         "usermanager"
"GRANTED"   "token"               "database"        "*"    "database"         "usermanager"
Rows: 20
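As an added example (not Neo4j's own code) serving both the GRANT/DENY/REVOKE rule in the database administration section and the usermanager procedure above: a Python model of the privilege table that reproduces the "System updates" counts and row totals shown on this page, and resolves what a role can effectively do. The DENY-beats-GRANT precedence and the expansion of compound privileges into the action names are taken from Neo4j's behaviour as reflected in the result tables here; graph privileges (read, write, traverse) and the other DBMS privileges are deliberately left out.

```python
# Added example (not Neo4j code): a model of the GRANT/DENY/REVOKE semantics on this
# page, using the action names SHOW PRIVILEGES reports. Rules modelled: a DENY never
# erases a GRANT (both rows remain) and DENY wins; only REVOKE removes rows; "*" matches every database.

# Compound privileges expand to the action names seen in the result tables.
EXPANSIONS = {
    "ACCESS": ["access"], "START": ["start_database"], "STOP": ["stop_database"],
    "CREATE INDEX": ["create_index"], "DROP INDEX": ["drop_index"],
    "INDEX MANAGEMENT": ["create_index", "drop_index"],
    "CREATE CONSTRAINT": ["create_constraint"], "DROP CONSTRAINT": ["drop_constraint"],
    "CONSTRAINT MANAGEMENT": ["create_constraint", "drop_constraint"],
    "CREATE NEW LABEL": ["create_label"], "CREATE NEW TYPE": ["create_reltype"],
    "CREATE NEW NAME": ["create_propertykey"],
    "NAME MANAGEMENT": ["create_label", "create_reltype", "create_propertykey"],
}
EXPANSIONS["ALL DATABASE PRIVILEGES"] = (
    ["access", "start_database", "stop_database"] + EXPANSIONS["INDEX MANAGEMENT"]
    + EXPANSIONS["CONSTRAINT MANAGEMENT"] + EXPANSIONS["NAME MANAGEMENT"])


class PrivilegeStore:
    """Rows are (access, action, graph, role) tuples, one per SHOW PRIVILEGES line."""

    def __init__(self):
        self.rows = set()

    def _apply(self, kind, privilege, db, role):
        new = {(kind, a, db, role) for a in EXPANSIONS[privilege]} - self.rows
        self.rows |= new
        return len(new)  # the number Neo4j reports as "System updates"

    def grant(self, privilege, db, role):
        return self._apply("GRANTED", privilege, db, role)

    def deny(self, privilege, db, role):
        return self._apply("DENIED", privilege, db, role)

    def revoke(self, privilege, db, role, kind=None):
        """REVOKE [GRANT | DENY] ...; kind=None drops both granted and denied rows."""
        gone = {r for r in self.rows if r[1] in EXPANSIONS[privilege]
                and r[2] == db and r[3] == role and kind in (None, r[0])}
        self.rows -= gone
        return len(gone)

    def show(self, role):  # SHOW ROLE role PRIVILEGES
        return sorted(r for r in self.rows if r[3] == role)

    def allowed(self, role, action, db):
        """Effective permission: some GRANT matches and no DENY matches."""
        def match(kind):
            return any(r[0] == kind and r[1] == action and r[2] in (db, "*")
                       and r[3] == role for r in self.rows)
        return match("GRANTED") and not match("DENIED")


def regular_users_walkthrough():
    """The regularUsers commands of the database section, in page order."""
    s, r = PrivilegeStore(), "regularUsers"
    updates = [s.grant("ACCESS", "neo4j", r), s.deny("ACCESS", "neo4j", r),
               s.grant("START", "neo4j", r), s.deny("START", "system", r),
               s.grant("STOP", "neo4j", r), s.deny("STOP", "system", r),
               s.grant("CREATE INDEX", "neo4j", r), s.grant("CREATE CONSTRAINT", "neo4j", r),
               s.grant("CREATE NEW NAME", "neo4j", r),
               s.grant("ALL DATABASE PRIVILEGES", "neo4j", r)]
    return s, updates


def usermanager_walkthrough():
    """usermanager: admin's four database rows as copied (graph rows omitted), then the denies."""
    s = PrivilegeStore()
    s.rows |= {("GRANTED", a, "*", "usermanager") for a in ("access", "admin", "schema", "token")}
    updates = [s.deny(p, "*", "usermanager") for p in ("ACCESS", "START", "STOP",
               "INDEX MANAGEMENT", "CONSTRAINT MANAGEMENT", "NAME MANAGEMENT")]
    return s, updates
```

The update counts returned by each walkthrough match the "System updates" figures on this page (1 for each single privilege, 4 for ALL DATABASE PRIVILEGES, 2, 2 and 3 for the three MANAGEMENT denies), and allowed() shows that usermanager keeps the "admin" action while being effectively locked out of every database.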

The dbms ROLE MANAGEMENT privileges

The dbms privileges for role management are assignable using Cypher administrative commands. They can be granted, denied and revoked like other privileges.

Figure 3. Role management privileges hierarchy
Table 11. Role management privileges command syntax
Command Description
GRANT CREATE ROLE
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to create new roles

GRANT DROP ROLE
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to delete roles

GRANT ASSIGN ROLE
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to assign roles to users

GRANT REMOVE ROLE
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to remove roles from users

GRANT SHOW ROLE
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to list roles

GRANT ROLE MANAGEMENT
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to create, delete, assign, remove and list roles

Only the admin role has access to execute the SHOW PRIVILEGES command.

The ability to add roles can be granted via the CREATE ROLE privilege. The following query shows an example of this:

Query
GRANT CREATE ROLE ON DBMS TO roleAdder

0 rows, System updates: 1

The resulting role should have privileges that only allow adding roles:

Query
SHOW ROLE roleAdder PRIVILEGES

Lists all privileges for role 'roleAdder'

Table 12. Result
access      action         resource    graph  segment     role
"GRANTED"   "create_role"  "database"  "*"    "database"  "roleAdder"
Rows: 1

The ability to delete roles can be granted via the DROP ROLE privilege. The following query shows an example of this:

Query
GRANT DROP ROLE ON DBMS TO roleDropper

0 rows, System updates: 1

The resulting role should have privileges that only allow deleting roles:

Query
SHOW ROLE roleDropper PRIVILEGES

Lists all privileges for role 'roleDropper'

Table 13. Result
access      action       resource    graph  segment     role
"GRANTED"   "drop_role"  "database"  "*"    "database"  "roleDropper"
Rows: 1

The ability to assign roles to users can be granted via the ASSIGN ROLE privilege. The following query shows an example of this:

Query
GRANT ASSIGN ROLE ON DBMS TO roleAssigner

0 rows, System updates: 1

The resulting role should have privileges that only allow assigning/granting roles:

Query
SHOW ROLE roleAssigner PRIVILEGES

Lists all privileges for role 'roleAssigner'

Table 14. Result
access      action         resource    graph  segment     role
"GRANTED"   "assign_role"  "database"  "*"    "database"  "roleAssigner"
Rows: 1

The ability to remove roles from users can be granted via the REMOVE ROLE privilege. The following query shows an example of this:

Query
GRANT REMOVE ROLE ON DBMS TO roleRemover

0 rows, System updates: 1

The resulting role should have privileges that only allow removing/revoking roles:

Query
SHOW ROLE roleRemover PRIVILEGES

Lists all privileges for role 'roleRemover'

Table 15. Result
access      action         resource    graph  segment     role
"GRANTED"   "remove_role"  "database"  "*"    "database"  "roleRemover"
Rows: 1

The ability to show roles can be granted via the SHOW ROLE privilege. The following query shows an example of this:

Query
GRANT SHOW ROLE ON DBMS TO roleShower

0 rows, System updates: 1

The resulting role should have privileges that only allow showing roles, not privileges:

Query
SHOW ROLE roleShower PRIVILEGES

Lists all privileges for role 'roleShower'

Table 16. Result
access      action       resource    graph  segment     role
"GRANTED"   "show_role"  "database"  "*"    "database"  "roleShower"
Rows: 1

The privileges to create, delete, assign, remove, and list roles can be granted via the ROLE MANAGEMENT privilege. The following query shows an example of this:

Query
GRANT ROLE MANAGEMENT ON DBMS TO roleManager

0 rows, System updates: 1

The resulting role should have all privileges to manage roles:

Query
SHOW ROLE roleManager PRIVILEGES

Lists all privileges for role 'roleManager'

Table 17. Result
access      action             resource    graph  segment     role
"GRANTED"   "role_management"  "database"  "*"    "database"  "roleManager"
Rows: 1