Security of administration
All of the commands described in the enclosing Administration section require that the user executing the commands has the rights to do so.
These privileges can be conferred either by granting the user the admin
role, which enables all administrative rights, or by granting specific combinations of privileges.
The admin
role
The built-in role admin
includes a number of privileges allowing users granted this role the ability to perform administrative tasks.
These include the rights to perform the following classes of tasks:
-
Manage database security for controlling the rights to perform actions on specific databases:
-
Manage access to a database and the right to start and stop a database
-
Manage indexes and constraints
-
Allow the creation of labels, relationship types or property names
-
-
Manage DBMS security for controlling the rights to perform actions on the entire system:
-
Manage multiple databases
-
Manage users and roles
-
Change configuration parameters
-
Manage transactions
-
Manage sub-graph privileges
-
Manage procedure security
-
These rights are conferred using privileges that can be managed using GRANT
, DENY
and REVOKE
commands,
with the exception of the DBMS Security privileges which are only available within the built-in admin
role.
SHOW ROLE admin PRIVILEGES
access | action | resource | graph | segment | role |
---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 10 |
If the built-in admin role has been altered or dropped, and needs to be restored to its original state, see Operations Manual → Password and user recovery.
Database administration
As described in the section on sub-graph security, the GRANT
command allows an administrator to grant a privilege to a role in order to access an entity.
The DENY
command allows an administrator to deny a privilege to a role in order to prevent access to an entity.
The REVOKE
command allows an administrator to remove a previously granted or denied privilege.
The syntax is:
Command | Description |
---|---|
|
Grant a privilege to one or multiple roles |
|
Deny a privilege to one or multiple roles |
|
Revoke a granted privilege from one or multiple roles |
|
Revoke a denied privilege from one or multiple roles |
|
Revoke a granted or denied privilege from one or multiple roles |
Where the components are:
-
database-privilege
-
ACCESS
allows access for a specific database/graph
-
START
allows the specified database to be started
-
STOP
allows the specified database to be stopped
-
CREATE INDEX
allows indexes to be created on the specified database.
-
DROP INDEX
allows indexes to be deleted on the specified database.
-
INDEX [MANAGEMENT]
allows indexes to be created and deleted on the specified database.
-
CREATE CONSTRAINT
allows constraints to be created on the specified database.
-
DROP CONSTRAINT
allows constraints to be deleted on the specified database.
-
CONSTRAINT [MANAGEMENT]
allows constraints to be created and deleted on the specified database.
-
CREATE NEW [NODE] LABEL
allows labels to be created so that future nodes can be assigned them.
-
CREATE NEW [RELATIONSHIP] TYPE
allows relationship types to be created so that future relationships can be created with these types.
-
CREATE NEW [PROPERTY] NAME
allows property names to be created so that nodes and relationships can have properties with these names assigned.
-
NAME [MANAGEMENT]
allows all of the name management capabilities: node labels, relationship types and property names.
-
ALL [[DATABASE] PRIVILEGES]
allows access, start, stop, index, constraint, and name management for the specified database.
-
-
name
-
The database to associate the privilege with. Note that if you delete a database and create a new one with the same name, the new one will NOT have any of the privileges specifically assigned to the deleted database.
-
It can be
*
which means all databases. Any new databases created after this command will also be associated with these privileges.
-
-
role[, …]
-
The role or roles to associate the privilege with, comma-separated.
-
It is important to note that using DENY does NOT erase a GRANT command; they both exist. The only way to erase a privilege is with REVOKE. |
The hierarchy between the different database privileges is shown in the image below.

Command | Description |
---|---|
|
Allow the specified role or roles to access the database |
|
Enable the specified role or roles to start or stop the database |
|
Enable the specified role or roles to create or delete indexes on the database |
|
Enable the specified role or roles to create and delete indexes on the database |
|
Enable the specified role or roles to create or delete indexes on the database |
|
Enable the specified role or roles to create and delete constraints on the database |
|
Enable the specified role or roles to create new labels for nodes in the database |
|
Enable the specified role or roles to create new types for relationships in the database |
|
Enable the specified role or roles to create new names for properties in the database |
|
Enable the specified role or roles to create new labels, relationship types and property names in the database |
|
Enable the specified role or roles to access, start, and stop, as well as perform index, constraint, and name management on the database |

The database ACCESS
privilege
The ACCESS
privilege enables users to connect to a database.
With ACCESS
you can run calculations, for example, RETURN 2*5 AS answer
or call functions RETURN timestamp() AS time
.
GRANT ACCESS
ON DATABASE[S] {* | name}
TO role[, ...]
For example, granting the ability to access the database neo4j
to the role regularUsers
is done using the following query.
GRANT ACCESS ON DATABASE neo4j TO regularUsers
0 rows, System updates: 1
The ACCESS
privilege can also be denied.
DENY ACCESS
ON DATABASE[S] {* | name}
TO role[, ...]
For example, denying the ability to access to the database neo4j
to the role regularUsers
is done using the following query.
DENY ACCESS ON DATABASE neo4j TO regularUsers
0 rows, System updates: 1
The privileges granted can be seen using the SHOW PRIVILEGES
command:
SHOW ROLE regularUsers PRIVILEGES
access | action | resource | graph | segment | role |
---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 2 |
Only the |
The database START
/STOP
privileges
The START
privilege can be used to enable the ability to start a database.
GRANT START
ON DATABASE[S] {* | name}
TO role[, ...]
For example, granting the ability to start the database neo4j
to the role regularUsers
is done using the following query.
GRANT START ON DATABASE neo4j TO regularUsers
0 rows, System updates: 1
The START
privilege can also be denied.
DENY START
ON DATABASE[S] {* | name}
TO role[, ...]
For example, denying the ability to start to the database neo4j
to the role regularUsers
is done using the following query.
DENY START ON DATABASE system TO regularUsers
0 rows, System updates: 1
The STOP
privilege can be used to enable the ability to stop a database.
GRANT STOP
ON DATABASE[S] {* | name}
TO role[, ...]
For example, granting the ability to stop the database neo4j
to the role regularUsers
is done using the following query.
GRANT STOP ON DATABASE neo4j TO regularUsers
0 rows, System updates: 1
The STOP
privilege can also be denied.
DENY STOP
ON DATABASE[S] {* | name}
TO role[, ...]
For example, denying the ability to stop to the database neo4j
to the role regularUsers
is done using the following query.
DENY STOP ON DATABASE system TO regularUsers
0 rows, System updates: 1
The privileges granted can be seen using the SHOW PRIVILEGES
command:
SHOW ROLE regularUsers PRIVILEGES
access | action | resource | graph | segment | role |
---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 6 |
The INDEX MANAGEMENT
privileges
Indexes can be created or deleted with the CREATE INDEX
and DROP INDEX
commands.
The privilege to do this can be granted with GRANT CREATE INDEX
and GRANT DROP INDEX
commands.
Command | Description |
---|---|
|
Enable the specified role or roles to create or delete indexes on the database |
|
Enable the specified role or roles to create and delete indexes on the database |
For example, granting the ability to create indexes on the database neo4j
to the role regularUsers
is done using the following query.
GRANT CREATE INDEX ON DATABASE neo4j TO regularUsers
0 rows, System updates: 1
The CONSTRAINT MANAGEMENT
privileges
Constraints can be created or deleted with the CREATE CONSTRAINT
and DROP CONSTRAINT
commands.
The privilege to do this can be granted with GRANT CREATE CONSTRAINT
and GRANT DROP CONSTRAINT
commands.
Command | Description |
---|---|
|
Enable the specified role or roles to create or delete constraints on the database |
|
Enable the specified role or roles to create and delete constraints on the database |
For example, granting the ability to create constraints on the database neo4j
to the role regularUsers
is done using the following query.
GRANT CREATE CONSTRAINT ON DATABASE neo4j TO regularUsers
0 rows, System updates: 1
The NAME MANAGEMENT
privileges
The right to create new labels, relationship types, and property names is different from the right to create nodes, relationships, and properties.
The latter is managed using database WRITE
privileges, while the former is managed using specific GRANT/DENY CREATE NEW …
commands for each type.
Command | Description |
---|---|
|
Enable the specified role or roles to create new labels for nodes in the database |
|
Enable the specified role or roles to create new types for relationships in the database |
|
Enable the specified role or roles to create new names for properties in the database |
|
Enable the specified role or roles to create new labels, relationship types and property names in the database |
For example, granting the ability to create new properties on nodes or relationships in the database neo4j
to the role regularUsers
is done using the following query.
GRANT CREATE NEW PROPERTY NAME ON DATABASE neo4j TO regularUsers
0 rows, System updates: 1
Granting all database administration privileges
Conferring the right to access, start, and stop, as well as perform index, constraint, and name management can be achieved with a single command:
GRANT ALL [[DATABASE] PRIVILEGES]
ON DATABASE[S] {* | name}
TO role[, ...]
For example, granting the ability to access, start and stop all databases and create indexes, constraints, labels, relationship types and property names on the database neo4j
to the role regularUsers
is done using the following query.
GRANT ALL DATABASE PRIVILEGES ON DATABASE neo4j TO regularUsers
0 rows, System updates: 4
The privileges granted can be seen using the SHOW PRIVILEGES
command:
SHOW ROLE regularUsers PRIVILEGES
access | action | resource | graph | segment | role |
---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 13 |
DBMS administration
All DBMS privileges are relevant system-wide. Like user management, they do not belong to one specific database or graph. For more details on the differences between graphs, databases and the DBMS, refer to Neo4j databases and graphs.
As described above, the admin
role has a number of built-in privileges that cannot be assigned using Cypher® commands.
These include:
-
Create or drop databases
-
Change configuration parameters
-
Manage transactions
-
Manage users and roles (role management by itself is assignable using Cypher commands)
-
Manage sub-graph privileges
-
Manage procedure security
The easiest way to enable a user to perform these tasks is to grant them the admin
role.
The only subset of these privileges that is assignable using Cypher commands is role management.
However, it is possible to make a custom role with a subset of these privileges.
Using a custom role to manage DBMS privileges
If it is desired to have an administrator with a subset of privileges that includes all DBMS privileges, but not all database privileges, this can be achieved by copying the admin
role and revoking or denying some privileges.
First we copy the 'admin' role:
CREATE ROLE usermanager AS COPY OF admin
0 rows, System updates: 2
Then we DENY ACCESS to normal databases:
DENY ACCESS ON DATABASE * TO usermanager
0 rows, System updates: 1
And DENY START and STOP for normal databases:
DENY START ON DATABASE * TO usermanager
0 rows, System updates: 1
DENY STOP ON DATABASE * TO usermanager
0 rows, System updates: 1
And DENY index and constraint management:
DENY INDEX MANAGEMENT ON DATABASE * TO usermanager
0 rows, System updates: 2
DENY CONSTRAINT MANAGEMENT ON DATABASE * TO usermanager
0 rows, System updates: 2
And finally DENY label, relationship type and property name:
DENY NAME MANAGEMENT ON DATABASE * TO usermanager
0 rows, System updates: 3
The resulting role should have privileges that only allow the DBMS capabilities, like user and role management:
SHOW ROLE usermanager PRIVILEGES
Lists all privileges for role 'usermanager'
access | action | resource | graph | segment | role |
---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 20 |
The dbms ROLE MANAGEMENT
privileges
The dbms privileges for role management are assignable using Cypher administrative commands. They can be granted, denied and revoked like other privileges.

Command | Description |
---|---|
|
Enable the specified role or roles to create new roles |
|
Enable the specified role or roles to delete roles |
|
Enable the specified role or roles to assign roles to users |
|
Enable the specified role or roles to remove roles from users |
|
Enable the specified role or roles to list roles |
|
Enable the specified role or roles to create, delete, assign, remove and list roles |
Only the admin role has access to execute the SHOW PRIVILEGES command.
|
The ability to add roles can be granted via the CREATE ROLE
privilege. The following query shows an example of this:
GRANT CREATE ROLE ON DBMS TO roleAdder
0 rows, System updates: 1
The resulting role should have privileges that only allow adding roles:
SHOW ROLE roleAdder PRIVILEGES
Lists all privileges for role 'roleAdder'
access | action | resource | graph | segment | role |
---|---|---|---|---|---|
|
|
|
|
|
|
Rows: 1 |
The ability to delete roles can be granted via the DROP ROLE
privilege. The following query shows an example of this:
GRANT DROP ROLE ON DBMS TO roleDropper
0 rows, System updates: 1
The resulting role should have privileges that only allow deleting roles:
SHOW ROLE roleDropper PRIVILEGES
Lists all privileges for role 'roleDropper'
access | action | resource | graph | segment | role |
---|---|---|---|---|---|
|
|
|
|
|
|
Rows: 1 |
The ability to assign roles to users can be granted via the ASSIGN ROLE
privilege. The following query shows an example of this:
GRANT ASSIGN ROLE ON DBMS TO roleAssigner
0 rows, System updates: 1
The resulting role should have privileges that only allow assigning/granting roles:
SHOW ROLE roleAssigner PRIVILEGES
Lists all privileges for role 'roleAssigner'
access | action | resource | graph | segment | role |
---|---|---|---|---|---|
|
|
|
|
|
|
Rows: 1 |
The ability to remove roles from users can be granted via the REMOVE ROLE
privilege. The following query shows an example of this:
GRANT REMOVE ROLE ON DBMS TO roleRemover
0 rows, System updates: 1
The resulting role should have privileges that only allow removing/revoking roles:
SHOW ROLE roleRemover PRIVILEGES
Lists all privileges for role 'roleRemover'
access | action | resource | graph | segment | role |
---|---|---|---|---|---|
|
|
|
|
|
|
Rows: 1 |
The ability to show roles can be granted via the SHOW ROLE
privilege. The following query shows an example of this:
GRANT SHOW ROLE ON DBMS TO roleShower
0 rows, System updates: 1
The resulting role should have privileges that only allow showing roles, not privileges:
SHOW ROLE roleShower PRIVILEGES
Lists all privileges for role 'roleShower'
access | action | resource | graph | segment | role |
---|---|---|---|---|---|
|
|
|
|
|
|
Rows: 1 |
The privileges to create, delete, assign, remove, and list roles can be granted via the ROLE MANAGEMENT
privilege. The following query shows an example of this:
GRANT ROLE MANAGEMENT ON DBMS TO roleManager
0 rows, System updates: 1
The resulting role should have all privileges to manage roles:
SHOW ROLE roleManager PRIVILEGES
Lists all privileges for role 'roleManager'
access | action | resource | graph | segment | role |
---|---|---|---|---|---|
|
|
|
|
|
|
Rows: 1 |