Built-in roles
All of the commands described in this chapter require that the user executing the commands has the rights to do so. The privileges listed in the following sections are the default set of privileges for each built-in role:
The PUBLIC role
All users are granted the PUBLIC role, and it can not be revoked or dropped. By default, it gives access to the default database and allows executing all procedures and user defined functions.
Privileges of the PUBLIC role
SHOW ROLE PUBLIC PRIVILEGES| access | action | resource | graph | segment | role |
|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 3 |
|||||
How to recreate the PUBLIC role
The PUBLIC role can not be dropped and thus there is no need to recreate the role itself.
To restore the role to its original capabilities, two steps are needed. First, all GRANT or DENY privileges on this role should be revoked (see output of SHOW ROLE PUBLIC PRIVILEGES AS REVOKE COMMANDS on what to revoke).
Secondly, the following queries must be run:
GRANT ACCESS ON DEFAULT DATABASE TO PUBLIC0 rows, System updates: 1
GRANT EXECUTE PROCEDURES * ON DBMS TO PUBLIC0 rows, System updates: 1
GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO PUBLIC0 rows, System updates: 1
The resulting PUBLIC role now has the same privileges as the original built-in PUBLIC role.
The reader role
The reader role can perform read-only queries on all graphs except for the system database.
Privileges of the reader role
SHOW ROLE reader PRIVILEGES| access | action | resource | graph | segment | role |
|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 3 |
|||||
How to recreate the reader role
To restore the role to its original capabilities two steps are needed. First, if not already done, execute DROP ROLE reader.
Secondly, the following queries must be run:
CREATE ROLE reader0 rows, System updates: 1
GRANT ACCESS ON DATABASE * TO reader0 rows, System updates: 1
GRANT MATCH {*} ON GRAPH * TO reader0 rows, System updates: 2
The resulting reader role now has the same privileges as the original built-in reader role.
The editor role
The editor role can perform read and write operations on all graphs except for the system database, but can not make new labels, property keys or relationship types.
Privileges of the editor role
SHOW ROLE editor PRIVILEGES| access | action | resource | graph | segment | role |
|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 5 |
|||||
How to recreate the editor role
To restore the role to its original capabilities two steps are needed. First, if not already done, execute DROP ROLE editor.
Secondly, the following queries must be run:
CREATE ROLE editor0 rows, System updates: 1
GRANT ACCESS ON DATABASE * TO editor0 rows, System updates: 1
GRANT MATCH {*} ON GRAPH * TO editor0 rows, System updates: 2
GRANT WRITE ON GRAPH * TO editor0 rows, System updates: 2
The resulting editor role now has the same privileges as the original built-in editor role.
The publisher role
The publisher role can do the same as editor, but can also create new labels, property keys and relationship types.
Privileges of the publisher role
SHOW ROLE publisher PRIVILEGES| access | action | resource | graph | segment | role |
|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 6 |
|||||
How to recreate the publisher role
To restore the role to its original capabilities two steps are needed. First, if not already done, execute DROP ROLE publisher.
Secondly, the following queries must be run:
CREATE ROLE publisher0 rows, System updates: 1
GRANT ACCESS ON DATABASE * TO publisher0 rows, System updates: 1
GRANT MATCH {*} ON GRAPH * TO publisher0 rows, System updates: 2
GRANT WRITE ON GRAPH * TO publisher0 rows, System updates: 2
GRANT NAME MANAGEMENT ON DATABASE * TO publisher0 rows, System updates: 1
The resulting publisher role now has the same privileges as the original built-in publisher role.
The architect role
The architect role can do the same as the publisher, as well as create and manage indexes and constraints.
Privileges of the architect role
SHOW ROLE architect PRIVILEGES| access | action | resource | graph | segment | role |
|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 8 |
|||||
How to recreate the architect role
To restore the role to its original capabilities two steps are needed. First, if not already done, execute DROP ROLE architect.
Secondly, the following queries must be run:
CREATE ROLE architect0 rows, System updates: 1
GRANT ACCESS ON DATABASE * TO architect0 rows, System updates: 1
GRANT MATCH {*} ON GRAPH * TO architect0 rows, System updates: 2
GRANT WRITE ON GRAPH * TO architect0 rows, System updates: 2
GRANT NAME MANAGEMENT ON DATABASE * TO architect0 rows, System updates: 1
GRANT INDEX MANAGEMENT ON DATABASE * TO architect0 rows, System updates: 1
GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO architect0 rows, System updates: 1
The resulting architect role now has the same privileges as the original built-in architect role.
The admin role
The admin role can do the same as the architect, as well as manage databases, users, roles and privileges.
Privileges of the admin role
SHOW ROLE admin PRIVILEGES| access | action | resource | graph | segment | role |
|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 9 |
|||||
How to recreate the admin role
To restore the role to its original capabilities two steps are needed. First, if not already done, execute DROP ROLE admin.
Secondly, the following queries must be run in order to set up the privileges:
CREATE ROLE admin0 rows, System updates: 1
GRANT ALL DBMS PRIVILEGES ON DBMS TO admin0 rows, System updates: 1
GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin0 rows, System updates: 1
GRANT START ON DATABASE * TO admin0 rows, System updates: 1
GRANT STOP ON DATABASE * TO admin0 rows, System updates: 1
GRANT MATCH {*} ON GRAPH * TO admin0 rows, System updates: 2
GRANT WRITE ON GRAPH * TO admin0 rows, System updates: 2
GRANT ALL ON DATABASE * TO admin0 rows, System updates: 1
The queries above are enough to grant most of the full admin capabilities. Please note that the result of executing SHOW ROLE admin PRIVILEGES now appears to be slightly different from the privileges shown for the original built-in admin role. This does not make any functional difference.
SHOW ROLE admin PRIVILEGES| access | action | resource | graph | segment | role |
|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 9 |
|||||
Additional information about restoring the admin role can be found in the Operations Manual → Recover the admin role.