Built-in roles and privileges

Introduction

Neo4j provides a set of built-in roles that can be used to control access to the database. The PUBLIC role is the default role for all users. It does not give any rights or capabilities regarding the data, not even read privileges. The rest of the built-in roles are hierarchical, with the reader role at the bottom and the admin role at the top with all privileges.

A user may have more than one assigned role, and the union of these determines what action(s) on the data may be undertaken by the user. For instance, a user assigned to the reader role can execute procedures, because all users are also assigned to the PUBLIC role, which enables that capability.

The built-in roles have the following default privileges:

PUBLIC
  • Access to the home database.

  • Execute procedures with the users' own privileges.

  • Execute user-defined functions with the users' own privileges.

  • Load data.

reader
  • Access to all databases.

  • Traverse and read on the data graph (all nodes, relationships, properties).

  • Show indexes and constraints along with any other future schema constructs.

editor
  • Access to all databases.

  • Traverse, read, and write on the data graph.

  • Write access, limited to creating and changing existing property keys, node labels, and relationship types of the graph. In other words, the editor role cannot add to the schema but can only make changes to already existing objects.

  • Show indexes and constraints along with any other future schema constructs.

publisher
  • Access to all databases.

  • Traverse, read, and write on the data graph.

  • Show indexes and constraints along with any other future schema constructs.

architect
  • Access to all databases.

  • Traverse, read, and write on the data graph.

  • Create/drop/show indexes and constraints along with any other future schema constructs.

admin
  • Access to all databases.

  • Traverse, read, and write on the data graph.

  • Load data.

  • Create/drop/show indexes and constraints along with any other future schema constructs.

  • Execute procedures using boosted privileges.

  • Execute admin procedures.

  • Execute user-defined functions using boosted privileges.

  • View/terminate queries.

  • Manage databases, users, roles, and privileges.

When an administrator suspends or deletes another user, the following rules apply:

  • Administrators can suspend or delete any other user (including other administrators), but not themselves.

  • When suspended, the user is no longer able to log back in until re-activated by an administrator.

  • There is no need to remove assigned roles from a user before deleting the user.

Deleting a user does not automatically terminate associated connections, sessions, transactions, or queries.

Neo4j provides the following built-in roles with default privileges and capabilities. The subset of the functionality that is available with Community Edition is also included. All of the commands require that the user executing the commands has the rights to do so.

Table 1. Built-in roles capabilities
Action reader editor publisher architect admin PUBLIC Available in Community Edition

Change own password

View own details

View own transactions

Terminate own transactions

View own privileges

View all databases

Access home database

Access all databases

Read data

View index/constraint

Write/update/delete existing data

Create new types of properties key

Create new types of nodes labels

Create new types of relationship types

Create/drop index/constraint

Create/delete user

Change another user’s name

Change another user’s password

Change another user’s home database

Suspend/activate user

Create/drop roles

Change role names

Assign/remove role to/from user

Create/drop/alter databases

Start/stop databases

Manage database access

Grant/deny/revoke privileges

View all users

View all roles

View all roles for a user

View all users for a role

View another user’s privileges

View all transactions

Terminate all transactions

Load data

Execute procedures

Execute functions

Execute admin procedures

Dynamically change configuration [1]

1. For more information, see Update dynamic settings

The PUBLIC role

All users are granted the PUBLIC role, and it can not be revoked or dropped. By default, it gives access to the default database and allows loading data, executing all procedures and user-defined functions.

The PUBLIC role cannot be dropped or revoked from any user, but the specific privileges for the role can be modified. In contrast to the PUBLIC role, the other built-in roles can be granted, revoked, dropped, and re-created.

Listing PUBLIC role privileges

SHOW ROLE PUBLIC PRIVILEGES AS COMMANDS
Table 2. Result
command

"GRANT ACCESS ON HOME DATABASE TO `PUBLIC`"

"GRANT EXECUTE FUNCTION * ON DBMS TO `PUBLIC`"

"GRANT EXECUTE PROCEDURE * ON DBMS TO `PUBLIC`"

"GRANT LOAD ON ALL DATA TO `PUBLIC`"

Rows: 4

Recreating the PUBLIC role

The PUBLIC role can not be dropped and thus there is no need to recreate the role itself. To restore the role to its original capabilities, two steps are needed.

First, all GRANT or DENY privileges on this role should be revoked (see output of SHOW ROLE PUBLIC PRIVILEGES AS REVOKE COMMANDS on what to revoke). Secondly, run these queries:

GRANT ACCESS ON HOME DATABASE TO PUBLIC
GRANT EXECUTE PROCEDURES * ON DBMS TO PUBLIC
GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO PUBLIC
GRANT LOAD ON ALL DATA TO PUBLIC

The resulting PUBLIC role now has the same privileges as the original built-in PUBLIC role.

The reader role

The reader role can perform read-only queries on all graphs except for the system database.

Listing reader role privileges

SHOW ROLE reader PRIVILEGES AS COMMANDS
Table 3. Result
command

"GRANT ACCESS ON DATABASE * TO `reader`"

"GRANT MATCH {*} ON GRAPH * NODE * TO `reader`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `reader`"

"GRANT SHOW CONSTRAINT ON DATABASE * TO `reader`"

"GRANT SHOW INDEX ON DATABASE * TO `reader`"

Rows: 5

Recreating the reader role

To restore the role to its original capabilities two steps are needed. First, execute DROP ROLE reader. Secondly, run these queries:

CREATE ROLE reader
GRANT ACCESS ON DATABASE * TO reader
GRANT MATCH {*} ON GRAPH * TO reader
GRANT SHOW CONSTRAINT ON DATABASE * TO reader
GRANT SHOW INDEX ON DATABASE * TO reader

The resulting reader role now has the same privileges as the original built-in reader role.

The editor role

The editor role can perform read and write operations on all graphs except for the system database, but it cannot create new labels, property keys or relationship types.

Listing editor role privileges

SHOW ROLE editor PRIVILEGES AS COMMANDS
Table 4. Result
command

"GRANT ACCESS ON DATABASE * TO `editor`"

"GRANT MATCH {*} ON GRAPH * NODE * TO `editor`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `editor`"

"GRANT SHOW CONSTRAINT ON DATABASE * TO `editor`"

"GRANT SHOW INDEX ON DATABASE * TO `editor`"

"GRANT WRITE ON GRAPH * TO `editor`"

Rows: 6

Recreating the editor role

To restore the role to its original capabilities two steps are needed. First, execute DROP ROLE editor. Secondly, run these queries:

CREATE ROLE editor
GRANT ACCESS ON DATABASE * TO editor
GRANT MATCH {*} ON GRAPH * TO editor
GRANT WRITE ON GRAPH * TO editor
GRANT SHOW CONSTRAINT ON DATABASE * TO editor
GRANT SHOW INDEX ON DATABASE * TO editor

The resulting editor role now has the same privileges as the original built-in editor role.

The publisher role

The publisher role can do the same as editor, as well as create new labels, property keys and relationship types.

Listing publisher role privileges

SHOW ROLE publisher PRIVILEGES AS COMMANDS
Table 5. Result
command

"GRANT ACCESS ON DATABASE * TO `publisher`"

"GRANT MATCH {*} ON GRAPH * NODE * TO `publisher`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `publisher`"

"GRANT NAME MANAGEMENT ON DATABASE * TO `publisher`"

"GRANT SHOW CONSTRAINT ON DATABASE * TO `publisher`"

"GRANT SHOW INDEX ON DATABASE * TO `publisher`"

"GRANT WRITE ON GRAPH * TO `publisher`"

Rows: 7

Recreating the publisher role

To restore the role to its original capabilities two steps are needed. First, execute DROP ROLE publisher. Secondly, run these queries:

CREATE ROLE publisher
GRANT ACCESS ON DATABASE * TO publisher
GRANT MATCH {*} ON GRAPH * TO publisher
GRANT WRITE ON GRAPH * TO publisher
GRANT NAME MANAGEMENT ON DATABASE * TO publisher
GRANT SHOW CONSTRAINT ON DATABASE * TO publisher
GRANT SHOW INDEX ON DATABASE * TO publisher

The resulting publisher role now has the same privileges as the original built-in publisher role.

The architect role

The architect role can do the same as the publisher, as well as create and manage indexes and constraints.

Listing architect role privileges

SHOW ROLE architect PRIVILEGES AS COMMANDS
Table 6. Result
command

"GRANT ACCESS ON DATABASE * TO `architect`"

"GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `architect`"

"GRANT INDEX MANAGEMENT ON DATABASE * TO `architect`"

"GRANT MATCH {*} ON GRAPH * NODE * TO `architect`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `architect`"

"GRANT NAME MANAGEMENT ON DATABASE * TO `architect`"

"GRANT SHOW CONSTRAINT ON DATABASE * TO `architect`"

"GRANT SHOW INDEX ON DATABASE * TO `architect`"

"GRANT WRITE ON GRAPH * TO `architect`"

Rows: 9

Recreating the architect role

To restore the role to its original capabilities two steps are needed. First, execute DROP ROLE architect. Secondly, run these queries:

CREATE ROLE architect
GRANT ACCESS ON DATABASE * TO architect
GRANT MATCH {*} ON GRAPH * TO architect
GRANT WRITE ON GRAPH * TO architect
GRANT NAME MANAGEMENT ON DATABASE * TO architect
GRANT SHOW CONSTRAINT ON DATABASE * TO architect
GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO architect
GRANT SHOW INDEX ON DATABASE * TO architect
GRANT INDEX MANAGEMENT ON DATABASE * TO architect

The resulting architect role now has the same privileges as the original built-in architect role.

The admin role

The admin role can do the same as the architect, as well as manage databases, aliases, users, roles and privileges.

The admin role can perform administrative tasks. These include the rights to perform the following classes of tasks:

  • Manage database privileges to control the rights to perform actions on specific databases:

    • Manage access to a database and the right to start and stop a database.

    • Manage indexes and constraints.

    • Allow the creation of labels, relationship types, or property names.

    • Manage transactions.

  • Manage DBMS privileges to control the rights to perform actions on the entire system:

    • Manage multiple databases.

    • Manage users and roles.

    • Change configuration parameters.

    • Manage sub-graph privileges.

    • Manage procedure security.

    • Manage load privileges to control the rights to load data from external sources.

These rights are conferred using privileges that can be managed through the GRANT, DENY and REVOKE commands.

Listing admin role privileges

SHOW ROLE admin PRIVILEGES AS COMMANDS
Table 7. Result
command

"GRANT ACCESS ON DATABASE * TO `admin`"

"GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`"

"GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`"

"GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`"

"GRANT LOAD ON ALL DATA TO `admin`"

"GRANT MATCH {*} ON GRAPH * NODE * TO `admin`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`"

"GRANT NAME MANAGEMENT ON DATABASE * TO `admin`"

"GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`"

"GRANT SHOW INDEX ON DATABASE * TO `admin`"

"GRANT START ON DATABASE * TO `admin`"

"GRANT STOP ON DATABASE * TO `admin`"

"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`"

"GRANT WRITE ON GRAPH * TO `admin`"

Rows: 14

If the built-in admin role has been altered or dropped and needs to be restored to its original state, see Password and user recovery.

Recreating the admin role

To restore the role to its original capabilities two steps are needed. First, execute DROP ROLE admin. Secondly, run these queries:

CREATE ROLE admin
GRANT ALL DBMS PRIVILEGES ON DBMS TO admin
GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin
GRANT START ON DATABASE * TO admin
GRANT STOP ON DATABASE * TO admin
GRANT MATCH {*} ON GRAPH * TO admin
GRANT WRITE ON GRAPH * TO admin
GRANT LOAD ON ALL DATA TO admin
GRANT ALL ON DATABASE * TO admin

The resulting admin role now has the same effective privileges as the original built-in admin role.

Additional information about restoring the admin role can be found in the Recover the admin role.