# Built-in roles and privileges

This section explains the default privileges of the built-in roles in Neo4j and how to recreate them if needed.
All of the commands described in this chapter require that the user executing the commands has the rights to do so. The privileges listed in the following sections are the default set of privileges for each built-in role:
## The `PUBLIC` role

All users are granted the `PUBLIC` role, and it cannot be revoked or dropped.
By default, it gives access to the default database and allows executing all procedures and user-defined functions.

### Listing `PUBLIC` role privileges

```cypher
SHOW ROLE PUBLIC PRIVILEGES AS COMMANDS
```

Output column `command`. Rows: 3

### Recreating the `PUBLIC` role

The `PUBLIC` role cannot be dropped, and thus there is no need to recreate the role itself.
To restore the role to its original capabilities, two steps are needed.
First, all `GRANT` or `DENY` privileges on this role should be revoked (see the output of `SHOW ROLE PUBLIC PRIVILEGES AS REVOKE COMMANDS` for what to revoke).
Secondly, run these queries:

```cypher
GRANT ACCESS ON HOME DATABASE TO PUBLIC
GRANT EXECUTE PROCEDURES * ON DBMS TO PUBLIC
GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO PUBLIC
```

The resulting `PUBLIC` role now has the same privileges as the original built-in `PUBLIC` role.
## The `reader` role

The `reader` role can perform read-only queries on all graphs except for the `system` database.

### Listing `reader` role privileges

```cypher
SHOW ROLE reader PRIVILEGES AS COMMANDS
```

Output column `command`. Rows: 5

### Recreating the `reader` role

To restore the role to its original capabilities, two steps are needed.
First, execute `DROP ROLE reader`.
Secondly, run these queries:

```cypher
CREATE ROLE reader
GRANT ACCESS ON DATABASE * TO reader
GRANT MATCH {*} ON GRAPH * TO reader
GRANT SHOW CONSTRAINT ON DATABASE * TO reader
GRANT SHOW INDEX ON DATABASE * TO reader
```

The resulting `reader` role now has the same privileges as the original built-in `reader` role.
## The `editor` role

The `editor` role can perform read and write operations on all graphs except for the `system` database, but it cannot create new labels, property keys or relationship types.

### Listing `editor` role privileges

```cypher
SHOW ROLE editor PRIVILEGES AS COMMANDS
```

Output column `command`. Rows: 6

### Recreating the `editor` role

To restore the role to its original capabilities, two steps are needed.
First, execute `DROP ROLE editor`.
Secondly, run these queries:

```cypher
CREATE ROLE editor
GRANT ACCESS ON DATABASE * TO editor
GRANT MATCH {*} ON GRAPH * TO editor
GRANT WRITE ON GRAPH * TO editor
GRANT SHOW CONSTRAINT ON DATABASE * TO editor
GRANT SHOW INDEX ON DATABASE * TO editor
```

The resulting `editor` role now has the same privileges as the original built-in `editor` role.
## The `publisher` role

The `publisher` role can do the same as `editor`, as well as create new labels, property keys and relationship types.

### Listing `publisher` role privileges

```cypher
SHOW ROLE publisher PRIVILEGES AS COMMANDS
```

Output column `command`. Rows: 7

### Recreating the `publisher` role

To restore the role to its original capabilities, two steps are needed.
First, execute `DROP ROLE publisher`.
Secondly, run these queries:

```cypher
CREATE ROLE publisher
GRANT ACCESS ON DATABASE * TO publisher
GRANT MATCH {*} ON GRAPH * TO publisher
GRANT WRITE ON GRAPH * TO publisher
GRANT NAME MANAGEMENT ON DATABASE * TO publisher
GRANT SHOW CONSTRAINT ON DATABASE * TO publisher
GRANT SHOW INDEX ON DATABASE * TO publisher
```

The resulting `publisher` role now has the same privileges as the original built-in `publisher` role.
## The `architect` role

The `architect` role can do the same as the `publisher`, as well as create and manage indexes and constraints.

### Listing `architect` role privileges

```cypher
SHOW ROLE architect PRIVILEGES AS COMMANDS
```

Output column `command`. Rows: 9

### Recreating the `architect` role

To restore the role to its original capabilities, two steps are needed.
First, execute `DROP ROLE architect`.
Secondly, run these queries:

```cypher
CREATE ROLE architect
GRANT ACCESS ON DATABASE * TO architect
GRANT MATCH {*} ON GRAPH * TO architect
GRANT WRITE ON GRAPH * TO architect
GRANT NAME MANAGEMENT ON DATABASE * TO architect
GRANT SHOW CONSTRAINT ON DATABASE * TO architect
GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO architect
GRANT SHOW INDEX ON DATABASE * TO architect
GRANT INDEX MANAGEMENT ON DATABASE * TO architect
```

The resulting `architect` role now has the same privileges as the original built-in `architect` role.
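As an added example (not Neo4j's own code), the following Python check compares the rows returned by `SHOW ROLE <role> PRIVILEGES AS COMMANDS` for the `reader`, `editor`, `publisher` and `architect` roles against the baseline transcribed from the recreation queries above, reporting privileges that are missing or have been added (for example a grant that silently widens a read-only role). It assumes that `SHOW` reports a `MATCH {*} ON GRAPH *` grant as separate `NODE *` and `RELATIONSHIP *` rows with the role name back-quoted, which is why the listing tables above have one more row than the recreation scripts have `MATCH` statements; the sample rows are constructed.

```python
"""Detect drift of a Neo4j built-in role from its documented baseline.
Added example, not Neo4j's own tooling: baseline transcribed from the recreation
queries on this page; sample SHOW rows are constructed. Assumed SHOW ... AS COMMANDS
format: one `command` string per row, role name back-quoted, and MATCH {*} ON GRAPH *
reported as separate NODE * and RELATIONSHIP * rows (hence 5 rows for reader)."""
import re

# Each role adds privileges on top of the previous one: reader < editor < publisher < architect.
ROLE_CHAIN = ["reader", "editor", "publisher", "architect"]
ADDED_PRIVILEGES = {
    "reader": ["ACCESS ON DATABASE *", "MATCH {*} ON GRAPH *",
               "SHOW CONSTRAINT ON DATABASE *", "SHOW INDEX ON DATABASE *"],
    "editor": ["WRITE ON GRAPH *"],
    "publisher": ["NAME MANAGEMENT ON DATABASE *"],
    "architect": ["CONSTRAINT MANAGEMENT ON DATABASE *", "INDEX MANAGEMENT ON DATABASE *"],
}

def expected_commands(role):
    """GRANT rows the built-in role should carry, in SHOW's (assumed) row format."""
    privs = [p for r in ROLE_CHAIN[: ROLE_CHAIN.index(role) + 1] for p in ADDED_PRIVILEGES[r]]
    rows = set()
    for p in privs:
        if p == "MATCH {*} ON GRAPH *":  # one grant, two reported rows
            rows.add(f"GRANT MATCH {{*}} ON GRAPH * NODE * TO {role}")
            rows.add(f"GRANT MATCH {{*}} ON GRAPH * RELATIONSHIP * TO {role}")
        else:
            rows.add(f"GRANT {p} TO {role}")
    return rows

def normalize(command):
    """Canonicalise a `command` row: strip identifier back-quotes, collapse whitespace."""
    return re.sub(r"\s+", " ", command.replace("`", "")).strip()

def privilege_drift(role, show_rows):
    """Return (missing, unexpected) rows; anything outside the baseline, DENY rows included, is unexpected."""
    expected = expected_commands(role)
    actual = {normalize(r) for r in show_rows}
    return sorted(expected - actual), sorted(actual - expected)

# Constructed sample: `editor` lost SHOW INDEX and gained publisher's NAME MANAGEMENT.
SAMPLE_EDITOR_ROWS = [
    "GRANT ACCESS ON DATABASE * TO `editor`",
    "GRANT MATCH {*} ON GRAPH * NODE * TO `editor`",
    "GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `editor`",
    "GRANT WRITE ON GRAPH * TO `editor`",
    "GRANT SHOW CONSTRAINT ON DATABASE * TO `editor`",
    "GRANT NAME MANAGEMENT ON DATABASE * TO `editor`",
]
```

Feed `privilege_drift` the `command` column fetched with the Neo4j driver against the `system` database; any non-empty result means the role no longer matches the recreation script for it above.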
## The `admin` role

The `admin` role can do the same as the `architect`, as well as manage databases, aliases, users, roles and privileges.
The `admin` role has the ability to perform administrative tasks.
These include the rights to perform the following classes of tasks:

- Manage database security to control the rights to perform actions on specific databases:
  - Manage access to a database and the right to start and stop a database.
  - Manage indexes and constraints.
  - Allow the creation of labels, relationship types or property names.
  - Manage transactions.
- Manage DBMS security to control the rights to perform actions on the entire system:
  - Manage multiple databases.
  - Change configuration parameters.
  - Manage sub-graph privileges.
  - Manage procedure security.

These rights are conferred using privileges that can be managed through the `GRANT`, `DENY` and `REVOKE` commands.

### Listing `admin` role privileges

```cypher
SHOW ROLE admin PRIVILEGES AS COMMANDS
```

Output column `command`. Rows: 13

If the built-in `admin` role has been altered or dropped, and needs to be restored to its original state, see Operations Manual → Password and user recovery.

### Recreating the `admin` role

To restore the role to its original capabilities, two steps are needed.
First, execute `DROP ROLE admin`.
Secondly, run these queries:

```cypher
CREATE ROLE admin
GRANT ALL DBMS PRIVILEGES ON DBMS TO admin
GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin
GRANT START ON DATABASE * TO admin
GRANT STOP ON DATABASE * TO admin
GRANT MATCH {*} ON GRAPH * TO admin
GRANT WRITE ON GRAPH * TO admin
GRANT ALL ON DATABASE * TO admin
```

The resulting `admin` role now has the same effective privileges as the original built-in `admin` role.
Additional information about restoring the `admin` role can be found in the Operations Manual → Recover the admin role.