Built-in roles and privileges
This section explains the default privileges of the built-in roles in Neo4j and how to recreate them if needed.
All of the commands described in this chapter require that the user executing the commands has the rights to do so. The privileges listed in the following sections are the default set of privileges for each built-in role:
The PUBLIC role
All users are granted the PUBLIC role, and it can not be revoked or dropped.
By default, it gives access to the default database and allows executing all procedures and user-defined functions.
|
The |
Listing PUBLIC role privileges
SHOW ROLE PUBLIC PRIVILEGES AS COMMANDS| command |
|---|
|
|
|
Rows: 3 |
Recreating the PUBLIC role
The PUBLIC role can not be dropped and thus there is no need to recreate the role itself.
To restore the role to its original capabilities, two steps are needed.
First, all GRANT or DENY privileges on this role should be revoked (see output of SHOW ROLE PUBLIC PRIVILEGES AS REVOKE COMMANDS on what to revoke).
Secondly, run these queries:
GRANT ACCESS ON HOME DATABASE TO PUBLICGRANT EXECUTE PROCEDURES * ON DBMS TO PUBLICGRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO PUBLICThe resulting PUBLIC role now has the same privileges as the original built-in PUBLIC role.
The reader role
The reader role can perform read-only queries on all graphs except for the system database.
Listing reader role privileges
SHOW ROLE reader PRIVILEGES AS COMMANDS| command |
|---|
|
|
|
|
|
Rows: 5 |
Recreating the reader role
To restore the role to its original capabilities two steps are needed.
First, execute DROP ROLE reader.
Secondly, run these queries:
CREATE ROLE readerGRANT ACCESS ON DATABASE * TO readerGRANT MATCH {*} ON GRAPH * TO readerGRANT SHOW CONSTRAINT ON DATABASE * TO readerGRANT SHOW INDEX ON DATABASE * TO readerThe resulting reader role now has the same privileges as the original built-in reader role.
The editor role
The editor role can perform read and write operations on all graphs except for the system database, but it cannot create new labels, property keys or relationship types.
Listing editor role privileges
SHOW ROLE editor PRIVILEGES AS COMMANDS| command |
|---|
|
|
|
|
|
|
Rows: 6 |
Recreating the editor role
To restore the role to its original capabilities two steps are needed.
First, execute DROP ROLE editor.
Secondly, run these queries:
CREATE ROLE editorGRANT ACCESS ON DATABASE * TO editorGRANT MATCH {*} ON GRAPH * TO editorGRANT WRITE ON GRAPH * TO editorGRANT SHOW CONSTRAINT ON DATABASE * TO editorGRANT SHOW INDEX ON DATABASE * TO editorThe resulting editor role now has the same privileges as the original built-in editor role.
The publisher role
The publisher role can do the same as editor, as well as create new labels, property keys and relationship types.
Listing publisher role privileges
SHOW ROLE publisher PRIVILEGES AS COMMANDS| command |
|---|
|
|
|
|
|
|
|
Rows: 7 |
Recreating the publisher role
To restore the role to its original capabilities two steps are needed.
First, execute DROP ROLE publisher.
Secondly, run these queries:
CREATE ROLE publisherGRANT ACCESS ON DATABASE * TO publisherGRANT MATCH {*} ON GRAPH * TO publisherGRANT WRITE ON GRAPH * TO publisherGRANT NAME MANAGEMENT ON DATABASE * TO publisherGRANT SHOW CONSTRAINT ON DATABASE * TO publisherGRANT SHOW INDEX ON DATABASE * TO publisherThe resulting publisher role now has the same privileges as the original built-in publisher role.
The architect role
The architect role can do the same as the publisher, as well as create and manage indexes and constraints.
Listing architect role privileges
SHOW ROLE architect PRIVILEGES AS COMMANDS| command |
|---|
|
|
|
|
|
|
|
|
|
Rows: 9 |
Recreating the architect role
To restore the role to its original capabilities two steps are needed.
First, execute DROP ROLE architect.
Secondly, run these queries:
CREATE ROLE architectGRANT ACCESS ON DATABASE * TO architectGRANT MATCH {*} ON GRAPH * TO architectGRANT WRITE ON GRAPH * TO architectGRANT NAME MANAGEMENT ON DATABASE * TO architectGRANT SHOW CONSTRAINT ON DATABASE * TO architectGRANT CONSTRAINT MANAGEMENT ON DATABASE * TO architectGRANT SHOW INDEX ON DATABASE * TO architectGRANT INDEX MANAGEMENT ON DATABASE * TO architectThe resulting architect role now has the same privileges as the original built-in architect role.
The admin role
The admin role can do the same as the architect, as well as manage databases, aliases, users, roles and privileges.
The admin role has the ability to perform administrative tasks.
These include the rights to perform the following classes of tasks:
-
Manage database security to control the rights to perform actions on specific databases:
-
Manage access to a database and the right to start and stop a database.
-
Manage indexes and constraints.
-
Allow the creation of labels, relationship types or property names.
-
Manage transactions
-
-
Manage DBMS security to control the rights to perform actions on the entire system:
-
Manage multiple databases.
-
Change configuration parameters.
-
Manage sub-graph privileges.
-
Manage procedure security.
-
These rights are conferred using privileges that can be managed through the GRANT, DENY and REVOKE commands.
Listing admin role privileges
SHOW ROLE admin PRIVILEGES AS COMMANDS| command |
|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 13 |
If the built-in admin role has been altered or dropped, and needs to be restored to its original state, see Operations Manual → Password and user recovery.
Recreating the admin role
To restore the role to its original capabilities two steps are needed.
First, execute DROP ROLE admin.
Secondly, run these queries:
CREATE ROLE adminGRANT ALL DBMS PRIVILEGES ON DBMS TO adminGRANT TRANSACTION MANAGEMENT ON DATABASE * TO adminGRANT START ON DATABASE * TO adminGRANT STOP ON DATABASE * TO adminGRANT MATCH {*} ON GRAPH * TO adminGRANT WRITE ON GRAPH * TO adminGRANT ALL ON DATABASE * TO adminThe resulting admin role now has the same effective privileges as the original built-in admin role.
Additional information about restoring the admin role can be found in the Operations Manual → Recover the admin role.
Was this page helpful?