DBMS privileges
AuraDB Business Critical, AuraDB Virtual Dedicated Cloud, Enterprise Edition
All DBMS privileges are relevant system-wide. Like user management, they do not belong to one specific database or graph. For more details on the differences between graphs, databases, and the DBMS, refer to Cypher Manual → Cypher and Neo4j.
GRANT and DENY DBMS privileges
You can only grant, deny, or revoke privileges to or from existing roles.
Granting ALL DBMS PRIVILEGES
You can grant the ALL DBMS PRIVILEGES privilege to a role.
The ALL DBMS PRIVILEGES privilege is equivalent to granting the following privileges:
- Create, drop, assign, remove, and show roles.
- Create, alter, drop, show, and impersonate users.
- Create, alter, drop, and show databases and aliases.
- Enable, alter, rename, reallocate, deallocate, drop, and show servers.
- Show, assign, and remove privileges.
- Execute all procedures with elevated privileges.
- Execute all user-defined functions with elevated privileges.
- Show all configuration settings.
For more details about the syntax descriptions, see Reading the administration commands syntax.
GRANT [IMMUTABLE] ALL [[DBMS] PRIVILEGES]
ON DBMS
TO role[, ...]
For example, to grant the role dbmsManager all DBMS abilities, use the following query:
GRANT ALL DBMS PRIVILEGES ON DBMS TO dbmsManager;
To list all privileges for the role dbmsManager as commands, use the following query:
SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS;
| command |
|---|
|
Rows: 1
Name-globbing for procedures, user-defined functions, and settings
The name-globbing for procedures, user-defined functions, and setting names is a simplified version of globbing for filename expansions.
It only allows two wildcard characters: * and ?, which are used for multiple and single-character matches.
In this case, * means 0 or more characters, and ? matches exactly one character.
The name-globbing is subject to the Cypher Manual → Naming rules and recommendations, with the exception that it may include dots, stars, and question marks without the need for escaping using backticks. Each part of the name-globbing separated by dots may be individually quoted.
For example,
Given the following list of procedures:
- mine.public.exampleProcedure
- mine.public.exampleProcedure1
- mine.public.exampleProcedure2
- mine.public.with#Special§Characters
- mine.private.exampleProcedure
- mine.private.exampleProcedure1
- mine.private.exampleProcedure2
- mine.private.with#Special§Characters
- your.exampleProcedure
The following examples demonstrate how name-globbing patterns can be used in controlling access to procedures. Note that the same rules apply to user-defined functions and settings.
GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1;
Users with the role globbing1 can run all the procedures.
GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2;
Users with the role globbing2 can run procedures mine.public.exampleProcedure and mine.private.exampleProcedure, but no other procedures.
GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3;
Users with the role globbing3 can run procedures mine.public.exampleProcedure1, mine.private.exampleProcedure1, and mine.private.exampleProcedure2, but no other procedures.
GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4;
Users with the role globbing4 can run procedures your.exampleProcedure, mine.public.exampleProcedure, and mine.private.exampleProcedure, but no other procedures.
GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5;
Users with the role globbing5 can run procedures mine.public.exampleProcedure, mine.public.exampleProcedure1 and mine.public.exampleProcedure42, but no other procedures.
GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6;
Users with the role globbing6 can run procedures mine.public.with#Special§Characters, and mine.private.with#Special§Characters, but no other procedures.
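The matching rules above, as an added example (not Neo4j code): a Python matcher that lists which of the procedures named on this page a GRANT pattern would cover, so a grant can be reviewed before it is applied. It assumes backticks only delimit name parts and do not escape wildcards, as the globbing6 grant implies, and that matching is case-sensitive; the function names are hypothetical.

```python
import re

# Procedure names listed on this page.
PROCEDURES = [
    "mine.public.exampleProcedure",
    "mine.public.exampleProcedure1",
    "mine.public.exampleProcedure2",
    "mine.public.with#Special§Characters",
    "mine.private.exampleProcedure",
    "mine.private.exampleProcedure1",
    "mine.private.exampleProcedure2",
    "mine.private.with#Special§Characters",
    "your.exampleProcedure",
]

def glob_to_regex(pattern):
    """Translate a name-globbing pattern: * is 0 or more characters, ? is exactly one."""
    # Assumption: backticks are quoting only, so they are dropped before matching.
    # Every other character, including '.', '#' and '§', is matched literally.
    wildcards = {"*": ".*", "?": "."}
    body = "".join(wildcards.get(ch, re.escape(ch)) for ch in pattern.replace("`", ""))
    return re.compile(body, re.DOTALL)

def matched(patterns, names=PROCEDURES):
    """Names covered by at least one pattern of a single GRANT statement."""
    regexes = [glob_to_regex(p) for p in patterns]
    return [n for n in names if any(r.fullmatch(n) for r in regexes)]

def namespaces_reached(patterns, names=PROCEDURES):
    """Top-level namespaces the grant touches; * is not stopped by dots."""
    return sorted({n.split(".")[0] for n in matched(patterns, names)})

if __name__ == "__main__":
    grants = {
        "globbing2": ["mine.*.exampleProcedure"],
        "globbing4": ["*.exampleProcedure"],
        "globbing6": ["`mine.public.with#*§Characters`",
                      "mine.private.`with#Spec???§Characters`"],
    }
    for role, patterns in grants.items():
        print(role, namespaces_reached(patterns))
        for name in matched(patterns):
            print("   ", name)
```

Because `*` also matches dots, a leading `*` such as `*.exampleProcedure` reaches both the `mine` and `your` namespaces, which `namespaces_reached` makes visible.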
The name-globbing may be fully or partially quoted.
Both