Managing privileges

This section explains how to use Cypher® to manage privileges for Neo4j role-based access control and fine-grained security.

Privileges control the access rights to graph elements using a combined allowlist/denylist mechanism. It is possible to grant or deny access, or use a combination of the two. The user will be able to access the resource if they have a GRANT (allowlist) and do not have a DENY (denylist) relevant to that resource. All other combinations of GRANT and DENY will result in the matching path being inaccessible. What this means in practice depends on whether we are talking about a read privilege or a write privilege:

  • If an entity is not accessible due to read privileges, the data will become invisible. It will appear to the user as if they had a smaller database (smaller graph).

  • If an entity is not accessible due to write privileges, an error will occur on any attempt to write that data.

In this document we will often use the terms 'allows' and 'enables' in seemingly identical ways. However, there is a subtle difference. We will use 'enables' to refer to the consequences of read privileges where a restriction will not cause an error, only a reduction in the apparent graph size. We will use 'allows' to refer to the consequence of write privileges where a restriction can result in an error.

If a user was not also provided with the database ACCESS privilege, then access to the entire database will be denied. Information about the database access privilege can be found in The ACCESS privilege.

More details about the syntax descriptions can be found here.

Graph privilege commands (GRANT, DENY and REVOKE)

Administrators can use Cypher commands to manage Neo4j graph administrative rights. The components of the graph privilege commands are:

  • the command:

    • GRANT – gives privileges to roles.

    • DENY – denies privileges to roles.

    • REVOKE – removes granted or denied privileges from roles.

  • mutability:

    • IMMUTABLE can optionally be specified when performing a GRANT or DENY to indicate that the privilege cannot be subsequently removed unless auth is disabled. Auth must also be disabled in order to GRANT or DENY an immutable privilege. Contrastingly, when IMMUTABLE is specified in conjunction with a REVOKE command, it will act as a filter and only remove matching immutable privileges. See also immutable privileges.

  • graph-privilege:

  • name:

    • The graph or graphs to associate the privilege with. Because in Neo4j 5 you can have only one graph per database, this command uses the database name or alias to refer to that graph. When using an alias, the command will be executed on the resolved graph.

      If you delete a database and create a new one with the same name, the new one will NOT have the privileges previously assigned to the deleted graph.

    • It can be *, which means all graphs. Graphs created after this command execution will also be associated with these privileges.

    • HOME GRAPH refers to the graph associated with the home database for that user. The default database will be used as home database if a user does not have one configured. If the user’s home database changes for any reason after privileges have been created, then these privileges will be associated with the graph attached to the new database. This can be quite powerful as it allows permissions to be switched from one graph to another simply by changing a user’s home database.

  • entity

    • The graph elements this privilege applies to:

      • NODES label (nodes with the specified label(s)).

      • RELATIONSHIPS type (relationships of the specific type(s)).

      • ELEMENTS label (both nodes and relationships).

    • The label or type can be referred with *, which means all labels or types.

    • Multiple labels or types can be specified, comma-separated.

    • Defaults to ELEMENTS * if omitted.

    • Some of the commands for write privileges do not allow an entity part. See Write privileges for details.

  • role[, …​]

    • The role or roles to associate the privilege with, comma-separated.

Table 1. General grant ON GRAPH privilege syntax

Command

GRANT ... ON ... TO ...

Syntax

GRANT [IMMUTABLE] graph-privilege ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } [entity] TO role[, ...]

Description

Grants a privilege to one or multiple roles.

Table 2. General deny ON GRAPH privilege syntax

Command

DENY ... ON ... TO ...

Syntax

DENY [IMMUTABLE] graph-privilege ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } [entity] TO role[, ...]

Description

Denies a privilege to one or multiple roles.

Table 3. General revoke ON GRAPH privilege syntax

Command

REVOKE GRANT ... ON ... FROM ...

Syntax

REVOKE [IMMUTABLE] GRANT graph-privilege ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } [entity] FROM role[, ...]

Description

Revokes a granted privilege from one or multiple roles.

Table 4. General revoke ON GRAPH privilege syntax

Command

REVOKE DENY ... ON ... FROM ...

Syntax

REVOKE [IMMUTABLE] DENY graph-privilege ON { HOME GRAPH | GRAPH[S] {* | name[, ...] } } [entity] FROM role[, ...]

Description

Revokes a denied privilege from one or multiple roles.

Table 5. General revoke ON GRAPH privilege syntax

Command

REVOKE ... ON ... FROM ...

Syntax

REVOKE [IMMUTABLE] graph-privilege ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } [entity] FROM role[, ...]

Description

Revokes a granted or denied privilege from one or multiple roles.

DENY does NOT erase a granted privilege; they both exist. Use REVOKE if you want to remove a privilege.

The general GRANT and DENY syntaxes are illustrated in the following image:

privileges grant and deny syntax
Figure 1. GRANT and DENY Syntax

A more detailed syntax illustration for graph privileges would be the following:

privileges on graph syntax
Figure 2. Syntax of GRANT and DENY Graph Privileges. The { and } are part of the syntax and not used for grouping.

The following image shows the hierarchy between different graph privileges:

privileges hierarchy
Figure 3. Graph privileges hierarchy

Listing privileges

Available privileges can be displayed using the different SHOW PRIVILEGE[S] commands.

Table 6. Show privileges command syntax

Command

SHOW PRIVILEGE

Syntax

SHOW [ALL] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  [YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]

Description

List all privileges.

Table 7. Show role privileges syntax

Command

SHOW ROLE ... PRIVILEGE

Syntax

SHOW ROLE[S] name[, ...] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  [YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]

Description

Lists privileges for a specific role.

Table 8. Show user privileges syntax

Command

SHOW USER ... PRIVILEGE

Syntax

SHOW USER[S] [name[, ...]] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  [YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]

Description

Lists privileges for a specific user, or the current user.

[NOTE] ==== Please note that it is only possible for a user to show their own privileges. Therefore, if a non-native auth provider like LDAP is in use, SHOW USER PRIVILEGES will only work in a limited capacity.

Other users' privileges cannot be listed when using a non-native auth provider. ====

When using the RETURN clause, the YIELD clause is mandatory and must not be omitted.

For an easy overview of the existing privileges, it is recommended to use the AS COMMANDS version of the SHOW command. This returns the column command of type STRING containing the privileges as the commands that are granted or denied.

When omitting the AS COMMANDS clause, results will include multiple columns describing privileges:

Column Description Type

access

Whether the privilege is granted or denied.

STRING

action

The type of the privilege. E.g., traverse, read, index management, or role management.

STRING

resource

The scope of the privilege. E.g., the entire DBMS, a specific database, a graph, or sub-graph access.

STRING

graph

The specific database or graph the privilege applies to.

STRING

segment

The labels, relationship types, procedures, functions, transactions or settings the privilege applies to (if applicable).

STRING

role

The role the privilege is granted to.

STRING

immutable

Whether or not the privilege is immutable.

This column is also available for the AS COMMAND variant using YIELD.

BOOLEAN

user

The user the privilege belongs to.

Note that this is only returned for SHOW USER [username] PRIVILEGES.

STRING

Examples for listing all privileges

Available privileges can be displayed using the different SHOW PRIVILEGE[S] commands.

SHOW [ALL] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  [WHERE expression]

SHOW [ALL] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
SHOW PRIVILEGES

Lists all privileges for all roles:

Table 9. Result
access action resource graph segment role immutable

"GRANTED"

"execute"

"database"

"*"

"FUNCTION(*)"

"PUBLIC"

false

"GRANTED"

"execute"

"database"

"*"

"PROCEDURE(*)"

"PUBLIC"

false

"GRANTED"

"access"

"database"

"DEFAULT"

"database"

"PUBLIC"

false

"GRANTED"

"match"

"all_properties"

"*"

"NODE(*)"

"admin"

false

"GRANTED"

"write"

"graph"

"*"

"NODE(*)"

"admin"

false

"GRANTED"

"match"

"all_properties"

"*"

"RELATIONSHIP(*)"

"admin"

false

"GRANTED"

"write"

"graph"

"*"

"RELATIONSHIP(*)"

"admin"

false

"GRANTED"

"transaction_management"

"database"

"*"

"USER(*)"

"admin"

false

"GRANTED"

"access"

"database"

"*"

"database"

"admin"

false

"GRANTED"

"constraint"

"database"

"*"

"database"

"admin"

false

"GRANTED"

"dbms_actions"

"database"

"*"

"database"

"admin"

false

"GRANTED"

"index"

"database"

"*"

"database"

"admin"

false

"GRANTED"

"start_database"

"database"

"*"

"database"

"admin"

false

"GRANTED"

"stop_database"

"database"

"*"

"database"

"admin"

false

"GRANTED"

"token"

"database"

"*"

"database"

"admin"

false

"GRANTED"

"match"

"all_properties"

"*"

"NODE(*)"

"architect"

false

"GRANTED"

"write"

"graph"

"*"

"NODE(*)"

"architect"

false

"GRANTED"

"match"

"all_properties"

"*"

"RELATIONSHIP(*)"

"architect"

false

"GRANTED"

"write"

"graph"

"*"

"RELATIONSHIP(*)"

"architect"

false

"GRANTED"

"access"

"database"

"*"

"database"

"architect"

false

"GRANTED"

"constraint"

"database"

"*"

"database"

"architect"

false

"GRANTED"

"index"

"database"

"*"

"database"

"architect"

false

"GRANTED"

"token"

"database"

"*"

"database"

"architect"

false

"GRANTED"

"match"

"all_properties"

"*"

"NODE(*)"

"editor"

false

"GRANTED"

"write"

"graph"

"*"

"NODE(*)"

"editor"

false

"GRANTED"

"match"

"all_properties"

"*"

"RELATIONSHIP(*)"

"editor"

false

"GRANTED"

"write"

"graph"

"*"

"RELATIONSHIP(*)"

"editor"

false

"GRANTED"

"access"

"database"

"*"

"database"

"editor"

false

"DENIED"

"access"

"database"

"neo4j"

"database"

"noAccessUsers"

false

"GRANTED"

"match"

"all_properties"

"*"

"NODE(*)"

"publisher"

false

"GRANTED"

"write"

"graph"

"*"

"NODE(*)"

"publisher"

false

"GRANTED"

"match"

"all_properties"

"*"

"RELATIONSHIP(*)"

"publisher"

false

"GRANTED"

"write"

"graph"

"*"

"RELATIONSHIP(*)"

"publisher"

false

"GRANTED"

"access"

"database"

"*"

"database"

"publisher"

false

"GRANTED"

"token"

"database"

"*"

"database"

"publisher"

false

"GRANTED"

"match"

"all_properties"

"*"

"NODE(*)"

"reader"

false

"GRANTED"

"match"

"all_properties"

"*"

"RELATIONSHIP(*)"

"reader"

false

"GRANTED"

"access"

"database"

"*"

"database"

"reader"

false

"GRANTED"

"access"

"database"

"neo4j"

"database"

"regularUsers"

false

It is also possible to filter and sort the results by using YIELD, ORDER BY and WHERE:

SHOW PRIVILEGES YIELD role, access, action, segment
ORDER BY action
WHERE role = 'admin'

In this example:

  • The number of columns returned has been reduced with the YIELD clause.

  • The order of the returned columns has been changed.

  • The results have been filtered to only return the admin role using a WHERE clause.

  • The results are ordered by the action column using ORDER BY.

SKIP and LIMIT can also be used to paginate the results.

Table 10. Result
role access action segment

"admin"

"GRANTED"

"access"

"database"

"admin"

"GRANTED"

"constraint"

"database"

"admin"

"GRANTED"

"dbms_actions"

"database"

"admin"

"GRANTED"

"index"

"database"

"admin"

"GRANTED"

"match"

"NODE(*)"

"admin"

"GRANTED"

"match"

"RELATIONSHIP(*)"

"admin"

"GRANTED"

"start_database"

"database"

"admin"

"GRANTED"

"stop_database"

"database"

"admin"

"GRANTED"

"token"

"database"

"admin"

"GRANTED"

"transaction_management"

"USER(*)"

"admin"

"GRANTED"

"write"

"NODE(*)"

"admin"

"GRANTED"

"write"

"RELATIONSHIP(*)"

Rows: 12

WHERE can also be used without YIELD:

SHOW PRIVILEGES
WHERE graph <> '*'

In this example, the WHERE clause is used to filter privileges down to those that target specific graphs only.

Table 11. Result
access action graph resource role segment

"GRANTED"

"access"

"DEFAULT"

"database"

"PUBLIC"

"database"

"DENIED"

"access"

"neo4j"

"database"

"noAccessUsers"

"database"

"GRANTED"

"access"

"neo4j"

"database"

"regularUsers"

"database"

Rows: 3

Aggregations in the RETURN clause can be used to group privileges. In this case, by user and GRANTED or DENIED:

SHOW PRIVILEGES YIELD * RETURN role, access, collect([graph, resource, segment, action]) AS privileges
Table 12. Result
role access privileges

"PUBLIC"

"GRANTED"

[["*","database","FUNCTION(*)","execute"],["*","database","PROCEDURE(*)","execute"],["DEFAULT","database","database","access"]]

"admin"

"GRANTED"

[["*","all_properties","NODE(*)","match"],["*","graph","NODE(*)","write"],["*","all_properties","RELATIONSHIP(*)","match"],["*","graph","RELATIONSHIP(*)","write"],["*","database","USER(*)","transaction_management"],["*","database","database","access"],["*","database","database","constraint"],["*","database","database","dbms_actions"],["*","database","database","index"],["*","database","database","start_database"],["*","database","database","stop_database"],["*","database","database","token"]]

"architect"

"GRANTED"

[["*","all_properties","NODE(*)","match"],["*","graph","NODE(*)","write"],["*","all_properties","RELATIONSHIP(*)","match"],["*","graph","RELATIONSHIP(*)","write"],["*","database","database","access"],["*","database","database","constraint"],["*","database","database","index"],["*","database","database","token"]]

"editor"

"GRANTED"

[["*","all_properties","NODE(*)","match"],["*","graph","NODE(*)","write"],["*","all_properties","RELATIONSHIP(*)","match"],["*","graph","RELATIONSHIP(*)","write"],["*","database","database","access"]]

"noAccessUsers"

"DENIED"

[["neo4j","database","database","access"]]

"publisher"

"GRANTED"

[["*","all_properties","NODE(*)","match"],["*","graph","NODE(*)","write"],["*","all_properties","RELATIONSHIP(*)","match"],["*","graph","RELATIONSHIP(*)","write"],["*","database","database","access"],["*","database","database","token"]]

"reader"

"GRANTED"

[["*","all_properties","NODE(*)","match"],["*","all_properties","RELATIONSHIP(*)","match"],["*","database","database","access"]]

"regularUsers"

"GRANTED"

[["neo4j","database","database","access"]]

Rows: 8

The RETURN clause can also be used to order and paginate the results, which is useful when combined with YIELD and WHERE. In this example the query returns privileges for display five-per-page, and skips the first five to display the second page.

SHOW PRIVILEGES YIELD * RETURN * ORDER BY role SKIP 5 LIMIT 5
Table 13. Result
access action graph resource role segment immutable

"GRANTED"

"match"

"*"

"all_properties"

"admin"

"RELATIONSHIP(*)"

false

"GRANTED"

"write"

"*"

"graph"

"admin"

"RELATIONSHIP(*)"

false

"GRANTED"

"transaction_management"

"*"

"database"

"admin"

"USER(*)"

false

"GRANTED"

"access"

"*"

"database"

"admin"

"database"

false

"GRANTED"

"constraint"

"*"

"database"

"admin"

"database"

false

Available privileges can also be displayed as Cypher commands by adding AS COMMAND[S]:

SHOW PRIVILEGES AS COMMANDS
Table 14. Result
command

"DENY ACCESS ON DATABASE neo4j TO `noAccessUsers`"

"GRANT ACCESS ON DATABASE * TO `admin`"

"GRANT ACCESS ON DATABASE * TO `architect`"

"GRANT ACCESS ON DATABASE * TO `editor`"

"GRANT ACCESS ON DATABASE * TO `publisher`"

"GRANT ACCESS ON DATABASE * TO `reader`"

"GRANT ACCESS ON DATABASE neo4j TO `regularUsers`"

"GRANT ACCESS ON HOME DATABASE TO `PUBLIC`"

"GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`"

"GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`"

"GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `architect`"

"GRANT EXECUTE FUNCTION * ON DBMS TO `PUBLIC`"

"GRANT EXECUTE PROCEDURE * ON DBMS TO `PUBLIC`"

"GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`"

"GRANT INDEX MANAGEMENT ON DATABASE * TO `architect`"

"GRANT MATCH {*} ON GRAPH * NODE * TO `admin`"

"GRANT MATCH {*} ON GRAPH * NODE * TO `architect`"

"GRANT MATCH {*} ON GRAPH * NODE * TO `editor`"

"GRANT MATCH {*} ON GRAPH * NODE * TO `publisher`"

"GRANT MATCH {*} ON GRAPH * NODE * TO `reader`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `architect`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `editor`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `publisher`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `reader`"

"GRANT NAME MANAGEMENT ON DATABASE * TO `admin`"

"GRANT NAME MANAGEMENT ON DATABASE * TO `architect`"

"GRANT NAME MANAGEMENT ON DATABASE * TO `publisher`"

"GRANT START ON DATABASE * TO `admin`"

"GRANT STOP ON DATABASE * TO `admin`"

"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`"

"GRANT WRITE ON GRAPH * TO `admin`"

"GRANT WRITE ON GRAPH * TO `architect`"

"GRANT WRITE ON GRAPH * TO `editor`"

"GRANT WRITE ON GRAPH * TO `publisher`"

Rows: 35

Like other SHOW commands, the output can also be processed using YIELD / WHERE / RETURN:

SHOW PRIVILEGES AS COMMANDS
WHERE command CONTAINS 'MANAGEMENT'
Table 15. Result
command

"GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`"

"GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `architect`"

"GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`"

"GRANT INDEX MANAGEMENT ON DATABASE * TO `architect`"

"GRANT NAME MANAGEMENT ON DATABASE * TO `admin`"

"GRANT NAME MANAGEMENT ON DATABASE * TO `architect`"

"GRANT NAME MANAGEMENT ON DATABASE * TO `publisher`"

"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`"

Rows: 8

It is also possible to get the privileges listed as revoking commands instead of granting or denying:

SHOW PRIVILEGES AS REVOKE COMMANDS
Table 16. Result
command

"REVOKE DENY ACCESS ON DATABASE neo4j FROM `noAccessUsers`"

"REVOKE GRANT ACCESS ON DATABASE * FROM `admin`"

"REVOKE GRANT ACCESS ON DATABASE * FROM `architect`"

"REVOKE GRANT ACCESS ON DATABASE * FROM `editor`"

"REVOKE GRANT ACCESS ON DATABASE * FROM `publisher`"

"REVOKE GRANT ACCESS ON DATABASE * FROM `reader`"

"REVOKE GRANT ACCESS ON DATABASE neo4j FROM `regularUsers`"

"REVOKE GRANT ACCESS ON HOME DATABASE FROM `PUBLIC`"

"REVOKE GRANT ALL DBMS PRIVILEGES ON DBMS FROM `admin`"

"REVOKE GRANT CONSTRAINT MANAGEMENT ON DATABASE * FROM `admin`"

"REVOKE GRANT CONSTRAINT MANAGEMENT ON DATABASE * FROM `architect`"

"REVOKE GRANT EXECUTE FUNCTION * ON DBMS FROM `PUBLIC`"

"REVOKE GRANT EXECUTE PROCEDURE * ON DBMS FROM `PUBLIC`"

"REVOKE GRANT INDEX MANAGEMENT ON DATABASE * FROM `admin`"

"REVOKE GRANT INDEX MANAGEMENT ON DATABASE * FROM `architect`"

"REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM `admin`"

"REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM `architect`"

"REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM `editor`"

"REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM `publisher`"

"REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM `reader`"

"REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM `admin`"

"REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM `architect`"

"REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM `editor`"

"REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM `publisher`"

"REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM `reader`"

"REVOKE GRANT NAME MANAGEMENT ON DATABASE * FROM `admin`"

"REVOKE GRANT NAME MANAGEMENT ON DATABASE * FROM `architect`"

"REVOKE GRANT NAME MANAGEMENT ON DATABASE * FROM `publisher`"

"REVOKE GRANT START ON DATABASE * FROM `admin`"

"REVOKE GRANT STOP ON DATABASE * FROM `admin`"

"REVOKE GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * FROM `admin`"

"REVOKE GRANT WRITE ON GRAPH * FROM `admin`"

"REVOKE GRANT WRITE ON GRAPH * FROM `architect`"

"REVOKE GRANT WRITE ON GRAPH * FROM `editor`"

"REVOKE GRANT WRITE ON GRAPH * FROM `publisher`"

Rows: 35

For more info about revoking privileges, please see The REVOKE command.

Examples for listing privileges for specific roles

Available privileges for specific roles can be displayed using SHOW ROLE name PRIVILEGE[S]:

SHOW ROLE[S] name[, ...] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  [WHERE expression]

SHOW ROLE[S] name[, ...] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
SHOW ROLE regularUsers PRIVILEGES

Lists all privileges for role regularUsers.

Table 17. Result
access action graph resource role segment immutable

"GRANTED"

"access"

"database"

"neo4j"

"database"

"regularUsers"

false

SHOW ROLES regularUsers, noAccessUsers PRIVILEGES

Lists all privileges for roles regularUsers and noAccessUsers.

Table 18. Result
access action graph resource role segment immutable

"DENIED"

"access"

"database"

"neo4j"

"database"

"noAccessUsers"

false

"GRANTED"

"access"

"database"

"neo4j"

"database"

"regularUsers"

false

Similar to the other SHOW PRIVILEGES commands, the available privileges for roles can also be listed as Cypher commands with the optional AS COMMAND[S].

SHOW ROLES regularUsers, noAccessUsers PRIVILEGES AS COMMANDS
Table 19. Result
command

"GRANT ACCESS ON DATABASE * TO `admin`"

"GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`"

"GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`"

"GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`"

"GRANT MATCH {*} ON GRAPH * NODE * TO `admin`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`"

"GRANT NAME MANAGEMENT ON DATABASE * TO `admin`"

"GRANT START ON DATABASE * TO `admin`"

"GRANT STOP ON DATABASE * TO `admin`"

"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`"

"GRANT WRITE ON GRAPH * TO `admin`"

Rows: 11

The output can be processed using YIELD / WHERE / RETURN here as well:

SHOW ROLE architect PRIVILEGES AS COMMANDS WHERE command CONTAINS 'MATCH'
Table 20. Result
command

"GRANT MATCH {*} ON GRAPH * NODE * TO `architect`"

"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `architect`"

Rows: 2

Again, it is possible to get the privileges listed as revoking commands instead of granting or denying. For more info about revoking privileges, please see The REVOKE command.

SHOW ROLE reader PRIVILEGES AS REVOKE COMMANDS
Table 21. Result
command

"REVOKE GRANT ACCESS ON DATABASE * FROM `reader`"

"REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM `reader`"

"REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM `reader`"

Rows: 3

Examples for listing privileges for specific users

Available privileges for specific users can be displayed using SHOW USER name PRIVILEGES.

Note that if a non-native auth provider like LDAP is in use, SHOW USER PRIVILEGES will only work with a limited capacity as it is only possible for a user to show their own privileges. Other users' privileges cannot be listed when using a non-native auth provider.

SHOW USER[S] [name[, ...]] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  [WHERE expression]

SHOW USER[S] [name[, ...]] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
SHOW USER jake PRIVILEGES

Lists all privileges for user jake.

Table 22. Result
access action resource graph resource role segment immutable

"GRANTED"

"execute"

"database"

"*"

"FUNCTION(*)"

"PUBLIC"

"jake"

false

"GRANTED"

"execute"

"database"

"*"

"PROCEDURE(*)"

"PUBLIC"

"jake"

false

"GRANTED"

"access"

"database"

"DEFAULT"

"database"

"PUBLIC"

"jake"

false

"GRANTED"

"access"

"database"

"neo4j"

"database"

"regularUsers"

"jake"

false

SHOW USERS jake, joe PRIVILEGES

Lists all privileges for users jake and joe.

Table 23. Result
access action resource graph resource role segment immutable

"GRANTED"

"execute"

"database"

"*"

"FUNCTION(*)"

"PUBLIC"

"jake"

false

"GRANTED"

"execute"

"database"

"*"

"PROCEDURE(*)"

"PUBLIC"

"jake"

false

"GRANTED"

"access"

"database"

"DEFAULT"

"database"

"PUBLIC"

"jake"

false

"GRANTED"

"access"

"database"

"neo4j"

"database"

"regularUsers"

"jake"

false

"GRANTED"

"execute"

"database"

"*"

"FUNCTION(*)"

"PUBLIC"

"joe"

false

"GRANTED"

"execute"

"database"

"*"

"PROCEDURE(*)"

"PUBLIC"

"joe"

false

"GRANTED"

"access"

"database"

"DEFAULT"

"database"

"PUBLIC"

"joe"

false

"DENIED"

"access"

"database"

"neo4j"

"database"

"noAccessUsers"

"joe"

false

The same command can be used at all times to review available privileges for the current user. For this purpose, there is a shorter form of the command: SHOW USER PRIVILEGES:

SHOW USER PRIVILEGES

As for the other privilege commands, available privileges for users can also be listed as Cypher commands with the optional AS COMMAND[S].

When showing user privileges as commands, the roles in the Cypher commands are replaced with a parameter. This can be used to quickly create new roles based on the privileges of specific users.

SHOW USER jake PRIVILEGES AS COMMANDS
Table 24. Result
command

"GRANT ACCESS ON DATABASE neo4j TO $role"

"GRANT ACCESS ON HOME DATABASE TO $role"

"GRANT EXECUTE FUNCTION * ON DBMS TO $role"

"GRANT EXECUTE PROCEDURE * ON DBMS TO $role"

Rows: 4

Like other SHOW commands, the output can also be processed using YIELD / WHERE / RETURN. Additionally, similar to the other show privilege commands, it is also possible to show the commands for revoking the privileges.

SHOW USER jake PRIVILEGES AS REVOKE COMMANDS
WHERE command CONTAINS 'EXECUTE'
Table 25. Result
command

"REVOKE GRANT EXECUTE FUNCTION * ON DBMS FROM $role"

"REVOKE GRANT EXECUTE PROCEDURE * ON DBMS FROM $role"

Rows: 2

Revoking privileges

Privileges that were granted or denied earlier can be revoked using the REVOKE command:

REVOKE
  [ IMMUTABLE ]
  [ GRANT | DENY ] graph-privilege
  FROM role[, ...]

An example usage of the REVOKE command is given here:

REVOKE GRANT TRAVERSE ON HOME GRAPH NODES Post FROM regularUsers

While it can be explicitly specified that REVOKE should remove a GRANT or DENY, it is also possible to REVOKE both by not specifying them at all, as the next example demonstrates. Because of this, if there happens to be a GRANT and a DENY for the same privilege, it would remove both.

REVOKE TRAVERSE ON HOME GRAPH NODES Payments FROM regularUsers

Adding IMMUTABLE explicitly specifies that only immutable privileges should be removed. Omitting it specifies that both immutable and regular privileges should be removed.