5.5.6. Security of administration

This section explains how to use Cypher to manage Neo4j administrative privileges.

All of the commands described in the enclosing Administration section require that the user executing the commands has the rights to do so. These privileges can be conferred either by granting the user the admin role, which enables all administrative rights, or by granting specific combinations of privileges.

The admin role
Database administration
DBMS administration

5.5.6.1. The `admin` role

The built-in role admin includes a number of privileges allowing users granted this role the ability to perform administrative tasks. These include the rights to perform the following classes of tasks:

Manage database security for controlling the rights to perform actions on specific databases:
- Manage access to a database and the right to start and stop a database
- Manage indexes and constraints
- Allow the creation of labels, relationship types or property names
Manage DBMS security for controlling the rights to perform actions on the entire system:
- Manage multiple databases
- Manage users and roles
- Change configuration parameters
- Manage transactions
- Manage sub-graph privileges
- Manage procedure security

These rights are conferred using privileges that can be managed using GRANT, DENY and REVOKE commands, with the exception of changing configuration parameters and procedure security. Those are only available within the built-in admin role, or in the case of procedure security, through the dbms.security.procedures.default_allowed and dbms.security.procedures.roles configuration parameters.

Query.

SHOW ROLE admin PRIVILEGES

Table 5.40. Result
access	action	resource	graph	segment	role
9 rows
`"GRANTED"`	`"match"`	`"all_properties"`	`"*"`	`"NODE(*)"`	`"admin"`
`"GRANTED"`	`"write"`	`"graph"`	`"*"`	`"NODE(*)"`	`"admin"`
`"GRANTED"`	`"match"`	`"all_properties"`	`"*"`	`"RELATIONSHIP(*)"`	`"admin"`
`"GRANTED"`	`"write"`	`"graph"`	`"*"`	`"RELATIONSHIP(*)"`	`"admin"`
`"GRANTED"`	`"access"`	`"database"`	`"*"`	`"database"`	`"admin"`
`"GRANTED"`	`"admin"`	`"database"`	`"*"`	`"database"`	`"admin"`
`"GRANTED"`	`"constraint"`	`"database"`	`"*"`	`"database"`	`"admin"`
`"GRANTED"`	`"index"`	`"database"`	`"*"`	`"database"`	`"admin"`
`"GRANTED"`	`"token"`	`"database"`	`"*"`	`"database"`	`"admin"`

Try this query live. CREATE USER jake SET PASSWORD 'abc123' CHANGE NOT REQUIRED SET STATUS ACTIVE CREATE ROLE regularUsers CREATE ROLE databaseAdminUsers CREATE ROLE noAccessUsers CREATE ROLE roleAdder CREATE ROLE roleDropper CREATE ROLE roleAssigner CREATE ROLE roleRemover CREATE ROLE roleShower CREATE ROLE roleManager CREATE ROLE userAdder CREATE ROLE userDropper CREATE ROLE userModifier CREATE ROLE passwordModifier CREATE ROLE statusModifier CREATE ROLE userShower CREATE ROLE userManager CREATE ROLE databaseAdder CREATE ROLE databaseDropper CREATE ROLE databaseManager CREATE ROLE privilegeShower CREATE ROLE privilegeAssigner CREATE ROLE privilegeRemover CREATE ROLE privilegeManager CREATE ROLE dbmsManager GRANT ROLE regularUsers TO jake DENY ACCESS ON DATABASE neo4j TO noAccessUsers SHOW ROLE admin PRIVILEGES

If the built-in admin role has been altered or dropped, and needs to be restored to its original state, see Operations Manual → Password and user recovery.

5.5.6.2. Database administration

The administrators can use the following Cypher commands to manage Neo4j database administrative rights. The components of the database privilege commands are:

the command:
- GRANT – gives privileges to roles.
- DENY – denies privileges to roles.
- REVOKE – removes granted or denied privilege from roles.
database-privilege
- ACCESS - allows access to a specific database.
- START - allows the specified database to be started.
- STOP - allows the specified database to be stopped.
- CREATE INDEX - allows indexes to be created on the specified database.
- DROP INDEX - allows indexes to be deleted on the specified database.
- INDEX [MANAGEMENT] - allows indexes to be created and deleted on the specified database.
- CREATE CONSTRAINT - allows constraints to be created on the specified database.
- DROP CONSTRAINT - allows constraints to be deleted on the specified database.
- CONSTRAINT [MANAGEMENT] - allows constraints to be created and deleted on the specified database.
- CREATE NEW [NODE] LABEL - allows labels to be created so that future nodes can be assigned them.
- CREATE NEW [RELATIONSHIP] TYPE - allows relationship types to be created, so that future relationships can be created with these types.
- CREATE NEW [PROPERTY] NAME - allows property names to be created, so that nodes and relationships can have properties with these names assigned.
- NAME [MANAGEMENT] - allows all of the name management capabilities: node labels, relationship types, and property names.
- ALL [[DATABASE] PRIVILEGES] - allows access, index, constraint, and name management for the specified database.
- SHOW TRANSACTION {* | user[, …]} - allows listing transactions and queries for the specified users on the specified database.
- TERMINATE TRANSACTION {* | user[, …]} - allows ending transactions and queries for the specified users on the specified database.
- TRANSACTION [MANAGEMENT] {* | user[, …]} - allows listing and ending transactions and queries for the specified users on the specified database.

name

The database to associate the privilege with.

If you delete a database and create a new one with the same name, the new one will NOT have the privileges assigned to the deleted database.

The name component can be *, which means all databases. Databases created after this command execution will also be associated with these privileges.
The DATABASE[S] *name* part of the command can be replaced by DEFAULT DATABASE. If you restart the server and choose a new default database after this command execution, the new one will be associated with these privileges.

role[, …]
- The role or roles to associate the privilege with, comma-separated.

Table 5.41. Privilege command syntax
Command	Description
`GRANT database-privilege ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant a privilege to one or multiple roles.
`DENY database-privilege ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Deny a privilege to one or multiple roles.
`REVOKE GRANT database-privilege ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} FROM role[, ...]`	Revoke a granted privilege from one or multiple roles.
`REVOKE DENY database-privilege ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} FROM role[, ...]`	Revoke a denied privilege from one or multiple roles.
`REVOKE database-privilege ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} FROM role[, ...]`	Revoke a granted or denied privilege from one or multiple roles.

DENY does NOT erase a granted privilege; they both exist. Use REVOKE if you want to remove a privilege.

Table 5.42. Database management command syntax
Command	Description
`GRANT ACCESS ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to access the default database, specific database(s), or all databases.
`GRANT {START \| STOP} ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to start and stop the default database, specific database(s), or all databases.
`GRANT {CREATE \| DROP} INDEX[ES] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to create and delete indexes on the default database, specific database(s), or all databases.
`GRANT INDEX[ES] [MANAGEMENT] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to manage indexes on the default database, specific database(s), or all databases.
`GRANT {CREATE \| DROP} CONSTRAINT[S] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to create and delete constraints on the default database, specific database(s), or all databases.
`GRANT CONSTRAINT[S] [MANAGEMENT] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to manage constraints on the default database, specific database(s), or all databases.
`GRANT CREATE NEW [NODE] LABEL[S] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to create new node labels in the default database, specific database(s), or all databases.
`GRANT CREATE NEW [RELATIONSHIP] TYPE[S] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to create new relationships types in the default database, specific database(s), or all databases.
`GRANT CREATE NEW [PROPERTY] NAME[S] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to create new property names in the default database, specific database(s), or all databases.
`GRANT NAME [MANAGEMENT] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to manage new labels, relationship types, and property names in the default database, specific database(s), or all databases.
`GRANT ALL [[DATABASE] PRIVILEGES] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles all privileges for the default database, specific database(s), or all databases.
`GRANT {SHOW \| TERMINATE} TRANSACTION[S] [(* \| user[, ...])] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to list and end the transactions and queries of all users or a particular user(s) in the default database, specific database(s), or all databases.
`GRANT TRANSACTION [MANAGEMENT] [(* \| user[, ...])] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role[, ...]`	Grant the specified roles the privilege to manage the transactions and queries of all users or a particular user(s) in the default database, specific database(s), or all databases.

Figure 5.2. Syntax of GRANT and DENY Database Privileges

The database `ACCESS` privilege

The ACCESS privilege enables users to connect to a database. With ACCESS you can run calculations, for example, RETURN 2*5 AS answer or call functions RETURN timestamp() AS time.

Command syntax.

GRANT ACCESS
    ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}}
    TO role [, ...]

For example, granting the ability to access the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT ACCESS
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The ACCESS privilege can also be denied.

Command syntax.

DENY ACCESS
    ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}}
    TO role [, ...]

For example, denying the ability to access to the database neo4j to the role regularUsers is done using the following query.

Query.

DENY ACCESS
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The privileges granted can be seen using the SHOW PRIVILEGES command:

Query.

SHOW ROLE regularUsers PRIVILEGES

Table 5.43. Result
access	action	resource	graph	segment	role
2 rows
`"DENIED"`	`"access"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"access"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`

The database `START`/`STOP` privileges

The START privilege can be used to enable the ability to start a database.

Command syntax.

GRANT START
    ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}}
    TO role [, ...]

For example, granting the ability to start the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT
START
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The START privilege can also be denied.

Command syntax.

DENY START
    ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}}
    TO role [, ...]

For example, denying the ability to start to the database neo4j to the role regularUsers is done using the following query.

Query.

DENY
START
ON DATABASE system TO regularUsers

0 rows, System updates: 1

The STOP privilege can be used to enable the ability to stop a database.

Command syntax.

GRANT STOP
    ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}}
    TO role [, ...]

For example, granting the ability to stop the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT STOP
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The STOP privilege can also be denied.

Command syntax.

DENY STOP
    ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}}
    TO role [, ...]

For example, denying the ability to stop to the database neo4j to the role regularUsers is done using the following query.

Query.

DENY STOP
ON DATABASE system TO regularUsers

0 rows, System updates: 1

The privileges granted can be seen using the SHOW PRIVILEGES command:

Query.

SHOW ROLE regularUsers PRIVILEGES

Table 5.44. Result
access	action	resource	graph	segment	role
6 rows
`"DENIED"`	`"access"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"access"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"start_database"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"stop_database"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"DENIED"`	`"start_database"`	`"database"`	`"system"`	`"database"`	`"regularUsers"`
`"DENIED"`	`"stop_database"`	`"database"`	`"system"`	`"database"`	`"regularUsers"`

Note that START and STOP privileges are not included in the ALL DATABASE PRIVILEGES.

The `INDEX MANAGEMENT` privileges

Indexes can be created or deleted with the CREATE INDEX and DROP INDEX commands. The privilege to do this can be granted with GRANT CREATE INDEX and GRANT DROP INDEX commands.

Table 5.45. Index management command syntax
Command	Description
`GRANT {CREATE \| DROP} INDEX[ES] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role [, ...]`	Enable the specified roles to create or delete indexes in the default database, specific database(s), or all databases.
`GRANT INDEX[ES] [MANAGEMENT] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role [, ...]`	Enable the specified roles to manage indexes in the default database, specific database(s), or all databases.

For example, granting the ability to create indexes on the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT
CREATE INDEX ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The `CONSTRAINT MANAGEMENT` privileges

Constraints can be created or deleted with the CREATE CONSTRAINT and DROP CONSTRAINT commands. The privilege to do this can be granted with GRANT CREATE CONSTRAINT and GRANT DROP CONSTRAINT commands.

Table 5.46. Constraint management command syntax
Command	Description
`GRANT {CREATE \| DROP} CONSTRAINT[S] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role [, ...]`	Enable the specified roles to create or delete constraints on the default database, specific database(s), or all databases.
`GRANT CONSTRAINT[S] [MANAGEMENT] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role [, ...]`	Enable the specified roles to manage constraints on the default database, specific database(s), or all databases.

For example, granting the ability to create constraints on the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT
CREATE CONSTRAINT ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The `NAME MANAGEMENT` privileges

The right to create new labels, relationship types or property names is different from the right to create nodes, relationships or properties. The latter is managed using database WRITE privileges, while the former is managed using specific GRANT/DENY CREATE NEW … commands for each type.

Table 5.47. Label, relationship type and property name management command syntax
Command	Description
`GRANT CREATE NEW [NODE] LABEL[S] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role [, ...]`	Enable the specified roles to create new node labels in the default database, specific database(s), or all databases.
`GRANT CREATE NEW [RELATIONSHIP] TYPE[S] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role [, ...]`	Enable the specified roles to create new relationship types in the default database, specific database(s), or all databases.
`GRANT CREATE NEW [PROPERTY] NAME[S] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role [, ...]`	Enable the specified roles to create new property names in the default database, specific database(s), or all databases.
`GRANT NAME [MANAGEMENT] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}} TO role [, ...]`	Enable the specified roles to create new labels, relationship types, and property names in the default database, specific database(s), or all databases.

For example, granting the ability to create new properties on nodes or relationships in the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT
CREATE NEW PROPERTY NAME
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

Granting `ALL DATABASE PRIVILEGES`

The right to access a database, create and drop indexes and constraints and create new labels, relationship types or property names can be achieved with a single command:

Command syntax.

GRANT ALL [[DATABASE] PRIVILEGES]
    ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...] \| *}}
    TO role[, ...]

Note that the privileges for starting and stopping all databases, and transaction management, are not included in the ALL DATABASE PRIVILEGES grant. These privileges are associated with administrators while other database privileges are of use to domain and application developers.

For example, granting the abilities above on the database neo4j to the role databaseAdminUsers is done using the following query.

Query.

GRANT ALL DATABASE PRIVILEGES
ON DATABASE neo4j TO databaseAdminUsers

0 rows, System updates: 1

The privileges granted can be seen using the SHOW PRIVILEGES command:

Query.

SHOW ROLE databaseAdminUsers PRIVILEGES

Table 5.48. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"database_actions"`	`"database"`	`"neo4j"`	`"database"`	`"databaseAdminUsers"`

Granting `TRANSACTION MANAGEMENT` privileges

The right to run the procedures dbms.listTransactions, dbms.listQueries, dbms.killQuery, dbms.killQueries, dbms.killTransaction and dbms.killTransactions are managed through the SHOW TRANSACTION and TERMINATE TRANSACTION privileges.

Table 5.49. Transaction management command syntax
Command	Description
`GRANT SHOW TRANSACTION[S] [(* \| user[, ...])] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...]\| *}} TO role [, ...]`	Enable the specified roles to list transactions and queries for user(s) or all users in the default database, specific database(s), or all databases.
`GRANT TERMINATE TRANSACTION[S] [(* \| user[, ...])] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...]\| *}} TO role [, ...]`	Enable the specified roles to end running transactions and queries for user(s) or all users in the default database, specific database(s), or all databases.
`GRANT TRANSACTION [MANAGEMENT] [(* \| user[, ...])] ON {DEFAULT DATABASE \| DATABASE[S] {name [, ...]\| *}} TO role [, ...]`	Enable the specified roles to manage transactions and queries for user(s) or all users in the default database, specific database(s), or all databases.

Note that the TRANSACTION MANAGEMENT privileges are not included in the ALL DATABASE PRIVILEGES.

For example, granting the ability to list transactions for user jake in the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT SHOW TRANSACTION(jake)
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

5.5.6.3. DBMS administration

All DBMS privileges are relevant system-wide. Like user management, they do not belong to one specific database or graph. For more details on the differences between graphs, databases and the DBMS, refer to Section 1.2, “Neo4j databases and graphs”.

As described above, the admin role has a number of built-in privileges. These include:

Create and drop databases
Change configuration parameters
Manage transactions
Manage users and roles
Manage sub-graph privileges
Manage procedure security

The easiest way to enable a user to perform these tasks is to grant them the admin role. All of these privileges, except change configuration parameters and manage procedure security, are also assignable using Cypher commands. See the sections on role management, user management, database management, privilege management and transaction management for details. It is possible to make a custom role with a subset of these privileges.

Using a custom role to manage DBMS privileges

If it is desired to have an administrator with a subset of privileges that includes all DBMS privileges, but not all database privileges, this can be achieved by copying the admin role and revoking or denying some privileges.

First we copy the 'admin' role:

Query.

CREATE ROLE usermanager AS COPY OF admin

0 rows, System updates: 2

Then we DENY ACCESS to normal databases:

Query.

DENY ACCESS
ON DATABASE * TO usermanager

0 rows, System updates: 1

And DENY START and STOP for normal databases:

Query.

DENY
START
ON DATABASE * TO usermanager

0 rows, System updates: 1

Query.

DENY STOP
ON DATABASE * TO usermanager

0 rows, System updates: 1

And DENY index and constraint management:

Query.

DENY INDEX MANAGEMENT
ON DATABASE * TO usermanager

0 rows, System updates: 1

Query.

DENY CONSTRAINT MANAGEMENT
ON DATABASE * TO usermanager

0 rows, System updates: 1

And finally DENY label, relationship type and property name:

Query.

DENY NAME MANAGEMENT
ON DATABASE * TO usermanager

0 rows, System updates: 1

The resulting role should have privileges that only allow the DBMS capabilities, like user and role management:

Query.

SHOW ROLE usermanager PRIVILEGES

Lists all privileges for role 'usermanager'

Table 5.50. Result
access	action	resource	graph	segment	role
15 rows
`"GRANTED"`	`"match"`	`"all_properties"`	`"*"`	`"NODE(*)"`	`"usermanager"`
`"GRANTED"`	`"write"`	`"graph"`	`"*"`	`"NODE(*)"`	`"usermanager"`
`"GRANTED"`	`"match"`	`"all_properties"`	`"*"`	`"RELATIONSHIP(*)"`	`"usermanager"`
`"GRANTED"`	`"write"`	`"graph"`	`"*"`	`"RELATIONSHIP(*)"`	`"usermanager"`
`"DENIED"`	`"access"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"GRANTED"`	`"access"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"GRANTED"`	`"admin"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"constraint"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"GRANTED"`	`"constraint"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"index"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"GRANTED"`	`"index"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"start_database"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"stop_database"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"token"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"GRANTED"`	`"token"`	`"database"`	`"*"`	`"database"`	`"usermanager"`

The dbms `ROLE MANAGEMENT` privileges

The dbms privileges for role management are assignable using Cypher administrative commands. They can be granted, denied and revoked like other privileges.

Table 5.51. Role management privileges command syntax
Command	Description
`GRANT CREATE ROLE ON DBMS TO role[, ...]`	Enable the specified roles to create new roles.
`GRANT DROP ROLE ON DBMS TO role[, ...]`	Enable the specified roles to delete roles.
`GRANT ASSIGN ROLE ON DBMS TO role[, ...]`	Enable the specified roles to assign roles to users.
`GRANT REMOVE ROLE ON DBMS TO role[, ...]`	Enable the specified roles to remove roles from users.
`GRANT SHOW ROLE ON DBMS TO role[, ...]`	Enable the specified roles to list roles.
`GRANT ROLE MANAGEMENT ON DBMS TO role[, ...]`	Enable the specified roles to create, delete, assign, remove, and list roles.

The ability to add roles can be granted via the CREATE ROLE privilege. The following query shows an example of this:

Query.

GRANT
CREATE ROLE
ON DBMS TO roleAdder

0 rows, System updates: 1

The resulting role should have privileges that only allow adding roles:

Query.

SHOW ROLE roleAdder PRIVILEGES

Lists all privileges for role 'roleAdder'

Table 5.52. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"create_role"`	`"database"`	`"*"`	`"database"`	`"roleAdder"`

The ability to delete roles can be granted via the DROP ROLE privilege. The following query shows an example of this:

Query.

GRANT DROP ROLE
ON DBMS TO roleDropper

0 rows, System updates: 1

The resulting role should have privileges that only allow deleting roles:

Query.

SHOW ROLE roleDropper PRIVILEGES

Lists all privileges for role 'roleDropper'

Table 5.53. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"drop_role"`	`"database"`	`"*"`	`"database"`	`"roleDropper"`

The ability to assign roles to users can be granted via the ASSIGN ROLE privilege. The following query shows an example of this:

Query.

GRANT ASSIGN ROLE
ON DBMS TO roleAssigner

0 rows, System updates: 1

The resulting role should have privileges that only allow assigning/granting roles:

Query.

SHOW ROLE roleAssigner PRIVILEGES

Lists all privileges for role 'roleAssigner'

Table 5.54. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"assign_role"`	`"database"`	`"*"`	`"database"`	`"roleAssigner"`

The ability to remove roles from users can be granted via the REMOVE ROLE privilege. The following query shows an example of this:

Query.

GRANT
REMOVE ROLE
ON DBMS TO roleRemover

0 rows, System updates: 1

The resulting role should have privileges that only allow removing/revoking roles:

Query.

SHOW ROLE roleRemover PRIVILEGES

Lists all privileges for role 'roleRemover'

Table 5.55. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"remove_role"`	`"database"`	`"*"`	`"database"`	`"roleRemover"`

The ability to show roles can be granted via the SHOW ROLE privilege. A user with this privilege is allowed to execute the SHOW ROLES and SHOW POPULATED ROLES administration commands. For the SHOW ROLES WITH USERS and SHOW POPULATED ROLES WITH USERS administration commands, both this privilege and the SHOW USER privilege are required. The following query shows an example of how to grant the SHOW ROLE privilege:

Query.

GRANT SHOW ROLE
ON DBMS TO roleShower

0 rows, System updates: 1

The resulting role should have privileges that only allow showing roles:

Query.

SHOW ROLE roleShower PRIVILEGES

Lists all privileges for role 'roleShower'

Table 5.56. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"show_role"`	`"database"`	`"*"`	`"database"`	`"roleShower"`

All of the above mentioned privileges can be granted via the ROLE MANAGEMENT privilege. The following query shows an example of this:

Query.

GRANT ROLE MANAGEMENT
ON DBMS TO roleManager

0 rows, System updates: 1

The resulting role should have all privileges to manage roles:

Query.

SHOW ROLE roleManager PRIVILEGES

Lists all privileges for role 'roleManager'

Table 5.57. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"role_management"`	`"database"`	`"*"`	`"database"`	`"roleManager"`

The dbms `USER MANAGEMENT` privileges

The dbms privileges for user management are assignable using Cypher administrative commands. They can be granted, denied and revoked like other privileges.

Table 5.58. User management privileges command syntax
Command	Description
`GRANT CREATE USER ON DBMS TO role[, ...]`	Enable the specified roles to create new users.
`GRANT DROP USER ON DBMS TO role[, ...]`	Enable the specified roles to delete users.
`GRANT ALTER USER ON DBMS TO role[, ...]`	Enable the specified roles to modify users.
`GRANT SET PASSWORD[S] ON DBMS TO role[, ...]`	Enable the specified roles to modify users' passwords and whether those passwords must be changed upon first login.
`GRANT SET USER STATUS ON DBMS TO role[, ...]`	Enable the specified roles to modify the account status of users.
`GRANT SHOW USER ON DBMS TO role[, ...]`	Enable the specified roles to list users.
`GRANT USER MANAGEMENT ON DBMS TO role[, ...]`	Enable the specified roles to create, delete, modify, and list users.

The ability to add users can be granted via the CREATE USER privilege. The following query shows an example of this:

Query.

GRANT
CREATE USER
ON DBMS TO userAdder

0 rows, System updates: 1

The resulting role should have privileges that only allow adding users:

Query.

SHOW ROLE userAdder PRIVILEGES

Lists all privileges for role 'userAdder'

Table 5.59. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"create_user"`	`"database"`	`"*"`	`"database"`	`"userAdder"`

The ability to delete users can be granted via the DROP USER privilege. The following query shows an example of this:

Query.

GRANT DROP USER
ON DBMS TO userDropper

0 rows, System updates: 1

The resulting role should have privileges that only allow deleting users:

Query.

SHOW ROLE userDropper PRIVILEGES

Lists all privileges for role 'userDropper'

Table 5.60. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"drop_user"`	`"database"`	`"*"`	`"database"`	`"userDropper"`

The ability to modify users can be granted via the ALTER USER privilege. The following query shows an example of this:

Query.

GRANT ALTER USER
ON DBMS TO userModifier

0 rows, System updates: 1

The resulting role should have privileges that only allow modifying users:

Query.

SHOW ROLE userModifier PRIVILEGES

Lists all privileges for role 'userModifier'

Table 5.61. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"alter_user"`	`"database"`	`"*"`	`"database"`	`"userModifier"`

A user that is granted ALTER USER is allowed to run the ALTER USER administration command with one or several of the SET PASSWORD, SET PASSWORD CHANGE [NOT] REQUIRED and SET STATUS parts:

Query.

ALTER USER jake
SET PASSWORD 'secret'
SET STATUS SUSPENDED

0 rows, System updates: 1

The ability to modify users' passwords and whether those passwords must be changed upon first login can be granted via the SET PASSWORDS privilege. The following query shows an example of this:

Query.

GRANT
SET PASSWORDS
ON DBMS TO passwordModifier

0 rows, System updates: 1

The resulting role should have privileges that only allow modifying users' passwords and whether those passwords must be changed upon first login:

Query.

SHOW ROLE passwordModifier PRIVILEGES

Lists all privileges for role 'passwordModifier'

Table 5.62. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"set_passwords"`	`"database"`	`"*"`	`"database"`	`"passwordModifier"`

A user that is granted SET PASSWORDS is allowed to run the ALTER USER administration command with one or both of the SET PASSWORD and SET PASSWORD CHANGE [NOT] REQUIRED parts:

Query.

ALTER USER jake
SET PASSWORD 'abc123' CHANGE NOT REQUIRED

0 rows, System updates: 1

The ability to modify the account status of users can be granted via the SET USER STATUS privilege. The following query shows an example of this:

Query.

GRANT
SET USER STATUS
ON DBMS TO statusModifier

0 rows, System updates: 1

The resulting role should have privileges that only allow modifying the account status of users:

Query.

SHOW ROLE statusModifier PRIVILEGES

Lists all privileges for role 'statusModifier'

Table 5.63. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"set_user_status"`	`"database"`	`"*"`	`"database"`	`"statusModifier"`

A user that is granted SET USER STATUS is allowed to run the ALTER USER administration command with only the SET STATUS part:

Query.

ALTER USER jake
SET STATUS ACTIVE

0 rows, System updates: 1

Note that the combination of the SET PASSWORDS and the SET USER STATUS privilege actions is equivalent to the ALTER USER privilege action.

The ability to show users can be granted via the SHOW USER privilege. The following query shows an example of this:

Query.

GRANT SHOW USER
ON DBMS TO userShower

0 rows, System updates: 1

The resulting role should have privileges that only allow showing users:

Query.

SHOW ROLE userShower PRIVILEGES

Lists all privileges for role 'userShower'

Table 5.64. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"show_user"`	`"database"`	`"*"`	`"database"`	`"userShower"`

All of the above mentioned privileges can be granted via the USER MANAGEMENT privilege. The following query shows an example of this:

Query.

GRANT USER MANAGEMENT
ON DBMS TO userManager

0 rows, System updates: 1

The resulting role should have all privileges to manage users:

Query.

SHOW ROLE userManager PRIVILEGES

Lists all privileges for role 'userManager'

Table 5.65. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"user_management"`	`"database"`	`"*"`	`"database"`	`"userManager"`

The dbms `DATABASE MANAGEMENT` privileges

The dbms privileges for database management are assignable using Cypher administrative commands. They can be granted, denied and revoked like other privileges.

Table 5.66. Database management privileges command syntax
Command	Description
`GRANT CREATE DATABASE ON DBMS TO role[, ...]`	Enable the specified roles to create new databases.
`GRANT DROP DATABASE ON DBMS TO role[, ...]`	Enable the specified roles to delete databases.
`GRANT DATABASE MANAGEMENT ON DBMS TO role[, ...]`	Enable the specified roles to manage databases.

The ability to create databases can be granted via the CREATE DATABASE privilege. The following query shows an example of this:

Query.

GRANT
CREATE DATABASE
ON DBMS TO databaseAdder

0 rows, System updates: 1

The resulting role should have privileges that only allow creating databases:

Query.

SHOW ROLE databaseAdder PRIVILEGES

Lists all privileges for role 'databaseAdder'

Table 5.67. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"create_database"`	`"database"`	`"*"`	`"database"`	`"databaseAdder"`

The ability to delete databases can be granted via the DROP DATABASE privilege. The following query shows an example of this:

Query.

GRANT DROP DATABASE
ON DBMS TO databaseDropper

0 rows, System updates: 1

The resulting role should have privileges that only allow deleting databases:

Query.

SHOW ROLE databaseDropper PRIVILEGES

Lists all privileges for role 'databaseDropper'

Table 5.68. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"drop_database"`	`"database"`	`"*"`	`"database"`	`"databaseDropper"`

Both of the above mentioned privileges can be granted via the DATABASE MANAGEMENT privilege. The following query shows an example of this:

Query.

GRANT DATABASE MANAGEMENT
ON DBMS TO databaseManager

0 rows, System updates: 1

The resulting role should have all privileges to manage databases:

Query.

SHOW ROLE databaseManager PRIVILEGES

Lists all privileges for role 'databaseManager'

Table 5.69. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"database_management"`	`"database"`	`"*"`	`"database"`	`"databaseManager"`

The dbms `PRIVILEGE MANAGEMENT` privileges

The dbms privileges for privilege management are assignable using Cypher administrative commands. They can be granted, denied and revoked like other privileges.

Table 5.70. Privilege management privileges command syntax
Command	Description
`GRANT SHOW PRIVILEGE ON DBMS TO role[, ...]`	Enable the specified roles to list privileges.
`GRANT ASSIGN PRIVILEGE ON DBMS TO role[, ...]`	Enable the specified roles to assign privileges using the `GRANT` and `DENY` commands.
`GRANT REMOVE PRIVILEGE ON DBMS TO role[, ...]`	Enable the specified roles to remove privileges using the `REVOKE` command.
`GRANT PRIVILEGE MANAGEMENT ON DBMS TO role[, ...]`	Enable the specified roles to list, assign, and remove privileges.

The ability to list privileges can be granted via the SHOW PRIVILEGE privilege. A user with this privilege is allowed to execute the SHOW PRIVILEGES and SHOW ROLE roleName PRIVILEGES administration commands. For the SHOW USER username PRIVILEGES administration command, both this privilege and the SHOW USER privilege are required. The following query shows an example of how to grant the SHOW PRIVILEGE privilege:

Query.

GRANT SHOW PRIVILEGE
ON DBMS TO privilegeShower

0 rows, System updates: 1

The resulting role should have privileges that only allow showing privileges:

Query.

SHOW ROLE privilegeShower PRIVILEGES

Lists all privileges for role 'privilegeShower'

Table 5.71. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"show_privilege"`	`"database"`	`"*"`	`"database"`	`"privilegeShower"`

Note that no specific privileges are required for showing the current user’s privileges using either SHOW USER *username* PRIVILEGES, or SHOW USER PRIVILEGES.

Please note that if a non-native auth provider like LDAP is in use, SHOW USER PRIVILEGES will only work in a limited capacity; It is only possible for a user to show their own privileges. Other users' privileges cannot be listed when using a non-native auth provider.

The ability to assign privileges to roles can be granted via the ASSIGN PRIVILEGE privilege. A user with this privilege is allowed to execute GRANT and DENY administration commands. The following query shows an example of how to grant this privilege:

Query.

GRANT ASSIGN PRIVILEGE
ON DBMS TO privilegeAssigner

0 rows, System updates: 1

The resulting role should have privileges that only allow assigning privileges:

Query.

SHOW ROLE privilegeAssigner PRIVILEGES

Lists all privileges for role 'privilegeAssigner'

Table 5.72. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"assign_privilege"`	`"database"`	`"*"`	`"database"`	`"privilegeAssigner"`

The ability to remove privileges from roles can be granted via the REMOVE PRIVILEGE privilege. A user with this privilege is allowed to execute REVOKE administration commands. The following query shows an example of how to grant this privilege:

Query.

GRANT
REMOVE PRIVILEGE
ON DBMS TO privilegeRemover

0 rows, System updates: 1

The resulting role should have privileges that only allow removing privileges:

Query.

SHOW ROLE privilegeRemover PRIVILEGES

Lists all privileges for role 'privilegeRemover'

Table 5.73. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"remove_privilege"`	`"database"`	`"*"`	`"database"`	`"privilegeRemover"`

All of the above mentioned privileges can be granted via the PRIVILEGE MANAGEMENT privilege. The following query shows an example of this:

Query.

GRANT PRIVILEGE MANAGEMENT
ON DBMS TO privilegeManager

0 rows, System updates: 1

The resulting role should have all privileges to manage privileges:

Query.

SHOW ROLE privilegeManager PRIVILEGES

Lists all privileges for role 'privilegeManager'

Table 5.74. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"privilege_management"`	`"database"`	`"*"`	`"database"`	`"privilegeManager"`

Granting `ALL DBMS PRIVILEGES`

The right to create, drop, assign, remove and show roles, create, alter, drop and show users, create and drop databases and show, assign and remove privileges can be achieved with a single command:

Command syntax.

GRANT ALL [[DBMS] PRIVILEGES]
    ON DBMS
    TO role[, ...]

For example, granting the abilities above to the role dbmsManager is done using the following query.

Query.

GRANT ALL DBMS PRIVILEGES
ON DBMS TO dbmsManager

0 rows, System updates: 1

The privileges granted can be seen using the SHOW PRIVILEGES command:

Query.

SHOW ROLE dbmsManager PRIVILEGES

Table 5.75. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"dbms_actions"`	`"database"`	`"*"`	`"database"`	`"dbmsManager"`