5.5.4. Security of administration

This section explains how to use Cypher to manage Neo4j administrative privileges.

All of the commands described in the enclosing Administration section require that the user executing the commands has the rights to do so. These privileges can be conferred either by granting the user the admin role, which enables all administrative rights, or by granting specific combinations of privileges.

5.5.4.1. The admin role

The built-in role admin includes a number of privileges allowing users granted this role the ability to perform administrative tasks. These include the rights to perform the following classes of tasks:

  • Manage database security for controlling the rights to perform actions on specific databases:

    • Manage access to a database and the right to start and stop a database
    • Manage indexes and constraints
    • Allow the creation of labels, relationship types or property names
  • Manage DBMS security for controlling the rights to perform actions on the entire system:

These rights are conferred using privileges that can be managed using GRANT, DENY and REVOKE commands, with the exception of the DBMS Security privileges which are only available within the built-in admin role.

Query. 

SHOW ROLE admin PRIVILEGES

Table 5.37. Result
access     action      resource          graph  segment            role
"GRANTED"  "read"      "all_properties"  "*"    "NODE(*)"          "admin"
"GRANTED"  "write"     "all_properties"  "*"    "NODE(*)"          "admin"
"GRANTED"  "traverse"  "graph"           "*"    "NODE(*)"          "admin"
"GRANTED"  "read"      "all_properties"  "*"    "RELATIONSHIP(*)"  "admin"
"GRANTED"  "write"     "all_properties"  "*"    "RELATIONSHIP(*)"  "admin"
"GRANTED"  "traverse"  "graph"           "*"    "RELATIONSHIP(*)"  "admin"
"GRANTED"  "access"    "database"        "*"    "database"         "admin"
"GRANTED"  "admin"     "database"        "*"    "database"         "admin"
"GRANTED"  "schema"    "database"        "*"    "database"         "admin"
"GRANTED"  "token"     "database"        "*"    "database"         "admin"
10 rows


5.5.4.2. Database administration

This section explains how to use Cypher to manage privileges for Neo4j database administrative rights.

As described in the section on sub-graph security, the GRANT command allows an administrator to grant a privilege to a role in order to access an entity. The DENY command allows an administrator to deny a privilege to a role in order to prevent access to an entity. The REVOKE command allows an administrator to remove a previously granted or denied privilege. The syntax is:

Table 5.38. Privilege command syntax
Command Description
GRANT database-privilege ON DATABASE[S] {dbname | *} TO role[, ...]

Grant a privilege to one or multiple roles

DENY database-privilege ON DATABASE[S] {dbname | *} TO role[, ...]

Deny a privilege to one or multiple roles

REVOKE GRANT database-privilege ON DATABASE[S] {dbname | *} FROM role[, ...]

Revoke a granted privilege from one or multiple roles

REVOKE DENY database-privilege ON DATABASE[S] {dbname | *} FROM role[, ...]

Revoke a denied privilege from one or multiple roles

REVOKE database-privilege ON DATABASE[S] {dbname | *} FROM role[, ...]

Revoke a granted or denied privilege from one or multiple roles

These commands are very similar to the graph-privilege commands, except for the use of the term DATABASE, the absence of an entity, and a different set of available database-privileges.

Where the components are:

  • database-privilege

    • ACCESS

      allows access for a specific database/graph

    • START

      allows the specified database to be started

    • STOP

      allows the specified database to be stopped

    • CREATE INDEX

      allows indexes to be created on the specified database.

    • DROP INDEX

      allows indexes to be deleted on the specified database.

    • INDEX [MANAGEMENT]

      allows indexes to be created and deleted on the specified database.

    • CREATE CONSTRAINT

      allows constraints to be created on the specified database.

    • DROP CONSTRAINT

      allows constraints to be deleted on the specified database.

    • CONSTRAINT [MANAGEMENT]

      allows constraints to be created and deleted on the specified database.

    • CREATE NEW [NODE] LABEL

      allows labels to be created so that future nodes can be assigned them.

    • CREATE NEW [RELATIONSHIP] TYPE

      allows relationship types to be created so that future relationships can be created with these types.

    • CREATE NEW [PROPERTY] NAME

      allows property names to be created so that nodes and relationships can have properties with these names assigned.

    • NAME [MANAGEMENT]

      allows all of the name management capabilities: node labels, relationship types and property names.

    • ALL [[DATABASE] PRIVILEGES]

      allows all of the above privileges to be enabled for the specified database.

  • dbname

    • The database to associate the privilege with. Note that if you delete a database and create a new one with the same name, the new one will NOT have any of the privileges specifically assigned to the deleted database.
    • It can be * which means all databases. Any new databases created after this command will also be associated with these privileges.
  • role[, ...]

    • The role or roles to associate the privilege with, comma-separated.

It is important to note that using DENY does NOT erase a GRANT command; they both exist. The only way to erase a privilege is with REVOKE.
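The interaction of GRANT, DENY and REVOKE described here, together with the dbname rules above (a privilege on * follows databases created later, while a database dropped and re-created does not inherit privileges granted to it by name), is easy to misjudge when reviewing a role. The following Python model is an added example and not Neo4j's own code or any part of this manual: it keeps a role's privilege rows the way SHOW PRIVILEGES lists them and replays the regularUsers sequence used later in this section. The names PrivilegeStore, replay_regular_users and wildcard_vs_named, and the expansion of the compound privileges (for example ALL DATABASE PRIVILEGES into the ten individual actions), are this example's own assumptions.

```python
"""Toy model of how GRANT, DENY and REVOKE change a role's database privileges.

Added illustration, not Neo4j's implementation. It encodes the rules stated in
this section: DENY adds a denial but never erases a GRANT, REVOKE is the only
way to remove either, '*' also covers databases created later, and a database
that is dropped and re-created does not keep privileges granted to it by name.
Action names are the ones the 'action' column of SHOW PRIVILEGES displays.
"""
from dataclasses import dataclass, field

ALL_DATABASE_ACTIONS = (
    "access", "start_database", "stop_database",
    "create_index", "drop_index", "create_constraint", "drop_constraint",
    "create_label", "create_reltype", "create_propertykey",
)

# Compound privileges expand to the actions they cover (this example's mapping).
COMPOUND = {
    "index_management": ("create_index", "drop_index"),
    "constraint_management": ("create_constraint", "drop_constraint"),
    "name_management": ("create_label", "create_reltype", "create_propertykey"),
    "all_database_privileges": ALL_DATABASE_ACTIONS,
}


def expand(action):
    return COMPOUND.get(action, (action,))


@dataclass
class PrivilegeStore:
    # Rows mirror SHOW PRIVILEGES output: (access, action, graph, role).
    rows: set = field(default_factory=set)
    databases: set = field(default_factory=lambda: {"neo4j", "system"})

    def grant(self, action, db, role):
        for a in expand(action):
            self.rows.add(("GRANTED", a, db, role))

    def deny(self, action, db, role):
        # A DENY row sits beside any existing GRANT row; nothing is removed.
        for a in expand(action):
            self.rows.add(("DENIED", a, db, role))

    def revoke(self, action, db, role, kind=None):
        # kind None -> REVOKE (removes both), "GRANT" -> REVOKE GRANT, "DENY" -> REVOKE DENY
        kinds = {"GRANT": ("GRANTED",), "DENY": ("DENIED",)}.get(kind, ("GRANTED", "DENIED"))
        for a in expand(action):
            for k in kinds:
                self.rows.discard((k, a, db, role))

    def create_database(self, db):
        self.databases.add(db)

    def drop_database(self, db):
        # Privileges granted to this database by name do not survive it.
        self.databases.discard(db)
        self.rows = {r for r in self.rows if r[2] != db}

    def show_role_privileges(self, role):
        return sorted(r for r in self.rows if r[3] == role)

    def is_allowed(self, role, action, db):
        """Effective decision: at least one matching GRANT and no matching DENY."""
        if db not in self.databases:
            raise KeyError(f"no such database: {db}")
        hits = {r[0] for r in self.rows
                if r[1] == action and r[3] == role and r[2] in (db, "*")}
        return "GRANTED" in hits and "DENIED" not in hits


def replay_regular_users():
    """Replay the GRANT/DENY sequence this section runs against regularUsers."""
    s = PrivilegeStore()
    s.grant("access", "neo4j", "regularUsers")
    s.deny("access", "neo4j", "regularUsers")
    s.grant("start_database", "neo4j", "regularUsers")
    s.deny("start_database", "system", "regularUsers")
    s.grant("stop_database", "neo4j", "regularUsers")
    s.deny("stop_database", "system", "regularUsers")
    return s


def wildcard_vs_named():
    """'*' follows a re-created database; a grant made by name does not."""
    s = PrivilegeStore()
    s.create_database("sales")                # constructed database name
    s.grant("access", "*", "analysts")        # constructed role names
    s.grant("access", "sales", "sales_team")
    before = (s.is_allowed("analysts", "access", "sales"),
              s.is_allowed("sales_team", "access", "sales"))
    s.drop_database("sales")
    s.create_database("sales")
    after = (s.is_allowed("analysts", "access", "sales"),
             s.is_allowed("sales_team", "access", "sales"))
    return before, after


if __name__ == "__main__":
    store = replay_regular_users()
    for row in store.show_role_privileges("regularUsers"):
        print(row)
    print("access neo4j allowed:", store.is_allowed("regularUsers", "access", "neo4j"))
    print("before/after re-create:", wildcard_vs_named())
```

After the replay the listing carries both a GRANTED and a DENIED access row for neo4j, and the effective answer is "denied". Only a REVOKE DENY (kind="DENY" in the model) flips it back; a REVOKE GRANT would leave the DENY in place, and a plain REVOKE removes both.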

Table 5.39. Database management command syntax
Command Description
GRANT ACCESS
    ON DATABASE[S] {name | *}
    TO role[, ...]

Allow the specified role or roles to access the database name or all databases

GRANT {START | STOP}
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to start or stop the database name or all databases

GRANT {CREATE | DROP} INDEX[ES]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create or delete indexes on the database name or all databases

GRANT INDEX[ES] [MANAGEMENT]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create and delete indexes on the database name or all databases

GRANT {CREATE | DROP} CONSTRAINT[S]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create or delete constraints on the database name or all databases

GRANT CONSTRAINT[S] [MANAGEMENT]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create and delete constraints on the database name or all databases

GRANT CREATE NEW [NODE] LABEL[S]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create new labels for nodes in the database name or all databases

GRANT CREATE NEW [RELATIONSHIP] TYPE[S]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create new types for relationships in the database name or all databases

GRANT CREATE NEW [PROPERTY] NAME[S]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create new names for properties in the database name or all databases

GRANT NAME [MANAGEMENT]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create new labels, relationship types and property names in the database name or all databases

GRANT ALL [[DATABASE] PRIVILEGES]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to perform all of the above database actions on the database name or all databases

Figure 5.2. Syntax of GRANT and DENY Database Privileges
The database ACCESS privilege

The ACCESS privilege enables users to connect to a database. With ACCESS you can run calculations (for example RETURN 2*5 AS answer) or call functions (for example RETURN timestamp() AS time).

Command syntax. 

GRANT ACCESS
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, granting the ability to access the database neo4j to the role regularUsers is done using the following query.

Query. 

GRANT ACCESS
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1


The ACCESS privilege can also be denied.

Command syntax. 

DENY ACCESS
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, denying access to the database neo4j to the role regularUsers is done using the following query.

Query. 

DENY ACCESS
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1


The privileges granted can be seen using the SHOW PRIVILEGES command:

Query. 

SHOW ROLE regularUsers PRIVILEGES

Table 5.40. Result
access     action    resource    graph    segment     role
"DENIED"   "access"  "database"  "neo4j"  "database"  "regularUsers"
"GRANTED"  "access"  "database"  "neo4j"  "database"  "regularUsers"
2 rows


The database START/STOP privileges

The START privilege can be used to enable the ability to start a database.

Command syntax. 

GRANT START
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, granting the ability to start the database neo4j to the role regularUsers is done using the following query.

Query. 

GRANT START
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1


The START privilege can also be denied.

Command syntax. 

DENY START
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, denying the ability to start the database system to the role regularUsers is done using the following query.

Query. 

DENY START
ON DATABASE system TO regularUsers

0 rows, System updates: 1


The STOP privilege can be used to enable the ability to stop a database.

Command syntax. 

GRANT STOP
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, granting the ability to stop the database neo4j to the role regularUsers is done using the following query.

Query. 

GRANT STOP
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1


The STOP privilege can also be denied.

Command syntax. 

DENY STOP
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, denying the ability to stop the database system to the role regularUsers is done using the following query.

Query. 

DENY STOP
ON DATABASE system TO regularUsers

0 rows, System updates: 1


The privileges granted can be seen using the SHOW PRIVILEGES command:

Query. 

SHOW ROLE regularUsers PRIVILEGES

Table 5.41. Result
access     action            resource    graph     segment     role
"DENIED"   "access"          "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "access"          "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "start_database"  "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "stop_database"   "database"  "neo4j"   "database"  "regularUsers"
"DENIED"   "start_database"  "database"  "system"  "database"  "regularUsers"
"DENIED"   "stop_database"   "database"  "system"  "database"  "regularUsers"
6 rows


The INDEX MANAGEMENT privileges

Indexes can be created or deleted with the CREATE INDEX and DROP INDEX commands. The privilege to do this can be granted with GRANT CREATE INDEX and GRANT DROP INDEX commands.

Table 5.42. Index management command syntax
Command Description
GRANT {CREATE | DROP} INDEX[ES]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create or delete indexes on the database name or all databases

GRANT INDEX[ES] [MANAGEMENT]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create and delete indexes on the database name or all databases

For example, granting the ability to create indexes on the database neo4j to the role regularUsers is done using the following query.

Query. 

GRANT CREATE INDEX
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1


The CONSTRAINT MANAGEMENT privileges

Constraints can be created or deleted with the CREATE CONSTRAINT and DROP CONSTRAINT commands. The privilege to do this can be granted with GRANT CREATE CONSTRAINT and GRANT DROP CONSTRAINT commands.

Table 5.43. Constraint management command syntax
Command Description
GRANT {CREATE | DROP} CONSTRAINT[S]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create or delete constraints on the database name or all databases

GRANT CONSTRAINT[S] [MANAGEMENT]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create and delete constraints on the database name or all databases

For example, granting the ability to create constraints on the database neo4j to the role regularUsers is done using the following query.

Query. 

GRANT CREATE CONSTRAINT
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1


The NAME MANAGEMENT privileges

The right to create new labels, relationship types or property names is different from the right to create nodes, relationships or properties. The latter is managed using database WRITE privileges, while the former is managed using specific GRANT/DENY CREATE NEW ... commands for each type.

Table 5.44. Label, relationship type and property name management command syntax
Command Description
GRANT CREATE NEW [NODE] LABEL[S]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create new labels for nodes in the database name or all databases

GRANT CREATE NEW [RELATIONSHIP] TYPE[S]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create new types for relationships in the database name or all databases

GRANT CREATE NEW [PROPERTY] NAME[S]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create new names for properties in the database name or all databases

GRANT NAME [MANAGEMENT]
    ON DATABASE[S] {name | *}
    TO role[, ...]

Enable the specified role or roles to create new labels, relationship types and property names in the database name or all databases

For example, granting the ability to create new properties on nodes or relationships in the database neo4j to the role regularUsers is done using the following query.

Query. 

GRANT CREATE NEW PROPERTY NAME
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1


Granting all database administration privileges

Conferring the right to perform all of the above tasks can be achieved with a single command:

Command syntax. 

GRANT ALL [[DATABASE] PRIVILEGES]
    ON DATABASE[S] {name | *}
    TO role[, ...]

For example, granting the ability to access, start and stop the database neo4j, and to create indexes, constraints, labels, relationship types and property names on it, to the role regularUsers is done using the following query.

Query. 

GRANT ALL DATABASE PRIVILEGES
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 4


The privileges granted can be seen using the SHOW PRIVILEGES command:

Query. 

SHOW ROLE regularUsers PRIVILEGES

Table 5.45. Result
access     action                resource    graph     segment     role
"DENIED"   "access"              "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "access"              "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "create_constraint"   "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "create_index"        "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "create_label"        "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "create_propertykey"  "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "create_reltype"      "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "drop_constraint"     "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "drop_index"          "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "start_database"      "database"  "neo4j"   "database"  "regularUsers"
"GRANTED"  "stop_database"       "database"  "neo4j"   "database"  "regularUsers"
"DENIED"   "start_database"      "database"  "system"  "database"  "regularUsers"
"DENIED"   "stop_database"       "database"  "system"  "database"  "regularUsers"
13 rows


5.5.4.3. DBMS administration

All DBMS privileges are relevant system-wide. Like user management, they do not belong to one specific database or graph. For more details on the differences between graphs, databases and the DBMS, refer to Section 1.2, “Neo4j databases and graphs”.

As described above, the admin role has a number of built-in privileges that cannot be assigned using Cypher commands. These include:

  • Create or drop databases
  • Change configuration parameters
  • Manage transactions
  • Manage users and roles (role management by itself is assignable using Cypher commands)
  • Manage sub-graph privileges
  • Manage procedure security

The easiest way to enable a user to perform these tasks is to grant them the admin role. The only subset of these privileges that is assignable using Cypher commands is role management. However, it is possible to make a custom role with a subset of these privileges.

Using a custom role to manage DBMS privileges

To create an administrator that holds all DBMS privileges but not all database privileges, copy the admin role and then revoke or deny the database privileges that are not wanted.

First we copy the 'admin' role:

Query. 

CREATE ROLE usermanager AS COPY OF admin

0 rows, System updates: 2


Then we DENY ACCESS to normal databases:

Query. 

DENY ACCESS
ON DATABASE * TO usermanager

0 rows, System updates: 1


And DENY START and STOP for normal databases:

Query. 

DENY START
ON DATABASE * TO usermanager

0 rows, System updates: 1


Query. 

DENY STOP
ON DATABASE * TO usermanager

0 rows, System updates: 1


And DENY index and constraint management:

Query. 

DENY INDEX MANAGEMENT
ON DATABASE * TO usermanager

0 rows, System updates: 2


Query. 

DENY CONSTRAINT MANAGEMENT
ON DATABASE * TO usermanager

0 rows, System updates: 2


And finally DENY label, relationship type and property name management:

Query. 

DENY NAME MANAGEMENT
ON DATABASE * TO usermanager

0 rows, System updates: 3


The resulting role should have privileges that only allow the DBMS capabilities, like user and role management:

Query. 

SHOW ROLE usermanager PRIVILEGES

Lists all privileges for role 'usermanager'

Table 5.46. Result
access     action                resource          graph  segment            role
"GRANTED"  "read"                "all_properties"  "*"    "NODE(*)"          "usermanager"
"GRANTED"  "write"               "all_properties"  "*"    "NODE(*)"          "usermanager"
"GRANTED"  "traverse"            "graph"           "*"    "NODE(*)"          "usermanager"
"GRANTED"  "read"                "all_properties"  "*"    "RELATIONSHIP(*)"  "usermanager"
"GRANTED"  "write"               "all_properties"  "*"    "RELATIONSHIP(*)"  "usermanager"
"GRANTED"  "traverse"            "graph"           "*"    "RELATIONSHIP(*)"  "usermanager"
"DENIED"   "access"              "database"        "*"    "database"         "usermanager"
"GRANTED"  "access"              "database"        "*"    "database"         "usermanager"
"GRANTED"  "admin"               "database"        "*"    "database"         "usermanager"
"DENIED"   "create_constraint"   "database"        "*"    "database"         "usermanager"
"DENIED"   "create_index"        "database"        "*"    "database"         "usermanager"
"DENIED"   "create_label"        "database"        "*"    "database"         "usermanager"
"DENIED"   "create_propertykey"  "database"        "*"    "database"         "usermanager"
"DENIED"   "create_reltype"      "database"        "*"    "database"         "usermanager"
"DENIED"   "drop_constraint"     "database"        "*"    "database"         "usermanager"
"DENIED"   "drop_index"          "database"        "*"    "database"         "usermanager"
"GRANTED"  "schema"              "database"        "*"    "database"         "usermanager"
"DENIED"   "start_database"      "database"        "*"    "database"         "usermanager"
"DENIED"   "stop_database"       "database"        "*"    "database"         "usermanager"
"GRANTED"  "token"               "database"        "*"    "database"         "usermanager"
20 rows

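Reading a 20-row listing like the one for usermanager by eye is error-prone, and the DENY rows hide rather than remove the copied admin rights. The following Python audit is an added example and not part of this manual or of Neo4j. It takes the rows of Table 5.46 (constructed inline, in the column order SHOW ROLE usermanager PRIVILEGES returns; in practice they would be fetched with the neo4j Python driver's session.run) and sorts each GRANT into one of three buckets: effective, dormant (cancelled by a DENY on the same database or on *, and revived the moment that DENY is revoked), or unreachable (graph privileges that cannot be exercised because ACCESS to the database is denied). The expansion of the schema and token rows into the index/constraint and name-management actions is this example's assumption, inferred from the 2 and 3 system updates that DENY INDEX MANAGEMENT and DENY NAME MANAGEMENT report above; admin is kept as a single action. The function audit_role and the bucket names are this example's own.

```python
"""Least-privilege audit over SHOW PRIVILEGES rows (added example, not Neo4j code).

Each row is (access, action, resource, graph, segment, role), the column order
the manual's result tables use.  SAMPLE_ROWS is constructed to match Table 5.46.
"""
from collections import defaultdict

SAMPLE_ROWS = [
    ("GRANTED", "read", "all_properties", "*", "NODE(*)", "usermanager"),
    ("GRANTED", "write", "all_properties", "*", "NODE(*)", "usermanager"),
    ("GRANTED", "traverse", "graph", "*", "NODE(*)", "usermanager"),
    ("GRANTED", "read", "all_properties", "*", "RELATIONSHIP(*)", "usermanager"),
    ("GRANTED", "write", "all_properties", "*", "RELATIONSHIP(*)", "usermanager"),
    ("GRANTED", "traverse", "graph", "*", "RELATIONSHIP(*)", "usermanager"),
    ("DENIED", "access", "database", "*", "database", "usermanager"),
    ("GRANTED", "access", "database", "*", "database", "usermanager"),
    ("GRANTED", "admin", "database", "*", "database", "usermanager"),
    ("DENIED", "create_constraint", "database", "*", "database", "usermanager"),
    ("DENIED", "create_index", "database", "*", "database", "usermanager"),
    ("DENIED", "create_label", "database", "*", "database", "usermanager"),
    ("DENIED", "create_propertykey", "database", "*", "database", "usermanager"),
    ("DENIED", "create_reltype", "database", "*", "database", "usermanager"),
    ("DENIED", "drop_constraint", "database", "*", "database", "usermanager"),
    ("DENIED", "drop_index", "database", "*", "database", "usermanager"),
    ("GRANTED", "schema", "database", "*", "database", "usermanager"),
    ("DENIED", "start_database", "database", "*", "database", "usermanager"),
    ("DENIED", "stop_database", "database", "*", "database", "usermanager"),
    ("GRANTED", "token", "database", "*", "database", "usermanager"),
]

# Assumed expansion of the compound rows the admin role carries.
COMPOUND = {
    "schema": ("create_index", "drop_index", "create_constraint", "drop_constraint"),
    "token": ("create_label", "create_reltype", "create_propertykey"),
}


def expand(action):
    return COMPOUND.get(action, (action,))


def collect(rows, role):
    """Split one role's rows into GRANTED / DENIED action sets keyed by (graph, segment)."""
    granted, denied = defaultdict(set), defaultdict(set)
    for access, action, _resource, graph, segment, r in rows:
        if r != role:
            continue
        target = granted if access == "GRANTED" else denied
        target[(graph, segment)].update(expand(action))
    return granted, denied


def denied_on(denied, graph, segment):
    """A DENY on '*' applies to every database, so merge it with the named one."""
    return denied.get((graph, segment), set()) | denied.get(("*", segment), set())


def audit_role(rows, role):
    """Bucket every GRANT of `role` as effective, dormant (masked by DENY) or unreachable."""
    granted, denied = collect(rows, role)
    report = {"effective": {}, "dormant": {}, "unreachable": {}}
    for (graph, segment), actions in granted.items():
        blocked = actions & denied_on(denied, graph, segment)
        live = actions - blocked
        # Graph privileges (NODE/RELATIONSHIP segments) cannot be used when the
        # role is denied ACCESS to that database: it cannot connect to it at all.
        if segment != "database" and "access" in denied_on(denied, graph, "database"):
            report["unreachable"][(graph, segment)] = live
            live = set()
        if live:
            report["effective"][(graph, segment)] = live
        if blocked:
            report["dormant"][(graph, segment)] = blocked
    return report


if __name__ == "__main__":
    for bucket, entries in audit_role(SAMPLE_ROWS, "usermanager").items():
        print(bucket)
        for key, actions in sorted(entries.items()):
            print("  ", key, sorted(actions))
```

The report makes the shape of the usermanager role explicit: the only database-level action that survives is admin; everything copied from the admin role for indexes, constraints and names is merely masked by DENY rows; and the graph read, write and traverse grants are still present, blocked only by the DENY ACCESS. A later REVOKE DENY ACCESS ON DATABASE * FROM usermanager would restore full graph access, so the dormant and unreachable buckets are what a reviewer should keep an eye on.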

The dbms ROLE MANAGEMENT privileges

The dbms privileges for role management are assignable using Cypher administrative commands. They can be granted, denied and revoked like other privileges.

Table 5.47. Role management privileges command syntax
Command Description
GRANT CREATE ROLE
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to create new roles

GRANT DROP ROLE
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to delete roles

GRANT ASSIGN ROLE
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to assign roles to users

GRANT REMOVE ROLE
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to remove roles from users

GRANT SHOW ROLE
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to list roles

GRANT ROLE MANAGEMENT
    ON DBMS
    TO role[, ...]

Enable the specified role or roles to create, delete, assign, remove and list roles

The ability to add roles can be granted via the CREATE ROLE privilege. The following query shows an example of this:

Query. 

GRANT CREATE ROLE
ON DBMS TO roleAdder

0 rows, System updates: 1


The resulting role should have privileges that only allow adding roles:

Query. 

SHOW ROLE roleAdder PRIVILEGES

Lists all privileges for role 'roleAdder'

Table 5.48. Result
access     action         resource    graph  segment     role
"GRANTED"  "create_role"  "database"  "*"    "database"  "roleAdder"
1 row


The ability to delete roles can be granted via the DROP ROLE privilege. The following query shows an example of this:

Query. 

GRANT DROP ROLE
ON DBMS TO roleDropper

0 rows, System updates: 1


The resulting role should have privileges that only allow deleting roles:

Query. 

SHOW ROLE roleDropper PRIVILEGES

Lists all privileges for role 'roleDropper'

Table 5.49. Result
access     action       resource    graph  segment     role
"GRANTED"  "drop_role"  "database"  "*"    "database"  "roleDropper"
1 row


The ability to assign roles to users can be granted via the ASSIGN ROLE privilege. The following query shows an example of this:

Query. 

GRANT ASSIGN ROLE
ON DBMS TO roleAssigner

0 rows, System updates: 1

The resulting role should have privileges that only allow assigning/granting roles:

Query. 

SHOW ROLE roleAssigner PRIVILEGES

Lists all privileges for role 'roleAssigner'

Table 5.50. Result
access     action         resource    graph  segment     role
"GRANTED"  "assign_role"  "database"  "*"    "database"  "roleAssigner"

1 row

The ability to remove roles from users can be granted via the REMOVE ROLE privilege. The following query shows an example of this:

Query. 

GRANT REMOVE ROLE
ON DBMS TO roleRemover

0 rows, System updates: 1

The resulting role should have privileges that only allow removing/revoking roles:

Query. 

SHOW ROLE roleRemover PRIVILEGES

Lists all privileges for role 'roleRemover'

Table 5.51. Result
access     action         resource    graph  segment     role
"GRANTED"  "remove_role"  "database"  "*"    "database"  "roleRemover"

1 row

The ability to show roles can be granted via the SHOW ROLE privilege. The following query shows an example of this:

Query. 

GRANT SHOW ROLE
ON DBMS TO roleShower

0 rows, System updates: 1

The resulting role should have privileges that only allow showing roles:

Query. 

SHOW ROLE roleShower PRIVILEGES

Lists all privileges for role 'roleShower'

Table 5.52. Result
access     action       resource    graph  segment     role
"GRANTED"  "show_role"  "database"  "*"    "database"  "roleShower"

1 row

All of the above-mentioned role privileges can be granted at once via the ROLE MANAGEMENT privilege. The following query shows an example of this:

Query. 

GRANT ROLE MANAGEMENT
ON DBMS TO roleManager

0 rows, System updates: 1

The resulting role should have all privileges to manage roles:

Query. 

SHOW ROLE roleManager PRIVILEGES

Lists all privileges for role 'roleManager'

Table 5.53. Result
access     action             resource    graph  segment     role
"GRANTED"  "role_management"  "database"  "*"    "database"  "roleManager"

1 row

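The tables above show that each narrowly granted role ends up with exactly one action, while ROLE MANAGEMENT covers all five. The following Python script is an added example (not code from the Neo4j manual or the Neo4j project) that turns that observation into a least-privilege audit: it takes rows in the shape returned by SHOW ROLE ... PRIVILEGES (columns access, action, resource, graph, segment, role), expands role_management into the five concrete role actions so a composite grant cannot hide behind an allowlist written in terms of single actions, applies Neo4j's rule that DENY overrides GRANT, and reports any excess or missing privilege per role. The sample rows are constructed from the result tables on this page plus a hypothetical over-privileged role named helpdesk; rows fetched from a live server through the official driver have the same keys, so the same functions apply there.

```python
"""Least-privilege audit of Neo4j role privileges (added example, not Neo4j code).

Rows follow the column layout of SHOW ROLE <name> PRIVILEGES as shown on this page:
access, action, resource, graph, segment, role.
"""
from typing import Dict, Iterable, List, Set, Tuple

Row = Dict[str, str]

# ROLE MANAGEMENT is the composite privilege covering the five role actions.
ROLE_MANAGEMENT_ACTIONS: Set[str] = {
    "create_role", "drop_role", "assign_role", "remove_role", "show_role",
}


def _expand(action: str) -> Set[str]:
    """Expand a composite action into the concrete actions it confers."""
    if action == "role_management":
        return {action} | ROLE_MANAGEMENT_ACTIONS
    return {action}


def effective_actions(rows: Iterable[Row], role: str) -> Set[str]:
    """Return the set of DBMS role actions a role effectively holds.

    GRANTED rows add actions, DENIED rows take them away (a DENY overrides a
    GRANT of the same privilege in Neo4j), and role_management is expanded so
    that a composite grant is visible to an allowlist of individual actions.
    Only DBMS-level role privileges are modelled here.
    """
    granted: Set[str] = set()
    denied: Set[str] = set()
    for row in rows:
        if row["role"] != role:
            continue
        actions = _expand(row["action"])
        if row["access"] == "GRANTED":
            granted |= actions
        elif row["access"] == "DENIED":
            denied |= actions
        else:
            raise ValueError(f"unexpected access value: {row['access']!r}")
    return granted - denied


def audit_role(rows: Iterable[Row], role: str,
               allowed: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (excess, missing): actions beyond the allowlist, and allowlisted
    actions the role does not actually hold."""
    have = effective_actions(rows, role)
    return have - allowed, allowed - have


def audit_all(rows: List[Row], expected: Dict[str, Set[str]]) -> List[str]:
    """Audit every role in `expected` and return findings as text lines."""
    findings: List[str] = []
    for role, allowed in expected.items():
        excess, missing = audit_role(rows, role, allowed)
        for action in sorted(excess):
            findings.append(f"{role}: excess privilege {action}")
        for action in sorted(missing):
            findings.append(f"{role}: missing privilege {action}")
    return findings


def _dbms_row(access: str, action: str, role: str) -> Row:
    """Build one row in the shape of the result tables on this page."""
    return {"access": access, "action": action, "resource": "database",
            "graph": "*", "segment": "database", "role": role}


# Constructed sample: the one-row results shown on this page for the six roles,
# plus a hypothetical 'helpdesk' role that was given ROLE MANAGEMENT (with
# DROP ROLE denied) although it only needs to assign and show roles.
SAMPLE_ROWS: List[Row] = [
    _dbms_row("GRANTED", "create_role", "roleAdder"),
    _dbms_row("GRANTED", "drop_role", "roleDropper"),
    _dbms_row("GRANTED", "assign_role", "roleAssigner"),
    _dbms_row("GRANTED", "remove_role", "roleRemover"),
    _dbms_row("GRANTED", "show_role", "roleShower"),
    _dbms_row("GRANTED", "role_management", "roleManager"),
    _dbms_row("GRANTED", "role_management", "helpdesk"),  # hypothetical
    _dbms_row("DENIED", "drop_role", "helpdesk"),         # hypothetical
]

# Constructed allowlist: what each role is supposed to hold.
EXPECTED: Dict[str, Set[str]] = {
    "roleAdder": {"create_role"},
    "roleDropper": {"drop_role"},
    "roleAssigner": {"assign_role"},
    "roleRemover": {"remove_role"},
    "roleShower": {"show_role"},
    "roleManager": {"role_management"} | ROLE_MANAGEMENT_ACTIONS,
    "helpdesk": {"assign_role", "show_role"},
}


if __name__ == "__main__":
    for line in audit_all(SAMPLE_ROWS, EXPECTED):
        print(line)
```

Run as a script, the six roles from this page produce no findings, while the hypothetical helpdesk role is reported for role_management, create_role and remove_role: the DENY on DROP ROLE removes only that one action, so the audit still flags the composite grant as excess. Expanding composite privileges before comparing is the design choice that matters; an allowlist checked against the raw action column would accept a role_management grant on a role that was only ever meant to show roles.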