5.5.4. Security of administration

This section explains how to use Cypher to manage Neo4j administrative privileges.

All of the commands described in the enclosing Administration section require that the user executing the commands has the rights to do so. These privileges can be conferred either by granting the user the admin role, which enables all administrative rights, or by granting specific combinations of privileges.

The admin role
Database administration
DBMS administration
- Using a custom role to manage DBMS privileges
- The dbms ROLE MANAGEMENT privileges

5.5.4.1. The `admin` role

The built-in role admin includes a number of privileges allowing users granted this role the ability to perform administrative tasks. These include the rights to perform the following classes of tasks:

Manage database security for controlling the rights to perform actions on specific databases:
- Manage access to a database and the right to start and stop a database
- Manage indexes and constraints
- Allow the creation of labels, relationship types or property names
Manage DBMS security for controlling the rights to perform actions on the entire system:
- Manage multiple databases
- Manage users and roles
- Change configuration parameters
- Manage transactions
- Manage sub-graph privileges
- Manage procedure security

These rights are conferred using privileges that can be managed using GRANT, DENY and REVOKE commands, with the exception of the DBMS Security privileges which are only available within the built-in admin role.

Query.

SHOW ROLE admin PRIVILEGES

Table 5.35. Result
access	action	resource	graph	segment	role
10 rows
`"GRANTED"`	`"read"`	`"all_properties"`	`"*"`	`"NODE(*)"`	`"admin"`
`"GRANTED"`	`"write"`	`"all_properties"`	`"*"`	`"NODE(*)"`	`"admin"`
`"GRANTED"`	`"traverse"`	`"graph"`	`"*"`	`"NODE(*)"`	`"admin"`
`"GRANTED"`	`"read"`	`"all_properties"`	`"*"`	`"RELATIONSHIP(*)"`	`"admin"`
`"GRANTED"`	`"write"`	`"all_properties"`	`"*"`	`"RELATIONSHIP(*)"`	`"admin"`
`"GRANTED"`	`"traverse"`	`"graph"`	`"*"`	`"RELATIONSHIP(*)"`	`"admin"`
`"GRANTED"`	`"access"`	`"database"`	`"*"`	`"database"`	`"admin"`
`"GRANTED"`	`"admin"`	`"database"`	`"*"`	`"database"`	`"admin"`
`"GRANTED"`	`"schema"`	`"database"`	`"*"`	`"database"`	`"admin"`
`"GRANTED"`	`"token"`	`"database"`	`"*"`	`"database"`	`"admin"`

Try this query live. CREATE USER jake SET PASSWORD 'abc123' CHANGE NOT REQUIRED SET STATUS ACTIVE CREATE ROLE regularUsers CREATE ROLE noAccessUsers CREATE ROLE roleAdder CREATE ROLE roleDropper CREATE ROLE roleAssigner CREATE ROLE roleRemover CREATE ROLE roleShower CREATE ROLE roleManager GRANT ROLE regularUsers TO jake DENY ACCESS ON DATABASE neo4j TO noAccessUsers SHOW ROLE admin PRIVILEGES

5.5.4.2. Database administration

This section explains how to use Cypher to manage privileges for Neo4j database administrative rights.

As described in the section on sub-graph security, the GRANT command allows an administrator to grant a privilege to a role in order to access an entity. The DENY command allows an administrator to deny a privilege to a role in order to prevent access to an entity. The REVOKE command allows an administrator to remove a previously granted or denied privilege. The syntax is:

Table 5.36. Privilege command syntax
Command	Description
`GRANT database-privilege ON DATABASE[S] {dbname \| *} TO role[, ...]`	Grant a privilege to one or multiple roles
`DENY database-privilege ON DATABASE[S] {dbname \| *} TO role[, ...]`	Deny a privilege to one or multiple roles
`REVOKE GRANT database-privilege ON DATABASE[S] {dbname \| *} FROM role[, ...]`	Revoke a granted privilege from one or multiple roles
`REVOKE DENY database-privilege ON DATABASE[S] {dbname \| *} FROM role[, ...]`	Revoke a denied privilege from one or multiple roles
`REVOKE database-privilege ON DATABASE[S] {dbname \| *} FROM role[, ...]`	Revoke a granted or denied privilege from one or multiple roles

These commands are very similar to the graph-privileges except for the use of the term DATABASE, no entity and and the set of available database-privileges differs from the graph-privileges.

Where the components are:

database-privilege
- ACCESS
  
  allows access for a specific database/graph
- START
  
  allows the specified database to be started
- STOP
  
  allows the specified database to be stopped
- CREATE INDEX
  
  allows indexes to be created on the specified database.
- DROP INDEX
  
  allows indexes to be deleted on the specified database.
- INDEX [MANAGEMENT]
  
  allows indexes to be created and deleted on the specified database.
- CREATE CONSTRAINT
  
  allows constraints to be created on the specified database.
- DROP CONSTRAINT
  
  allows constraints to be deleted on the specified database.
- CONSTRAINT [MANAGEMENT]
  
  allows constraints to be created and deleted on the specified database.
- CREATE NEW [NODE] LABEL
  
  allows labels to be created so that future nodes can be assigned them.
- CREATE NEW [RELATIONSHIP] TYPE
  
  allows relationship types to be created so that future relationships can be created with these types.
- CREATE NEW [PROPERTY] NAME
  
  allows property names to be created so that nodes and relationships can have properties with these names assigned.
- NAME [MANAGEMENT]
  
  allows all of the name management capabilities: node labels, relationship types and property names.
- ALL [[DATABASE] PRIVILEGES]
  
  allows all of the above privileges to be enabled for the specified database.
dbname
- The database to associate the privilege with. Note that if you delete a database and create a new one with the same name, the new one will NOT have any of the privileges specifically assigned to the deleted database.
- It can be * which means all databases. Any new databases created after this command will also be associated with these privileges.
role[, …]
- The role or roles to associate the privilege with, comma-separated.

It is important to note that using DENY does NOT erase a GRANT command; they both exist. The only way to erase a privilege is with REVOKE.

Table 5.37. Database management command syntax
Command	Description
`GRANT ACCESS ON DATABASE[S] {name \| *} TO role[, ...]`	Allow the specified role or roles to access the database `name` or all databases
`GRANT {START \| STOP} ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to start or stop the database `name` or all databases
`GRANT {CREATE \| DROP} INDEX[ES] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create or delete indexes on the database `name` or all databases
`GRANT INDEX[ES] [MANAGEMENT] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create and delete indexes on the database `name` or all databases
`GRANT {CREATE \| DROP} CONSTRAINT[S] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create or delete indexes on the database `name` or all databases
`GRANT CONSTRAINT[S] [MANAGEMENT] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create and delete constraints on the database `name` or all databases
`GRANT CREATE NEW [NODE] LABEL[S] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create new labels for nodes in the database `name` or all databases
`GRANT CREATE NEW [RELATIONSHIP] TYPE[S] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create new types for relationships in the database `name` or all databases
`GRANT CREATE NEW [PROPERTY] NAME[S] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create new names for properties in the database `name` or all databases
`GRANT NAME [MANAGEMENT] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create new labels, relationship types and property names in the database `name` or all databases
`GRANT ALL [[DATABASE] PRIVILEGES] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to perform all of the above database actions on the database `name` or all databases

Figure 5.2. Syntax of GRANT and DENY Database Privileges

The database `ACCESS` privilege

The ACCESS privilege can be used to enable the ability to access a database. If this is not granted to users, they will not even be able to start transactions on the relevant database.

Command syntax.

GRANT ACCESS
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, granting the ability to access the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT ACCESS
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The ACCESS privilege can also be denied.

Command syntax.

DENY ACCESS
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, denying the ability to access to the database neo4j to the role regularUsers is done using the following query.

Query.

DENY ACCESS
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The privileges granted can be seen using the SHOW PRIVILEGES command:

Query.

SHOW ROLE regularUsers PRIVILEGES

Table 5.38. Result
access	action	resource	graph	segment	role
2 rows
`"DENIED"`	`"access"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"access"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`

The database `START`/`STOP` privileges

The START privilege can be used to enable the ability to start a database.

Command syntax.

GRANT START
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, granting the ability to start the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT
START
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The START privilege can also be denied.

Command syntax.

DENY START
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, denying the ability to start to the database neo4j to the role regularUsers is done using the following query.

Query.

DENY
START
ON DATABASE system TO regularUsers

0 rows, System updates: 1

The STOP privilege can be used to enable the ability to stop a database.

Command syntax.

GRANT STOP
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, granting the ability to stop the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT STOP
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The STOP privilege can also be denied.

Command syntax.

DENY STOP
    ON DATABASE[S] {dbname | *}
    TO role[, ...]

For example, denying the ability to stop to the database neo4j to the role regularUsers is done using the following query.

Query.

DENY STOP
ON DATABASE system TO regularUsers

0 rows, System updates: 1

The privileges granted can be seen using the SHOW PRIVILEGES command:

Query.

SHOW ROLE regularUsers PRIVILEGES

Table 5.39. Result
access	action	resource	graph	segment	role
6 rows
`"DENIED"`	`"access"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"access"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"start_database"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"stop_database"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"DENIED"`	`"start_database"`	`"database"`	`"system"`	`"database"`	`"regularUsers"`
`"DENIED"`	`"stop_database"`	`"database"`	`"system"`	`"database"`	`"regularUsers"`

The `INDEX MANAGEMENT` privileges

Indexes can be created or deleted with the CREATE INDEX and DROP INDEX commands. The privilege to do this can be granted with GRANT CREATE INDEX and GRANT DROP INDEX commands.

Table 5.40. Index management command syntax
Command	Description
`GRANT {CREATE \| DROP} INDEX[ES] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create or delete indexes on the database `name` or all databases
`GRANT INDEX[ES] [MANAGEMENT] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create and delete indexes on the database `name` or all databases

For example, granting the ability to create indexes on the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT
CREATE INDEX ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The `CONSTRAINT MANAGEMENT` privileges

Constraints can be created or deleted with the CREATE CONSTRAINT and DROP CONSTRAINT commands. The privilege to do this can be granted with GRANT CREATE CONSTRAINT and GRANT DROP CONSTRAINT commands.

Table 5.41. Constraint management command syntax
Command	Description
`GRANT {CREATE \| DROP} CONSTRAINT[S] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create or delete constraints on the database `name` or all databases
`GRANT CONSTRAINT[S] [MANAGEMENT] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create and delete constraints on the database `name` or all databases

For example, granting the ability to create constraints on the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT
CREATE CONSTRAINT ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

The `NAME MANAGEMENT` privileges

The right to create new labels, relationship types or propery names is different from the right to create nodes, relationships or properties. The latter is managed using database WRITE privileges, while the former is managed using specific GRANT/DENY CREATE NEW … commands for each type.

Table 5.42. Label, relationship type and property name management command syntax
Command	Description
`GRANT CREATE NEW [NODE] LABEL[S] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create new labels for nodes in the database `name` or all databases
`GRANT CREATE NEW [RELATIONSHIP] TYPE[S] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create new types for relationships in the database `name` or all databases
`GRANT CREATE NEW [PROPERTY] NAME[S] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create new names for properties in the database `name` or all databases
`GRANT NAME [MANAGEMENT] ON DATABASE[S] {name \| *} TO role[, ...]`	Enable the specified role or roles to create new labels, relationship types and property names in the database `name` or all databases

For example, granting the ability to create new properties on nodes or relationships in the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT
CREATE NEW PROPERTY NAME
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 1

Granting all database administration privileges

Conferring the right to perform all of the above tasks can be achieved with a single command:

Command syntax.

GRANT ALL [[DATABASE] PRIVILEGES]
    ON DATABASE[S] {name | *}
    TO role[, ...]

For example, granting the ability to access, start and stop all databases and create indexes, constraints, labels, relationship types and property names on the database neo4j to the role regularUsers is done using the following query.

Query.

GRANT ALL DATABASE PRIVILEGES
ON DATABASE neo4j TO regularUsers

0 rows, System updates: 4

The privileges granted can be seen using the SHOW PRIVILEGES command:

Query.

SHOW ROLE regularUsers PRIVILEGES

Table 5.43. Result
access	action	resource	graph	segment	role
13 rows
`"DENIED"`	`"access"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"access"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"create_constraint"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"create_index"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"create_label"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"create_propertykey"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"create_reltype"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"drop_constraint"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"drop_index"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"start_database"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"GRANTED"`	`"stop_database"`	`"database"`	`"neo4j"`	`"database"`	`"regularUsers"`
`"DENIED"`	`"start_database"`	`"database"`	`"system"`	`"database"`	`"regularUsers"`
`"DENIED"`	`"stop_database"`	`"database"`	`"system"`	`"database"`	`"regularUsers"`

5.5.4.3. DBMS administration

All DBMS privileges are relevant system-wide. Like user management, they do not belong to one specific database or graph. For more details on the differences between graphs, databases and the DBMS, refer to Section 1.2, “Neo4j databases and graphs”.

As described above, the admin role has a number of built-in privileges that cannot be assigned using Cypher commands. These include:

Create or drop databases
Change configuration parameters
Manage transactions
Manage users and roles (role management by itself is assignable using Cypher commands)
Manage sub-graph privileges
Manage procedure security

The easiest way to enable a user to perform these tasks is to grant them the admin role. The only subset of these privileges that is assignable using Cypher commands is role management. However, it is possible to make a custom role with a subset of these privileges.

Using a custom role to manage DBMS privileges

If it is desired to have an administrator with a subset of privileges that includes all DBMS privileges, but not all database privileges, this can be achieved by copying the admin role and revoking or denying some privileges.

First we copy the 'admin' role:

Query.

CREATE ROLE usermanager AS COPY OF admin

0 rows, System updates: 2

Then we DENY ACCESS to normal databases:

Query.

DENY ACCESS
ON DATABASE * TO usermanager

0 rows, System updates: 1

And DENY START and STOP for normal databases:

Query.

DENY
START
ON DATABASE * TO usermanager

0 rows, System updates: 1

Query.

DENY STOP
ON DATABASE * TO usermanager

0 rows, System updates: 1

And DENY index and constraint management:

Query.

DENY INDEX MANAGEMENT
ON DATABASE * TO usermanager

0 rows, System updates: 2

Query.

DENY CONSTRAINT MANAGEMENT
ON DATABASE * TO usermanager

0 rows, System updates: 2

And finally DENY label, relationship type and property name:

Query.

DENY NAME MANAGEMENT
ON DATABASE * TO usermanager

0 rows, System updates: 3

The resulting role should have privileges that only allow the DBMS capabilities, like user and role management:

Query.

SHOW ROLE usermanager PRIVILEGES

Lists all privileges for role 'usermanager'

Table 5.44. Result
access	action	resource	graph	segment	role
20 rows
`"GRANTED"`	`"read"`	`"all_properties"`	`"*"`	`"NODE(*)"`	`"usermanager"`
`"GRANTED"`	`"write"`	`"all_properties"`	`"*"`	`"NODE(*)"`	`"usermanager"`
`"GRANTED"`	`"traverse"`	`"graph"`	`"*"`	`"NODE(*)"`	`"usermanager"`
`"GRANTED"`	`"read"`	`"all_properties"`	`"*"`	`"RELATIONSHIP(*)"`	`"usermanager"`
`"GRANTED"`	`"write"`	`"all_properties"`	`"*"`	`"RELATIONSHIP(*)"`	`"usermanager"`
`"GRANTED"`	`"traverse"`	`"graph"`	`"*"`	`"RELATIONSHIP(*)"`	`"usermanager"`
`"DENIED"`	`"access"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"GRANTED"`	`"access"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"GRANTED"`	`"admin"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"create_constraint"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"create_index"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"create_label"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"create_propertykey"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"create_reltype"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"drop_constraint"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"drop_index"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"GRANTED"`	`"schema"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"start_database"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"DENIED"`	`"stop_database"`	`"database"`	`"*"`	`"database"`	`"usermanager"`
`"GRANTED"`	`"token"`	`"database"`	`"*"`	`"database"`	`"usermanager"`

The dbms `ROLE MANAGEMENT` privileges

The dbms privileges for role management are assignable using Cypher administrative commands. They can be granted, denied and revoked like other privileges.

Table 5.45. Role management privileges command syntax
Command	Description
`GRANT CREATE ROLE ON DBMS TO role[, ...]`	Enable the specified role or roles to create new roles
`GRANT DROP ROLE ON DBMS TO role[, ...]`	Enable the specified role or roles to delete roles
`GRANT ASSIGN ROLE ON DBMS TO role[, ...]`	Enable the specified role or roles to assign roles to users
`GRANT REMOVE ROLE ON DBMS TO role[, ...]`	Enable the specified role or roles to remove roles from users
`GRANT SHOW ROLE ON DBMS TO role[, ...]`	Enable the specified role or roles to list roles
`GRANT ROLE MANAGEMENT ON DBMS TO role[, ...]`	Enable the specified role or roles to create, delete, assign, remove and list roles

The ability to add roles can be granted via the CREATE ROLE privilege. The following query shows an example of this:

Query.

GRANT
CREATE ROLE
ON DBMS TO roleAdder

0 rows, System updates: 1

The resulting role should have privileges that only allow adding roles:

Query.

SHOW ROLE roleAdder PRIVILEGES

Lists all privileges for role 'roleAdder'

Table 5.46. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"create_role"`	`"database"`	`"*"`	`"database"`	`"roleAdder"`

The ability to delete roles can be granted via the DROP ROLE privilege. The following query shows an example of this:

Query.

GRANT DROP ROLE
ON DBMS TO roleDropper

0 rows, System updates: 1

The resulting role should have privileges that only allow deleting roles:

Query.

SHOW ROLE roleDropper PRIVILEGES

Lists all privileges for role 'roleDropper'

Table 5.47. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"drop_role"`	`"database"`	`"*"`	`"database"`	`"roleDropper"`

The ability to assign roles to users can be granted via the ASSIGN ROLE privilege. The following query shows an example of this:

Query.

GRANT ASSIGN ROLE
ON DBMS TO roleAssigner

0 rows, System updates: 1

The resulting role should have privileges that only allow assigning/granting roles:

Query.

SHOW ROLE roleAssigner PRIVILEGES

Lists all privileges for role 'roleAssigner'

Table 5.48. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"assign_role"`	`"database"`	`"*"`	`"database"`	`"roleAssigner"`

The ability to remove roles from users can be granted via the REMOVE ROLE privilege. The following query shows an example of this:

Query.

GRANT
REMOVE ROLE
ON DBMS TO roleRemover

0 rows, System updates: 1

The resulting role should have privileges that only allow removing/revoking roles:

Query.

SHOW ROLE roleRemover PRIVILEGES

Lists all privileges for role 'roleRemover'

Table 5.49. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"remove_role"`	`"database"`	`"*"`	`"database"`	`"roleRemover"`

The ability to show roles can be granted via the SHOW ROLE privilege. The following query shows an example of this:

Query.

GRANT SHOW ROLE
ON DBMS TO roleShower

0 rows, System updates: 1

The resulting role should have privileges that only allow showing roles:

Query.

SHOW ROLE roleShower PRIVILEGES

Lists all privileges for role 'roleShower'

Table 5.50. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"show_role"`	`"database"`	`"*"`	`"database"`	`"roleShower"`

All of the above mentioned privileges can be granted via the ROLE MANAGEMENT privilege. The following query shows an example of this:

Query.

GRANT ROLE MANAGEMENT
ON DBMS TO roleManager

0 rows, System updates: 1

The resulting role should have all privileges to manage roles:

Query.

SHOW ROLE roleManager PRIVILEGES

Lists all privileges for role 'roleManager'

Table 5.51. Result
access	action	resource	graph	segment	role
1 row
`"GRANTED"`	`"role_management"`	`"database"`	`"*"`	`"database"`	`"roleManager"`