Built-in roles

This section explains the default privileges of the built-in roles in Neo4j and how to recreate them if needed.

All of the commands described in this chapter require that the user executing the commands has the rights to do so. The privileges listed in the following sections are the default set of privileges for each built-in role:

1. The PUBLIC role

All users are granted the PUBLIC role, and it cannot be revoked or dropped. By default, it gives access to the default database.

1.1. Privileges of the PUBLIC role

Query
SHOW ROLE PUBLIC PRIVILEGES
Table 1. Result
access    | action   | resource   | graph     | segment    | role
"GRANTED" | "access" | "database" | "DEFAULT" | "database" | "PUBLIC"

1 row

1.2. How to recreate the PUBLIC role

The PUBLIC role cannot be dropped, so there is no need to recreate the role itself. To restore the role to its original capabilities, two steps are needed. First, revoke every GRANT or DENY privilege currently held by this role (run SHOW ROLE PUBLIC PRIVILEGES to see what must be revoked). Second, run the following query:

Query
GRANT ACCESS
ON DEFAULT DATABASE TO PUBLIC

0 rows, System updates: 1

The resulting PUBLIC role now has the same privileges as the original built-in PUBLIC role.

2. The reader role

The reader role can perform read-only queries on all graphs except for the system database.

2.1. Privileges of the reader role

Query
SHOW ROLE reader PRIVILEGES
Table 2. Result
access    | action   | resource         | graph | segment           | role
"GRANTED" | "match"  | "all_properties" | "*"   | "NODE(*)"         | "reader"
"GRANTED" | "match"  | "all_properties" | "*"   | "RELATIONSHIP(*)" | "reader"
"GRANTED" | "access" | "database"       | "*"   | "database"        | "reader"

3 rows

2.2. How to recreate the reader role

To restore the role to its original capabilities, two steps are needed. First, if not already done, execute DROP ROLE reader. Second, run the following queries:

Query
CREATE ROLE reader

0 rows, System updates: 1

Query
GRANT ACCESS
ON DATABASE * TO reader

0 rows, System updates: 1

Query
GRANT
MATCH { * }
ON GRAPH * TO reader

0 rows, System updates: 2

The resulting reader role now has the same privileges as the original built-in reader role.

3. The editor role

The editor role can perform read and write operations on all graphs except for the system database, but cannot create new labels, property keys or relationship types.

3.1. Privileges of the editor role

Query
SHOW ROLE editor PRIVILEGES
Table 3. Result
access    | action   | resource         | graph | segment           | role
"GRANTED" | "match"  | "all_properties" | "*"   | "NODE(*)"         | "editor"
"GRANTED" | "write"  | "graph"          | "*"   | "NODE(*)"         | "editor"
"GRANTED" | "match"  | "all_properties" | "*"   | "RELATIONSHIP(*)" | "editor"
"GRANTED" | "write"  | "graph"          | "*"   | "RELATIONSHIP(*)" | "editor"
"GRANTED" | "access" | "database"       | "*"   | "database"        | "editor"

5 rows

3.2. How to recreate the editor role

To restore the role to its original capabilities, two steps are needed. First, if not already done, execute DROP ROLE editor. Second, run the following queries:

Query
CREATE ROLE editor

0 rows, System updates: 1

Query
GRANT ACCESS
ON DATABASE * TO editor

0 rows, System updates: 1

Query
GRANT
MATCH { * }
ON GRAPH * TO editor

0 rows, System updates: 2

Query
GRANT WRITE
ON GRAPH * TO editor

0 rows, System updates: 2

The resulting editor role now has the same privileges as the original built-in editor role.

4. The publisher role

The publisher role can do the same as editor, but can also create new labels, property keys and relationship types.

4.1. Privileges of the publisher role

Query
SHOW ROLE publisher PRIVILEGES
Table 4. Result
access    | action   | resource         | graph | segment           | role
"GRANTED" | "match"  | "all_properties" | "*"   | "NODE(*)"         | "publisher"
"GRANTED" | "write"  | "graph"          | "*"   | "NODE(*)"         | "publisher"
"GRANTED" | "match"  | "all_properties" | "*"   | "RELATIONSHIP(*)" | "publisher"
"GRANTED" | "write"  | "graph"          | "*"   | "RELATIONSHIP(*)" | "publisher"
"GRANTED" | "access" | "database"       | "*"   | "database"        | "publisher"
"GRANTED" | "token"  | "database"       | "*"   | "database"        | "publisher"

6 rows

4.2. How to recreate the publisher role

To restore the role to its original capabilities, two steps are needed. First, if not already done, execute DROP ROLE publisher. Second, run the following queries:

Query
CREATE ROLE publisher

0 rows, System updates: 1

Query
GRANT ACCESS
ON DATABASE * TO publisher

0 rows, System updates: 1

Query
GRANT
MATCH { * }
ON GRAPH * TO publisher

0 rows, System updates: 2

Query
GRANT WRITE
ON GRAPH * TO publisher

0 rows, System updates: 2

Query
GRANT NAME MANAGEMENT
ON DATABASE * TO publisher

0 rows, System updates: 1

The resulting publisher role now has the same privileges as the original built-in publisher role.

5. The architect role

The architect role can do the same as the publisher, as well as create and manage indexes and constraints.

5.1. Privileges of the architect role

Query
SHOW ROLE architect PRIVILEGES
Table 5. Result
access    | action       | resource         | graph | segment           | role
"GRANTED" | "match"      | "all_properties" | "*"   | "NODE(*)"         | "architect"
"GRANTED" | "write"      | "graph"          | "*"   | "NODE(*)"         | "architect"
"GRANTED" | "match"      | "all_properties" | "*"   | "RELATIONSHIP(*)" | "architect"
"GRANTED" | "write"      | "graph"          | "*"   | "RELATIONSHIP(*)" | "architect"
"GRANTED" | "access"     | "database"       | "*"   | "database"        | "architect"
"GRANTED" | "constraint" | "database"       | "*"   | "database"        | "architect"
"GRANTED" | "index"      | "database"       | "*"   | "database"        | "architect"
"GRANTED" | "token"      | "database"       | "*"   | "database"        | "architect"

8 rows

5.2. How to recreate the architect role

To restore the role to its original capabilities, two steps are needed. First, if not already done, execute DROP ROLE architect. Second, run the following queries:

Query
CREATE ROLE architect

0 rows, System updates: 1

Query
GRANT ACCESS
ON DATABASE * TO architect

0 rows, System updates: 1

Query
GRANT
MATCH { * }
ON GRAPH * TO architect

0 rows, System updates: 2

Query
GRANT WRITE
ON GRAPH * TO architect

0 rows, System updates: 2

Query
GRANT NAME MANAGEMENT
ON DATABASE * TO architect

0 rows, System updates: 1

Query
GRANT INDEX MANAGEMENT
ON DATABASE * TO architect

0 rows, System updates: 1

Query
GRANT CONSTRAINT MANAGEMENT
ON DATABASE * TO architect

0 rows, System updates: 1

The resulting architect role now has the same privileges as the original built-in architect role.

6. The admin role

The admin role can do the same as the architect, as well as manage databases, users, roles and privileges.

6.1. Privileges of the admin role

Query
SHOW ROLE admin PRIVILEGES
Table 6. Result
access    | action       | resource         | graph | segment           | role
"GRANTED" | "match"      | "all_properties" | "*"   | "NODE(*)"         | "admin"
"GRANTED" | "write"      | "graph"          | "*"   | "NODE(*)"         | "admin"
"GRANTED" | "match"      | "all_properties" | "*"   | "RELATIONSHIP(*)" | "admin"
"GRANTED" | "write"      | "graph"          | "*"   | "RELATIONSHIP(*)" | "admin"
"GRANTED" | "access"     | "database"       | "*"   | "database"        | "admin"
"GRANTED" | "admin"      | "database"       | "*"   | "database"        | "admin"
"GRANTED" | "constraint" | "database"       | "*"   | "database"        | "admin"
"GRANTED" | "index"      | "database"       | "*"   | "database"        | "admin"
"GRANTED" | "token"      | "database"       | "*"   | "database"        | "admin"

9 rows

6.2. How to recreate the admin role

To restore the role to its original capabilities, two steps are needed. First, if not already done, execute DROP ROLE admin. Second, run the following queries to set up the privileges:

Query
CREATE ROLE admin

0 rows, System updates: 1

Query
GRANT ALL DBMS PRIVILEGES
ON DBMS TO admin

0 rows, System updates: 1

Query
GRANT TRANSACTION MANAGEMENT
ON DATABASE * TO admin

0 rows, System updates: 1

Query
GRANT
START
ON DATABASE * TO admin

0 rows, System updates: 1

Query
GRANT STOP
ON DATABASE * TO admin

0 rows, System updates: 1

Query
GRANT
MATCH { * }
ON GRAPH * TO admin

0 rows, System updates: 2

Query
GRANT WRITE
ON GRAPH * TO admin

0 rows, System updates: 2

Query
GRANT ALL ON DATABASE * TO admin

0 rows, System updates: 1

The queries above are enough to grant most of the full admin capabilities. Note that the result of SHOW ROLE admin PRIVILEGES now looks slightly different from the privileges shown for the original built-in admin role. This does not make any functional difference.

Query
SHOW ROLE admin PRIVILEGES
Table 7. Result
access    | action                   | resource         | graph | segment           | role
"GRANTED" | "match"                  | "all_properties" | "*"   | "NODE(*)"         | "admin"
"GRANTED" | "write"                  | "graph"          | "*"   | "NODE(*)"         | "admin"
"GRANTED" | "match"                  | "all_properties" | "*"   | "RELATIONSHIP(*)" | "admin"
"GRANTED" | "write"                  | "graph"          | "*"   | "RELATIONSHIP(*)" | "admin"
"GRANTED" | "transaction_management" | "database"       | "*"   | "USER(*)"         | "admin"
"GRANTED" | "database_actions"       | "database"       | "*"   | "database"        | "admin"
"GRANTED" | "dbms_actions"           | "database"       | "*"   | "database"        | "admin"
"GRANTED" | "start_database"         | "database"       | "*"   | "database"        | "admin"
"GRANTED" | "stop_database"          | "database"       | "*"   | "database"        | "admin"

9 rows
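As an added example, not part of the Neo4j manual: a small Python check that compares what SHOW ROLE <name> PRIVILEGES returns with the default rows tabulated in the sections above, so privilege drift on a built-in role (an extra GRANT or DENY, a missing row) is visible before the role is rebuilt with the steps described. It assumes the official neo4j Python driver for the live query; the sample rows of a drifted reader role are constructed for illustration.

```python
# Added example (not Neo4j's own code): compare SHOW ROLE <name> PRIVILEGES rows
# with the defaults documented above. Row tuples are
# (access, action, resource, graph, segment); the role column is implied.
_GRAPH_READ = {("GRANTED", "match", "all_properties", "*", "NODE(*)"),
               ("GRANTED", "match", "all_properties", "*", "RELATIONSHIP(*)")}
_GRAPH_WRITE = {("GRANTED", "write", "graph", "*", "NODE(*)"),
                ("GRANTED", "write", "graph", "*", "RELATIONSHIP(*)")}

def _db(action, graph="*"):
    # A database-scoped row whose segment is "database", as in the tables above.
    return ("GRANTED", action, "database", graph, "database")

# Each role builds on the previous one, mirroring the role descriptions above.
READER = _GRAPH_READ | {_db("access")}
EDITOR = READER | _GRAPH_WRITE
PUBLISHER = EDITOR | {_db("token")}
ARCHITECT = PUBLISHER | {_db("constraint"), _db("index")}
ADMIN = ARCHITECT | {_db("admin")}
# Table 7: an admin recreated with the GRANT statements above shows these rows
# instead; the text says this is not a functional difference, so accept both.
ADMIN_RECREATED = _GRAPH_READ | _GRAPH_WRITE | {
    ("GRANTED", "transaction_management", "database", "*", "USER(*)"),
    _db("database_actions"), _db("dbms_actions"),
    _db("start_database"), _db("stop_database")}
BASELINES = {"PUBLIC": [{_db("access", "DEFAULT")}], "reader": [READER],
             "editor": [EDITOR], "publisher": [PUBLISHER],
             "architect": [ARCHITECT], "admin": [ADMIN, ADMIN_RECREATED]}

def privilege_drift(role, actual_rows):
    """Return (extra, missing) relative to the closest accepted baseline.
    A DENIED row is always 'extra': no built-in role carries one by default."""
    if role not in BASELINES:
        raise ValueError(f"not a built-in role: {role!r}")
    actual = set(actual_rows)
    expected = min(BASELINES[role], key=lambda b: len(b ^ actual))
    return actual - expected, expected - actual

def fetch_rows(driver, role):
    """Read the live rows via the official neo4j Python driver (assumed
    installed); the role name is validated before it is spliced into Cypher."""
    if role not in BASELINES:
        raise ValueError(f"not a built-in role: {role!r}")
    with driver.session(database="system") as session:
        return [(r["access"], r["action"], r["resource"], r["graph"], r["segment"])
                for r in session.run(f"SHOW ROLE {role} PRIVILEGES")]

# Constructed sample: a reader role that gained a DENY and lost database access.
SAMPLE_READER_ROWS = [
    ("GRANTED", "match", "all_properties", "*", "NODE(*)"),
    ("GRANTED", "match", "all_properties", "*", "RELATIONSHIP(*)"),
    ("DENIED", "write", "graph", "*", "NODE(*)"),
]
```

Anything reported as extra is what the PUBLIC section tells you to revoke before re-granting; anything missing is what the corresponding recreate steps grant back.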

Additional information about restoring the admin role can be found in the Operations Manual → Recover the admin role.