5.5.7. Built-in roles

This section explains the default privileges of the built-in roles in Neo4j and how to recreate them if needed.

All of the commands described in this chapter require that the user executing the commands has the rights to do so. The privileges listed in the following sections are the default set of privileges for each built-in role:

5.5.7.1. The PUBLIC role

All users are granted the PUBLIC role, and it cannot be revoked or dropped. By default, it gives access to the default database.

Privileges of the PUBLIC role

Query. 

SHOW ROLE PUBLIC PRIVILEGES

Table 5.76. Result

| access    | action   | resource   | graph     | segment    | role     |
|-----------|----------|------------|-----------|------------|----------|
| "GRANTED" | "access" | "database" | "DEFAULT" | "database" | "PUBLIC" |

1 row


How to recreate the PUBLIC role

The PUBLIC role cannot be dropped, so there is no need to recreate the role itself. To restore the role to its original capabilities, two steps are needed. First, revoke all GRANT or DENY privileges on this role (see the output of SHOW ROLE PUBLIC PRIVILEGES for what to revoke). Second, run the following query:

Query. 

GRANT ACCESS
ON DEFAULT DATABASE TO PUBLIC

0 rows, System updates: 1


The resulting PUBLIC role now has the same privileges as the original built-in PUBLIC role.

5.5.7.2. The reader role

The reader role can perform read-only queries on all graphs except for the system database.

Privileges of the reader role

Query. 

SHOW ROLE reader PRIVILEGES

Table 5.77. Result

| access    | action   | resource         | graph | segment           | role     |
|-----------|----------|------------------|-------|-------------------|----------|
| "GRANTED" | "match"  | "all_properties" | "*"   | "NODE(*)"         | "reader" |
| "GRANTED" | "match"  | "all_properties" | "*"   | "RELATIONSHIP(*)" | "reader" |
| "GRANTED" | "access" | "database"       | "*"   | "database"        | "reader" |

3 rows


How to recreate the reader role

To restore the role to its original capabilities, two steps are needed. First, if not already done, execute DROP ROLE reader. Second, run the following queries:

Query. 

CREATE ROLE reader

0 rows, System updates: 1


Query. 

GRANT ACCESS
ON DATABASE * TO reader

0 rows, System updates: 1


Query. 

GRANT
MATCH { * }
ON GRAPH * TO reader

0 rows, System updates: 2


The resulting reader role now has the same privileges as the original built-in reader role.

5.5.7.3. The editor role

The editor role can perform read and write operations on all graphs except for the system database, but cannot create new labels, property keys or relationship types.

Privileges of the editor role

Query. 

SHOW ROLE editor PRIVILEGES

Table 5.78. Result

| access    | action   | resource         | graph | segment           | role     |
|-----------|----------|------------------|-------|-------------------|----------|
| "GRANTED" | "match"  | "all_properties" | "*"   | "NODE(*)"         | "editor" |
| "GRANTED" | "write"  | "graph"          | "*"   | "NODE(*)"         | "editor" |
| "GRANTED" | "match"  | "all_properties" | "*"   | "RELATIONSHIP(*)" | "editor" |
| "GRANTED" | "write"  | "graph"          | "*"   | "RELATIONSHIP(*)" | "editor" |
| "GRANTED" | "access" | "database"       | "*"   | "database"        | "editor" |

5 rows


How to recreate the editor role

To restore the role to its original capabilities, two steps are needed. First, if not already done, execute DROP ROLE editor. Second, run the following queries:

Query. 

CREATE ROLE editor

0 rows, System updates: 1


Query. 

GRANT ACCESS
ON DATABASE * TO editor

0 rows, System updates: 1


Query. 

GRANT
MATCH { * }
ON GRAPH * TO editor

0 rows, System updates: 2


Query. 

GRANT WRITE
ON GRAPH * TO editor

0 rows, System updates: 2


The resulting editor role now has the same privileges as the original built-in editor role.

5.5.7.4. The publisher role

The publisher role can do the same as editor, but can also create new labels, property keys and relationship types.

Privileges of the publisher role

Query. 

SHOW ROLE publisher PRIVILEGES

Table 5.79. Result

| access    | action   | resource         | graph | segment           | role        |
|-----------|----------|------------------|-------|-------------------|-------------|
| "GRANTED" | "match"  | "all_properties" | "*"   | "NODE(*)"         | "publisher" |
| "GRANTED" | "write"  | "graph"          | "*"   | "NODE(*)"         | "publisher" |
| "GRANTED" | "match"  | "all_properties" | "*"   | "RELATIONSHIP(*)" | "publisher" |
| "GRANTED" | "write"  | "graph"          | "*"   | "RELATIONSHIP(*)" | "publisher" |
| "GRANTED" | "access" | "database"       | "*"   | "database"        | "publisher" |
| "GRANTED" | "token"  | "database"       | "*"   | "database"        | "publisher" |

6 rows


How to recreate the publisher role

To restore the role to its original capabilities, two steps are needed. First, if not already done, execute DROP ROLE publisher. Second, run the following queries:

Query. 

CREATE ROLE publisher

0 rows, System updates: 1


Query. 

GRANT ACCESS
ON DATABASE * TO publisher

0 rows, System updates: 1


Query. 

GRANT
MATCH { * }
ON GRAPH * TO publisher

0 rows, System updates: 2


Query. 

GRANT WRITE
ON GRAPH * TO publisher

0 rows, System updates: 2


Query. 

GRANT NAME MANAGEMENT
ON DATABASE * TO publisher

0 rows, System updates: 1


The resulting publisher role now has the same privileges as the original built-in publisher role.

5.5.7.5. The architect role

The architect role can do the same as the publisher, as well as create and manage indexes and constraints.

Privileges of the architect role

Query. 

SHOW ROLE architect PRIVILEGES

Table 5.80. Result

| access    | action       | resource         | graph | segment           | role        |
|-----------|--------------|------------------|-------|-------------------|-------------|
| "GRANTED" | "match"      | "all_properties" | "*"   | "NODE(*)"         | "architect" |
| "GRANTED" | "write"      | "graph"          | "*"   | "NODE(*)"         | "architect" |
| "GRANTED" | "match"      | "all_properties" | "*"   | "RELATIONSHIP(*)" | "architect" |
| "GRANTED" | "write"      | "graph"          | "*"   | "RELATIONSHIP(*)" | "architect" |
| "GRANTED" | "access"     | "database"       | "*"   | "database"        | "architect" |
| "GRANTED" | "constraint" | "database"       | "*"   | "database"        | "architect" |
| "GRANTED" | "index"      | "database"       | "*"   | "database"        | "architect" |
| "GRANTED" | "token"      | "database"       | "*"   | "database"        | "architect" |

8 rows


How to recreate the architect role

To restore the role to its original capabilities, two steps are needed. First, if not already done, execute DROP ROLE architect. Second, run the following queries:

Query. 

CREATE ROLE architect

0 rows, System updates: 1


Query. 

GRANT ACCESS
ON DATABASE * TO architect

0 rows, System updates: 1


Query. 

GRANT
MATCH { * }
ON GRAPH * TO architect

0 rows, System updates: 2


Query. 

GRANT WRITE
ON GRAPH * TO architect

0 rows, System updates: 2


Query. 

GRANT NAME MANAGEMENT
ON DATABASE * TO architect

0 rows, System updates: 1


Query. 

GRANT INDEX MANAGEMENT
ON DATABASE * TO architect

0 rows, System updates: 1


Query. 

GRANT CONSTRAINT MANAGEMENT
ON DATABASE * TO architect

0 rows, System updates: 1


The resulting architect role now has the same privileges as the original built-in architect role.

5.5.7.6. The admin role

The admin role can do the same as the architect, as well as manage databases, users, roles and privileges.

Privileges of the admin role

Query. 

SHOW ROLE admin PRIVILEGES

Table 5.81. Result

| access    | action       | resource         | graph | segment           | role    |
|-----------|--------------|------------------|-------|-------------------|---------|
| "GRANTED" | "match"      | "all_properties" | "*"   | "NODE(*)"         | "admin" |
| "GRANTED" | "write"      | "graph"          | "*"   | "NODE(*)"         | "admin" |
| "GRANTED" | "match"      | "all_properties" | "*"   | "RELATIONSHIP(*)" | "admin" |
| "GRANTED" | "write"      | "graph"          | "*"   | "RELATIONSHIP(*)" | "admin" |
| "GRANTED" | "access"     | "database"       | "*"   | "database"        | "admin" |
| "GRANTED" | "admin"      | "database"       | "*"   | "database"        | "admin" |
| "GRANTED" | "constraint" | "database"       | "*"   | "database"        | "admin" |
| "GRANTED" | "index"      | "database"       | "*"   | "database"        | "admin" |
| "GRANTED" | "token"      | "database"       | "*"   | "database"        | "admin" |

9 rows


How to recreate the admin role

In Neo4j 4.1.1 it is not possible to fully recreate a dropped admin role. Specifically, the ability to run procedures with the @Admin annotation, such as dbms.listConfig, cannot be restored. Because of that, dropping the admin role is strongly discouraged.

To restore the role to its original capabilities (minus the ability to run admin procedures), two steps are needed. First, if not already done, execute DROP ROLE admin. Second, run the following queries to set up the privileges:

Query. 

CREATE ROLE admin

0 rows, System updates: 1


Query. 

GRANT ALL DBMS PRIVILEGES
ON DBMS TO admin

0 rows, System updates: 1


Query. 

GRANT TRANSACTION MANAGEMENT
ON DATABASE * TO admin

0 rows, System updates: 1


Query. 

GRANT START
ON DATABASE * TO admin

0 rows, System updates: 1


Query. 

GRANT STOP
ON DATABASE * TO admin

0 rows, System updates: 1


Query. 

GRANT
MATCH { * }
ON GRAPH * TO admin

0 rows, System updates: 2


Query. 

GRANT WRITE
ON GRAPH * TO admin

0 rows, System updates: 2


Query. 

GRANT ALL ON DATABASE * TO admin

0 rows, System updates: 1


The queries above grant most of the full admin capabilities. Note that the result of SHOW ROLE admin PRIVILEGES now differs slightly from the privileges shown for the original built-in admin role; this makes no functional difference.

Query. 

SHOW ROLE admin PRIVILEGES

Table 5.82. Result

| access    | action                   | resource         | graph | segment           | role    |
|-----------|--------------------------|------------------|-------|-------------------|---------|
| "GRANTED" | "match"                  | "all_properties" | "*"   | "NODE(*)"         | "admin" |
| "GRANTED" | "write"                  | "graph"          | "*"   | "NODE(*)"         | "admin" |
| "GRANTED" | "match"                  | "all_properties" | "*"   | "RELATIONSHIP(*)" | "admin" |
| "GRANTED" | "write"                  | "graph"          | "*"   | "RELATIONSHIP(*)" | "admin" |
| "GRANTED" | "transaction_management" | "database"       | "*"   | "USER(*)"         | "admin" |
| "GRANTED" | "database_actions"       | "database"       | "*"   | "database"        | "admin" |
| "GRANTED" | "dbms_actions"           | "database"       | "*"   | "database"        | "admin" |
| "GRANTED" | "start_database"         | "database"       | "*"   | "database"        | "admin" |
| "GRANTED" | "stop_database"          | "database"       | "*"   | "database"        | "admin" |

9 rows


Additional information about restoring the admin role can be found in the Operations Manual → Recover the admin role.