5.5.4. Read privileges

This section explains how to use Cypher to manage read privileges on graphs.

There are three separate read privileges: TRAVERSE, READ and MATCH.

5.5.4.1. The TRAVERSE privilege

Users can be granted the right to find nodes and relationships using the GRANT TRAVERSE privilege.

Command syntax. 

GRANT TRAVERSE
    ON GRAPH[S] {name [, ...] | *}
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO role [, ...]

For example, we can enable the user jake, who has the role regularUsers, to find all nodes with the label Post.

Query. 

GRANT TRAVERSE
ON GRAPH neo4j NODES Post TO regularUsers

0 rows, System updates: 1

Setup used by the live example, followed by the query:

CREATE USER jake SET PASSWORD 'abc123' CHANGE NOT REQUIRED SET STATUS ACTIVE
CREATE ROLE regularUsers
GRANT ROLE regularUsers TO jake
GRANT ACCESS ON DATABASE neo4j TO regularUsers
GRANT TRAVERSE ON GRAPH neo4j NODES Post TO regularUsers

The TRAVERSE privilege can also be denied.

Command syntax. 

DENY TRAVERSE
    ON GRAPH[S] {name [, ...] | *}
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO role [, ...]

For example, we can prevent the user jake, who has the role regularUsers, from finding any nodes with the label Payments.

Query. 

DENY TRAVERSE
ON GRAPH neo4j NODES Payments TO regularUsers

0 rows, System updates: 1


5.5.4.2. The READ privilege

Users can be granted the right to read properties on nodes and relationships using the GRANT READ privilege. It is very important to note that users can only read properties on entities that they are able to find in the first place.

Command syntax. 

GRANT READ
    "{" { * | properties } "}"
    ON GRAPH[S] {name [, ...] | *}
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO role [, ...]

For example, we can enable the user jake, who has the role regularUsers, to read all properties on nodes with the label Post. The * means that the ability to read all properties also extends to properties that might be added in the future.

Query. 

GRANT READ { * }
ON GRAPH neo4j NODES Post TO regularUsers

0 rows, System updates: 1


Granting property READ access does not imply that the entities with that property can be found. For example, if there is also a DENY TRAVERSE present on the same entity as a GRANT READ, the entity will not be found by a Cypher MATCH statement.
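The following cypher-shell session is an added example, not part of the manual, showing the rule just stated: READ alone does not make nodes findable, and a DENY TRAVERSE wins over a GRANT READ. It assumes the user jake and the role regularUsers (with ACCESS on neo4j) from the setup above already exist, and the node data is constructed here.

```cypher
// Added example: run as an administrator; graph privileges need Enterprise Edition.
// Constructed sample data in the neo4j database.
:use neo4j
CREATE (:Post {title: 'hello', secret: 'constructed-value'}),
       (:Payments {amount: 42});

// Privilege administration happens on the system database.
:use system
// READ on both labels, but TRAVERSE on neither.
GRANT READ { * } ON GRAPH neo4j NODES Post, Payments TO regularUsers;
// An explicit deny of traversal on Payments; this takes precedence over
// any TRAVERSE that might later be granted to the role.
DENY TRAVERSE ON GRAPH neo4j NODES Payments TO regularUsers;

// Audit the effective privileges before the account is used.
SHOW ROLE regularUsers PRIVILEGES;

// Now logged in as jake, against the neo4j database:
:use neo4j
// Post nodes are not findable yet: READ alone grants no TRAVERSE.
MATCH (p:Post) RETURN p.title;
// Payments nodes are not findable either, and stay hidden because of the DENY.
MATCH (p:Payments) RETURN p.amount;

// Back as the administrator: make Post findable by adding TRAVERSE.
:use system
GRANT TRAVERSE ON GRAPH neo4j NODES Post TO regularUsers;
// Only after this grant can jake's MATCH (p:Post) return rows; the
// DENY TRAVERSE on Payments still keeps those nodes out of reach.
```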

The READ privilege can also be denied.

Command syntax. 

DENY READ
    "{" { * | properties } "}"
    ON GRAPH[S] {name [, ...] | *}
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO role [, ...]

Although we just granted the user 'jake' the right to read all properties, we may want to hide the secret property. The following example shows how to do that.

Query. 

DENY READ { secret }
ON GRAPH neo4j NODES Post TO regularUsers

0 rows, System updates: 1


5.5.4.3. The MATCH privilege

Users can be granted the right to find, and to read properties on, nodes and relationships using the GRANT MATCH privilege. This is semantically the same as having both the TRAVERSE and READ privileges.

Command syntax. 

GRANT MATCH
    "{" { * | properties } "}"
    ON GRAPH[S] {name [, ...] | *}
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO role [, ...]

For example, if you want to grant the role regularUsers the ability to find nodes with the label Message and to read their properties language and length, you can use the following GRANT MATCH query.

Query. 

GRANT
MATCH { language, length }
ON GRAPH neo4j NODES Message TO regularUsers

0 rows, System updates: 2


Like all other privileges, the MATCH privilege can also be denied.

Command syntax. 

DENY MATCH
    "{" { * | properties } "}"
    ON GRAPH[S] {name [, ...] | *}
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO role [, ...]

Please note that the effect of denying a MATCH privilege depends on whether concrete property keys or * are specified. With concrete property keys, DENY MATCH only denies reading those properties; the elements can still be found and traversed. With *, both traversal of the element and all property reads are disabled. The following queries show both cases.

Denying the role regularUsers the ability to read the property content on nodes with the label Message looks like the following query. Although the role can no longer read this specific property, nodes with that label can still be traversed (and, depending on other grants, other properties on them can still be read).

Query. 

DENY
MATCH { content }
ON GRAPH neo4j NODES Message TO regularUsers

0 rows, System updates: 1


The following query shows how to deny both reading all properties of, and traversing, nodes labeled Account.

Query. 

DENY
MATCH { * }
ON GRAPH neo4j NODES Account TO regularUsers

0 rows, System updates: 1

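The following cypher-shell session is an added example, not part of the manual, that puts the two DENY MATCH forms side by side and shows how to audit the result. It assumes the user jake and the role regularUsers (with ACCESS on neo4j) from the setup above already exist; the node data is constructed here.

```cypher
// Added example: run as an administrator; graph privileges need Enterprise Edition.
// Constructed sample data in the neo4j database.
:use neo4j
CREATE (:Message {content: 'ping', language: 'en', length: 4}),
       (:Account {owner: 'jake', balance: 10});

:use system
// Start from full find-and-read access on both labels.
GRANT MATCH { * } ON GRAPH neo4j NODES Message, Account TO regularUsers;

// Property-level deny: only the property 'content' is hidden.
// Message nodes stay findable, and language/length stay readable.
DENY MATCH { content } ON GRAPH neo4j NODES Message TO regularUsers;

// Wildcard deny: removes traversal as well as every property read,
// so Account nodes disappear for this role entirely.
DENY MATCH { * } ON GRAPH neo4j NODES Account TO regularUsers;

// Audit both the role and the user: the user view includes denies
// inherited through every role the user holds.
SHOW ROLE regularUsers PRIVILEGES;
SHOW USER jake PRIVILEGES;

// Logged in as jake, against the neo4j database:
:use neo4j
// Message nodes are found; content is denied, language and length are not.
MATCH (m:Message) RETURN m.content, m.language, m.length;
// Account nodes cannot be found at all because of DENY MATCH { * }.
MATCH (a:Account) RETURN a.owner;

// Administrator clean-up: a deny is lifted with REVOKE DENY, not with GRANT.
:use system
REVOKE DENY MATCH { content } ON GRAPH neo4j NODES Message FROM regularUsers;
```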