Manage users

Users can be created and managed using a set of Cypher administration commands executed against the system database. When connected to the DBMS over bolt, administration commands are automatically routed to the system database.

User states

There are two types of user states in the system database:

ACTIVE state: (default for new users) Users can log into Neo4j and perform queries according to their privileges.

SUSPENDED state Enterprise Edition

Native users who authenticate and authorize against the system graph cannot log into Neo4j. If suspended while using Neo4j, they lose all assigned roles with their privileges, including the PUBLIC role, until reactivated.
Users who authenticate and authorize against an external ID provider (e.g., LDAP) can still log in. If suspended while using Neo4j, they retain the roles and the privileges assigned by the external provider, including the PUBLIC role. To prevent any of these, you need to use the mechanisms of their identity provider.

User management command syntax

For more details about the syntax descriptions, see Cypher syntax for administration commands.

Command

SHOW CURRENT USER

Syntax

SHOW CURRENT USER
  [YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]

Description

Lists the current user.

When using the RETURN clause, the YIELD clause is mandatory and must not be omitted.

For more information, see Listing current user.

Required privilege

None

Command

SHOW USERS

Syntax

SHOW USER[S]
  [WITH AUTH]
  [YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]

Description

Lists all users.

When using the RETURN clause, the YIELD clause is mandatory and must not be omitted.

For more information, see Listing users.

Required privilege

GRANT SHOW USER

For more information, see DBMS USER MANAGEMENT privileges.

Command

SHOW USER PRIVILEGES

Syntax

SHOW USER[S] [name[, ...]] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  [YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]

Description

Lists the privileges granted to the specified users or the current user if no user is specified.

When using the RETURN clause, the YIELD clause is mandatory and must not be omitted.

The SHOW USER name PRIVILEGES command is described in Listing privileges.

Required privilege

GRANT SHOW PRIVILEGE

For more information, see DBMS PRIVILEGE MANAGEMENT privileges.

GRANT SHOW USER

For more information, see DBMS USER MANAGEMENT privileges.

Command

CREATE USER

Syntax

CREATE USER name [IF NOT EXISTS]
  [SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password']
  [[SET PASSWORD] CHANGE [NOT] REQUIRED]
  [SET STATUS {ACTIVE | SUSPENDED}]
  [SET HOME DATABASE name]
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]... # Introduced in Neo4j 5.24

<key><value> pairs for the SET AUTH clause could include:

SET AUTH [PROVIDER] 'provider' "{"
    {
        SET ID 'id' # a unique identifier of the user in an external system
        | SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password' # only applicable to the 'native' provider
        | SET PASSWORD CHANGE [NOT] REQUIRED # only applicable to the 'native' provider
    }
"}"

Description

Creates a new user.

It is mandatory to specify a SET PASSWORD and/or at least one SET AUTH clause because users must have at least one auth provider.

For more information, see Creating users.

Required privilege

GRANT CREATE USER

For more information, see DBMS USER MANAGEMENT privileges.

Command

CREATE OR REPLACE USER

Syntax

CREATE OR REPLACE USER name
  [SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password']
  [[SET PASSWORD] CHANGE [NOT] REQUIRED]
  [SET STATUS {ACTIVE | SUSPENDED}]
  [SET HOME DATABASE name]
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]... # Introduced in Neo4j 5.24

<key><value> pairs for the SET AUTH clause could include:

SET AUTH [PROVIDER] 'provider' "{"
    {
        SET ID 'id' # a unique identifier of the user in an external system
        | SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password' # only applicable to the 'native' provider
        | SET PASSWORD CHANGE [NOT] REQUIRED # only applicable to the 'native' provider
    }
"}"

Description

Creates a new user, or if a user with the same name exists, replace it.

It is mandatory to specify a SET PASSWORD and/or at least one SET AUTH clause because users must have at least one auth provider.

For more information, see Creating users.

Required privilege

GRANT CREATE USER

For more information, see DBMS USER MANAGEMENT privileges.

GRANT DROP USER

For more information, see DBMS USER MANAGEMENT privileges.

Command

RENAME USER

Syntax

RENAME USER name [IF EXISTS] TO otherName

Description

Changes the name of a user.

For more information, see Renaming users.

Required privilege

GRANT RENAME USER

For more information, see DBMS USER MANAGEMENT privileges.

Command

ALTER USER

Syntax

ALTER USER name [IF EXISTS]
  [REMOVE HOME DATABASE]
  [REMOVE { AUTH [PROVIDER[S]] provider[, ...] | ALL AUTH [PROVIDER[S]] }]...
  [SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password']
  [[SET PASSWORD] CHANGE [NOT] REQUIRED]
  [SET STATUS {ACTIVE | SUSPENDED} ]
  [SET HOME DATABASE name]
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]... # Introduced in Neo4j 5.24

<key><value> pairs for the SET AUTH clause could include:

SET AUTH [PROVIDER] 'provider' "{"
    {
        SET ID 'id' # a unique identifier of the user in an external system
        | SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password' # PASSWORD clauses are only applicable to the 'native' provider
        | SET PASSWORD CHANGE [NOT] REQUIRED # PASSWORD clauses are only applicable to the 'native' provider
    }
"}"

Description

Modifies the settings for an existing user.

At least one SET or REMOVE clause is required.
Any REMOVE clause(s) must appear before the first SET clause.

For more information, see Modifying users.

Required privilege

GRANT SET PASSWORD

GRANT SET USER STATUS

GRANT SET USER HOME DATABASE

GRANT SET AUTH

For more information, see DBMS USER MANAGEMENT privileges.

Command

ALTER CURRENT USER SET PASSWORD

Syntax

ALTER CURRENT USER SET PASSWORD FROM 'oldPassword' TO 'newPassword'

Description

Changes the current user’s password.

For more information, see Changing the current user’s password.

Required privilege

None

Command

DROP USER

Syntax

DROP USER name [IF EXISTS]

Description

Removes an existing user.

For more information, see Delete users.

Required privilege

GRANT DROP USER

For more information, see DBMS USER MANAGEMENT privileges.

The SHOW USER[S] PRIVILEGES command is described in Listing privileges.

Listing current user

You can view the currently logged-in user using the Cypher command SHOW CURRENT USER. It produces a table with the following columns:

Column Description Type Community Edition Enterprise Edition

Column	Description	Type
user	User name	`STRING`
roles	Roles granted to the user. It returns `null` in Community edition.	`LIST OF STRING`
passwordChangeRequired	If `true`, the user must change their password at the next login. This is `null` if the user has `native` auth disabled.	`BOOLEAN`
suspended	If `true`, the user is currently suspended. It returns `null` in Community edition.	`BOOLEAN`
home	The home database configured by the user, or `null` if no home database has been configured. If this database is unavailable and the user does not specify a database to use, they will not be able to log in. It returns `null` in Community edition.	`STRING`

user

User name

STRING

roles

Roles granted to the user.

It returns null in Community edition.

LIST OF STRING

passwordChangeRequired

If true, the user must change their password at the next login. This is null if the user has native auth disabled.

BOOLEAN

suspended

If true, the user is currently suspended.

It returns null in Community edition.

BOOLEAN

home

The home database configured by the user, or null if no home database has been configured. If this database is unavailable and the user does not specify a database to use, they will not be able to log in.

It returns null in Community edition.

STRING

SHOW CURRENT USER

Table 1. Result
user	roles	passwordChangeRequired	suspended	home
`"jake"`	`["PUBLIC"]`	`false`	`false`	`<null>`
Rows: 1

This command is only supported for a logged-in user and returns an empty result if authorization has been disabled.

Listing users

You can list all available users using the Cypher command SHOW USERS. It produces a table containing a single row per user with the following columns:

Column Description Type Community Edition Enterprise Edition

Column	Description	Type
user	User name	`STRING`
roles	Native roles granted to the user using the `GRANT ROLE` command. The set of roles a user receives in practice may differ from those in this column. It depends on DMBS configuration and the user’s auth providers. For example, if they use external (e.g. LDAP or OIDC) auth, or if `native` is not listed in the `dbms.security.authorization_providers` configuration setting. It returns `null` in Community edition.	`LIST OF STRING`
passwordChangeRequired	If `true`, the user must change their password at the next login. This is `null` if the user has `native` auth disabled.	`BOOLEAN`
suspended	If `true`, the user is currently suspended. It returns `null` in Community edition.	`BOOLEAN`
home	The home database configured for the user, otherwise `null`. A home database is resolved if it is pointing to a database or a database alias. If the configured home database is unavailable and the user does not specify another database, the login will fail. It returns `null` in Community edition.	`STRING`

user

User name

STRING

roles

Native roles granted to the user using the GRANT ROLE command.

The set of roles a user receives in practice may differ from those in this column. It depends on DMBS configuration and the user’s auth providers.

For example, if they use external (e.g. LDAP or OIDC) auth, or if native is not listed in the dbms.security.authorization_providers configuration setting.

It returns null in Community edition.

LIST OF STRING

passwordChangeRequired

If true, the user must change their password at the next login. This is null if the user has native auth disabled.

BOOLEAN

suspended

If true, the user is currently suspended.

It returns null in Community edition.

BOOLEAN

home

The home database configured for the user, otherwise null. A home database is resolved if it is pointing to a database or a database alias. If the configured home database is unavailable and the user does not specify another database, the login will fail.

It returns null in Community edition.

STRING

When first starting a Neo4j DBMS, there is always a single default user neo4j with administrative privileges. It is possible to set the initial password using neo4j-admin dbms set-initial-password <password>, otherwise you must change the password after the first login.

Example 1. Show users

SHOW USERS

Table 2. Result
user	roles	passwordChangeRequired	suspended	home
`"neo4j"`	`["admin","PUBLIC"]`	`false`	`false`	`<null>`
`"jake"`	`["PUBLIC"]`	`false`	`false`	`<null>`
Rows: 2

Example 2. Show user with column reorder and filtering

This example shows how to:

Reorder the columns using a YIELD clause.
Filter the results using a WHERE clause.

SHOW USER YIELD user, suspended, passwordChangeRequired, roles, home
WHERE user = 'jake'

Table 3. Result
user	suspended	passwordChangeRequired	roles	home
`"jake"`	`false`	`false`	`["PUBLIC"]`	`<null>`
Rows: 1

Example 3. Show user with RETURN clause

It is possible to add a RETURN clause to further manipulate the results after filtering. In this example, the RETURN clause is used to filter out the roles column and rename the user column to adminUser.

SHOW USERS YIELD roles, user
WHERE 'admin' IN roles
RETURN user AS adminUser

Table 4. Result
adminUser
`"neo4j"`
Rows: 1

Listing user auth providers

To inspect users' auth providers, use SHOW USERS WITH AUTH. The command produces a row per user per auth provider and yields the following two columns in addition to those output by SHOW USERS:

Column Description Type Community Edition Enterprise Edition

Column	Description	Type	Community Edition	Enterprise Edition
provider	The name of the auth provider.	`STRING`
auth	A map containing configuration for the user. For example, dn of the user for an `ldap` auth provider, the unique external identifier for an `oidc` auth provider, or password status for a `native` auth provider.	`MAP`

provider

The name of the auth provider.

STRING

auth

A map containing configuration for the user. For example, dn of the user for an ldap auth provider, the unique external identifier for an oidc auth provider, or password status for a native auth provider.

MAP

Example 4. Show users with auth

SHOW USERS WITH AUTH

Table 5. Result
user	roles	passwordChangeRequired	suspended	home	provider	auth
`"neo4j"`	`["admin","PUBLIC"]`	`false`	`false`	`<null>`	`"native"`	`{ "password": "***", "changeRequired": false }`
`"jack"`	`["PUBLIC"]`	`false`	`false`	`<null>`	`"native"`	`{ "password": "***", "changeRequired": false }`
`"jack"`	`["PUBLIC"]`	`false`	`false`	`<null>`	`"oidc1"`	`{ "id": "jacksIdForOidc1" }`
Rows: 3

Example 5. Show user with auth using filtering

Show all users with the oidc auth provider.

SHOW USERS WITH AUTH
WHERE provider = 'oidc1'

Table 6. Result
user	roles	passwordChangeRequired	suspended	home	provider	auth
`"jack"`	`["PUBLIC"]`	`false`	`false`	`<null>`	`"oidc1"`	`{ "id": "jacksIdForOidc1" }`
Rows: 1

Creating users

You can create users using one of the following Cypher commands, depending on whether you want to create a new user or replace an existing one. In both cases, you can specify the user’s password, whether they must change it at the next login, their status, home database, and auth provider settings. The SET clauses can be applied in any order. It is mandatory to specify a SET PASSWORD and/or at least one SET AUTH clause because users must have at least one auth provider. SET AUTH is available from Neo4j 5.24 onwards.

CREATE USER syntax

CREATE USER name [IF NOT EXISTS] (1)
  [SET [PLAINTEXT \| ENCRYPTED] PASSWORD 'password'] (2)
  [[SET PASSWORD] CHANGE [NOT] REQUIRED] (3)
  [SET STATUS {ACTIVE \| SUSPENDED}] (4)
  [SET HOME DATABASE name] (5)
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]... (6)

CREATE OR REPLACE USER syntax

CREATE OR REPLACE USER name (1)
  [SET [PLAINTEXT \| ENCRYPTED] PASSWORD 'password'] (2)
  [[SET PASSWORD] CHANGE [NOT] REQUIRED] (3)
  [SET STATUS {ACTIVE \| SUSPENDED}] (4)
  [SET HOME DATABASE name] (5)
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]... (6)

Where:

1	Specifies the command to create a user.
2	Specifies the password for the user. The `'password'` can either be a string value or a string parameter with default value length of at least 8 characters. The `PLAINTEXT` and `ENCRYPTED` keywords are optional and can be used to specify the format of the password, i.e. whether Neo4j needs to hash it or it has already been hashed. By default, all passwords are encrypted (hashed) when stored in the Neo4j `system` database. The optional `PLAINTEXT` in `SET PLAINTEXT PASSWORD` has the same behavior as `SET PASSWORD`. The optional `ENCRYPTED` is used to recreate an existing user when the plaintext password is unknown, but the encrypted password is available in the data/scripts/databasename/restore_metadata.cypher file of a database backup. See Restore users and roles metadata. With `ENCRYPTED`, the password string is expected to be in the format of `<encryption-version>,<hash>,<salt>`, where, for example: `0` is the first version and refers to the `SHA-256` cryptographic hash function with iterations `1`. `1` is the second version and refers to the `SHA-256` cryptographic hash function with iterations `1024`.
3	Specifies whether the user must change their password at the next login. If the optional `SET PASSWORD CHANGE [NOT] REQUIRED` is omitted but a password is given, the default is `CHANGE REQUIRED`. The `SET PASSWORD` prefix of the `CHANGE [NOT] REQUIRED` clause is only optional if it directly follows the `SET PASSWORD 'password'` clause and is not part of a `SET AUTH` clause.
4	Specifies the user’s status. If not set, the default is `ACTIVE`.
5	Specifies a home database for a user. A home database is resolved if it is pointing to a database or a database alias. If no home database is set, the DBMS default database is used as the home database for that user.
6	Introduced in 5.24 One or more `SET AUTH` clause can be used to configure external auth providers, such as LDAP or OIDC, which define authentication/authorization providers for that user. `SET AUTH` can also be used as an alternative way to set the native (password-based) auth settings like `SET PASSWORD` and `SET PASSWORD CHANGE REQUIRED`. For further informations, see the examples in this section, as well as Configure SSO at the user level using auth providers for OIDC, and Configure authentication/authorization at the user level using auth providers for LDAP. `SET AUTH [PROVIDER] 'provider' "{" { SET ID 'id' # a unique identifier of the user in an external system. \\| SET [PLAINTEXT \\| ENCRYPTED] PASSWORD 'password' # only applicable to the 'native' provider. \\| SET PASSWORD CHANGE [NOT] REQUIRED # only applicable to the 'native' provider. } "}"`

Usernames are case sensitive. The created user will appear on the list provided by SHOW USERS.

In Neo4j Community Edition there are no roles, but all users have implied administrator privileges.
In Neo4j Enterprise Edition all users are automatically assigned the PUBLIC role, giving them a base set of privileges.

Example 6. Create user

For example, you can create the user jake in a suspended state, with the home database anotherDb, and the requirement to change the password by using the command:

CREATE USER jake
SET PASSWORD 'abcd1234' CHANGE REQUIRED
SET STATUS SUSPENDED
SET HOME DATABASE anotherDb

The equivalent command using the auth providers syntax would be:

CREATE USER jake
SET STATUS SUSPENDED
SET HOME DATABASE anotherDb
SET AUTH 'native' {SET PASSWORD 'abcd1234' SET PASSWORD CHANGE REQUIRED}

Example 7. Create user with an encrypted password

Or you can create the user Jake in an active state, with an encrypted password (taken from the data/scripts/databasename/restore_metadata.cypher of a database backup), and the requirement to not change the password by running:

CREATE USER Jake
SET ENCRYPTED PASSWORD '1,6d57a5e0b3317055454e455f96c98c750c77fb371f3f0634a1b8ff2a55c5b825,190ae47c661e0668a0c8be8a21ff78a4a34cdf918cae3c407e907b73932bd16c' CHANGE NOT REQUIRED
SET STATUS ACTIVE

The equivalent command using the auth providers syntax would be: .

CREATE USER jake
SET STATUS ACTIVE
SET AUTH 'native' {
  SET ENCRYPTED PASSWORD '1,6d57a5e0b3317055454e455f96c98c750c77fb371f3f0634a1b8ff2a55c5b825,190ae47c661e0668a0c8be8a21ff78a4a34cdf918cae3c407e907b73932bd16c'
  SET PASSWORD CHANGE NOT REQUIRED
}

The SET STATUS {ACTIVE | SUSPENDED}, SET HOME DATABASE parts of the commands are only available in Neo4j Enterprise Edition. The SET AUTH clause for external providers is only available in Neo4j Enterprise Edition. However, SET AUTH 'native' can be used in Neo4j Community Edition.

The CREATE USER command is optionally idempotent, with the default behavior to throw an exception if the user already exists. Appending IF NOT EXISTS to the CREATE USER command will ensure that no exception is thrown and nothing happens should the user already exist.

Example 8. Create user if not exists

CREATE USER jake IF NOT EXISTS
SET PLAINTEXT PASSWORD 'abcd1234'

The equivalent command using the auth providers syntax would be:

CREATE USER jake IF NOT EXISTS
SET AUTH 'native' {SET PLAINTEXT PASSWORD 'abcd1234'}

The CREATE OR REPLACE USER command will result in any existing user being deleted and a new one created.

Example 9. Create or replace user

CREATE OR REPLACE USER jake
SET PLAINTEXT PASSWORD 'abcd1234'

This is equivalent to running DROP USER jake IF EXISTS followed by CREATE USER jake SET PASSWORD 'abcd1234'.

The equivalent command using the auth providers syntax would be:

CREATE OR REPLACE USER jake
SET AUTH 'native' {SET PLAINTEXT PASSWORD 'abcd1234'}

The CREATE OR REPLACE USER command does not allow the use of IF NOT EXISTS.

Renaming users

Users can be renamed with the RENAME USER command.

RENAME USER jake TO bob

To verify the change, you can use the SHOW USERS command:

SHOW USERS

Table 7. Result
user	roles	passwordChangeRequired	suspended	home
`"bob"`	`["PUBLIC"]`	`true`	`false`	`<null>`
`"neo4j"`	`["admin","PUBLIC"]`	`true`	`false`	`<null>`
Rows: 2

The RENAME USER command is only available when using native authentication and authorization.

Modifying users

You can modify users with the ALTER USER command. The command allows you to change the user’s password, status, home database, and auth provider settings. The SET and REMOVE clauses can be applied in any order. However, all REMOVE clauses must come before the first SET clause and at least one SET or REMOVE clause is required for the command. If any of the SET or REMOVE clauses are omitted, the corresponding settings will not be changed.

ALTER USER name [IF EXISTS] (1)
  [REMOVE HOME DATABASE] (2)
  [REMOVE { AUTH [PROVIDER[S]] provider[, ...] \| ALL AUTH [PROVIDER[S]] }]... (3)
  [SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password'] (4)
  [[SET PASSWORD] CHANGE [NOT] REQUIRED] (5)
  [SET STATUS {ACTIVE | SUSPENDED}] (6)
  [SET HOME DATABASE name] (7)
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]... (8)

Where:

1	Specifies the command to alter a user.
2	Removes the home database for the user. As a result, the DBMS default database will be used as the home database for that user.
3	Introduced in 5.24 Removes one, several, or all existing auth provider(s) from a user. However, a user must always have at least one auth provider. Therefore, `REMOVE ALL AUTH` must be used in conjunction with at least one `SET AUTH` clause in order to meet this requirement.
4	Specifies the password for the user. The `'password'` can either be a string value or a string parameter with default value length of at least 8 characters. The `PLAINTEXT` and `ENCRYPTED` keywords are optional and can be used to specify the format of the password, i.e. whether Neo4j needs to hash it or it has already been hashed. By default, all passwords are encrypted (hashed) when stored in the Neo4j `system` database. The optional `PLAINTEXT` in `SET PLAINTEXT PASSWORD` has the same behavior as `SET PASSWORD`. The optional `ENCRYPTED` is used to recreate an existing user when the plaintext password is unknown, but the encrypted password is available in the data/scripts/databasename/restore_metadata.cypher file of a database backup. See Restore users and roles metadata. With `ENCRYPTED`, the password string is expected to be in the format of `<encryption-version>,<hash>,<salt>`, where, for example: `0` is the first version and refers to the `SHA-256` cryptographic hash function with iterations `1`. `1` is the second version and refers to the `SHA-256` cryptographic hash function with iterations `1024`.
5	Specifies whether the user must change their password at the next login. If the optional `SET PASSWORD CHANGE [NOT] REQUIRED` is omitted when adding native auth to a user (either by first removing pre-existing native auth or if the user does not have native auth to start with), the default is `CHANGE REQUIRED`. The `SET PASSWORD` prefix of the `CHANGE [NOT] REQUIRED` clause is only optional if it directly follows the `SET PASSWORD 'password'` clause and is not part of a `SET AUTH` clause.
6	Specifies the user’s status.
7	Specifies a home database for a user. A home database is resolved if it is pointing to a database or a database alias. If no home database is set, the DBMS default database is used as the home database for that user.
8	Introduced in 5.24 One or more `SET AUTH` clauses can be used to set auth providers, which define authentication / authorization providers for that user. This might be used to configure external auth providers like LDAP or OIDC, but can also be used as an alternative way to set the native (password-based) auth settings like `SET PASSWORD` and `SET PASSWORD CHANGE REQUIRED`. For further informations, see the examples in this section, as well as Configure SSO at the user level using auth providers, and Configure authentication/authorization at the user level using auth providers. `SET AUTH [PROVIDER] 'provider' "{" { SET ID 'id' # a unique identifier of the user in an external system \\| SET [PLAINTEXT \\| ENCRYPTED] PASSWORD 'password' # only applicable to the 'native' provider \\| SET PASSWORD CHANGE [NOT] REQUIRED # only applicable to the 'native' provider } "}"`

Example 10. Modify a user’s password and status

For example, you can modify the user bob by setting a new password and active status, and removing the requirement to change his password by running:

ALTER USER bob
SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED
SET STATUS ACTIVE

The equivalent command using the auth providers syntax would be:

ALTER USER bob
SET AUTH 'native' {SET PASSWORD 'abcd5678' SET PASSWORD CHANGE NOT REQUIRED}
SET STATUS ACTIVE

Example 11. Modify a user to expire their current password

For example, you can modify the user bob to expire his current password so that he must change it the next time he logs in:

ALTER USER bob
SET PASSWORD CHANGE REQUIRED

The equivalent command using the auth providers syntax would be:

ALTER USER bob
SET AUTH 'native' {SET PASSWORD CHANGE REQUIRED}

Example 12. Modify a user to use an external OIDC auth provider

For example, you can modify the user bob by removing his native auth provider and adding an external OIDC auth provider:

ALTER USER bob
REMOVE AUTH 'native'
SET AUTH 'oidc-mysso1' {SET ID 'bobsUniqueMySso1Id'}

Example 13. Modify a user to use multiple external OIDC auth providers

For example, you can modify the user bob by removing all of his existing auth providers and adding two external OIDC auth providers:

ALTER USER bob
REMOVE ALL AUTH
SET AUTH 'oidc-mysso1' {SET ID 'bobsUniqueMySso1Id'}
SET AUTH 'oidc-mysso2' {SET ID 'bobsUniqueMySso2Id'}

Example 14. Assign a user a different home database

For example, you can modify the user bob by assigning him a different home database:

ALTER USER bob
SET HOME DATABASE anotherDbOrAlias

Example 15. Remove the home database from a user and set their status to suspended

For example, you can modify the user bob by removing his home database and setting his status to suspended:

ALTER USER bob
REMOVE HOME DATABASE
SET STATUS SUSPENDED

When altering a user, it is only necessary to specify the changes required. For example, leaving out the CHANGE [NOT] REQUIRED part of the query leaves that unchanged.

The SET STATUS {ACTIVE | SUSPENDED}, SET HOME DATABASE, REMOVE HOME DATABASE, and REMOVE AUTH parts of the command are only available in Neo4j Enterprise Edition. The SET AUTH clause for external providers is only available in Neo4j Enterprise Edition. However, SET AUTH 'native' can be used in Neo4j Community Edition.

The changes to the user will appear on the list provided by SHOW USERS:

SHOW USERS

Table 8. Result
user	roles	passwordChangeRequired	suspended	home
`"bob"`	`["PUBLIC"]`	`false`	`false`	`<null>`
`"neo4j"`	`["admin","PUBLIC"]`	`true`	`false`	`<null>`
Rows: 2

The default behavior of this command is to throw an exception if the user does not exist. Adding an optional parameter IF EXISTS to the command makes it idempotent and ensures that no exception is thrown. Nothing happens should the user not exist.

ALTER USER nonExistingUser IF EXISTS SET PASSWORD 'abcd1234'

Changing the current user’s password

Users can change their password using ALTER CURRENT USER SET PASSWORD. The old password is required in addition to the new one, and either or both can be a string value or a string parameter. When a user executes this command it will change their password as well as set the CHANGE NOT REQUIRED flag.

ALTER CURRENT USER
SET PASSWORD FROM 'password1' TO 'password2'

This command works only for a logged-in user and cannot be run with auth disabled.

Delete users

Users can be deleted with DROP USER.

DROP USER bob

Deleting a user does not automatically terminate associated connections, sessions, transactions, or queries.

However, when a user is deleted, it no longer appears on the list provided by SHOW USERS:

SHOW USERS

Table 9. Result
user	roles	passwordChangeRequired	suspended	home
`"neo4j"`	`["admin","PUBLIC"]`	`true`	`false`	`<null>`
Rows: 1