Write privileges

This section explains how to use Cypher to manage write privileges on graphs.

Write privileges are defined for different parts of the graph:

  • CREATE - allows creating nodes and relationships.

  • DELETE - allows deleting nodes and relationships.

  • SET LABEL labels - allows setting the specified node labels using the SET clause.

  • REMOVE LABEL labels - allows removing the specified node labels using the REMOVE clause.

  • SET PROPERTY {props} - allows setting properties on nodes and relationships.

There are also compound privileges which combine the above specific privileges:

  • MERGE - allows match, create and set property to permit the MERGE command.

  • WRITE - allows all write operations on an entire graph.

  • ALL GRAPH PRIVILEGES - allows all read and write operation on an entire graph.

1. The CREATE privilege

The CREATE privilege allows a user to create new node and relationship elements in a graph. See the Cypher CREATE clause.

Command syntax
GRANT CREATE ON {DEFAULT GRAPH | GRAPH[S] { * | graph-name[,...] }}
    [
        ELEMENT[S] { * | label-or-rel-type-name[,...] }
        | NODE[S] { * | label-name[,...] }
        | RELATIONSHIP[S] { * | rel-type-name[,...] }
    ]
    TO grantee[,...]

For example, granting the ability to create elements on the graph neo4j to the role regularUsers would be achieved using:

Query
GRANT
CREATE
ON GRAPH neo4j ELEMENTS * TO regularUsers

0 rows, System updates: 2

The CREATE privilege can also be denied.

Command syntax
DENY CREATE ON {DEFAULT GRAPH | GRAPH[S] { * | graph-name[,...] }}
    [
        ELEMENT[S] { * | label-or-rel-type-name[,...] }
        | NODE[S] { * | label-name[,...] }
        | RELATIONSHIP[S] { * | rel-type-name[,...] }
    ]
    TO grantee[,...]

For example, denying the ability to create nodes with the label foo on all graphs to the role regularUsers would be achieved using:

Query
DENY
CREATE
ON GRAPH * NODES foo TO regularUsers

0 rows, System updates: 1

If the user attempts to create nodes with a label that does not already exist in the database, then the user must also possess the CREATE NEW LABEL privilege. The same applies to new relationships - the CREATE NEW RELATIONSHIP TYPE privilege is required.

2. The DELETE privilege

The DELETE privilege allows a user to delete node and relationship elements in a graph. See the Cypher DELETE clause.

Command syntax
GRANT DELETE ON {DEFAULT GRAPH | GRAPH[S] { * | graph-name[,...] }}
    [
        ELEMENT[S] { * | label-or-rel-type-name[,...] }
        | NODE[S] { * | label-name[,...] }
        | RELATIONSHIP[S] { * | rel-type-name[,...] }
    ]
    TO grantee[,...]

For example, granting the ability to delete elements on the graph neo4j to the role regularUsers would be achieved using:

Query
GRANT
DELETE
ON GRAPH neo4j ELEMENTS * TO regularUsers

0 rows, System updates: 2

The DELETE privilege can also be denied.

Command syntax
DENY DELETE ON {DEFAULT GRAPH | GRAPH[S] { * | graph-name[,...] }}
    [
        ELEMENT[S] { * | label-or-rel-type-name[,...] }
        | NODE[S] { * | label-name[,...] }
        | RELATIONSHIP[S] { * | rel-type-name[,...] }
    ]
    TO grantee[,...]

For example, denying the ability to delete relationships with the relationship type bar on all graphs to the role regularUsers would be achieved using:

Query
DENY
DELETE
ON GRAPH * RELATIONSHIPS bar TO regularUsers

0 rows, System updates: 1

Users with DELETE privilege, but restricted TRAVERSE privileges, will not be able to do DETACH DELETE in all cases. See Operations Manual → Fine-grained access control for more info.

3. The SET LABEL privilege

The SET LABEL privilege allows you to set labels on a node using the SET clause.

Command syntax
GRANT SET LABEL {label [, ...] | *}
    ON {DEFAULT GRAPH | GRAPH[S] {name [, ...] | *}}
    TO role [, ...]

For example, granting the ability to set any label on nodes of the graph neo4j to the role regularUsers would be achieved using:

Query
GRANT
SET LABEL *
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 1

Unlike many of the other read and write privileges, it is not possible to restrict the SET LABEL privilege to specific ELEMENTS, NODES or RELATIONSHIPS.

The SET LABEL privilege can also be denied.

Command syntax
DENY SET LABEL {label [, ...] | *}
    ON {DEFAULT GRAPH | GRAPH[S] {name [, ...] | *}}
    TO role [, ...]

For example, denying the ability to set the label foo on nodes of all graphs to the role regularUsers would be achieved using:

Query
DENY
SET LABEL foo
ON GRAPH * TO regularUsers

0 rows, System updates: 1

If no instances of this label exist in the database, then the CREATE NEW LABEL privilege is also required.

4. The REMOVE LABEL privilege

The REMOVE LABEL privilege allows you to remove labels from a node using the REMOVE clause.

Command syntax
GRANT REMOVE LABEL {label [, ...] | *}
    ON {DEFAULT GRAPH | GRAPH[S] {name [, ...] | *}}
    TO role [, ...]

For example, granting the ability to remove any label from nodes of the graph neo4j to the role regularUsers would be achieved using:

Query
GRANT
REMOVE LABEL *
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 1

Unlike many of the other read and write privileges, it is not possible to restrict the REMOVE LABEL privilege to specific ELEMENTS, NODES or RELATIONSHIPS.

The REMOVE LABEL privilege can also be denied.

Command syntax
DENY REMOVE LABEL {label [, ...] | *}
    ON {DEFAULT GRAPH | GRAPH[S] {name [, ...] | *}}
    TO role [, ...]

For example, denying the ability to remove the label foo from nodes of all graphs to the role regularUsers would be achieved using:

Query
DENY
REMOVE LABEL foo
ON GRAPH * TO regularUsers

0 rows, System updates: 1

5. The SET PROPERTY privilege

The SET PROPERTY privilege allows a user to set a property on a node or relationship element in a graph using the SET clause.

Command syntax
GRANT SET PROPERTY "{" { * | property-name[,...] } "}"
    ON {DEFAULT GRAPH | GRAPH[S] { * | graph-name[,...] }}
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO grantee[,...]

For example, granting the ability to set any property on all elements of the graph neo4j to the role regularUsers would be achieved using:

Query
GRANT
SET PROPERTY { * }
ON DEFAULT GRAPH ELEMENTS * TO regularUsers

0 rows, System updates: 2

The SET PROPERTY privilege can also be denied.

Command syntax
DENY SET PROPERTY "{" { * | property-name[,...] } "}"
    ON {DEFAULT GRAPH | GRAPH[S] { * | graph-name[,...] }}
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO grantee[,...]

For example, denying the ability to set the property foo on nodes with the label bar on all graphs to the role regularUsers would be achieved using:

Query
DENY
SET PROPERTY { foo }
ON GRAPH * NODES bar TO regularUsers

0 rows, System updates: 1

If the users attempts to set a property with a property name that does not already exist in the database the user must also possess the CREATE NEW PROPERTY NAME privilege.

6. The MERGE privilege

The MERGE privilege is a compound privilege that combines TRAVERSE and READ (i.e. MATCH) with CREATE and SET PROPERTY. This is intended to permit use of the MERGE command but is applicable to all reads and writes that require these privileges.

Command syntax
GRANT MERGE "{" { * | property-name[,...] } "}"
    ON {DEFAULT GRAPH | GRAPH[S] { * | graph-name[,...] }}
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO grantee[,...]

For example, granting MERGE on all elements of the graph neo4j to the role regularUsers would be achieved using:

Query
GRANT
MERGE { * }
ON GRAPH neo4j ELEMENTS * TO regularUsers

0 rows, System updates: 2

It is not possible to deny the MERGE privilege. If it is desirable to prevent a users from creating elements and setting properties, use DENY CREATE or DENY SET PROPERTY.

If the users attempts to create nodes with a label that does not already exist in the database the user must also possess the CREATE NEW LABEL privilege. The same applies to new relationships and properties - the CREATE NEW RELATIONSHIP TYPE or CREATE NEW PROPERTY NAME privileges are required.

7. The WRITE privilege

The WRITE privilege allows the user to execute any write command on a graph.

Command syntax
GRANT WRITE
    ON {DEFAULT GRAPH | GRAPH[S] {name [, ...] | *}}
    TO role [, ...]

For example, granting the ability to write on the graph neo4j to the role regularUsers would be achieved using:

Query
GRANT WRITE
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 2

Unlike the more specific write commands, it is not possible to restrict WRITE privileges to specific ELEMENTS, NODES or RELATIONSHIPS. If it is desirable to prevent a user from writing to a subset of database objects, a GRANT WRITE can be combined with more specific DENY commands to target these elements.

The WRITE privilege can also be denied.

Command syntax
DENY WRITE
    ON {DEFAULT GRAPH | GRAPH[S] {name [, ...] | *}}
    TO role [, ...]

For example, denying the ability to write on the graph neo4j to the role regularUsers would be achieved using:

Query
DENY WRITE
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 2

Users with WRITE privilege but restricted TRAVERSE privileges will not be able to do DETACH DELETE in all cases. See Operations Manual → Fine-grained access control for more info.

8. ALL GRAPH PRIVILEGES

The ALL GRAPH PRIVILEGES privilege allows the user to execute any command on a graph.

Command syntax
GRANT ALL [ [ GRAPH ] PRIVILEGES ]
    ON {DEFAULT GRAPH | GRAPH[S] {name [, ...] | * }}
    TO role [, ...]

For example, granting all graph privileges on the graph neo4j to the role regularUsers would be achieved using:

Query
GRANT ALL GRAPH PRIVILEGES
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 1

Unlike the more specific read and write commands, it is not possible to restrict ALL GRAPH PRIVILEGES privileges to specific ELEMENTS, NODES or RELATIONSHIPS. If it is desirable to prevent a user from reading or writing to a subset of database objects, a GRANT ALL GRAPH PRIVILEGES can be combined with more specific DENY commands to target these elements.

The ALL GRAPH PRIVILEGES privilege can also be denied.

Command syntax
DENY ALL [ [ GRAPH ] PRIVILEGES ]
    ON {DEFAULT GRAPH | GRAPH[S] {name [, ...] | * }}
    TO role [, ...]

For example, denying all graph privileges on the graph neo4j to the role regularUsers would be achieved using:

Query
DENY ALL GRAPH PRIVILEGES
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 1