5.5.5. Write privileges

This section explains how to use Cypher to manage write privileges on graphs.

Write privileges are defined for different parts of the graph:

- CREATE: create new node and relationship elements.
- DELETE: delete node and relationship elements.
- SET LABEL: set labels on nodes.
- REMOVE LABEL: remove labels from nodes.
- SET PROPERTY: set properties on nodes and relationships.

There are also compound privileges which combine the above specific privileges:

- MERGE: TRAVERSE and READ (i.e. MATCH) combined with CREATE and SET PROPERTY.
- WRITE: every write privilege on a graph.
- ALL GRAPH PRIVILEGES: every read and write privilege on a graph.

5.5.5.1. The CREATE privilege

The CREATE privilege allows a user to create new node and relationship elements in a graph. See the Cypher CREATE clause.

Command syntax. 

GRANT CREATE ON GRAPH[S] { * | graph-name[,...] }
    [
        ELEMENT[S] { * | label-or-rel-type-name[,...] }
        | NODE[S] { * | label-name[,...] }
        | RELATIONSHIP[S] { * | rel-type-name[,...] }
    ]
    TO grantee[,...]

For example, granting the ability to create elements on the graph neo4j to the role regularUsers would be achieved using:

Query. 

GRANT
CREATE
ON GRAPH neo4j ELEMENTS * TO regularUsers

0 rows, System updates: 2

The CREATE privilege can also be denied.

Command syntax. 

DENY CREATE ON GRAPH[S] { * | graph-name[,...] }
    [
        ELEMENT[S] { * | label-or-rel-type-name[,...] }
        | NODE[S] { * | label-name[,...] }
        | RELATIONSHIP[S] { * | rel-type-name[,...] }
    ]
    TO grantee[,...]

For example, denying the ability to create nodes with the label foo on all graphs to the role regularUsers would be achieved using:

Query. 

DENY
CREATE
ON GRAPH * NODES foo TO regularUsers

0 rows, System updates: 1

If the user attempts to create nodes with a label that does not already exist in the database, then the user must also possess the CREATE NEW LABEL privilege. The same applies to new relationships - the CREATE NEW RELATIONSHIP TYPE privilege is required.

5.5.5.2. The DELETE privilege

The DELETE privilege allows a user to delete node and relationship elements in a graph. See the Cypher DELETE clause.

Command syntax. 

GRANT DELETE ON GRAPH[S] { * | graph-name[,...] }
    [
        ELEMENT[S] { * | label-or-rel-type-name[,...] }
        | NODE[S] { * | label-name[,...] }
        | RELATIONSHIP[S] { * | rel-type-name[,...] }
    ]
    TO grantee[,...]

For example, granting the ability to delete elements on the graph neo4j to the role regularUsers would be achieved using:

Query. 

GRANT
DELETE
ON GRAPH neo4j ELEMENTS * TO regularUsers

0 rows, System updates: 2

The DELETE privilege can also be denied.

Command syntax. 

DENY DELETE ON GRAPH[S] { * | graph-name[,...] }
    [
        ELEMENT[S] { * | label-or-rel-type-name[,...] }
        | NODE[S] { * | label-name[,...] }
        | RELATIONSHIP[S] { * | rel-type-name[,...] }
    ]
    TO grantee[,...]

For example, denying the ability to delete relationships with the relationship type bar on all graphs to the role regularUsers would be achieved using:

Query. 

DENY
DELETE
ON GRAPH * RELATIONSHIPS bar TO regularUsers

0 rows, System updates: 1

Users with the DELETE privilege but restricted TRAVERSE privileges will not be able to perform DETACH DELETE in all cases. See Operations Manual → Fine-grained access control for more info.

5.5.5.3. The SET LABEL privilege

The SET LABEL privilege allows you to set labels on a node using the SET clause.

Command syntax. 

GRANT SET LABEL {label [, ...] | *}
    ON GRAPH[S] {name [, ...] | *}
    TO role [, ...]

For example, granting the ability to set any label on nodes of the graph neo4j to the role regularUsers would be achieved using:

Query. 

GRANT
SET LABEL *
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 1

Unlike many of the other read and write privileges, it is not possible to restrict the SET LABEL privilege to specific ELEMENTS, NODES or RELATIONSHIPS.

The SET LABEL privilege can also be denied.

Command syntax. 

DENY SET LABEL {label [, ...] | *}
    ON GRAPH[S] {name [, ...] | *}
    TO role [, ...]

For example, denying the ability to set the label foo on nodes of all graphs to the role regularUsers would be achieved using:

Query. 

DENY
SET LABEL foo
ON GRAPH * TO regularUsers

0 rows, System updates: 1

If no instances of this label exist in the database, then the CREATE NEW LABEL privilege is also required.

5.5.5.4. The REMOVE LABEL privilege

The REMOVE LABEL privilege allows you to remove labels from a node using the REMOVE clause.

Command syntax. 

GRANT REMOVE LABEL {label [, ...] | *}
    ON GRAPH[S] {name [, ...] | *}
    TO role [, ...]

For example, granting the ability to remove any label from nodes of the graph neo4j to the role regularUsers would be achieved using:

Query. 

GRANT
REMOVE LABEL *
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 1

Unlike many of the other read and write privileges, it is not possible to restrict the REMOVE LABEL privilege to specific ELEMENTS, NODES or RELATIONSHIPS.

The REMOVE LABEL privilege can also be denied.

Command syntax. 

DENY REMOVE LABEL {label [, ...] | *}
    ON GRAPH[S] {name [, ...] | *}
    TO role [, ...]

For example, denying the ability to remove the label foo from nodes of all graphs to the role regularUsers would be achieved using:

Query. 

DENY
REMOVE LABEL foo
ON GRAPH * TO regularUsers

0 rows, System updates: 1

5.5.5.5. The SET PROPERTY privilege

The SET PROPERTY privilege allows a user to set a property on a node or relationship element in a graph using the SET clause.

Command syntax. 

GRANT SET PROPERTY "{" { * | property-name[,...] } "}"
    ON GRAPH[S] { * | graph-name[,...] }
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO grantee[,...]

For example, granting the ability to set any property on all elements of the graph neo4j to the role regularUsers would be achieved using:

Query. 

GRANT
SET PROPERTY { * }
ON GRAPH neo4j ELEMENTS * TO regularUsers

0 rows, System updates: 2

The SET PROPERTY privilege can also be denied.

Command syntax. 

DENY SET PROPERTY "{" { * | property-name[,...] } "}"
    ON GRAPH[S] { * | graph-name[,...] }
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO grantee[,...]

For example, denying the ability to set the property foo on nodes with the label bar on all graphs to the role regularUsers would be achieved using:

Query. 

DENY
SET PROPERTY { foo }
ON GRAPH * NODES bar TO regularUsers

0 rows, System updates: 1

If the user attempts to set a property with a property name that does not already exist in the database, the user must also possess the CREATE NEW PROPERTY NAME privilege.

5.5.5.6. The MERGE privilege

The MERGE privilege is a compound privilege that combines TRAVERSE and READ (i.e. MATCH) with CREATE and SET PROPERTY. This is intended to permit use of the MERGE command but is applicable to all reads and writes that require these privileges.

Command syntax. 

GRANT MERGE "{" { * | property-name[,...] } "}"
    ON GRAPH[S] { * | graph-name[,...] }
        [
            ELEMENT[S] { * | label-or-rel-type-name[,...] }
            | NODE[S] { * | label-name[,...] }
            | RELATIONSHIP[S] { * | rel-type-name[,...] }
        ]
    TO grantee[,...]

For example, granting MERGE on all elements of the graph neo4j to the role regularUsers would be achieved using:

Query. 

GRANT
MERGE { * }
ON GRAPH neo4j ELEMENTS * TO regularUsers

0 rows, System updates: 2

It is not possible to deny the MERGE privilege. If it is desirable to prevent a user from creating elements and setting properties, use DENY CREATE or DENY SET PROPERTY.

If the user attempts to create nodes with a label that does not already exist in the database, the user must also possess the CREATE NEW LABEL privilege. The same applies to new relationships and properties - the CREATE NEW RELATIONSHIP TYPE or CREATE NEW PROPERTY NAME privileges are required.

5.5.5.7. The WRITE privilege

The WRITE privilege allows the user to execute any write command on a graph.

Command syntax. 

GRANT WRITE
    ON GRAPH[S] {name [, ...] | *}
    TO role [, ...]

For example, granting the ability to write on the graph neo4j to the role regularUsers would be achieved using:

Query. 

GRANT WRITE
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 2

Unlike the more specific write commands, it is not possible to restrict WRITE privileges to specific ELEMENTS, NODES or RELATIONSHIPS. If it is desirable to prevent a user from writing to a subset of database objects, a GRANT WRITE can be combined with more specific DENY commands to target these elements.

The WRITE privilege can also be denied.

Command syntax. 

DENY WRITE
    ON GRAPH[S] {name [, ...] | *}
    TO role [, ...]

For example, denying the ability to write on the graph neo4j to the role regularUsers would be achieved using:

Query. 

DENY WRITE
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 2

Users with the WRITE privilege but restricted TRAVERSE privileges will not be able to perform DETACH DELETE in all cases. See Operations Manual → Fine-grained access control for more info.

5.5.5.8. ALL GRAPH PRIVILEGES

The ALL GRAPH PRIVILEGES privilege allows the user to execute any command on a graph.

Command syntax. 

GRANT ALL [ [ GRAPH ] PRIVILEGES ]
    ON GRAPH[S] {name [, ...] | * }
    TO role [, ...]

For example, granting all graph privileges on the graph neo4j to the role regularUsers would be achieved using:

Query. 

GRANT ALL GRAPH PRIVILEGES
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 1

Unlike the more specific read and write commands, it is not possible to restrict ALL GRAPH PRIVILEGES privileges to specific ELEMENTS, NODES or RELATIONSHIPS. If it is desirable to prevent a user from reading or writing to a subset of database objects, a GRANT ALL GRAPH PRIVILEGES can be combined with more specific DENY commands to target these elements.
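As an added example (not from the Neo4j manual), the combination described above and in the WRITE and MERGE sections, a broad GRANT narrowed by targeted DENY commands, written out as one least-privilege role. The role name appWriters, the labels AuditEvent, User and Verified, the relationship type APPROVED_BY and the property passwordHash are constructed for illustration.

```cypher
// Added example, not from the manual. Role, labels, relationship type and
// property name below are constructed; substitute your own schema.
CREATE ROLE appWriters;
GRANT ACCESS ON DATABASE neo4j TO appWriters;

// TRAVERSE on the whole graph so DETACH DELETE can reach the relationships
// it has to remove (see the caveat under DELETE and WRITE above).
GRANT TRAVERSE ON GRAPH neo4j TO appWriters;

// Broad write access. WRITE cannot be scoped to ELEMENTS, NODES or
// RELATIONSHIPS, so the restrictions are expressed as DENY commands instead.
GRANT WRITE ON GRAPH neo4j TO appWriters;

// DENY takes precedence over GRANT, so each line carves out one thing the
// role must never do, however broad its GRANT is.
DENY DELETE ON GRAPH neo4j NODES AuditEvent TO appWriters;            // append-only audit trail
DENY SET PROPERTY { passwordHash } ON GRAPH neo4j NODES User TO appWriters;  // credentials untouched
DENY CREATE ON GRAPH neo4j RELATIONSHIPS APPROVED_BY TO appWriters;  // approvals come from another role
DENY REMOVE LABEL Verified ON GRAPH neo4j TO appWriters;             // cannot strip a verification mark

// MERGE itself cannot be denied; the DENY CREATE and DENY SET PROPERTY
// above are what stop a MERGE from creating APPROVED_BY or writing passwordHash.

// Review the effective privilege set before assigning the role to any user.
SHOW ROLE appWriters PRIVILEGES;
```

The SHOW output should list the DENY rows alongside the GRANT rows; a missing DENY row means the carve-out was not applied and the role still has the full WRITE privilege on that element.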

The ALL GRAPH PRIVILEGES privilege can also be denied.

Command syntax. 

DENY ALL [ [ GRAPH ] PRIVILEGES ]
    ON GRAPH[S] {name [, ...] | * }
    TO role [, ...]

For example, denying all graph privileges on the graph neo4j to the role regularUsers would be achieved using:

Query. 

DENY ALL GRAPH PRIVILEGES
ON GRAPH neo4j TO regularUsers

0 rows, System updates: 1
