Administration

User management

Users in Neo4j Enterprise Studio are managed through the connected Neo4j deployments. To add a new user to a deployment, see Operations Manual → Creating users and add that user to all relevant deployments.

When you add a user to a Neo4j deployment, they receive an Enterprise Studio role based on the role mapping configuration. For information on how to manage users in a Neo4j deployment, see Operations Manual → Manage roles.

Role mapping

Administrators map Neo4j deployment-specific roles to Enterprise Studio roles in config.yaml using authorization.roleMapping. This determines what each user can do within Enterprise Studio based on their Neo4j role or username. For the configuration syntax, see Configuration → Authorization.

Table 1. Predefined Enterprise Studio roles
Enterprise Studio role Permissions

studioCreator

Create and manage own assets

studioAdmin

Administrative privileges over all assets

Every request to the server includes the authenticated user’s credentials. The server verifies the user’s identity and roles against the Neo4j deployment and grants access based on the configured role mapping.

See Configuration reference → Authorization role mapping for details on how to configure role mappings.

Assigning roles by Neo4j database role

To grant a user an Enterprise Studio role, assign them a Neo4j database role and map that role in authorization.roleMapping.

For example, to make all users with the admin database role an Enterprise Studio admin, and all users with the editor role a creator:

neo4jDeployments:
  mydeployment:
    name: "Production"
    uri: neo4j://prod-host:7687
    authorization:
      roleMapping:
        - role: studioAdmin
          members:
            - kind: databaseRole
              name: admin
        - role: studioCreator
          members:
            - kind: databaseRole
              name: editor

To assign a Neo4j database role to a user:

GRANT ROLE editor TO myuser

Assigning roles by username

You can also map individual users directly by their Neo4j username:

neo4jDeployments:
  mydeployment:
    name: "Production"
    uri: neo4j://prod-host:7687
    authorization:
      roleMapping:
        - role: studioAdmin
          members:
            - kind: databaseUser
              name: neo4j
            - kind: databaseUser
              name: alice
        - role: studioCreator
          members:
            - kind: databaseUser
              name: bob

Assigning roles with SSO

When using SSO, users authenticate via an external identity provider (IdP) and are mapped to Neo4j database roles through the Neo4j OIDC configuration. Enterprise Studio then maps those database roles to Enterprise Studio roles via the same authorization.roleMapping mechanism.

The flow is:

  1. The IdP authenticates the user and issues a token containing group or role claims.

  2. Neo4j maps those claims to database roles (configured in neo4j.conf via dbms.security.oidc.<provider>.claims.groups).

  3. Enterprise Studio reads the user’s database roles and applies the role mapping.

For example, if your IdP assigns users to a group called graph-admins and Neo4j maps that to the database role studio-admins:

neo4jDeployments:
  mydeployment:
    name: "Production"
    uri: neo4j://prod-host:7687
    authorization:
      roleMapping:
        - role: studioAdmin
          members:
            - kind: databaseRole
              name: studio-admins
        - role: studioCreator
          members:
            - kind: databaseRole
              name: studio-users

For details on configuring Neo4j SSO and role mapping, see Operations Manual → Configuring Neo4j Single-Sign-On (SSO).

Asset backup

Tool assets (saved queries, dashboards, Perspectives, and sharing metadata) are persisted in the asset storage database. Back up this database regularly using Neo4j backup and restore.

To restore, configure a new Enterprise Studio instance to connect to a restored copy of the asset storage database. Enterprise Studio validates and migrates the database schema automatically on startup.

Do not modify the asset storage database directly (for example via Cypher® queries or external tools). The database schema is managed internally by Enterprise Studio. Direct modifications may corrupt data, break sharing, or cause unexpected behavior.

Migration to Enterprise Studio

You can migrate tool assets from Neo4j Desktop, standalone Neo4j Browser, standalone Bloom, and NeoDash into Enterprise Studio using the built-in import functions in each tool’s user interface. Do not modify the database directly: legacy tools store assets in a different format, so assets must be exported from the source tool and imported into Enterprise Studio.