Authentication and authorization

This page provides an overview of authentication and authorization in Neo4j.

Authentication

Authentication is the process of verifying the identity of a user. Neo4j has the following authentication (auth) providers that can perform user and role authentication:

Native auth provider

Neo4j provides a native auth provider that stores user and role information in the system database. The following parameters control this provider:

  • dbms.security.auth_enabled (Default: true) — Enable auth requirement to access Neo4j.

    If you need to disable authentication, make sure you block all network connections during the recovery phase so users can connect to Neo4j only via localhost. This is necessary if, for example, you need to recover an admin user password or assign a user to the admin role. For more information, see Password and user recovery.

  • dbms.security.auth_lock_time (Default: 5s) — The amount of time a user account is locked after a configured number of unsuccessful authentication attempts.

  • dbms.security.auth_max_failed_attempts (Default: 3) — The maximum number of unsuccessful authentication attempts before imposing a user lock for a configured amount of time.
    When triggered, Neo4j logs an error containing a timestamp and the message failed to log in: too many failed attempts in the security.log.

For the relevant Cypher commands, see Manage users syntax, Manage roles syntax, and Manage privileges syntax. Various scenarios that illustrate the use of the native auth provider are available in Fine-grained access control (example).

LDAP auth provider

Controls authentication and authorization through external security software such as Active Directory or OpenLDAP, which is accessed via the built-in LDAP connector. A description of the LDAP plugin using Active Directory is available in Integration with LDAP directory services.

Single sign-on provider

Integration with a single sign-on service, such as Okta, Auth0, or Microsoft Entra ID to provide centralized authentication and authorization for all your systems. Neo4j supports the popular OpenID Connect mechanism for integrating with identity providers. The configuration steps are described in Single sign-on integration.

Custom-built plugin auth providers

A plugin option for building custom integrations. It is recommended that this option is used as part of a custom delivery as negotiated with Neo4j Professional Services. For more information, see Java Reference → Authentication and authorization plugins.

Kerberos authentication and single sign-on

In addition to LDAP, native, and custom providers, Neo4j supports Kerberos for authentication and single sign-on. Kerberos support is provided via the Neo4j Kerberos Add-On.

Mixed-mode authentication

Neo4j also supports mixed-mode authentication that allows you to use multiple authentication providers in your database setup. For more information and examples, see Set Neo4j to use LDAP and Configure Neo4j to use OpenID Connect.

Authorization

Authorization is the process of determining whether a user is allowed to perform a specific action. Authorization is managed using role-based access control (RBAC). RBAC is a method of restricting access to authorized users. It is a way of assigning privileges to roles that are then assigned to users. This simplifies user management, as permissions are assigned to roles rather than to individual users. The roles are defined in terms of their underlying privileges, and they can be modified by adding or removing these access rights using the Cypher commands described in this chapter.

Neo4j provides a set of built-in roles and also allows you to create custom roles with specific privileges. You can also use the sub-graph access control, through which read access to the graph can be limited to specific combinations of labels, relationship types, and properties.

The functionality described in these pages applies to Enterprise Edition. A limited set of user management functions are also available in Community Edition. Built-in roles capabilities gives a quick overview of these.

The Neo4j security model is stored in the system graph, which is maintained in the system database. All administrative commands need to be executed against it. When connected to the DBMS over Configure connectors, administrative commands are automatically routed to the system database.

Terminology

The following terms are relevant to role-based access control within Neo4j:

active user

A user who is active within the system and can perform actions prescribed by any assigned roles on the data. This is in contrast to a suspended user.

administrator

This is a user who has been assigned the admin role.

current user

This is the currently logged-in user invoking the commands.

password policy

The password policy is a set of rules about what makes up a valid password. For Neo4j, the following rules apply:

  • The password cannot be an empty string.

  • When changing passwords, the new password cannot be the same as the previous password.

  • The password must be at least 8 characters long.

role

A collection of privileges that enables users to perform specific actions on the data. A user can have multiple roles.

suspended user

A user who has been suspended is not able to access the database in any capacity, regardless of any assigned roles.

user

  • A user is composed of a username and credentials, where the latter is a unit of information, such as a password, verifying the identity of a user.

  • A user may represent a human, an application, etc.