Built-in roles
Neo4j provides built-in roles with default privileges. The built-in roles and the default privileges are:
- PUBLIC
  - Access to the home database.
  - Allows executing procedures with the user's own privileges.
  - Allows executing user-defined functions with the user's own privileges.
- reader
  - Access to all databases.
  - Traverse and read on the data graph (all nodes, relationships, properties).
  - Show indexes and constraints along with any other future schema constructs.
- editor
  - Access to all databases.
  - Traverse, read, and write on the data graph.
  - Write access limited to creating and changing existing property keys, node labels, and relationship types of the graph. In other words, the editor role cannot add to the schema but can only make changes to already existing objects.
  - Show indexes and constraints along with any other future schema constructs.
- publisher
  - Access to all databases.
  - Traverse, read, and write on the data graph.
  - Show indexes and constraints along with any other future schema constructs.
- architect
  - Access to all databases.
  - Traverse, read, and write on the data graph.
  - Create/drop/show indexes and constraints along with any other future schema constructs.
- admin
  - Access to all databases.
  - Traverse, read, and write on the data graph.
  - Create/drop/show indexes and constraints along with any other future schema constructs.
  - Allows executing procedures with the user's own privileges or boosted privileges.
  - Allows executing admin procedures.
  - Allows executing user-defined functions with the user's own privileges or boosted privileges.
  - View/terminate queries.
  - Manage databases, users, roles, and privileges.

All users will be assigned the PUBLIC role, which by default does not give any rights or capabilities regarding the data, not even read privileges.
A user may have more than one assigned role, and the union of these determines what action(s) on the data may be undertaken by the user.
For instance, a user assigned to the reader role will be able to execute procedures because all users are also assigned to the PUBLIC role, which enables that capability.

When an administrator suspends or deletes another user, the following rules apply:
- Administrators can suspend or delete any other user (including other administrators), but not themselves.
- The user will no longer be able to log back in (until re-activated by an administrator if suspended).
- There is no need to remove assigned roles from a user prior to deleting the user.

Deleting a user will not automatically terminate associated connections, sessions, transactions, or queries.

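The offboarding rules above as a command sequence, given here as an added example that is not part of the original page: an admin suspends the account, finds and terminates the transactions still running under it, and only then drops the user. The username `alice` and the transaction ID are constructed placeholders, and the example assumes a Neo4j version that supports the `SHOW TRANSACTIONS` and `TERMINATE TRANSACTIONS` commands.

```cypher
// Added example: offboarding a user as an admin.
// 'alice' and the transaction ID below are constructed placeholders.

// User management commands run against the system database.
// In cypher-shell or Browser: :use system

// 1. Block new logins first. Assigned roles do not need to be removed.
ALTER USER alice SET STATUS SUSPENDED;

// 2. Confirm the account state and record which roles it held.
SHOW USERS YIELD user, roles, suspended
WHERE user = 'alice';

// 3. Deleting the user will not terminate work already in flight, so list
//    what is still running under the account (admin can view all transactions).
SHOW TRANSACTIONS
YIELD transactionId, username, clientAddress, currentQuery, elapsedTime
WHERE username = 'alice';

// 4. Terminate each transaction ID returned by step 3.
TERMINATE TRANSACTIONS 'neo4j-transaction-42';

// 5. Re-run step 3 until it returns no rows, then delete the user.
DROP USER alice;
```
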
The set of actions on the data and database prescribed by each role is described below. The subset of the functionality that is available with Community Edition is also included:
Action | reader | editor | publisher | architect | admin | PUBLIC | Available in Community Edition |
---|---|---|---|---|---|---|---|
Change own password |
|
|
|
|
|
|
|
View own details |
|
|
|
|
|
|
|
View own transactions |
|
|
|
|
|
|
|
Terminate own transactions |
|
|
|
|
|
|
|
View own privileges |
|
|
|
|
|
|
|
View all databases |
|
|
|
|
|
|
|
Access home database |
|
|
|
|
|
|
|
Access all databases |
|
|
|
|
|
|
|
Read data |
|
|
|
|
|
|
|
View index/constraint |
|
|
|
|
|
|
|
Write/update/delete existing data |
|
|
|
|
|
||
Create new types of properties key |
|
|
|
|
|||
Create new types of nodes labels |
|
|
|
|
|||
Create new types of relationship types |
|
|
|
|
|||
Create/drop index/constraint |
|
|
|
||||
Create/delete user |
|
|
|||||
Change another user’s name |
|
|
|||||
Change another user’s password |
|
|
|||||
Change another user’s home database |
|
||||||
Suspend/activate user |
|
||||||
Create/drop roles |
|
||||||
Change role names |
|
||||||
Assign/remove role to/from user |
|
||||||
Create/drop/alter databases |
|
||||||
Start/stop databases |
|
||||||
Manage database access |
|
||||||
Grant/deny/revoke privileges |
|
||||||
View all users |
|
|
|||||
View all roles |
|
||||||
View all roles for a user |
|
||||||
View all users for a role |
|
||||||
View another user’s privileges |
|
||||||
View all transactions |
|
|
|||||
Terminate all transactions |
|
|
|||||
Execute procedures |
|
|
|
||||
Execute functions |
|
|
|
||||
Execute admin procedures |
|
|
|||||
Dynamically change configuration [1] |
|
||||||
1. For more information, see Update dynamic settings.

More information about the built-in roles and their privileges can be found in the Neo4j Cypher Manual.