Administrator role privileges

You can manage DBMS privileges using either the built-in admin role or by creating a custom role with the specific privileges you need.

Using the built-in admin role to manage DBMS privileges

The built-in admin role is a superuser role that has all privileges on the DBMS and can perform all administrative tasks.

This includes the following tasks and their relevant privileges:

To enable a user to perform these tasks, grant them the admin role, or create a custom role that carries only the subset of these privileges the user needs. Every privilege can be granted, denied, and revoked with Cypher commands.

Using a custom role to manage DBMS privileges

You can create a custom role to manage DBMS privileges by granting the privileges you want to the role. Alternatively, you can copy the admin role and revoke or deny the unwanted privileges. The following examples show how to create a custom role with a subset of the privileges that the admin role has, using both methods.

Create a custom administrator role from scratch

Create an administrator role that can only manage users and roles by creating a new role and granting the USER MANAGEMENT and ROLE MANAGEMENT privileges.

  1. Create the new role:

    CREATE ROLE userAndRoleAdministrator;
  2. Grant the privilege to manage users:

    GRANT USER MANAGEMENT ON DBMS TO userAndRoleAdministrator;
  3. Grant the privilege to manage roles:

    GRANT ROLE MANAGEMENT ON DBMS TO userAndRoleAdministrator;

    As a result, the userAndRoleAdministrator role has privileges that only allow user and role management.

  4. To list all privileges for the role userAndRoleAdministrator as commands, use the following query:

    SHOW ROLE userAndRoleAdministrator PRIVILEGES AS COMMANDS;
    Table 1. Result
    command

    "GRANT ROLE MANAGEMENT ON DBMS TO `userAndRoleAdministrator`"

    "GRANT USER MANAGEMENT ON DBMS TO `userAndRoleAdministrator`"

    Rows: 2

This role does not allow all DBMS capabilities. For example, the role is missing privileges for managing, creating, and dropping databases, as well as executing admin procedures. To create a more powerful administrator, you can grant a different set of privileges.

Create a more powerful custom administrator role from scratch

You can also create a custom administrator role that is more powerful than the previous one but still limited. This can be done by creating a new role and granting all DBMS privileges, then denying the ones you do not want the role to have, and then granting additional privileges you want to include. DENY is used here rather than REVOKE because the DBMS privileges are granted as a single compound privilege, and a DENY takes precedence over any GRANT. For example, you can create a custom administrator role customAdministrator that has all DBMS privileges except for creating, dropping, and modifying databases, and also has the privilege for managing transactions.

  1. Create a new role:

    CREATE ROLE customAdministrator;
  2. Grant the privilege for all DBMS capabilities:

    GRANT ALL DBMS PRIVILEGES ON DBMS TO customAdministrator;
  3. Explicitly deny the privilege to manage databases:

    DENY DATABASE MANAGEMENT ON DBMS TO customAdministrator;
  4. Grant the transaction management privilege:

    GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO customAdministrator;

    As a result, the customAdministrator role has privileges that include managing transactions and all DBMS privileges except creating, dropping, and modifying databases.

  5. To list all privileges for the role customAdministrator as commands, use the following query:

    SHOW ROLE customAdministrator PRIVILEGES AS COMMANDS;
    Table 2. Result
    command

    "DENY DATABASE MANAGEMENT ON DBMS TO `customAdministrator`"

    "GRANT ALL DBMS PRIVILEGES ON DBMS TO `customAdministrator`"

    "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `customAdministrator`"

    Rows: 3
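Both custom roles above still hold privileges that let their holder widen their own access, so they should be treated as administrator-equivalent unless those privileges are also denied. The following is an added example, not part of the original page, that checks this for the two roles created above: ROLE MANAGEMENT includes ASSIGN ROLE, so userAndRoleAdministrator can hand the built-in admin role to any user, and ALL DBMS PRIVILEGES includes PRIVILEGE MANAGEMENT, so customAdministrator can remove the DENY placed on it. The user names and passwords are hypothetical.

```cypher
// Added example; assumes userAndRoleAdministrator and customAdministrator exist as created above.
// The users and passwords are hypothetical.

// 1. userAndRoleAdministrator: ROLE MANAGEMENT contains ASSIGN ROLE, so a holder can create a
//    user and give it the built-in admin role. Run as the administrator:
CREATE USER ops SET PASSWORD 'hypothetical-initial-password' CHANGE REQUIRED;
GRANT ROLE userAndRoleAdministrator TO ops;

// Run as ops (succeeds, because ASSIGN ROLE is not scoped to particular roles):
CREATE USER helper SET PASSWORD 'hypothetical-initial-password' CHANGE REQUIRED;
GRANT ROLE admin TO helper;

// Mitigation when the role only needs to create, rename and drop roles and users, not
// change membership: deny role assignment. DENY wins over the GRANT inside ROLE MANAGEMENT.
DENY ASSIGN ROLE ON DBMS TO userAndRoleAdministrator;

// 2. customAdministrator: ALL DBMS PRIVILEGES contains PRIVILEGE MANAGEMENT, so a holder can
//    undo the DENY that was meant to restrict it. Run as a customAdministrator user:
REVOKE DENY DATABASE MANAGEMENT ON DBMS FROM customAdministrator;

// Mitigation: deny privilege management so the role cannot edit privileges at all, and deny
// role assignment so it cannot reach admin through membership either.
DENY PRIVILEGE MANAGEMENT ON DBMS TO customAdministrator;
DENY ASSIGN ROLE ON DBMS TO customAdministrator;
DENY DATABASE MANAGEMENT ON DBMS TO customAdministrator;

// Verify the effective privileges of a user, not only of a role: a user holds the union of
// all its roles' grants, with every DENY from any role taking precedence.
SHOW USER ops PRIVILEGES AS COMMANDS;
```

The DENY statements are the effective controls: a REVOKE only removes a matching GRANT from that one role, whereas a DENY blocks the action for the user regardless of which other roles grant it.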

Create a custom administrator role by copying the admin role

You can also create a custom administrator role by copying the admin role and then revoking or denying the privileges you do not want. For example, you can create a new role called newAdministrator that has all the privileges of the admin role, and then revoke the ability to read, write, and load data, the ability to manage and show constraints, indexes, and names, and the ability to access any database other than the system database.

  1. Create a new role by copying the admin role:

    CREATE ROLE newAdministrator AS COPY OF admin;
  2. Revoke the ability to read, write, and load data:

    REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM newAdministrator;
    REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM newAdministrator;
    REVOKE GRANT WRITE ON GRAPH * FROM newAdministrator;
    REVOKE GRANT LOAD ON ALL DATA FROM newAdministrator;
  3. Revoke the ability to manage and show indexes, constraints, and names:

    REVOKE GRANT CONSTRAINT MANAGEMENT ON DATABASE * FROM newAdministrator;
    REVOKE GRANT INDEX MANAGEMENT ON DATABASE * FROM newAdministrator;
    REVOKE GRANT NAME MANAGEMENT ON DATABASE * FROM newAdministrator;
    REVOKE GRANT SHOW CONSTRAINT ON DATABASE * FROM newAdministrator;
    REVOKE GRANT SHOW INDEX ON DATABASE * FROM newAdministrator;
  4. Revoke the ability to access all databases:

    REVOKE GRANT ACCESS ON DATABASE * FROM newAdministrator;
  5. Grant the ability to access the system database:

    GRANT ACCESS ON DATABASE system TO newAdministrator;
  6. To list all privileges for the role newAdministrator as commands, use the following query:

    SHOW ROLE newAdministrator PRIVILEGES AS COMMANDS;
    Table 3. Result
    command

    "GRANT ACCESS ON DATABASE system TO `newAdministrator`"

    "GRANT ALL DBMS PRIVILEGES ON DBMS TO `newAdministrator`"

    "GRANT START ON DATABASE * TO `newAdministrator`"

    "GRANT STOP ON DATABASE * TO `newAdministrator`"

    "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `newAdministrator`"

    Rows: 5
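Revoking ACCESS ON DATABASE * in step 4 only removes the grant that newAdministrator inherited from the copy; a user who also holds another role that grants access regains it. The following added example, not part of the original page, shows how to verify the effective privileges of a user holding newAdministrator and how to make the restriction hold regardless of the user's other roles. The user, the second role, and the password are hypothetical.

```cypher
// Added example; assumes newAdministrator exists as created above. The user dbadmin,
// the role appReader and the password are hypothetical.
CREATE USER dbadmin SET PASSWORD 'hypothetical-initial-password' CHANGE REQUIRED;
GRANT ROLE newAdministrator TO dbadmin;

// A user's effective privileges are the union of all roles it holds, so check the user,
// not only the role. At this point only the five commands listed in Table 3 appear.
SHOW USER dbadmin PRIVILEGES AS COMMANDS;

// Give the same user a second role that grants read access to the neo4j database.
CREATE ROLE appReader;
GRANT ACCESS ON DATABASE neo4j TO appReader;
GRANT MATCH {*} ON GRAPH neo4j TO appReader;
GRANT ROLE appReader TO dbadmin;

// The revoke in step 4 no longer keeps dbadmin out of neo4j: the appReader grants now
// show up in the user's effective privileges.
SHOW USER dbadmin PRIVILEGES AS COMMANDS;

// To keep the administrator out of user databases whatever else it is granted, deny the
// access on the administrator role itself. A DENY takes precedence over a GRANT from any
// role, and because it names a single database it leaves the GRANT ACCESS ON DATABASE
// system from step 5 intact.
DENY ACCESS ON DATABASE neo4j TO newAdministrator;
SHOW USER dbadmin PRIVILEGES AS COMMANDS;
```

Denying ACCESS ON DATABASE * would also block the system database, so scope the DENY to the databases the role must stay out of, or re-check the combined output of SHOW USER ... PRIVILEGES AS COMMANDS whenever a user's role set changes.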