The DBMS EXECUTE privileges
AuraDB Business CriticalAuraDB Virtual Dedicated CloudEnterprise Edition

The DBMS privileges for procedure and user-defined function execution can be granted, denied, or revoked like other privileges.

For more details about the syntax descriptions, see Reading the administration commands syntax.
Table 1. Execute privileges command syntax
Command Description 
GRANT [IMMUTABLE] EXECUTE PROCEDURE[S] name-globbing[, ...]
  ON DBMS
  TO role[, ...]

Enables the specified roles to execute the given procedures.

 
GRANT [IMMUTABLE] EXECUTE BOOSTED PROCEDURE[S] name-globbing[, ...]
  ON DBMS
  TO role[, ...]

Enables the specified roles to use elevated privileges when executing the given procedures.

 
GRANT [IMMUTABLE] EXECUTE ADMIN[ISTRATOR] PROCEDURES
  ON DBMS
  TO role[, ...]

Enables the specified roles to execute procedures annotated with @Admin. The procedures are executed with elevated privileges.

 
GRANT [IMMUTABLE] EXECUTE [USER [DEFINED]] FUNCTION[S] name-globbing[, ...]
  ON DBMS
  TO role[, ...]

Enables the specified roles to execute the given user-defined functions.

 
GRANT [IMMUTABLE] EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] name-globbing[, ...]
  ON DBMS
  TO role[, ...]

Enables the specified roles to use elevated privileges when executing the given user-defined functions.

Grant privilege to execute procedures

You can grant the privilege to execute procedures using the EXECUTE PROCEDURE privilege.
A role with this privilege is allowed to execute the procedures matched by the name-globbing.

Grant privilege to execute some procedures

The following query allow the execution of procedures starting with db.schema:

GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO procedureExecutor;

Users with the role procedureExecutor can run any procedure in the db.schema namespace. The procedures are executed using the user’s own privileges.

To list all privileges for the role procedureExecutor as commands, use the following query:

SHOW ROLE procedureExecutor PRIVILEGES AS COMMANDS;
Table 2. Result
command

"GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO `procedureExecutor`"

Rows: 1

Grant privilege to execute all but some procedures

You can grant the privilege to execute all except a few procedures using EXECUTE PROCEDURES * and deny the unwanted procedures. For example, the following queries allow the execution of all procedures, except those starting with dbms.cluster:

GRANT EXECUTE PROCEDURE * ON DBMS TO deniedProcedureExecutor;
DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO deniedProcedureExecutor;

Users with the role deniedProcedureExecutor can run any procedure except those starting with dbms.cluster. The procedures are executed using the user’s own privileges.

To list all privileges for the role deniedProcedureExecutor as commands, use the following query:

SHOW ROLE deniedProcedureExecutor PRIVILEGES AS COMMANDS;
Table 3. Result
command

"DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO `deniedProcedureExecutor`"

"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedProcedureExecutor`"

Rows: 2

The dbms.cluster.checkConnectivity, dbms.cluster.cordonServer, dbms.cluster.protocols, dbms.cluster.readReplicaToggle, dbms.cluster.routing.getRoutingTable, dbms.cluster.secondaryReplicationDisable, dbms.cluster.setAutomaticallyEnableFreeServers, and dbms.cluster.uncordonServer procedures are blocked, as well as any others starting with dbms.cluster.

Grant privilege to execute procedures with elevated privileges

You can grant the privilege to execute procedures with elevated privileges using the EXECUTE BOOSTED PROCEDURE privilege.
A user with this privilege will not be restricted to their other privileges when executing the procedures matched by the name-globbing. The EXECUTE BOOSTED PROCEDURE privilege only affects the elevation, and not the execution of the procedure. Therefore, it is needed to grant EXECUTE PROCEDURE privilege for the procedures as well. Both EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE are needed to execute a procedure with elevated privileges.

Grant privilege to execute some procedures with elevated privileges

You can grant the privilege to execute some procedures with elevated privileges using EXECUTE BOOSTED PROCEDURE *.

For example, the following query allow the execution of the procedures db.labels and db.relationshipTypes with elevated privileges, and all other procedures with the user’s own privileges:

GRANT EXECUTE PROCEDURE * ON DBMS TO boostedProcedureExecutor;
GRANT EXECUTE BOOSTED PROCEDURE db.labels, db.relationshipTypes ON DBMS TO boostedProcedureExecutor

Users with the role boostedProcedureExecutor can thus run the db.labels and the db.relationshipTypes procedures with full privileges, seeing everything in the graph and not just the labels and types that the user has TRAVERSE privilege on. Without the EXECUTE PROCEDURE, no procedures could be executed at all.

To list all privileges for the role boostedProcedureExecutor as commands, use the following query:

SHOW ROLE boostedProcedureExecutor PRIVILEGES AS COMMANDS;
Table 4. Result
command

"GRANT EXECUTE PROCEDURE * ON DBMS TO `boostedProcedureExecutor`"

"GRANT EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `boostedProcedureExecutor`"

"GRANT EXECUTE BOOSTED PROCEDURE db.relationshipTypes ON DBMS TO `boostedProcedureExecutor`"

Rows: 3

Combination of granting execution and denying privilege elevation

As with grant, denying EXECUTE BOOSTED PROCEDURE on its own only affects the elevation and not the execution of the procedure.

For example:

GRANT EXECUTE PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor1;
DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor1;

As a result, the deniedBoostedProcedureExecutor1 role has privileges that allow the execution of all procedures using the user’s own privileges. They also prevent the db.labels procedure from being elevated. Still, the denied EXECUTE BOOSTED PROCEDURE does not block execution of db.labels.

To list all privileges for role deniedBoostedProcedureExecutor1 as commands, use the following query:

SHOW ROLE deniedBoostedProcedureExecutor1 PRIVILEGES AS COMMANDS;
Table 5. Result
command

"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor1`"

"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor1`"

Rows: 2

Combination of granting privilege elevation and denying execution

You can also grant the privilege to execute procedures with elevated privileges and deny the execution of specific procedures.

For example:

GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor2;
DENY EXECUTE PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor2;

As a result, the deniedBoostedProcedureExecutor2 role has privileges that allow elevating the privileges for all procedures, but cannot execute any due to missing or denied EXECUTE PROCEDURE privileges.

To list all privileges for the role deniedBoostedProcedureExecutor2 as commands, use the following query:

SHOW ROLE deniedBoostedProcedureExecutor2 PRIVILEGES AS COMMANDS;
Table 6. Result
command

"DENY EXECUTE PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor2`"

"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor2`"

Rows: 2

Combination of granting and denying privilege elevation

You can also grant the privilege to execute procedures with elevated privileges and deny the elevation for specific procedures.

For example, the following queries allow has privileges that allow elevating the privileges for all procedures except db.labels. However, no procedures can be executed due to a missing EXECUTE PROCEDURE privilege.

GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor3;
DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor3;

As a result, the deniedBoostedProcedureExecutor3 role has privileges that allow elevating the privileges for all procedures except db.labels. However, no procedures can be executed due to missing EXECUTE PROCEDURE privilege.

To list all privileges for the role deniedBoostedProcedureExecutor3 as commands, use the following query:

SHOW ROLE deniedBoostedProcedureExecutor3 PRIVILEGES AS COMMANDS;
Table 7. Result
command

"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor3`"

"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor3`"

Rows: 2

Control procedure output with privileges

You can control the output of procedures based on the privileges granted or denied to a role using the EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE privileges. For example, assume there is a procedure called myProc.

This procedure gives the result A and B for a user with only the EXECUTE PROCEDURE privilege and A, B and C for a user with both the EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE privileges.

Now, adapt the privileges from sections Combination of granting execution and denying privilege elevation (example 1), Combination of granting privilege elevation and denying execution (example 2), and Combination of granting and denying privilege elevations (example 3) to be applied to this procedure and show what is returned.

With the privileges from example 1, granted EXECUTE PROCEDURE * and denied EXECUTE BOOSTED PROCEDURE myProc, the myProc procedure returns the result A and B.

With the privileges from example 2, granted EXECUTE BOOSTED PROCEDURE * and denied EXECUTE PROCEDURE myProc, execution of the myProc procedure is not allowed.

With the privileges from example 3, granted EXECUTE BOOSTED PROCEDURE * and denied EXECUTE BOOSTED PROCEDURE myProc, execution of the myProc procedure is not allowed.

For comparison, when granted:

  • EXECUTE PROCEDURE myProc: the myProc procedure returns the result A and B.

  • EXECUTE BOOSTED PROCEDURE myProc: execution of the myProc procedure is not allowed.

  • EXECUTE PROCEDURE myProc and EXECUTE BOOSTED PROCEDURE myProc: the myProc procedure returns the result A, B, and C.

Grant privilege to execute admin procedures

Admin procedures (annotated with @Admin) are special in that they require elevated privileges to be executed at all. This means that to execute an admin procedure you need both the EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE privileges for that procedure.

For a user to be allowed to execute all admin procedures, they can either be granted the two privileges for each of the admin procedures (which would need to be updated each time a new admin procedure is added), all procedures (which would then affect all non-admin procedures as well) or the EXECUTE ADMIN PROCEDURES privilege.

The EXECUTE ADMIN PROCEDURES privilege is equivalent to granting the EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE privileges on each of the admin procedures. This also have the additional advantage that any newly added admin procedure is automatically included in this privilege.
For example:

GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO adminProcedureExecutor;

Users with the role adminProcedureExecutor can run any admin procedure with elevated privileges. As a result, the adminProcedureExecutor role has privileges that allow the execution of all admin procedures. To list all privileges for the role adminProcedureExecutor as commands, use the following query:

SHOW ROLE adminProcedureExecutor PRIVILEGES AS COMMANDS;
Table 8. Result
command

"GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO `adminProcedureExecutor`"

Rows: 1

In order to compare this with the EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE privileges, revisit the myProc procedure, but this time as an admin procedure, which will give the result A, B and C when allowed to execute.

By starting with a user only granted the EXECUTE PROCEDURE myProc or the EXECUTE BOOSTED PROCEDURE myProc privilege, execution of the myProc procedure is not allowed.

However, for a user granted the EXECUTE ADMIN PROCEDURES or both EXECUTE PROCEDURE myProc and EXECUTE BOOSTED PROCEDURE myProc, the myProc procedure returns the result A, B and C.

Any denied EXECUTE privilege results in the procedure not being allowed to be executed. In this case, it does not matter whether EXECUTE PROCEDURE, EXECUTE BOOSTED PROCEDURE or EXECUTE ADMIN PROCEDURES is being denied.

Grant privilege to execute user-defined functions

You can grant the privilege to execute user-defined functions (UDFs) using the EXECUTE USER DEFINED FUNCTION privilege. A role with this privilege is allowed to execute the UDFs matched by the name-globbing.

The EXECUTE USER DEFINED FUNCTION privilege does not apply to built-in functions, which are always executable.

Grant privilege to execute some user-defined functions

The following query shows an example of how to grant the EXECUTE USER DEFINED FUNCTION privilege:

GRANT EXECUTE USER DEFINED FUNCTION apoc.coll.* ON DBMS TO functionExecutor;

Or in short form:

GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO functionExecutor;

Users with the role functionExecutor can thus run any UDF in the apoc.coll namespace. The functions are executed using the user’s own privileges.

As a result, the functionExecutor role has privileges that only allow executing UDFs in the apoc.coll namespace. To list all privileges for the role functionExecutor as commands, use the following query:

SHOW ROLE functionExecutor PRIVILEGES AS COMMANDS;
Table 9. Result
command

"GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO `functionExecutor`"

Rows: 1

Grant privilege to execute all but some user-defined functions

To allow the execution of all but a few UDFs, you can grant EXECUTE USER DEFINED FUNCTIONS * and deny the unwanted UDFs. For example, the following queries allow the execution of all UDFs except those starting with apoc.any.prop:

GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO deniedFunctionExecutor;
DENY EXECUTE USER DEFINED FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor;

Or in short form:

GRANT EXECUTE FUNCTIONS * ON DBMS TO deniedFunctionExecutor;
DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor;

As a result, the deniedFunctionExecutor role has privileges that only allow the execution of all UDFs except those starting with apoc.any.prop. The functions are executed using the user’s own privileges. To list all privileges for the role deniedFunctionExecutor as commands, use the following query:

SHOW ROLE deniedFunctionExecutor PRIVILEGES AS COMMANDS;
Table 10. Result
command

"DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO `deniedFunctionExecutor`"

"GRANT EXECUTE FUNCTION * ON DBMS TO `deniedFunctionExecutor`"

Rows: 2

The apoc.any.property and apoc.any.properties are blocked, as well as any other UDFs starting with apoc.any.prop.

Grant privilege to execute user-defined functions with elevated privileges

You can grant the privilege to execute user-defined functions (UDFs) with elevated privileges using the EXECUTE BOOSTED USER DEFINED FUNCTION privilege.
A user with this privilege will not be restricted to their other privileges when executing the UDFs matched by the name-globbing. The EXECUTE BOOSTED USER DEFINED FUNCTION privilege only affects the elevation and not the execution of the function. Therefore, it is needed to grant EXECUTE USER DEFINED FUNCTION privilege for the UDFs as well. Both EXECUTE USER DEFINED FUNCTION and EXECUTE BOOSTED USER DEFINED FUNCTION are needed to execute a function with elevated privileges.

The EXECUTE BOOSTED USER DEFINED FUNCTION privilege does not apply to built-in functions, as they have no concept of elevated privileges.

Grant privilege to execute some user-defined functions with elevated privileges

The following query shows an example of how to grant the EXECUTE BOOSTED USER DEFINED FUNCTION privilege:

GRANT EXECUTE USER DEFINED FUNCTION * ON DBMS TO boostedFunctionExecutor;
GRANT EXECUTE BOOSTED USER DEFINED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor;

Or in short form:

GRANT EXECUTE FUNCTION * ON DBMS TO boostedFunctionExecutor;
GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor;

Users with the role boostedFunctionExecutor can thus run apoc.any.properties with full privileges and see every property on the node/relationship, not just the properties that the user has READ privilege on. Without the EXECUTE USER DEFINED FUNCTION, you cannot execute any UDFs at all.

As a result, the boostedFunctionExecutor role has privileges that allow executing the UDF apoc.any.properties with elevated privileges, and all other UDFs with the users' own privileges. To list all privileges for the role boostedFunctionExecutor as commands, use the following query:

SHOW ROLE boostedFunctionExecutor PRIVILEGES AS COMMANDS;
Table 11. Result
command

"GRANT EXECUTE FUNCTION * ON DBMS TO `boostedFunctionExecutor`"

"GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO `boostedFunctionExecutor`"

Rows: 2