Load privileges

This feature was released in Neo4j 5.13.

This section explains how to use Cypher to manage load privileges. All load privileges apply to the whole system. Like DBMS privileges, they do not belong to one specific database or graph. For more details on the differences between graphs, databases, and the DBMS, refer to Cypher Manual → Cypher and Neo4j.

privileges grant and deny syntax load privileges
Figure 1. Syntax of GRANT and DENY load Privileges

The load privileges apply to the Cypher LOAD CSV clause, deciding whether or not the data can be loaded from the given source.

The load privileges are assigned using Cypher administrative commands. They can be granted, denied, and revoked in the same way as other privileges. For more details, see RBAC and fine-grained privileges.

Table 1. Load privileges command syntax
Command Description 
GRANT [IMMUTABLE] LOAD
  ON ALL DATA
  TO role[, ...]

Enables the specified roles to load external data in queries.

More details about the syntax descriptions can be found Cypher syntax for administration commands.

Unlike other privileges, the LOAD privilege is not granted, denied, or revoked on DBMS, Database, or Graph, but instead on the data source to load from. Adding ON ALL DATA means a role has the privilege to load data from all sources.

The ALL DATA privilege

The load privilege on ALL DATA enables or disables loading data. If granted, the user can load data from any source. If missing or denied, no data can be loaded at all.

For example, the below query grants users with the role roleLoadAllData the ability to load data with LOAD CSV:

GRANT LOAD ON ALL DATA TO roleLoadAllData

The below query lists all privileges for the role roleLoadAllData as commands:

SHOW ROLE roleLoadAllData PRIVILEGES AS COMMANDS
Table 2. Result
command

"GRANT LOAD ON ALL DATA TO `roleLoadAllData`"

Rows: 1

The LOAD ON ALL DATA privilege is granted to the PUBLIC role by default.