Role-based access control (AuraDB Business Critical, AuraDB Virtual Dedicated Cloud, Enterprise Edition)
Role-based access control (RBAC) is a method of restricting access to authorized users, by assigning users to specific roles with a particular set of privileges granted to them.
Privileges control the access rights to graph elements using a combined allowlist/denylist mechanism.
It is possible to grant or deny access, or use a combination of the two.
You are able to access a resource if you have a GRANT (allowlist) and do not have a DENY (denylist) relevant to that resource.
All other combinations of GRANT and DENY result in the matching path being inaccessible.
What this means in practice depends on whether you have a read privilege or a write privilege:
- If an entity is not accessible due to read privileges, the data is invisible. It appears to you as if you had a smaller database (smaller graph).
- If an entity is not accessible due to write privileges, an error occurs on any attempt to write that data.
| This page often uses the terms 'allows' and 'enables' in seemingly identical ways. However, there is a subtle difference. 'enables' refers to the consequences of read privileges where a restriction will not cause an error, only a reduction in the apparent graph size. 'allows' refers to the consequence of write privileges where a restriction can result in an error. | 
| If a user was not also provided with the database  | 
| For more details about the syntax descriptions, see Database management command syntax. | 
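The two behaviours above, as an added example that is not part of the Neo4j manual: one role is allowlisted for the whole graph and then denylisted for a single label, once on the read side and once on the write side. It assumes a database named neo4j that holds :Post and :Payments nodes, and uses the role analyst and the user alice; all of these names are illustrative. The commands run against the system database.

```cypher
// Added example, not from the Neo4j manual. Role, user and label names are illustrative.
// Run against the system database (e.g. cypher-shell -d system).
CREATE ROLE analyst;
CREATE USER alice SET PASSWORD 'replace-me' CHANGE NOT REQUIRED;
GRANT ROLE analyst TO alice;

// Graph privileges are moot without ACCESS on the database that holds the graph.
GRANT ACCESS ON DATABASE neo4j TO analyst;

// Read side: allowlist every node, then denylist one label.
// A matching DENY wins over the GRANT, so alice never sees a :Payments node;
// a query touching that label returns fewer rows instead of failing.
GRANT TRAVERSE ON GRAPH neo4j NODES * TO analyst;
GRANT READ {*} ON GRAPH neo4j NODES * TO analyst;
DENY TRAVERSE ON GRAPH neo4j NODES Payments TO analyst;

// Write side: allowlist node creation, then denylist it for the same label.
// Here the DENY is enforced with an error on the attempt to write.
GRANT CREATE ON GRAPH neo4j NODES * TO analyst;
DENY CREATE ON GRAPH neo4j NODES Payments TO analyst;

// Verify that both rules exist: one GRANTED and one DENIED row per action.
SHOW ROLE analyst PRIVILEGES YIELD access, action, graph, segment
  WHERE segment CONTAINS 'Payments'
  RETURN access, action, graph, segment;
```

Logged in as alice, `MATCH (p:Payments) RETURN count(p)` returns 0 and no error, while `CREATE (:Payments {amount: 1})` is rejected. That is the distinction the text draws: a read restriction shrinks the visible graph, a write restriction raises an error.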
Graph privilege commands
Administrators can use the Cypher commands GRANT, DENY, and REVOKE to manage Neo4j graph administrative rights.
These commands can be used to grant or deny privileges to roles, and to revoke previously granted or denied privileges.
The privileges can be granted or denied on the entire graph or specific elements within the graph.
The privileges can also be made immutable, which means they cannot be granted, denied, or revoked unless auth is disabled.
Components of the graph privilege commands
The components of the graph privilege commands are:
- the command:
  - GRANT – gives privileges to roles.
  - DENY – denies privileges to roles.
  - REVOKE – removes granted or denied privileges from roles.
- mutability:
  - IMMUTABLE can optionally be specified when performing a GRANT or DENY to indicate that the privilege cannot be subsequently removed unless auth is disabled. Auth must also be disabled in order to GRANT or DENY an immutable privilege. Contrastingly, when IMMUTABLE is specified in conjunction with a REVOKE command, it acts as a filter and only removes matching immutable privileges. Immutable privileges can also be used together with immutable roles. See Immutable roles and privileges for more information.
- graph-privilege:
  - Can be either a read privilege or a write privilege.
- name:
  - The graph or graphs to associate the privilege with. Because in Neo4j 2025.09 you can have only one graph per database, this command uses the database name or alias to refer to that graph. When using an alias, the command will be executed on the resolved graph. If you delete a database and create a new one with the same name, the new one will NOT have the privileges previously assigned to the deleted graph.
  - It can be *, which means all graphs. Graphs created after this command execution will also be associated with these privileges.
  - HOME GRAPH refers to the graph associated with the home database for that user. The default database will be used as home database if a user does not have one configured. If the user's home database changes for any reason after privileges have been created, then these privileges will be associated with the graph attached to the new database. This can be quite powerful as it allows permissions to be switched from one graph to another simply by changing a user's home database.
- entity:
  - The graph elements this privilege applies to:
    - NODES label (nodes with the specified label(s)).
    - RELATIONSHIPS type (relationships of the specified type(s)).
    - ELEMENTS label (both nodes and relationships).
    - FOR pattern (nodes that match the pattern). See Property-based access control for details.
  - The label or type can be referred to with *, which means all labels or types.
  - Multiple labels or types can be specified, comma-separated.
  - Defaults to ELEMENTS * if omitted.
  - Some of the commands for write privileges do not allow an entity part. See Write privileges for details.
  - The FOR pattern entity is not supported for write privileges.
- role[, …]:
  - The role or roles to associate the privilege with, comma-separated.
General syntax for graph privilege commands
| Command | Syntax | Description |
|---|---|---|
| GRANT | GRANT [IMMUTABLE] graph-privilege TO role[, ...] | Grants a privilege to one or multiple roles. |
| DENY | DENY [IMMUTABLE] graph-privilege TO role[, ...] | Denies a privilege to one or multiple roles. |
| REVOKE GRANT | REVOKE [IMMUTABLE] GRANT graph-privilege FROM role[, ...] | Revokes a granted privilege from one or multiple roles. |
| REVOKE DENY | REVOKE [IMMUTABLE] DENY graph-privilege FROM role[, ...] | Revokes a denied privilege from one or multiple roles. |
| REVOKE | REVOKE [IMMUTABLE] graph-privilege FROM role[, ...] | Revokes a granted or denied privilege from one or multiple roles. |
Common errors, such as misspellings or attempts to revoke privileges that have not been granted or denied, will result in notifications.
In Cypher 25, notifications for impossible REVOKE commands, where a user, a role, or a database does not exist, have been replaced with errors.
See Status Codes → Notification codes for details on notifications.
The general GRANT and DENY syntaxes are illustrated in the following image (image not included):
A more detailed syntax illustration for graph privileges would be the following (image not included):
{ and } are part of the syntax and not used for grouping.
The following image shows the hierarchy between different graph privileges (image not included):
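Two points from the component list above bite in practice: a HOME GRAPH privilege follows the user's home database wherever it is pointed, and a privilege on a named graph does not survive dropping and recreating that database. The following added example (not from the Neo4j manual) walks through both. It assumes the user alice, the role analyst, the databases sales and sales_eu, and the labels Customer, Order and Announcement, all illustrative, and runs against the system database.

```cypher
// Added example, not from the Neo4j manual; user, role, database and label names
// are illustrative. Run against the system database.
GRANT ACCESS ON DATABASE * TO analyst;

// 1. HOME GRAPH is resolved through the user's home database, not bound to a graph.
ALTER USER alice SET HOME DATABASE sales;
GRANT TRAVERSE ON HOME GRAPH NODES Customer TO analyst;
GRANT READ {*} ON HOME GRAPH NODES Customer TO analyst;
// Re-pointing the home database moves the privilege with it: alice now reads
// Customer nodes in sales_eu and no longer in sales, with no GRANT changed.
ALTER USER alice SET HOME DATABASE sales_eu;
// The privilege itself still reads HOME GRAPH, so review it together with the
// user's home database when auditing who can read what.
SHOW ROLE analyst PRIVILEGES AS COMMANDS YIELD command
  WHERE command CONTAINS 'HOME GRAPH' RETURN command;
SHOW USERS YIELD user, home WHERE user = 'alice' RETURN user, home;

// 2. GRAPH * also covers graphs created later; GRAPH sales does not survive a recreate.
GRANT TRAVERSE ON GRAPH * NODES Announcement TO analyst;
GRANT TRAVERSE ON GRAPH sales NODES Order TO analyst;
// Snapshot the named-graph privileges as commands before touching the database.
SHOW ROLE analyst PRIVILEGES AS COMMANDS YIELD command
  WHERE command CONTAINS 'sales' RETURN command;
DROP DATABASE sales;
CREATE DATABASE sales;
// No row for sales remains for this role, only the GRAPH * rows; replay the
// snapshot (here a single statement) to restore it.
SHOW ROLE analyst PRIVILEGES YIELD graph, action, segment
  WHERE graph IN ['*', 'sales'] RETURN graph, action, segment;
GRANT TRAVERSE ON GRAPH sales NODES Order TO analyst;
```

Two consequences worth building into procedures: an ALTER USER ... SET HOME DATABASE is an access-control change when any HOME GRAPH privileges exist and should be reviewed as one, and any restore or rebuild that recreates a database has to re-apply its graph privileges from a SHOW ... AS COMMANDS snapshot taken beforehand (DROP DATABASE also destroys the data, so the snapshot is the cheap part).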
Listing supported privileges
Supported privileges can be displayed using the SHOW SUPPORTED PRIVILEGES command.
This lists the privileges that are possible to grant or deny on a server, together with the structure of the privilege.
| Command | SHOW SUPPORTED PRIVILEGES |
| Syntax | SHOW SUPPORTED PRIVILEGE[S] [YIELD { * \| field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]] [WHERE expression] [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]] |
| Description | List all privileges supported by the server. |
When using the RETURN clause, the YIELD clause is mandatory and must not be omitted.
Results will include multiple columns describing the privileges:
| Column | Description | Type |
|---|---|---|
| action | The privilege action. | STRING |
| qualifier | Qualifier to further limit the target of the privilege. | STRING |
| target | Target of the privilege. | STRING |
| scope | List of possible scopes for the privilege. | LIST<STRING> |
| description | A short description of the privilege. | STRING |
If a privilege lists a qualifier, it has to be used in the command by either an identifier or * if it should affect all identifiers.
The below table demonstrates how qualifiers are used:
| qualifier | example |
|---|---|
It is optional to specify the scope of a privilege.
If it is not specified, the default scope will be ELEMENT *.
Note that not all privileges have a scope.
Examples for listing supported privileges
SHOW SUPPORTED PRIVILEGES YIELD * ORDER BY action DESC LIMIT 10 RETURN action, qualifier, target, scope, description
Lists 10 supported privileges:
| action | qualifier | target | scope | description |
|---|---|---|---|---|
| Rows: 10 | ||||
Listing assigned privileges
Privileges that have been granted or denied to roles can be displayed using the following SHOW PRIVILEGE[S] commands.
| Command | SHOW PRIVILEGES |
| Syntax | SHOW [ALL] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]] [YIELD { * \| field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]] [WHERE expression] [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]] |
| Description | List all granted or denied privileges. |
| Command | SHOW ROLE PRIVILEGES |
| Syntax | SHOW ROLE[S] name[, ...] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]] [YIELD { * \| field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]] [WHERE expression] [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]] |
| Description | List privileges granted or denied to a specific role. |
| Command | SHOW USER PRIVILEGES |
| Syntax | SHOW USER[S] [name[, ...]] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]] [YIELD { * \| field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]] [WHERE expression] [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]] |
| Description | List privileges for a specific user, or the current user. |
| Note: when a non-native auth provider like LDAP is in use, it is only possible for a user to show their own privileges. SHOW USER name PRIVILEGES therefore works only in that limited capacity, and other users' privileges cannot be listed with a non-native auth provider. |
When using the RETURN clause, the YIELD clause is mandatory and must not be omitted.
For an easy overview of the existing privileges, it is recommended to use the AS COMMANDS version of the SHOW command, which returns two columns.
| Column | Description | Type |
|---|---|---|
| command | The privilege as the command that is granted or denied. Or, in the AS REVOKE COMMANDS case, the command that revokes it. | STRING |
| immutable | Whether or not the privilege is immutable. | BOOLEAN |
Alternatively, you can omit the AS COMMANDS clause and get the full details of the privileges returned in multiple columns.
They are all returned by default without requiring a YIELD.
| Column | Description | Type |
|---|---|---|
| access | Whether the privilege is granted or denied. | STRING |
| action | The type of the privilege. E.g., traverse, read, index management, or role management. | STRING |
| resource | The scope of the privilege. E.g., the entire DBMS, a specific database, a graph, or sub-graph access. | STRING |
| graph | The specific database or graph the privilege applies to. | STRING |
| segment | The labels, relationship types, pattern, procedures, functions, transactions or settings the privilege applies to (if applicable). | STRING |
| role | The role the privilege is granted to. | STRING |
| immutable | Whether or not the privilege is immutable. | BOOLEAN |
| user | The user the privilege belongs to. Note that this is only returned for SHOW USER [name] PRIVILEGES. | STRING |
Examples for listing all privileges
Assigned privileges can be displayed using the different SHOW PRIVILEGE[S] commands.
SHOW [ALL] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  [WHERE expression]
SHOW [ALL] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
SHOW PRIVILEGES
Lists all privileges for all roles:
| access | action | resource | graph | segment | role | immutable |
|---|---|---|---|---|---|---|
| Rows: 39 | ||||||
It is also possible to filter and sort the results by using YIELD, ORDER BY and WHERE:
SHOW PRIVILEGES YIELD role, access, action, segment
ORDER BY action
WHERE role = 'admin'
In this example:
- The number of columns returned has been reduced with the YIELD clause.
- The order of the returned columns has been changed.
- The results have been filtered to only return the admin role using a WHERE clause.
- The results are ordered by the action column using ORDER BY.
SKIP and LIMIT can also be used to paginate the results.
| role | access | action | segment |
|---|---|---|---|
| Rows: 12 | |||
WHERE can also be used without YIELD:
SHOW PRIVILEGES
WHERE graph <> '*'
In this example, the WHERE clause is used to filter privileges down to those that target specific graphs only.
| access | action | graph | resource | role | segment |
|---|---|---|---|---|---|
| Rows: 3 | |||||
Aggregations in the RETURN clause can be used to group privileges.
In this case, by role and GRANTED or DENIED:
SHOW PRIVILEGES YIELD * RETURN role, access, collect([graph, resource, segment, action]) AS privileges
| role | access | privileges |
|---|---|---|
| Rows: 8 | ||
The RETURN clause can also be used to order and paginate the results, which is useful when combined with YIELD and WHERE.
In this example the query returns privileges for display five-per-page, and skips the first five to display the second page.
SHOW PRIVILEGES YIELD * RETURN * ORDER BY role SKIP 5 LIMIT 5
| access | action | graph | resource | role | segment | immutable |
|---|---|---|---|---|---|---|
| Rows: 5 | ||||||
Available privileges can also be displayed as Cypher commands by adding AS COMMAND[S]:
SHOW PRIVILEGES AS COMMANDS
| command |
|---|
| Rows: 35 |
Like other SHOW commands, the output can also be processed using YIELD / WHERE / RETURN:
SHOW PRIVILEGES AS COMMANDS
WHERE command CONTAINS 'MANAGEMENT'
| command |
|---|
| Rows: 8 |
It is also possible to get the privileges listed as revoking commands instead of granting or denying:
SHOW PRIVILEGES AS REVOKE COMMANDS
| command |
|---|
| Rows: 35 |
For more info about revoking privileges, please see The REVOKE command.
Examples for listing privileges for specific roles
Available privileges for specific roles can be displayed using SHOW ROLE name PRIVILEGE[S]:
SHOW ROLE[S] name[, ...] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  [WHERE expression]
SHOW ROLE[S] name[, ...] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
SHOW ROLE regularUsers PRIVILEGES
Lists all privileges for role regularUsers.
| access | action | graph | resource | role | segment | immutable |
|---|---|---|---|---|---|---|
| Rows: 1 | ||||||
SHOW ROLES regularUsers, noAccessUsers PRIVILEGES
Lists all privileges for roles regularUsers and noAccessUsers.
| access | action | graph | resource | role | segment | immutable |
|---|---|---|---|---|---|---|
| Rows: 2 | ||||||
Similar to the other SHOW PRIVILEGES commands, the available privileges for roles can also be listed as Cypher commands with the optional AS COMMAND[S].
SHOW ROLES regularUsers, noAccessUsers PRIVILEGES AS COMMANDS
| command |
|---|
| Rows: 11 |
The output can be processed using YIELD / WHERE / RETURN here as well:
SHOW ROLE architect PRIVILEGES AS COMMANDS WHERE command CONTAINS 'MATCH'
| command |
|---|
| Rows: 3 |
Again, it is possible to get the privileges listed as revoking commands instead of granting or denying. For more info about revoking privileges, please see The REVOKE command.
SHOW ROLE reader PRIVILEGES AS REVOKE COMMANDS
| command |
|---|
| Rows: 3 |
Examples for listing privileges for specific users
Available privileges for specific users can be displayed using SHOW USER name PRIVILEGES.
| Note that if a non-native auth provider like LDAP is in use, SHOW USER name PRIVILEGES only works in a limited capacity: a user can only show their own privileges, and other users' privileges cannot be listed. |
SHOW USER[S] [name[, ...]] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  [WHERE expression]
SHOW USER[S] [name[, ...]] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
SHOW USER jake PRIVILEGES
Lists all privileges for user jake.
| access | action | resource | graph | segment | role | immutable | user |
|---|---|---|---|---|---|---|---|
| Rows: 4 | |||||||
SHOW USERS jake, joe PRIVILEGES
Lists all privileges for users jake and joe.
| access | action | resource | graph | segment | role | immutable | user |
|---|---|---|---|---|---|---|---|
| Rows: 8 | |||||||
The same command can be used at all times to review available privileges for the current user.
For this purpose, there is a shorter form of the command: SHOW USER PRIVILEGES:
SHOW USER PRIVILEGES
As for the other privilege commands, available privileges for users can also be listed as Cypher commands with the optional AS COMMAND[S].
| When showing user privileges as commands, the roles in the Cypher commands are replaced with a parameter. This can be used to quickly create new roles based on the privileges of specific users. | 
SHOW USER jake PRIVILEGES AS COMMANDS
| command |
|---|
| Rows: 4 |
Like other SHOW commands, the output can also be processed using YIELD / WHERE / RETURN.
Additionally, similar to the other show privilege commands, it is also possible to show the commands for revoking the privileges.
SHOW USER jake PRIVILEGES AS REVOKE COMMANDS
WHERE command CONTAINS 'EXECUTE'
| command |
|---|
| Rows: 2 |
Revoking privileges
Privileges that were granted or denied earlier can be revoked using the REVOKE command:
REVOKE
  [ IMMUTABLE ]
  [ GRANT | DENY ] graph-privilege
  FROM role[, ...]
An example usage of the REVOKE command is given here:
REVOKE GRANT TRAVERSE ON HOME GRAPH NODES Post FROM regularUsers
While it can be explicitly specified that REVOKE should remove a GRANT or DENY, it is also possible to REVOKE both by not specifying them at all, as the next example demonstrates.
Because of this, if there happens to be a GRANT and a DENY for the same privilege, it would remove both.
REVOKE TRAVERSE ON HOME GRAPH NODES Payments FROM regularUsers
Adding IMMUTABLE explicitly specifies that only immutable privileges should be removed. Omitting it specifies that both immutable and regular privileges should be removed.
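An added example (not from the Neo4j manual) that exercises the REVOKE forms above and checks the result after each one. It reuses the role regularUsers and the database neo4j from this page's examples, adds the label Payments for illustration, and runs against the system database. The immutable steps assume auth has been disabled for that session (dbms.security.auth_enabled=false), as the component list requires.

```cypher
// Added example, not from the Neo4j manual. Run against the system database.
GRANT TRAVERSE ON GRAPH neo4j NODES Payments TO regularUsers;
DENY TRAVERSE ON GRAPH neo4j NODES Payments TO regularUsers;

// Two rows, one GRANTED and one DENIED; the DENY is what takes effect.
SHOW ROLE regularUsers PRIVILEGES YIELD access, action, graph, segment
  WHERE segment CONTAINS 'Payments' RETURN access, action, graph, segment;

// Targeted form: remove only the DENY, leaving the GRANT in place.
REVOKE DENY TRAVERSE ON GRAPH neo4j NODES Payments FROM regularUsers;

// Untargeted form: removes whatever GRANT and DENY remain for this privilege.
REVOKE TRAVERSE ON GRAPH neo4j NODES Payments FROM regularUsers;

// Immutable privileges can only be created or removed while auth is disabled
// (dbms.security.auth_enabled=false); with auth enabled the statements below are
// rejected and the REVOKEs above leave any immutable row in place.
DENY IMMUTABLE TRAVERSE ON GRAPH neo4j NODES Payments TO regularUsers;
// Confirm the flag before deciding how to remove it.
SHOW ROLE regularUsers PRIVILEGES YIELD access, immutable, action, segment
  WHERE immutable RETURN access, immutable, action, segment;
// IMMUTABLE on REVOKE is a filter: this removes the immutable DENY only and
// would leave a regular GRANT or DENY on the same privilege untouched.
REVOKE IMMUTABLE DENY TRAVERSE ON GRAPH neo4j NODES Payments FROM regularUsers;
```

The SHOW after the first two statements is the check to keep in a change procedure: an untargeted REVOKE on a privilege that has both a GRANT and a DENY silently removes the DENY as well, which widens access rather than narrowing it.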