Read privileges
There are three separate read privileges: TRAVERSE, READ, and MATCH.
For more details about the syntax descriptions, see Cypher syntax for administration commands.
The TRAVERSE privilege
Users can be granted the right to find nodes and relationships using the GRANT TRAVERSE privilege.
GRANT [IMMUTABLE] TRAVERSE
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
For example, we can enable users with the role regularUsers to find all nodes with the label Post in the database neo4j:
GRANT TRAVERSE ON GRAPH neo4j NODES Post TO regularUsers
The TRAVERSE privilege can also be denied.
DENY [IMMUTABLE] TRAVERSE
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
For example, we can disable users with the role regularUsers from finding all nodes with the label Payments:
DENY TRAVERSE ON HOME GRAPH NODES Payments TO regularUsers
The READ privilege
Users can be granted the right to do property reads on nodes and relationships using the GRANT READ privilege.
It is very important to note that users can only read properties on entities that they are enabled to find in the first place.
GRANT [IMMUTABLE] READ "{" { * | property[, ...] } "}"
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
For example, we can enable users with the role regularUsers to read all properties on nodes with the label Post in the database neo4j. The * implies that the ability to read all properties also extends to properties that might be added in the future.
GRANT READ { * } ON GRAPH neo4j NODES Post TO regularUsers
The READ privilege can also be denied.
DENY [IMMUTABLE] READ "{" { * | property[, ...] } "}"
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
Although we just granted the role regularUsers the right to read all properties, we may want to hide the secret property. The following example shows how to do that:
DENY READ { secret } ON GRAPH neo4j NODES Post TO regularUsers
The MATCH privilege
Users can be granted the right to find and do property reads on nodes and relationships using the GRANT MATCH privilege. This is semantically the same as having both TRAVERSE and READ privileges.
GRANT [IMMUTABLE] MATCH "{" { * | property[, ...] } "}"
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
For example, if you want to grant the ability to read the properties language and length for nodes with the label Message, as well as the ability to find these nodes, to the role regularUsers, you can use the following GRANT MATCH query:
GRANT MATCH { language, length } ON GRAPH neo4j NODES Message TO regularUsers
Like all other privileges, the MATCH privilege can also be denied.
DENY [IMMUTABLE] MATCH "{" { * | property[, ...] } "}"
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
Please note that the effect of denying a MATCH privilege depends on whether concrete property keys are specified or *. If you specify concrete property keys, then DENY MATCH will only deny reading those properties; finding the elements to traverse would still be enabled. If you specify * instead, then both traversal of the element and all property reads will be disabled. The following queries show examples of this.
Denying the ability to read the property content on nodes with the label Message for the role regularUsers would look like the following query. Although the role cannot read this specific property, nodes with that label can still be traversed (and, depending on other grants, other properties on them could still be read).
DENY MATCH { content } ON GRAPH neo4j NODES Message TO regularUsers
The following query exemplifies how it would look if you wanted to deny both reading all properties and traversing nodes labeled with Account in the database neo4j:
DENY MATCH { * } ON GRAPH neo4j NODES Account TO regularUsers
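The three privileges above are rarely granted in isolation; the following script (an added example, not from the original page or the Neo4j documentation) combines them into one least-privilege reader role and shows how GRANT and DENY layer. It assumes a database named neo4j, a role named regularUsers, the labels Post, Message, Account and Comment, and a Neo4j version that supports SHOW ROLE ... PRIVILEGES AS COMMANDS; administration commands must be run against the system database.

```cypher
// Constructed example: a least-privilege reader role built from
// TRAVERSE, READ and MATCH grants and denies. Run against `system`.
:use system

// A fresh role starts with no graph privileges at all (deny by default).
CREATE ROLE regularUsers IF NOT EXISTS;

// Post nodes: findable and fully readable ...
GRANT TRAVERSE ON GRAPH neo4j NODES Post TO regularUsers;
GRANT READ { * } ON GRAPH neo4j NODES Post TO regularUsers;
// ... except the `secret` property. DENY takes precedence over GRANT, so
// this single key is hidden even though `{ * }` was granted above.
DENY READ { secret } ON GRAPH neo4j NODES Post TO regularUsers;

// Message nodes: find + read two keys in one statement
// (MATCH is semantically TRAVERSE plus READ).
GRANT MATCH { language, length } ON GRAPH neo4j NODES Message TO regularUsers;

// Account nodes: make them invisible to the role. Only `{ * }` removes
// traversal; DENY MATCH { balance } would hide one property but still
// let the role find the node.
DENY MATCH { * } ON GRAPH neo4j NODES Account TO regularUsers;

// Pitfall to check for in reviews: a READ grant with no matching
// TRAVERSE (or MATCH) grant is inert, because properties can only be
// read on entities the role can find. This line alone exposes no
// Comment data; `Comment` is a constructed label for this example.
GRANT READ { * } ON GRAPH neo4j NODES Comment TO regularUsers;

// Audit the effective privilege set before assigning the role to users.
SHOW ROLE regularUsers PRIVILEGES AS COMMANDS;
```

When a user holding only regularUsers runs MATCH (p:Post) RETURN p.secret, the denied property reads back as null rather than raising an error, so tests of a privilege model should assert on returned values, not just on the absence of errors.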