Dynamic configuration settings
This page provides a complete reference to the Neo4j dynamic configuration settings, which can be changed at runtime, without restarting the service. This complete reference is a sub-list of all the Neo4j configuration settings.
Changes to the configuration at runtime are not persisted. To avoid losing changes when restarting Neo4j, make sure you update neo4j.conf as well. In a clustered environment, For more information on how to update dynamic configuration settings, see Update dynamic settings.
Name | Description |
---|---|
db.checkpoint.iops.limit | Limit the number of IOs the background checkpoint process will consume per second. |
db.format | Database format. |
db.lock.acquisition.timeout | The maximum time interval within which a lock should be acquired. |
db.logs.query.early_raw_logging_enabled | Log query text and parameters without obfuscating passwords. |
db.logs.query.enabled | Log executed queries. |
db.logs.query.max_parameter_length | Sets a maximum character length used for each parameter in the log. |
db.logs.query.obfuscate_literals | Obfuscates all literals of the query before writing to the log. |
db.logs.query.parameter_logging_enabled | Log parameters for the executed queries being logged. |
db.logs.query.plan_description_enabled | Log query plan description table, useful for debugging purposes. |
db.logs.query.threshold | If the execution of a query takes more time than this threshold, the query is logged once completed - provided query logging is set to INFO. |
db.logs.query.transaction.enabled | Log the start and end of a transaction. |
db.logs.query.transaction.threshold | If the transaction is open for more time than this threshold, the transaction is logged once completed - provided transaction logging (db.logs.query.transaction.enabled) is set to |
db.memory.transaction.max | Limit the amount of memory that a single transaction can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). |
db.memory.transaction.total.max | Limit the amount of memory that all transactions in one database can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). |
db.track_query_cpu_time | Enables or disables tracking of how much time a query spends actively executing on the CPU. |
db.transaction.bookmark_ready_timeout | The maximum amount of time to wait for the database state represented by the bookmark. |
db.transaction.concurrent.maximum | The maximum number of concurrently running transactions. |
db.transaction.sampling.percentage | Transaction sampling percentage. |
db.transaction.timeout | The maximum time interval of a transaction within which it should be completed. |
db.transaction.tracing.level | Transaction creation tracing level. |
db.tx_log.preallocate | Specify if Neo4j should try to preallocate logical log file in advance. |
db.tx_log.rotation.retention_policy | Tell Neo4j how long logical transaction logs should be kept to back up the database. For example, "10 days" will prune logical logs that only contain transactions older than 10 days. Alternatively, "100k txs" will keep the 100k latest transactions from each database and prune any older transactions. |
db.tx_log.rotation.size | Specifies at which file size the logical log will auto-rotate. |
dbms.cypher.render_plan_description | If set to |
dbms.memory.transaction.total.max | Limit the amount of memory that all of the running transactions can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). |
dbms.routing.client_side.enforce_for_domains | Always use client side routing (regardless of the default router) for neo4j:// protocol connections to these domains. |
dbms.routing.reads_on_writers_enabled | Enterprise only. Configure if the |
dbms.security.key.name | Enterprise only. Name of the 256 length AES encryption key, which is used for the symmetric encryption. |
dbms.security.keystore.password | Enterprise only. Password for accessing the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption. |
dbms.security.keystore.path | Enterprise only. Location of the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption of secrets held in system database. |
dbms.security.ldap.authentication.attribute | Enterprise only. The attribute to use when looking up users. Using this setting requires |
dbms.security.ldap.authentication.user_dn_template | Enterprise only. LDAP user DN template. |
dbms.security.ldap.authorization.access_permitted_group | Enterprise only. The LDAP group to which a user must belong to get any access to the system. Set this to restrict access to a subset of LDAP users belonging to a particular group. |
dbms.security.ldap.authorization.group_membership_attributes | Enterprise only. A list of attribute names on a user object that contains groups to be used for mapping to roles when LDAP authorization is enabled. |
dbms.security.ldap.authorization.group_to_role_mapping | Enterprise only. An authorization mapping from LDAP group names to Neo4j role names. |
dbms.security.ldap.authorization.nested_groups_enabled | Enterprise only. This setting determines whether multiple LDAP search results will be processed (as is required for the lookup of nested groups). |
dbms.security.ldap.authorization.nested_groups_search_filter | Enterprise only. The search template which will be used to find the nested groups which the user is a member of. |
dbms.security.ldap.authorization.user_search_base | Enterprise only. The name of the base object or named context to search for user objects when LDAP authorization is enabled. |
dbms.security.ldap.authorization.user_search_filter | Enterprise only. The LDAP search filter to search for a user principal when LDAP authorization is enabled. |
dbms.security.oidc.<provider>.audience | Enterprise only. Expected values of the Audience (aud) claim in the id token. |
dbms.security.oidc.<provider>.auth_endpoint | Enterprise only. The OIDC authorization endpoint. |
dbms.security.oidc.<provider>.auth_flow | Enterprise only. The OIDC flow to use. |
dbms.security.oidc.<provider>.auth_params | Enterprise only. Optional additional parameters that the auth endpoint requires. |
dbms.security.oidc.<provider>.authorization.group_to_role_mapping | Enterprise only. An authorization mapping from IdP group names to Neo4j role names. |
dbms.security.oidc.<provider>.claims.groups | Enterprise only. The claim to use as the list of groups in Neo4j. |
dbms.security.oidc.<provider>.claims.username | Enterprise only. The claim to use as the username in Neo4j. |
dbms.security.oidc.<provider>.client_id | Enterprise only. Client id needed if token contains multiple Audience (aud) claims. |
dbms.security.oidc.<provider>.config | Enterprise only. The accepted values (all optional) are: principal: in which JWT claim the user’s email address is specified, email is the default. |
dbms.security.oidc.<provider>.get_groups_from_user_info | Enterprise only. When turned on, Neo4j gets the groups from the provider user info endpoint. |
dbms.security.oidc.<provider>.get_username_from_user_info | Enterprise only. When turned on, Neo4j gets the username from the provider user info endpoint. |
dbms.security.oidc.<provider>.issuer | Enterprise only. The expected value of the iss claim in the id token. |
dbms.security.oidc.<provider>.jwks_uri | Enterprise only. The location of the JWK public key set for the identity provider. |
dbms.security.oidc.<provider>.params | Enterprise only. The map is a semicolon separated list of key-value pairs. |
dbms.security.oidc.<provider>.token_endpoint | Enterprise only. The OIDC token endpoint. |
dbms.security.oidc.<provider>.token_params | Enterprise only. Optional query parameters that the token endpoint requires. |
dbms.security.oidc.<provider>.user_info_uri | Enterprise only. The identity provider's user info URI. |
dbms.security.oidc.<provider>.well_known_discovery_uri | Enterprise only. The 'well known' OpenID Connect Discovery endpoint used to fetch identity provider settings. |
server.cluster.catchup.connect_randomly_to_server_group | Enterprise only. Comma separated list of groups to be used by the connect-randomly-to-server-group selection strategy. |
server.databases.default_to_read_only | Whether or not any database on this instance is read_only by default. |
server.databases.read_only | List of databases for which to prevent write queries. |
server.databases.writable | List of databases for which to allow write queries. |
server.groups | Enterprise only. A list of tag names for the server used when configuring load balancing and replication policies. |
server.memory.pagecache.flush.buffer.enabled | Page cache can be configured to use a temporal buffer for flushing purposes. |
server.memory.pagecache.flush.buffer.size_in_pages | Page cache can be configured to use a temporal buffer for flushing purposes. |
Description |
Limit the number of IOs the background checkpoint process will consume per second. This setting is advisory, is ignored in Neo4j Community Edition, and is followed to best effort in Enterprise Edition. An IO is in this case an 8 KiB (mostly sequential) write. Limiting the write IO in this way will leave more bandwidth in the IO subsystem to service random-read IOs, which is important for the response time of queries when the database cannot fit entirely in memory. The only drawback of this setting is that longer checkpoint times may lead to slightly longer recovery times in case of a database or system crash. A lower number means lower IO pressure, and consequently longer checkpoint times. Set this to -1 to disable the IOPS limit and remove the limitation entirely; this will let the checkpointer flush data as fast as the hardware will go. Removing the setting, or commenting it out, will set the default value of 600. |
Valid values |
db.checkpoint.iops.limit, an integer |
Dynamic |
true |
Default value |
|
Description |
Database format. This is the format that will be used for new databases. Valid values are |
Valid values |
db.format, a string |
Dynamic |
true |
Default value |
|
Description |
The maximum time interval within which a lock should be acquired. Zero (default) means timeout is disabled. |
Valid values |
db.lock.acquisition.timeout, a duration (Valid units are: |
Dynamic |
true |
Default value |
|
Description |
Log query text and parameters without obfuscating passwords. This allows queries to be logged earlier before parsing starts. |
Valid values |
db.logs.query.early_raw_logging_enabled, a boolean |
Dynamic |
true |
Default value |
|
Description |
Log executed queries. Valid values are
Log entries are written to the query log. This feature is available in the Neo4j Enterprise Edition. |
Valid values |
db.logs.query.enabled, one of [OFF, INFO, VERBOSE] |
Dynamic |
true |
Default value |
|
Description |
Sets a maximum character length used for each parameter in the log. This only takes effect if |
Valid values |
db.logs.query.max_parameter_length, an integer |
Dynamic |
true |
Default value |
|
Description |
Obfuscates all literals of the query before writing to the log. Note that node labels, relationship types and map property keys are still shown. Changing the setting will not affect queries that are cached. So, if you want the switch to have immediate effect, you must also call |
Valid values |
db.logs.query.obfuscate_literals, a boolean |
Dynamic |
true |
Default value |
|
Description |
Log parameters for the executed queries being logged. |
Valid values |
db.logs.query.parameter_logging_enabled, a boolean |
Dynamic |
true |
Default value |
|
Description |
Log query plan description table, useful for debugging purposes. |
Valid values |
db.logs.query.plan_description_enabled, a boolean |
Dynamic |
true |
Default value |
|
Description |
If the execution of a query takes more time than this threshold, the query is logged once completed - provided query logging is set to INFO. Defaults to 0 seconds, that is all queries are logged. |
Valid values |
db.logs.query.threshold, a duration (Valid units are: |
Dynamic |
true |
Default value |
|
Description |
Log the start and end of a transaction. Valid values are 'OFF', 'INFO', or 'VERBOSE'. OFF: no logging. INFO: log start and end of transactions that take longer than the configured threshold, db.logs.query.transaction.threshold. VERBOSE: log start and end of all transactions. Log entries are written to the query log. This feature is available in the Neo4j Enterprise Edition. |
Valid values |
db.logs.query.transaction.enabled, one of [OFF, INFO, VERBOSE] |
Dynamic |
true |
Default value |
|
Description |
If the transaction is open for more time than this threshold, the transaction is logged once completed - provided transaction logging (db.logs.query.transaction.enabled) is set to |
Valid values |
db.logs.query.transaction.threshold, a duration (Valid units are: |
Dynamic |
true |
Default value |
|
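An added example, not part of the Neo4j documentation: a check of the query-log settings above as they appear in a neo4j.conf, plus a comparison against runtime values, since changes made at runtime are not persisted. The sample file, the severity labels and the function names are constructed for this example.

```python
"""Audit the query-log settings in a neo4j.conf and spot unpersisted runtime changes."""

LEVEL = "db.logs.query.enabled"
EARLY_RAW = "db.logs.query.early_raw_logging_enabled"
OBFUSCATE = "db.logs.query.obfuscate_literals"
PARAMS = "db.logs.query.parameter_logging_enabled"

# Constructed sample file content, not taken from the page.
SAMPLE_CONF = """\
# query logging
db.logs.query.enabled=INFO
db.logs.query.early_raw_logging_enabled=true
db.logs.query.parameter_logging_enabled=true
db.logs.query.max_parameter_length=200
"""


def parse_conf(text):
    """Read key=value lines, skipping blank lines and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def _is(settings, name, wanted):
    """True only when the file sets `name` explicitly to `wanted`."""
    return settings.get(name, "").lower() == wanted


def audit_query_logging(settings):
    """Return (severity, setting, reason) tuples for what the file lets into the query log."""
    # Assumption of this example: with the level OFF nothing reaches the query log.
    if _is(settings, LEVEL, "off"):
        return []
    findings = []
    if _is(settings, EARLY_RAW, "true"):
        findings.append(("HIGH", EARLY_RAW,
                         "query text and parameters are logged without obfuscating passwords"))
    # Unset values are reported as "not set in this file"; no server default is assumed.
    if not _is(settings, OBFUSCATE, "true"):
        findings.append(("MEDIUM", OBFUSCATE,
                         "not set to true in this file, so literals are not obfuscated by it"))
    if not _is(settings, PARAMS, "false"):
        findings.append(("MEDIUM", PARAMS,
                         "not set to false in this file, so parameter logging is not disabled by it"))
    return findings


def unpersisted(runtime, settings):
    """Runtime values that differ from the file and would be lost on restart."""
    return {k: (v, settings.get(k)) for k, v in runtime.items() if settings.get(k) != v}


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for severity, name, reason in audit_query_logging(conf):
        print(f"{severity:6} {name}: {reason}")
    # Constructed runtime snapshot: obfuscation was switched on at runtime only.
    print(unpersisted({OBFUSCATE: "true", LEVEL: "INFO"}, conf))
```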
Description |
Limit the amount of memory that a single transaction can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). Zero means 'largest possible value'. |
Valid values |
db.memory.transaction.max, a byte size (valid multipliers are |
Dynamic |
true |
Default value |
|
Description |
Limit the amount of memory that all transactions in one database can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). Zero means 'unlimited'. |
Valid values |
db.memory.transaction.total.max, a byte size (valid multipliers are |
Dynamic |
true |
Default value |
|
Description |
Enables or disables tracking of how much time a query spends actively executing on the CPU. Calling |
Valid values |
db.track_query_cpu_time, a boolean |
Dynamic |
true |
Default value |
|
Description |
The maximum amount of time to wait for the database state represented by the bookmark. |
Valid values |
db.transaction.bookmark_ready_timeout, a duration (Valid units are: |
Dynamic |
true |
Default value |
|
Description |
The maximum number of concurrently running transactions. If set to 0, limit is disabled. |
Valid values |
db.transaction.concurrent.maximum, an integer |
Dynamic |
true |
Default value |
|
Description |
Transaction sampling percentage. |
Valid values |
db.transaction.sampling.percentage, an integer which is in the range |
Dynamic |
true |
Default value |
|
Description |
The maximum time interval of a transaction within which it should be completed. |
Valid values |
db.transaction.timeout, a duration (Valid units are: |
Dynamic |
true |
Default value |
|
Description |
Transaction creation tracing level. |
Valid values |
db.transaction.tracing.level, one of [DISABLED, SAMPLE, ALL] |
Dynamic |
true |
Default value |
|
Description |
Specify if Neo4j should try to preallocate logical log file in advance. |
Valid values |
db.tx_log.preallocate, a boolean |
Dynamic |
true |
Default value |
|
Description |
Tell Neo4j how long logical transaction logs should be kept to back up the database. For example, "10 days" will prune logical logs that only contain transactions older than 10 days. Alternatively, "100k txs" will keep the 100k latest transactions from each database and prune any older transactions. |
Valid values |
db.tx_log.rotation.retention_policy, a string which matches the pattern |
Dynamic |
true |
Default value |
|
Description |
Specifies at which file size the logical log will auto-rotate. Minimum accepted value is 128 KiB. |
Valid values |
db.tx_log.rotation.size, a byte size (valid multipliers are |
Dynamic |
true |
Default value |
|
Description |
If set to |
Valid values |
dbms.cypher.render_plan_description, a boolean |
Dynamic |
true |
Default value |
|
Description |
Limit the amount of memory that all of the running transactions can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). Zero means 'unlimited'. |
Valid values |
dbms.memory.transaction.total.max, a byte size (valid multipliers are |
Dynamic |
true |
Default value |
|
Description |
Always use client side routing (regardless of the default router) for neo4j:// protocol connections to these domains. A comma separated list of domains. Wildcards (*) are supported. |
Valid values |
dbms.routing.client_side.enforce_for_domains, a ',' separated set with elements of type 'a string'. |
Dynamic |
true |
Default value |
Description |
Enterprise only. Configure if the |
Valid values |
dbms.routing.reads_on_writers_enabled, a boolean |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. Name of the 256 length AES encryption key, which is used for the symmetric encryption. |
Valid values |
dbms.security.key.name, a string |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. Password for accessing the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption. |
Valid values |
dbms.security.keystore.password, a secure string |
Dynamic |
true |
Description |
Enterprise only. Location of the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption of secrets held in system database. |
Valid values |
dbms.security.keystore.path, a path |
Dynamic |
true |
Description |
Enterprise only. The attribute to use when looking up users.
Using this setting requires |
Valid values |
dbms.security.ldap.authentication.attribute, a string which matches the pattern |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. LDAP user DN template. An LDAP object is referenced by its distinguished name (DN), and a user DN is an LDAP fully-qualified unique user identifier. This setting is used to generate an LDAP DN that conforms with the LDAP directory’s schema from the user principal that is submitted with the authentication token when logging in. The special token {0} is a placeholder where the user principal will be substituted into the DN string. |
Valid values |
dbms.security.ldap.authentication.user_dn_template, a string which must contain '{0}' to mark where the runtime authentication principal is inserted. |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. The LDAP group to which a user must belong to get any access to the system. Set this to restrict access to a subset of LDAP users belonging to a particular group. If this is not set, any user to successfully authenticate via LDAP will have access to the PUBLIC role and any other roles assigned to them via dbms.security.ldap.authorization.group_to_role_mapping. |
Valid values |
dbms.security.ldap.authorization.access_permitted_group, a string |
Dynamic |
true |
Default value |
Description |
Enterprise only. A list of attribute names on a user object that contains groups to be used for mapping to roles when LDAP authorization is enabled. This setting is ignored when |
Valid values |
dbms.security.ldap.authorization.group_membership_attributes, a ',' separated list with elements of type 'a string', which cannot be empty |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. An authorization mapping from LDAP group names to Neo4j role names. The map should be formatted as a semicolon separated list of key-value pairs, where the key is the LDAP group name and the value is a comma separated list of corresponding role names. For example: `group1=role1;group2=role2;group3=role3,role4,role5`. You could also use whitespaces and quotes around group names to make this mapping more readable, for example: `dbms.security.ldap.authorization.group_to_role_mapping`=\ "cn=Neo4j Read Only,cn=users,dc=example,dc=com" = reader; \ "cn=Neo4j Read-Write,cn=users,dc=example,dc=com" = publisher; \ "cn=Neo4j Schema Manager,cn=users,dc=example,dc=com" = architect; \ "cn=Neo4j Administrator,cn=users,dc=example,dc=com" = admin |
Valid values |
dbms.security.ldap.authorization.group_to_role_mapping, a string which must be semicolon separated list of key-value pairs or empty |
Dynamic |
true |
Default value |
Description |
Enterprise only. This setting determines whether multiple LDAP search results will be processed (as is required for the lookup of nested groups). If set to |
Valid values |
dbms.security.ldap.authorization.nested_groups_enabled, a boolean |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. The search template which will be used to find the nested groups which the user is a member of. The filter should contain the placeholder token |
Valid values |
dbms.security.ldap.authorization.nested_groups_search_filter, a string |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. The name of the base object or named context to search for user objects when LDAP authorization is enabled. A common case is that this matches the last part of |
Valid values |
dbms.security.ldap.authorization.user_search_base, a string which cannot be empty |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. The LDAP search filter to search for a user principal when LDAP authorization is enabled. The filter should contain the placeholder token {0} which will be substituted for the user principal. |
Valid values |
dbms.security.ldap.authorization.user_search_filter, a string |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. Expected values of the Audience (aud) claim in the id token. |
Valid values |
dbms.security.oidc.<provider>.audience, a ',' separated list with elements of type 'a string', which cannot be empty |
Dynamic |
true |
Description |
Enterprise only. The OIDC authorization endpoint. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri. |
Valid values |
dbms.security.oidc.<provider>.auth_endpoint, a URI |
Dynamic |
true |
Description |
Enterprise only. The OIDC flow to use. This is exposed to clients via the discovery endpoint. Supported values are |
Valid values |
dbms.security.oidc.<provider>.auth_flow, one of [PKCE, IMPLICIT] |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. Optional additional parameters that the auth endpoint requires. Please use params instead. The map is a semicolon separated list of key-value pairs. For example: |
Valid values |
dbms.security.oidc.<provider>.auth_params, A simple key value map pattern |
Dynamic |
true |
Default value |
|
Deprecated |
The |
Description |
Enterprise only. An authorization mapping from IdP group names to Neo4j role names. The map should be formatted as a semicolon separated list of key-value pairs, where the key is the IdP group name and the value is a comma separated list of corresponding role names. For example: `group1=role1;group2=role2;group3=role3,role4,role5`. You could also use whitespaces and quotes around group names to make this mapping more readable, for example: dbms.security.oidc.<provider>.authorization.group_to_role_mapping=\ "Neo4j Read Only" = reader; \ "Neo4j Read-Write" = publisher; \ "Neo4j Schema Manager" = architect; \ "Neo4j Administrator" = admin |
Valid values |
dbms.security.oidc.<provider>.authorization.group_to_role_mapping, a string which must be semicolon separated list of key-value pairs or empty |
Dynamic |
true |
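The mapping format described for dbms.security.ldap.authorization.group_to_role_mapping and dbms.security.oidc.<provider>.authorization.group_to_role_mapping, as an added example (not Neo4j's own parser): it parses a mapping value, including quoted group names that contain `=` and `,`, and lists the entries worth a review. The function names, the split-at-last-`=` rule for unquoted names and the choice of `admin` as the only privileged role are assumptions of this example.

```python
"""Parse a group_to_role_mapping value and flag entries worth a review."""

# "admin" appears in the page's example mapping; treating it as the only
# privileged role is an assumption of this example.
PRIVILEGED_ROLES = {"admin"}

# The LDAP example from the setting's description, with its line continuations.
PAGE_EXAMPLE = (
    '"cn=Neo4j Read Only,cn=users,dc=example,dc=com" = reader; \\\n'
    '"cn=Neo4j Read-Write,cn=users,dc=example,dc=com" = publisher; \\\n'
    '"cn=Neo4j Schema Manager,cn=users,dc=example,dc=com" = architect; \\\n'
    '"cn=Neo4j Administrator,cn=users,dc=example,dc=com" = admin'
)


def split_outside_quotes(text, sep):
    """Split on `sep`, ignoring separators inside '...' or "..."."""
    parts, buf, quote = [], [], None
    for ch in text:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_entry(entry):
    """Return (group, roles, quoted) for one 'group = role1,role2' entry."""
    entry = entry.strip()
    if entry[0] in "\"'":
        end = entry.find(entry[0], 1)
        if end == -1:
            raise ValueError(f"unterminated quote in {entry!r}")
        group, rest, quoted = entry[1:end], entry[end + 1:].lstrip(), True
        if not rest.startswith("="):
            raise ValueError(f"expected '=' after quoted group in {entry!r}")
        roles_part = rest[1:]
    else:
        # A DN contains '=' itself, so an unquoted key is split at the last '='.
        group, sep, roles_part = entry.rpartition("=")
        if not sep or not group.strip():
            raise ValueError(f"no 'group=' part in {entry!r}")
        group, quoted = group.strip(), False
    roles = [r.strip() for r in roles_part.split(",") if r.strip()]
    return group, roles, quoted


def audit_mapping(value):
    """Return (mapping, findings) for a raw setting value."""
    mapping, findings = {}, []
    joined = value.replace("\\\n", " ")  # undo neo4j.conf line continuations
    for raw in split_outside_quotes(joined, ";"):
        if not raw.strip():
            continue
        try:
            group, roles, quoted = parse_entry(raw)
        except ValueError as exc:
            findings.append(f"malformed entry: {exc}")
            continue
        if not quoted and any(c in group for c in "=,"):
            findings.append(f"unquoted group name {group!r} contains '=' or ',': quote it")
        if group in mapping:
            findings.append(f"group {group!r} is mapped more than once")
        if not roles:
            findings.append(f"group {group!r} maps to no roles")
        mapping.setdefault(group, []).extend(roles)
        for role in roles:
            if role in PRIVILEGED_ROLES:
                findings.append(f"group {group!r} grants privileged role {role!r}")
    return mapping, findings


if __name__ == "__main__":
    parsed, notes = audit_mapping(PAGE_EXAMPLE)
    print(parsed)
    print(notes)
```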
Description |
Enterprise only. The claim to use as the list of groups in Neo4j. These could be Neo4j roles directly, or can be mapped using dbms.security.oidc.<provider>.authorization.group_to_role_mapping. |
Valid values |
dbms.security.oidc.<provider>.claims.groups, a string |
Dynamic |
true |
Description |
Enterprise only. The claim to use as the username in Neo4j. This would typically be sub, but in some situations it may be desirable to use something else such as email. |
Valid values |
dbms.security.oidc.<provider>.claims.username, a string |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. Client id needed if token contains multiple Audience (aud) claims. |
Valid values |
dbms.security.oidc.<provider>.client_id, a string |
Dynamic |
true |
Description |
Enterprise only. The accepted values (all optional) are: principal: in which JWT claim the user's email address is specified, email is the default. This is the value that will be shown in browser. code_challenge_method: default is `S256` and it's the only supported method at this moment. This setting applies only for pkce auth flow. token_type_principal: the options are almost always either access_token, which is the default, or id_token. token_type_authentication: the options are almost always either access_token, which is the default, or id_token. implicit_flow_requires_nonce: true or false. Defaults to false. |
Valid values |
dbms.security.oidc.<provider>.config, A simple key value map pattern |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. When turned on, Neo4j gets the groups from the provider user info endpoint. |
Valid values |
dbms.security.oidc.<provider>.get_groups_from_user_info, a boolean |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. When turned on, Neo4j gets the username from the provider user info endpoint. |
Valid values |
dbms.security.oidc.<provider>.get_username_from_user_info, a boolean |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. The expected value of the iss claim in the id token. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri. |
Valid values |
dbms.security.oidc.<provider>.issuer, a string |
Dynamic |
true |
Description |
Enterprise only. The location of the JWK public key set for the identity provider. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri. |
Valid values |
dbms.security.oidc.<provider>.jwks_uri, a URI |
Dynamic |
true |
Description |
Enterprise only. The map is a semicolon separated list of key-value pairs. For example: client_id: the SSO IdP client identifier. response_type: code if auth_flow is pkce or token for implicit auth_flow. scope: often containing a subset of 'email profile openid groups'. For example: |
Valid values |
dbms.security.oidc.<provider>.params, A simple key value map pattern |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. The OIDC token endpoint. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri. |
Valid values |
dbms.security.oidc.<provider>.token_endpoint, a URI |
Dynamic |
true |
Description |
Enterprise only. Optional query parameters that the token endpoint requires. The map is a semicolon separated list of key-value pairs. For example: |
Valid values |
dbms.security.oidc.<provider>.token_params, A simple key value map pattern |
Dynamic |
true |
Default value |
|
Description |
Enterprise only. The identity provider's user info URI. |
Valid values |
dbms.security.oidc.<provider>.user_info_uri, a URI |
Dynamic |
true |
Description |
Enterprise only. The 'well known' OpenID Connect Discovery endpoint used to fetch identity provider settings. If not provided, |
Valid values |
dbms.security.oidc.<provider>.well_known_discovery_uri, a URI |
Dynamic |
true |
Description |
Enterprise only. Comma separated list of groups to be used by the connect-randomly-to-server-group selection strategy. The connect-randomly-to-server-group strategy is used if the list of strategies ( |
Valid values |
server.cluster.catchup.connect_randomly_to_server_group, a ',' separated list with elements of type 'a string identifying a Server Tag'. |
Dynamic |
true |
Default value |
Description |
Whether or not any database on this instance is read_only by default. If false, individual databases may be marked as read_only using server.databases.read_only. If true, individual databases may be marked as writable using server.databases.writable. |
Valid values |
server.databases.default_to_read_only, a boolean |
Dynamic |
true |
Default value |
|
Description |
List of databases for which to prevent write queries. Databases not included in this list may be read_only anyway depending upon the value of server.databases.default_to_read_only. |
Valid values |
server.databases.read_only, a ',' separated set with elements of type 'A valid database name containing only alphabetic characters, numbers, dots and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name 'system'', and the value 'system' can’t be included in the read-only databases collection. |
Dynamic |
true |
Default value |
Description |
List of databases for which to allow write queries. Databases not included in this list will allow write queries anyway, unless server.databases.default_to_read_only is set to true. |
Valid values |
server.databases.writable, a ',' separated set with elements of type 'A valid database name containing only alphabetic characters, numbers, dots and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name 'system''. |
Dynamic |
true |
Default value |
Description |
Enterprise only. A list of tag names for the server used when configuring load balancing and replication policies. |
Valid values |
server.groups, a ',' separated list with elements of type 'a string identifying a Server Tag'. |
Dynamic |
true |
Default value |
Description |
Page cache can be configured to use a temporal buffer for flushing purposes. It is used to combine, if possible, sequence of several cache pages into one bigger buffer to minimize the number of individual IOPS performed and better utilization of available I/O resources, especially when those are restricted. |
Valid values |
server.memory.pagecache.flush.buffer.enabled, a boolean |
Dynamic |
true |
Default value |
|
Description |
Page cache can be configured to use a temporal buffer for flushing purposes. It is used to combine, if possible, sequence of several cache pages into one bigger buffer to minimize the number of individual IOPS performed and better utilization of available I/O resources, especially when those are restricted. Use this setting to configure individual file flush buffer size in pages (8KiB). To be able to utilize this buffer during page cache flushing, buffered flush should be enabled. |
Valid values |
server.memory.pagecache.flush.buffer.size_in_pages, an integer which is in the range |
Dynamic |
true |
Default value |
|