7.1.4.1. Native roles

This section describes native roles in Neo4j.

Neo4j provides the following native roles:

reader
  • Read-only access to the data graph (all nodes, relationships, properties).
editor
  • Read/write access to the data graph.
  • Write access is limited to creating and changing data that uses existing property keys, node labels, and relationship types of the graph; the editor cannot create new ones.
publisher
  • Read/write access to the data graph.
architect
  • Read/write access to the data graph.
  • Set/delete access to indexes along with any other future schema constructs.
admin
  • Read/write access to the data graph.
  • Set/delete access to indexes along with any other future schema constructs.
  • View/terminate queries.

The table below details the actions on the data and the database that each role permits. It also shows the subset of this functionality that is available in Community Edition:

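Table 7.1. Native roles overview

| Action | reader | editor | publisher | architect | admin | (no role) | Available in Community Edition |
|---|---|---|---|---|---|---|---|
| Change own password | X | X | X | X | X | X | X |
| View own details | X | X | X | X | X | X | X |
| Read data | X | X | X | X | X |  | X |
| View own queries | X | X | X | X | X |  |  |
| Terminate own queries | X | X | X | X | X |  |  |
| Write/update/delete data |  | X | X | X | X |  | X |
| Create new types of property keys |  |  | X | X | X |  | X |
| Create new types of node labels |  |  | X | X | X |  | X |
| Create new types of relationship types |  |  | X | X | X |  | X |
| Create/drop index/constraint |  |  |  | X | X |  | X |
| Create/delete user |  |  |  |  | X |  | X |
| Change another user’s password |  |  |  |  | X |  |  |
| Assign/remove role to/from user |  |  |  |  | X |  |  |
| Suspend/activate user |  |  |  |  | X |  |  |
| View all users |  |  |  |  | X |  | X |
| View all roles |  |  |  |  | X |  |  |
| View all roles for a user |  |  |  |  | X |  |  |
| View all users for a role |  |  |  |  | X |  |  |
| View all queries |  |  |  |  | X |  |  |
| Terminate all queries |  |  |  |  | X |  |  |
| Dynamically change configuration (see Section 3.7, “Dynamic settings”) |  |  |  |  | X |  |  |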

A user who has no assigned roles has no rights or capabilities regarding the data, not even read privileges. A user may have more than one assigned role, and the union of these roles determines which actions on the data the user may undertake.
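The union rule can be checked offline when reviewing role assignments. The following is an added example, not code from the Neo4j documentation: it transcribes the Enterprise columns of Table 7.1 into sets, computes each user's effective actions, and flags users with no native role, redundant roles, and admin-level access. The user names, the `analyst` role and the function names are assumptions made for illustration.

```python
# Actions per native role, transcribed from Table 7.1 (Enterprise Edition columns).
NO_ROLE = {"change own password", "view own details"}
READER = NO_ROLE | {"read data", "view own queries", "terminate own queries"}
EDITOR = READER | {"write/update/delete data"}
PUBLISHER = EDITOR | {"create new property keys", "create new node labels",
                      "create new relationship types"}
ARCHITECT = PUBLISHER | {"create/drop index/constraint"}
ADMIN = ARCHITECT | {
    "create/delete user", "change another user's password",
    "assign/remove role to/from user", "suspend/activate user",
    "view all users", "view all roles", "view all roles for a user",
    "view all users for a role", "view all queries", "terminate all queries",
    "dynamically change configuration"}
ROLE_ACTIONS = {"reader": READER, "editor": EDITOR, "publisher": PUBLISHER,
                "architect": ARCHITECT, "admin": ADMIN}


def effective_actions(roles):
    """Union of the actions of every known role; no roles leaves only NO_ROLE."""
    actions = set(NO_ROLE)
    for role in roles:
        actions |= ROLE_ACTIONS.get(role, set())
    return actions


def audit(assignments):
    """Return {user: [findings]} for a {user: [roles]} mapping."""
    report = {}
    for user, roles in assignments.items():
        known = [r for r in roles if r in ROLE_ACTIONS]
        notes = [f"unknown role: {r}" for r in roles if r not in ROLE_ACTIONS]
        if not known:
            notes.append("no native role: cannot read data")
        # A role is redundant when another assigned role already grants all of it.
        for r in known:
            if any(o != r and ROLE_ACTIONS[r] <= ROLE_ACTIONS[o] for o in known):
                notes.append(f"redundant role: {r}")
        if "terminate all queries" in effective_actions(known):
            notes.append("admin-level: user management and all queries")
        report[user] = notes
    return report


# Constructed sample assignments (hypothetical users; "analyst" is not a native role).
SAMPLE = {"alice": ["reader", "publisher"], "bob": [],
          "carol": ["admin"], "dave": ["editor", "analyst"]}

if __name__ == "__main__":
    for user, notes in audit(SAMPLE).items():
        print(user, sorted(effective_actions(SAMPLE[user])), notes)
```

Because each native role in the table contains the one before it, a redundant-role finding means the smaller role can be removed without changing what the user can do.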

When an administrator suspends or deletes another user, the following rules apply: