Administering immutable privileges

This tutorial describes methods for administering immutable privileges, which are useful assets for restricting the actions of users who themselves are able to administer privileges. They offer a way to prevent such users from simply removing any restrictions by using their privilege management privileges.

In other words, having privilege management privileges is not sufficient to add or remove immutable privileges. The only way immutable privileges can be added or removed is when auth is disabled.

There are two specific scenarios which equate to auth being disabled. One is when dbms.security.auth_enabled is set to false, and the other is from the context of the Security Init file. Both of these are described in this tutorial.

Administering immutable privileges via the Security Init file

The Security Init file is a file containing a list of Cypher commands which are run when the system database is created for the first time. Putting immutable privilege commands in this file will ensure that they are in place before the DBMS is accessed for the first time.

The following steps must be performed before the first time the Neo4j DBMS is started. If the DBMS has already been initialized, you will need to make changes by disabling auth. The steps to do this are described in sequence.

  1. Create a file named systemdb-init.cypher and edit it to contain the immutable privileges which you require.
    In this instance, you would like to prevent all users (via the PUBLIC role) from being able to perform Database Management actions.
    Make sure that even users with the rights to alter their own privileges cannot remove this DENY.

    DENY IMMUTABLE DATABASE MANAGEMENT ON DBMS TO PUBLIC

  2. Specify the path of the Security Init file by setting the internal.dbms.init_file config settings to the full path of the file created in step 1.

  3. Start the DBMS.

  4. Observe that the immutable privileges are now in place:

SHOW PRIVILEGES WHERE IMMUTABLE
Table 1. Result
access action resource graph segment role immutable

"DENIED"

"database_management"

"database"

"*"

"database"

"PUBLIC"

true

This privilege can now be considered to be an immutable part of the DBMS. The only way to subsequently remove it would be to disable auth.

Administering immutable privileges by disabling auth

This should only be performed when you have other means of preventing access to the Neo4j DBMS.

When auth is disabled, immutable privileges can be added and removed in the same way as regular privileges. To do so, follow these steps:

  1. Change the config setting dbms.security.auth_enabled to false.

  2. Restart the Neo4j DBMS.

  3. Create or remove immutable privileges in the same way as regular privileges, using the keyword IMMUTABLE.

  4. Change the config setting dbms.security.auth_enabled to true.

  5. Restart the Neo4j DBMS.

  6. Observe that the following immutable privileges are now in place:

SHOW PRIVILEGES WHERE IMMUTABLE
Table 2. Result
access action resource graph segment role immutable

"DENIED"

"database_management"

"database"

"*"

"database"

"PUBLIC"

true

Privileges like this one can now be considered to be an immutable part of the DBMS. The only way to subsequently remove it would be to disable auth.