Neo4j Security

GRANT ALL ON DBMS TO my_role

Grant privilege to perform all role management, user management, database management and privilege management to a role.

GRANT SHOW PRIVILEGE ON DBMS TO my_role

Grant the privilege to show privileges to a role.

DENY ASSIGN PRIVILEGE ON DBMS TO my_role

Deny the privilege to assign privileges to roles to a role.

REVOKE GRANT REMOVE PRIVILEGE ON DBMS FROM my_role

Revoke the granted privilege to remove privileges from roles from a role.

REVOKE PRIVILEGE MANAGEMENT ON DBMS FROM my_role

Revoke all granted and denied privileges for manage privileges from a role.

GRANT CREATE DATABASE ON DBMS TO my_role

Grant the privilege to create databases to a role.

REVOKE DENY DROP DATABASE ON DBMS FROM my_role

Revoke the denied privilege to delete databases from a role.

DENY DATABASE MANAGEMENT ON DBMS TO my_role

Deny all privileges to manage database to a role.

GRANT CREATE USER ON DBMS TO my_role

Grant the privilege to create users to a role.

GRANT RENAME USER ON DBMS TO my_role

Grant the privilege to rename users to a role.

DENY ALTER USER ON DBMS TO my_role

Deny the privilege to alter users to a role.

REVOKE SET PASSWORDS ON DBMS FROM my_role

Revoke the granted and denied privileges to alter users' passwords from a role.

REVOKE GRANT SET USER STATUS ON DBMS FROM my_role

Revoke the granted privilege to alter the account status of users from a role.

GRANT SET USER HOME DATABASE ON DBMS TO my_role

Grant the privilege alter the home database of users to a role.

GRANT DROP USER ON DBMS TO my_role

Grant the privilege to delete users to a role.

REVOKE DENY SHOW USER ON DBMS FROM my_role

Revoke the denied privilege to show users from a role.

GRANT USER MANAGEMENT ON DBMS TO my_role

Grant all privileges to manage users to a role.

GRANT CREATE ROLE ON DBMS TO my_role

Grant the privilege to create roles to a role.

GRANT RENAME ROLE ON DBMS TO my_role

Grant the privilege to rename roles to a role.

GRANT DROP ROLE ON DBMS TO my_role

Grant the privilege to delete roles to a role.

DENY ASSIGN ROLE ON DBMS TO my_role

Deny the privilege to assign roles to users to a role.

DENY REMOVE ROLE ON DBMS TO my_role

Deny the privilege to remove roles from users to a role.

REVOKE DENY SHOW ROLE ON DBMS FROM my_role

Revoke the denied privilege to show roles from a role.

GRANT ROLE MANAGEMENT ON DBMS TO my_role

Grant all privileges to manage roles to a role.

GRANT ACCESS ON DATABASE * TO my_role

Grant privilege to access and run queries against all databases to a role.

GRANT START ON DATABASE * TO my_role

Grant privilege to start all databases to a role.

GRANT STOP ON DATABASE * TO my_role

Grant privilege to stop all databases to a role.

GRANT CREATE INDEX ON DATABASE foo TO my_role

Grant privilege to create indexes on a specified database to a role.

GRANT DROP INDEX ON DATABASE foo TO my_role

Grant privilege to drop indexes on a specified database to a role.

GRANT SHOW INDEX ON DATABASE * TO my_role

Grant privilege to show indexes on all databases to a role.

DENY INDEX MANAGEMENT ON DATABASE bar TO my_role

Deny privilege to create and drop indexes on a specified database to a role.

GRANT CREATE CONSTRAINT ON DATABASE * TO my_role

Grant privilege to create constraints on all databases to a role.

DENY DROP CONSTRAINT ON DATABASE * TO my_role

Deny privilege to drop constraints on all databases to a role.

DENY SHOW CONSTRAINT ON DATABASE foo TO my_role

Deny privilege to show constraints on a specified database to a role.

REVOKE CONSTRAINT ON DATABASE * FROM my_role

Revoke granted and denied privileges to create and drop constraints on all databases from a role.

GRANT CREATE NEW LABELS ON DATABASE * TO my_role

Grant privilege to create new labels on all databases to a role.

DENY CREATE NEW TYPES ON DATABASE foo TO my_role

Deny privilege to create new relationship types on a specified database to a role.

REVOKE GRANT CREATE NEW PROPERTY NAMES ON DATABASE bar FROM my_role

Revoke the grant privilege to create new property names on a specified database from a role.

GRANT NAME MANAGEMENT ON HOME DATABASE TO my_role

Grant privilege to create labels, relationship types, and property names on the home database to a role.

GRANT ALL ON DATABASE baz TO my_role

Grant privilege to access, create and drop indexes and constraints, create new labels, types and property names on a specified database to a role.

GRANT SHOW TRANSACTION (*) ON DATABASE foo TO my_role

Grant privilege to list transactions and queries from all users on a specified database to a role.

DENY TERMINATE TRANSACTION (user1, user2) ON DATABASES * TO my_role

Deny privilege to kill transactions and queries from user1 and user2 on all databases to a role.

REVOKE GRANT TRANSACTION MANAGEMENT ON HOME DATABASE FROM my_role

Revoke the granted privilege to list and kill transactions and queries from all users on the home database from a role.

SHOW PRIVILEGES AS COMMANDS

List all privileges in the system as Cypher commands.

SHOW PRIVILEGES

List all privileges in the system, and the roles that they are assigned to.

SHOW PRIVILEGES
YIELD role, action, access
WHERE role = 'my\_role'

List information about privileges, filtered by role, action and access and further refined by the name of the role.

SHOW ROLE my_role PRIVILEGES AS COMMANDS

List all privileges assigned to a role as Cypher commands.

SHOW ROLE my_role, my_second_role PRIVILEGES AS COMMANDS

List all privileges assigned to each of the multiple roles as Cypher commands.

SHOW USER alice PRIVILEGES AS COMMANDS

List all privileges of a user, and the role that they are assigned to as Cypher commands.

SHOW USER PRIVILEGES AS COMMANDS

List all privileges of the currently logged in user, and the role that they are assigned to as Cypher commands.

GRANT CREATE ON GRAPH * NODES Label TO my_role

Grant create privilege on all nodes with a specified label in all graphs to a role.

DENY DELETE ON GRAPH neo4j TO my_role

Deny delete privilege on all nodes and relationships in a specified graph to a role.

REVOKE SET LABEL Label ON GRAPH * FROM my_role

Revoke set label privilege for the specified label on all graphs to a role.

GRANT REMOVE LABEL * ON GRAPH foo TO my_role

Grant remove label privilege for all labels on a specified graph to a role.

DENY SET PROPERTY {prop} ON GRAPH foo RELATIONSHIPS Type TO my_role

Deny set property privilege on a specified property, on all relationships with a specified type in a specified graph, to a role.

GRANT MERGE {*} ON GRAPH * NODES Label TO my_role

Grant merge privilege on all properties, on all nodes with a specified label in all graphs, to a role.

REVOKE WRITE ON GRAPH * FROM my_role

Revoke write privilege on all graphs from a role.

DENY ALL GRAPH PRIVILEGES ON GRAPH foo TO my_role

Deny all graph privileges privilege on a specified graph to a role.

GRANT TRAVERSE ON GRAPH * NODES * TO my_role

Grant traverse privilege on all nodes and all graphs to a role.

DENY READ {prop} ON GRAPH foo RELATIONSHIP Type TO my_role

Deny read privilege on a specified property, on all relationships with a specified type in a specified graph, to a role.

GRANT MATCH {\*} ON HOME GRAPH ELEMENTS Label TO my_role

Grant read privilege on all properties and traverse privilege in the home graph, to a role. Here, both privileges apply to all nodes and relationships with a specified label/type in the graph.

CREATE ROLE my\_role

Create a role.

CREATE ROLE my_second_role IF NOT EXISTS AS COPY OF my_role

Create a role named my_second_role, unless it already exists, as a copy of the existing my_role.

RENAME ROLE my\_second\_role TO my_other_role

Rename a role named my_second_role to my_other_role.

GRANT ROLE my\_role, my_other_role TO alice

Assign roles to a user.

REVOKE ROLE my\_other\_role FROM alice

Remove a specified role from a user.

SHOW ROLES

List all roles in the system.

SHOW ROLES
YIELD role
WHERE role CONTAINS 'my'

List roles, filtered by the name of the role and further refined by whether the name contains 'my'.

SHOW POPULATED ROLES WITH USERS

List all roles that are assigned to at least one user in the system, and the users assigned to those roles.

DROP ROLE my\_role

Delete a role.

CREATE USER alice SET PASSWORD $password

Create a new user and a password. This password must be changed on the first login.

ALTER USER alice SET PASSWORD $password CHANGE NOT REQUIRED

Set a new password for a user. This user will not be required to change this password on the next login.

ALTER USER alice IF EXISTS SET PASSWORD CHANGE REQUIRED

If the specified user exists, force this user to change their password on the next login.

ALTER USER alice SET STATUS SUSPENDED

(★) Change the user status to suspended. Use SET STATUS ACTIVE to reactivate the user.

ALTER USER alice SET HOME DATABASE otherDb

(★) Change the home database of user to otherDb. Use REMOVE HOME DATABASE to unset the home database for the user and fallback to the default database.

ALTER CURRENT USER SET PASSWORD FROM $old TO $new

Change the password of the logged-in user. The user will not be required to change this password on the next login.

SHOW CURRENT USER

List the currently logged-in user, their status, roles and whether they need to change their password. (★) Status and roles are Enterprise Edition only.

SHOW USERS

List all users in the system, their status, roles and if they need to change their password. (★) Status and roles are Enterprise Edition only.

SHOW USERS
YIELD user, suspended
WHERE suspended = true

List users in the system, filtered by their name and status and further refined by whether they are suspended. (★) Status is Enterprise Edition only.

RENAME USER alice TO alice_delete

Rename the user alice to alice_delete.

DROP USER alice\_delete

Delete the user.