Built-in roles and privileges
Introduction
Neo4j provides a set of built-in roles that can be used to control access to the database.
The PUBLIC
role is the default role for all users.
It does not give any rights or capabilities regarding the data, not even read privileges.
The rest of the built-in roles are hierarchical, with the reader
role at the bottom and the admin
role at the top with all privileges.
A user may have more than one assigned role, and the union of these determines what action(s) on the data may be undertaken by the user.
For instance, a user assigned to the reader
role can execute procedures, because all users are also assigned to the PUBLIC
role, which enables that capability.
The built-in roles have the following default privileges:
PUBLIC
-
-
Access to the home database.
-
Execute procedures with the users' own privileges.
-
Execute user-defined functions with the users' own privileges.
-
Load data.
-
reader
-
-
Access to all databases.
-
Traverse and read on the data graph (all nodes, relationships, properties).
-
Show indexes and constraints along with any other future schema constructs.
-
editor
-
-
Access to all databases.
-
Traverse, read, and write on the data graph.
-
Write access, limited to creating and changing existing property keys, node labels, and relationship types of the graph. In other words, the
editor
role cannot add to the schema but can only make changes to already existing objects. -
Show indexes and constraints along with any other future schema constructs.
-
publisher
-
-
Access to all databases.
-
Traverse, read, and write on the data graph.
-
Show indexes and constraints along with any other future schema constructs.
-
architect
-
-
Access to all databases.
-
Traverse, read, and write on the data graph.
-
Create/drop/show indexes and constraints along with any other future schema constructs.
-
admin
-
-
Access to all databases.
-
Traverse, read, and write on the data graph.
-
Load data.
-
Create/drop/show indexes and constraints along with any other future schema constructs.
-
Execute procedures using boosted privileges.
-
Execute admin procedures.
-
Execute user-defined functions using boosted privileges.
-
View/terminate queries.
-
Manage databases, users, roles, and privileges.
-
When an administrator suspends or deletes another user, the following rules apply:
-
Administrators can suspend or delete any other user (including other administrators), but not themselves.
-
When suspended, the user is no longer able to log back in until re-activated by an administrator.
-
There is no need to remove assigned roles from a user before deleting the user.
Deleting a user does not automatically terminate associated connections, sessions, transactions, or queries. |
Neo4j provides the following built-in roles with default privileges and capabilities. The subset of the functionality that is available with Community Edition is also included. All of the commands require that the user executing the commands has the rights to do so.
Action | reader |
editor |
publisher |
architect |
admin |
PUBLIC |
Available in Community Edition |
---|---|---|---|---|---|---|---|
Change own password |
|
|
|
|
|
|
|
View own details |
|
|
|
|
|
|
|
View own transactions |
|
|
|
|
|
|
|
Terminate own transactions |
|
|
|
|
|
|
|
View own privileges |
|
|
|
|
|
|
|
View all databases |
|
|
|
|
|
|
|
Access home database |
|
|
|
|
|
|
|
Access all databases |
|
|
|
|
|
|
|
Read data |
|
|
|
|
|
|
|
View index/constraint |
|
|
|
|
|
|
|
Write/update/delete existing data |
|
|
|
|
|
||
Create new types of properties key |
|
|
|
|
|||
Create new types of nodes labels |
|
|
|
|
|||
Create new types of relationship types |
|
|
|
|
|||
Create/drop index/constraint |
|
|
|
||||
Create/delete user |
|
|
|||||
Change another user’s name |
|
|
|||||
Change another user’s password |
|
|
|||||
Change another user’s home database |
|
||||||
Suspend/activate user |
|
||||||
Create/drop roles |
|
||||||
Change role names |
|
||||||
Assign/remove role to/from user |
|
||||||
Create/drop/alter databases |
|
||||||
Start/stop databases |
|
||||||
Manage database access |
|
||||||
Grant/deny/revoke privileges |
|
||||||
View all users |
|
|
|||||
View all roles |
|
||||||
View all roles for a user |
|
||||||
View all users for a role |
|
||||||
View another user’s privileges |
|
||||||
View all transactions |
|
|
|||||
Terminate all transactions |
|
|
|||||
Load data |
|
|
|
||||
Execute procedures |
|
|
|
||||
Execute functions |
|
|
|
||||
Execute admin procedures |
|
|
|||||
Dynamically change configuration [1] |
|
||||||
1. For more information, see Update dynamic settings |
The PUBLIC
role
All users are granted the PUBLIC
role, and it can not be revoked or dropped.
By default, it gives access to the default database and allows loading data, executing all procedures and user-defined functions.
The |
Listing PUBLIC
role privileges
SHOW ROLE PUBLIC PRIVILEGES AS COMMANDS
command |
---|
|
|
|
|
Rows: 4 |
Recreating the PUBLIC
role
The PUBLIC
role can not be dropped and thus there is no need to recreate the role itself.
To restore the role to its original capabilities, two steps are needed.
First, all GRANT
or DENY
privileges on this role should be revoked (see output of SHOW ROLE PUBLIC PRIVILEGES AS REVOKE COMMANDS
on what to revoke).
Secondly, run these queries:
GRANT ACCESS ON HOME DATABASE TO PUBLIC
GRANT EXECUTE PROCEDURES * ON DBMS TO PUBLIC
GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO PUBLIC
GRANT LOAD ON ALL DATA TO PUBLIC
The resulting PUBLIC
role now has the same privileges as the original built-in PUBLIC
role.
The reader
role
The reader
role can perform read-only queries on all graphs except for the system
database.
Listing reader
role privileges
SHOW ROLE reader PRIVILEGES AS COMMANDS
command |
---|
|
|
|
|
|
Rows: 5 |
Recreating the reader
role
To restore the role to its original capabilities two steps are needed.
First, execute DROP ROLE reader
.
Secondly, run these queries:
CREATE ROLE reader
GRANT ACCESS ON DATABASE * TO reader
GRANT MATCH {*} ON GRAPH * TO reader
GRANT SHOW CONSTRAINT ON DATABASE * TO reader
GRANT SHOW INDEX ON DATABASE * TO reader
The resulting reader
role now has the same privileges as the original built-in reader
role.
The editor
role
The editor
role can perform read and write operations on all graphs except for the system
database, but it cannot create new labels, property keys or relationship types.
Listing editor
role privileges
SHOW ROLE editor PRIVILEGES AS COMMANDS
command |
---|
|
|
|
|
|
|
Rows: 6 |
Recreating the editor
role
To restore the role to its original capabilities two steps are needed.
First, execute DROP ROLE editor
.
Secondly, run these queries:
CREATE ROLE editor
GRANT ACCESS ON DATABASE * TO editor
GRANT MATCH {*} ON GRAPH * TO editor
GRANT WRITE ON GRAPH * TO editor
GRANT SHOW CONSTRAINT ON DATABASE * TO editor
GRANT SHOW INDEX ON DATABASE * TO editor
The resulting editor
role now has the same privileges as the original built-in editor
role.
The publisher
role
The publisher
role can do the same as editor
, as well as create new labels, property keys and relationship types.
Listing publisher
role privileges
SHOW ROLE publisher PRIVILEGES AS COMMANDS
command |
---|
|
|
|
|
|
|
|
Rows: 7 |
Recreating the publisher
role
To restore the role to its original capabilities two steps are needed.
First, execute DROP ROLE publisher
.
Secondly, run these queries:
CREATE ROLE publisher
GRANT ACCESS ON DATABASE * TO publisher
GRANT MATCH {*} ON GRAPH * TO publisher
GRANT WRITE ON GRAPH * TO publisher
GRANT NAME MANAGEMENT ON DATABASE * TO publisher
GRANT SHOW CONSTRAINT ON DATABASE * TO publisher
GRANT SHOW INDEX ON DATABASE * TO publisher
The resulting publisher
role now has the same privileges as the original built-in publisher
role.
The architect
role
The architect
role can do the same as the publisher
, as well as create and manage indexes and constraints.
Listing architect
role privileges
SHOW ROLE architect PRIVILEGES AS COMMANDS
command |
---|
|
|
|
|
|
|
|
|
|
Rows: 9 |
Recreating the architect
role
To restore the role to its original capabilities two steps are needed.
First, execute DROP ROLE architect
.
Secondly, run these queries:
CREATE ROLE architect
GRANT ACCESS ON DATABASE * TO architect
GRANT MATCH {*} ON GRAPH * TO architect
GRANT WRITE ON GRAPH * TO architect
GRANT NAME MANAGEMENT ON DATABASE * TO architect
GRANT SHOW CONSTRAINT ON DATABASE * TO architect
GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO architect
GRANT SHOW INDEX ON DATABASE * TO architect
GRANT INDEX MANAGEMENT ON DATABASE * TO architect
The resulting architect
role now has the same privileges as the original built-in architect
role.
The admin
role
The admin
role can do the same as the architect
, as well as manage databases, aliases, users, roles and privileges.
The admin
role can perform administrative tasks.
These include the rights to perform the following classes of tasks:
-
Manage database privileges to control the rights to perform actions on specific databases:
-
Manage access to a database and the right to start and stop a database.
-
Manage indexes and constraints.
-
Allow the creation of labels, relationship types, or property names.
-
Manage transactions.
-
-
Manage DBMS privileges to control the rights to perform actions on the entire system:
-
Manage multiple databases.
-
Change configuration parameters.
-
Manage sub-graph privileges.
-
Manage procedure security.
-
Manage load privileges to control the rights to load data from external sources.
-
These rights are conferred using privileges that can be managed through the GRANT
, DENY
and REVOKE
commands.
Listing admin
role privileges
SHOW ROLE admin PRIVILEGES AS COMMANDS
command |
---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rows: 14 |
If the built-in admin
role has been altered or dropped and needs to be restored to its original state, see Password and user recovery.
Recreating the admin
role
To restore the role to its original capabilities two steps are needed.
First, execute DROP ROLE admin
.
Secondly, run these queries:
CREATE ROLE admin
GRANT ALL DBMS PRIVILEGES ON DBMS TO admin
GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin
GRANT START ON DATABASE * TO admin
GRANT STOP ON DATABASE * TO admin
GRANT MATCH {*} ON GRAPH * TO admin
GRANT WRITE ON GRAPH * TO admin
GRANT LOAD ON ALL DATA TO admin
GRANT ALL ON DATABASE * TO admin
The resulting admin
role now has the same effective privileges as the original built-in admin
role.
Additional information about restoring the admin
role can be found in the Recover the admin role.