Read privileges

There are three separate read privileges:

  • TRAVERSE - enables the specified entities to be found.

  • READ - enables the specified properties of the found entities to be read.

  • MATCH - combines both TRAVERSE and READ, enabling an entity to be found and its properties read.

For more details about the syntax descriptions, see Cypher syntax for administration commands.

The TRAVERSE privilege

Users can be granted the right to find nodes and relationships using the GRANT TRAVERSE privilege.

GRANT [IMMUTABLE] TRAVERSE
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
      | FOR pattern
    ]
  TO role[, ...]

For more details about the pattern syntax used to express attributes based access control rules, see Property-based access control.

For example, you can enable users with the role regularUsers to find all nodes with the label Post in the database neo4j:

GRANT TRAVERSE ON GRAPH neo4j NODES Post TO regularUsers

The TRAVERSE privilege can also be denied.

DENY [IMMUTABLE] TRAVERSE
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
      | FOR pattern
    ]
  TO role[, ...]

For example, we can disable users with the role regularUsers from finding all nodes with the label Payments:

DENY TRAVERSE ON HOME GRAPH NODES Payments TO regularUsers

Although you just granted the role regularUsers the right to read all properties on nodes with label Post, you may want to make this more fine-grained using Property-based access control to hide the posts with secret property set to true. For example:

DENY TRAVERSE ON HOME GRAPH FOR (:Post {secret: true}) TO regularUsers

If a label or a relationship type does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.

The READ privilege

Users can be granted the right to do property reads on nodes and relationships using the GRANT READ privilege. It is very important to note that users can only read properties on entities that they are enabled to find in the first place.

GRANT [IMMUTABLE] READ "{" { * | property[, ...] } "}"
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
      | FOR pattern
    ]
  TO role[, ...]

For more details about the pattern syntax used to express attributes based access control rules, see Property-based access control.

For example, you can enable users with the role regularUsers to read all properties on nodes with the label Post in the database neo4j. The * implies that the ability to read all properties also extends to properties that might be added in the future.

GRANT READ { * } ON GRAPH neo4j NODES Post TO regularUsers

To further fine-grained the read access, you can enable users with the role regularUsers to read all properties on nodes with the label Post that have property secret not set to true in the database neo4j. For example:

GRANT READ { * } ON GRAPH neo4j FOR (n:Post) WHERE n.secret <> true TO regularUsers

Granting property READ access does not imply that the entities with that property can be found. For example, if there is also a DENY TRAVERSE present on the same entity as a GRANT READ, the entity will not be found by a Cypher MATCH statement.

The READ privilege can also be denied.

DENY [IMMUTABLE] READ "{" { * | property[, ...] } "}"
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
      | FOR pattern
    ]
  TO role[, ...]

Although we just granted the role regularUsers the right to read all properties, we may want to hide the secret property. The following example shows how to do that:

DENY READ { secret } ON GRAPH neo4j NODES Post TO regularUsers

If a label, a relationship type, or a property name does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.

The MATCH privilege

Users can be granted the right to find and do property reads on nodes and relationships using the GRANT MATCH privilege. This is semantically the same as having both TRAVERSE and READ privileges.

GRANT [IMMUTABLE] MATCH "{" { * | property[, ...] } "}"
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
      | FOR pattern
    ]
  TO role[, ...]

For more details about the pattern syntax used to express attributes based access control rules, see Property-based access control.

For example if you want to grant the ability to read the properties language and length for nodes with the label Message, as well as the ability to find these nodes to the role regularUsers, you can use the following GRANT MATCH query:

GRANT MATCH { language, length } ON GRAPH neo4j NODES Message TO regularUsers

The following query grants the regularUsers role the ability to find Post and Likes nodes where the secret property is set to false, as well as reading all their properties.

GRANT MATCH { * } ON GRAPH neo4j FOR (n:Post|Likes) WHERE n.secret = false TO regularUsers

Like all other privileges, the MATCH privilege can also be denied.

DENY [IMMUTABLE] MATCH "{" { * | property[, ...] } "}"
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
      | FOR pattern
    ]
  TO role[, ...]

Please note that the effect of denying a MATCH privilege depends on whether concrete property keys are specified or are *. If you specify concrete property keys, then DENY MATCH will only deny reading those properties. Finding the elements to traverse would still be enabled. If you specify * instead, then both traversal of the element and all property reads will be disabled. The following queries will show examples for this.

Denying to read the property content on nodes with the label Message for the role regularUsers would look like the following query. Although not being able to read this specific property, nodes with that label can still be traversed (and, depending on other grants, other properties on it could still be read).

DENY MATCH { content } ON GRAPH neo4j NODES Message TO regularUsers

The following query exemplifies how it would look if you wanted to deny both reading all properties and traversing nodes labeled with Account in the database neo4j:

DENY MATCH { * } ON GRAPH neo4j NODES Account TO regularUsers

If a label, a relationship type, or a property name does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.