Write privileges

Write privileges are defined for different parts of the graph:

  • CREATE - allows creating nodes and relationships.

  • DELETE - allows deleting nodes and relationships.

  • SET LABEL - allows setting the specified node labels using the SET clause.

  • REMOVE LABEL - allows removing the specified node labels using the REMOVE clause.

  • SET PROPERTY - allows setting properties on nodes and relationships.

There are also compound privileges that combine the above specific privileges:

  • MERGE - allows MATCH, CREATE, and SET PROPERTY to apply the MERGE command.

  • WRITE - allows all WRITE operations on an entire graph.

  • ALL GRAPH PRIVILEGES - allows all READ and WRITE operations on an entire graph.

For more details about how to read the administration commands syntax, see Reading the administration commands syntax and Components of the graph privilege commands.

The CREATE privilege

The CREATE privilege allows a user to create new node and relationship elements on a graph. For more details, see the Cypher Manual → CREATE clause.

GRANT [IMMUTABLE] CREATE
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
    ]
  TO role[, ...]

For example, to grant the role regularUsers the ability to CREATE elements on the graph neo4j, use:

GRANT CREATE ON GRAPH neo4j ELEMENTS * TO regularUsers

The CREATE privilege can also be denied:

DENY [IMMUTABLE] CREATE
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
    ]
  TO role[, ...]

For example, to deny the role regularUsers the ability to CREATE nodes with the label foo on all graphs, use:

DENY CREATE ON GRAPH * NODES foo TO regularUsers

If the user attempts to create nodes with a label that does not already exist on the database, then the user must also possess the CREATE NEW LABEL privilege. The same applies to new relationships: the CREATE NEW RELATIONSHIP TYPE privilege is required.

If a label or a relationship type does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.

The DELETE privilege

The DELETE privilege allows a user to delete node and relationship elements on a graph. For more details, see the Cypher Manual → DELETE clause.

GRANT [IMMUTABLE] DELETE
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
    ]
  TO role[, ...]

For example, to grant the role regularUsers the ability to DELETE elements on the graph neo4j, use:

GRANT DELETE ON GRAPH neo4j ELEMENTS * TO regularUsers

The DELETE privilege can also be denied:

DENY [IMMUTABLE] DELETE
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
    ]
  TO role[, ...]

For example, to deny the role regularUsers the ability to DELETE relationships with the relationship type bar on all graphs, use:

DENY DELETE ON GRAPH * RELATIONSHIPS bar TO regularUsers

Users with DELETE privilege, but restricted TRAVERSE privileges, will not be able to do DETACH DELETE in all cases. See href:tutorial/access-control.adoc#detach-delete-restricted-user[delete restricted user] for more info.

If a label or a relationship type does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.

The SET LABEL privilege

The SET LABEL privilege allows you to set labels on a node using the Cypher SET clause:

GRANT [IMMUTABLE] SET LABEL { * | label[, ...] }
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
  TO role[, ...]

For example, to grant the role regularUsers the ability to SET any label on nodes of the graph neo4j, use:

GRANT SET LABEL * ON GRAPH neo4j TO regularUsers

Unlike many of the other READ and WRITE privileges, it is not possible to restrict the SET LABEL privilege to specific ELEMENTS, NODES or RELATIONSHIPS.

The SET LABEL privilege can also be denied:

DENY [IMMUTABLE] SET LABEL { * | label[, ...] }
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
  TO role[, ...]

For example, to deny the role regularUsers the ability to SET the label foo on nodes of all graphs, use:

DENY SET LABEL foo ON GRAPH * TO regularUsers

If no instances of this label exist on the database, then the CREATE NEW LABEL privilege is also required.

If a label does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.

The REMOVE LABEL privilege

The REMOVE LABEL privilege allows you to remove labels from a node by using the Cypher REMOVE clause:

GRANT [IMMUTABLE] REMOVE LABEL { * | label[, ...] }
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
  TO role[, ...]

For example, to grant the role regularUsers the ability to REMOVE any label from nodes of the graph neo4j, use:

GRANT REMOVE LABEL * ON GRAPH neo4j TO regularUsers

Unlike many of the other READ and WRITE privileges, it is not possible to restrict the REMOVE LABEL privilege to specific ELEMENTS, NODES or RELATIONSHIPS.

The REMOVE LABEL privilege can also be denied:

DENY [IMMUTABLE] REMOVE LABEL { * | label[, ...] }
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
  TO role[, ...]

For example, denying the role regularUsers the ability to remove the label foo from nodes of all graphs, use:

DENY REMOVE LABEL foo ON GRAPH * TO regularUsers

If a label does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.

The SET PROPERTY privilege

The SET PROPERTY privilege allows a user to set a property on a node or relationship element in a graph by using the Cypher SET clause:

GRANT [IMMUTABLE] SET PROPERTY "{" { * | property[, ...] } "}"
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
    ]
  TO role[, ...]

For example, to grant the role regularUsers the ability to SET any property on all elements of the graph neo4j, use:

GRANT SET PROPERTY {*} ON HOME GRAPH ELEMENTS * TO regularUsers

The SET PROPERTY privilege can also be denied:

DENY [IMMUTABLE] SET PROPERTY "{" { * | property[, ...] } "}"
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
    ]
  TO role[, ...]

For example, to deny the role regularUsers the ability to SET the property foo on nodes with the label bar on all graphs, use:

DENY SET PROPERTY { foo } ON GRAPH * NODES bar TO regularUsers

If the user attempts to set a property with a property name that does not already exist on the database, the user must also possess the CREATE NEW PROPERTY NAME privilege.

If a label, a relationship type, or a property name does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.

The MERGE privilege

The MERGE privilege is a compound privilege that combines TRAVERSE and READ (i.e. MATCH) with CREATE and SET PROPERTY. This is intended to enable the use of the Cypher MERGE command, but it is also applicable to all reads and writes that require these privileges.

GRANT [IMMUTABLE] MERGE "{" { * | property[, ...] } "}"
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
    [
      ELEMENT[S] { * | label-or-rel-type[, ...] }
      | NODE[S] { * | label[, ...] }
      | RELATIONSHIP[S] { * | rel-type[, ...] }
    ]
  TO role[, ...]

For example, to grant the role regularUsers the ability to MERGE on all elements of the graph neo4j, use:

GRANT MERGE {*} ON GRAPH neo4j ELEMENTS * TO regularUsers

It is not possible to deny the MERGE privilege. If you wish to prevent a user from creating elements and setting properties: use DENY CREATE or DENY SET PROPERTY.

If the user attempts to create nodes with a label that does not already exist on the database, the user must also possess the CREATE NEW LABEL privilege. The same applies to new relationships and properties - the CREATE NEW RELATIONSHIP TYPE or CREATE NEW PROPERTY NAME privileges are required.

If a label, a relationship type, or a property name does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.

The WRITE privilege

The WRITE privilege allows the user to execute any WRITE command on a graph.

GRANT [IMMUTABLE] WRITE
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
  TO role[, ...]

For example, to grant the role regularUsers the ability to WRITE on the graph neo4j, use:

GRANT WRITE ON GRAPH neo4j TO regularUsers

Unlike the more specific WRITE commands, it is not possible to restrict WRITE privileges to specific ELEMENTS, NODES or RELATIONSHIPS. If you wish to prevent a user from writing to a subset of database objects, a GRANT WRITE can be combined with more specific DENY commands to target these elements.

The WRITE privilege can also be denied:

DENY [IMMUTABLE] WRITE
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
  TO role[, ...]

For example, to deny the role regularUsers the ability to WRITE on the graph neo4j, use:

DENY WRITE ON GRAPH neo4j TO regularUsers

Users with WRITE privilege but restricted TRAVERSE privileges will not be able to do DETACH DELETE in all cases. See delete restricted user for more info.

The ALL GRAPH PRIVILEGES privilege

The ALL GRAPH PRIVILEGES privilege allows the user to execute any command on a graph:

GRANT [IMMUTABLE] ALL [ [ GRAPH ] PRIVILEGES ]
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
  TO role[, ...]

For example, to grant the role regularUsers ALL GRAPH PRIVILEGES on the graph neo4j, use:

GRANT ALL GRAPH PRIVILEGES ON GRAPH neo4j TO regularUsers

Unlike the more specific READ and WRITE commands, it is not possible to restrict ALL GRAPH PRIVILEGES to specific ELEMENTS, +NODES or RELATIONSHIPS. If you wish to prevent a user from reading or writing to a subset of database objects, a GRANT ALL GRAPH PRIVILEGES can be combined with more specific DENY commands to target these elements.

The ALL GRAPH PRIVILEGES privilege does not allow creating new labels, relationship types, or property names. These are instead managed by the NAME MANAGEMENT privileges.

The ALL GRAPH PRIVILEGES privilege can also be denied:

DENY [IMMUTABLE] ALL [ [ GRAPH ] PRIVILEGES ]
  ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
  TO role[, ...]

For example, to deny the role regularUsers all graph privileges on the graph neo4j, use:

DENY ALL GRAPH PRIVILEGES ON GRAPH neo4j TO regularUsers