Administering immutable privileges
This tutorial describes how to administer immutable privileges, which are useful assets for restricting the actions of users who themselves are able to administer privileges. They offer a way to prevent such users from simply removing any restrictions by using their privilege management privileges.
In other words, having privilege management privileges is not sufficient to add or remove immutable privileges. The only way immutable privileges can be added or removed is when auth is disabled.
This should only be performed when you have other means of preventing access to the Neo4j DBMS. |
When auth is disabled, immutable privileges can be added and removed in the same way as regular privileges. To do so, follow these steps:
-
Change the config setting
dbms.security.auth_enabled
tofalse
. -
Restart the Neo4j DBMS.
-
Create or remove immutable privileges in the same way as regular privileges using the keyword
IMMUTABLE
. For example:
DENY IMMUTABLE DATABASE MANAGEMENT ON DBMS TO PUBLIC
-
Change the config setting
dbms.security.auth_enabled
totrue
. -
Restart the Neo4j DBMS.
-
Observe that the following immutable privileges are now in place:
SHOW PRIVILEGES WHERE IMMUTABLE
access | action | resource | graph | segment | role | immutable |
---|---|---|---|---|---|---|
|
|
|
|
|
|
|
Rows: 1 |
Privileges like this one can now be considered to be an immutable part of the DBMS. The only way to subsequently remove it would be to repeat this process.