Administering immutable privileges

This tutorial describes how to administer immutable privileges, which are useful for restricting the actions of users who can themselves administer privileges. They prevent such users from simply removing the restrictions by using their privilege management privileges.

In other words, having privilege management privileges is not sufficient to add or remove immutable privileges. The only way immutable privileges can be added or removed is when auth is disabled.

Disabling auth should only be done when you have other means of preventing access to the Neo4j DBMS.

When auth is disabled, immutable privileges can be added and removed in the same way as regular privileges. To do so, follow these steps:

  1. Change the config setting dbms.security.auth_enabled to false.

  2. Restart the Neo4j DBMS.

  3. Create or remove immutable privileges in the same way as regular privileges using the keyword IMMUTABLE. For example:

     DENY IMMUTABLE DATABASE MANAGEMENT ON DBMS TO PUBLIC

  4. Change the config setting dbms.security.auth_enabled to true.

  5. Restart the Neo4j DBMS.

  6. Observe that the following immutable privileges are now in place:

     SHOW PRIVILEGES WHERE IMMUTABLE
Table 1. Result

access     action                  resource    graph   segment     role      immutable
"DENIED"   "database_management"   "database"  "*"     "database"  "PUBLIC"  true

Rows: 1

Privileges like this one can now be considered an immutable part of the DBMS. The only way to remove it subsequently is to repeat this process.
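The six-step procedure above is easy to get wrong by hand, in particular leaving auth disabled after the privilege has been written. The following shell script is an added example, not part of the Neo4j documentation or the Neo4j distribution. It assumes a standard neo4j.conf, that the neo4j and cypher-shell commands are on PATH, and that NEO4J_PASSWORD holds the password used once auth is back on; all three are assumptions. The config edit is done by a pure shell function so it can be tested without a running DBMS, and the trap makes sure auth is re-enabled in the config even if a later step fails.

```shell
#!/bin/sh
# Added example (not Neo4j's own tooling): walk through the immutable
# privilege procedure with auth re-enabled even on failure.
set -eu

# Idempotently set dbms.security.auth_enabled in a neo4j.conf file.
# A commented-out or existing line is rewritten; otherwise the line is appended.
set_auth_enabled() {
  conf="$1"
  value="$2"
  case "$value" in
    true|false) ;;
    *) echo "set_auth_enabled: value must be true or false" >&2; return 1 ;;
  esac
  if grep -q '^#*dbms\.security\.auth_enabled=' "$conf"; then
    # Portable in-place edit (no GNU-only sed -i).
    sed "s/^#*dbms\.security\.auth_enabled=.*/dbms.security.auth_enabled=$value/" "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
  else
    printf 'dbms.security.auth_enabled=%s\n' "$value" >> "$conf"
  fi
}

# Print the effective (uncommented) value of dbms.security.auth_enabled.
get_auth_enabled() {
  sed -n 's/^dbms\.security\.auth_enabled=//p' "$1" | tail -n 1
}

# Steps 1-6 from the tutorial. Requires a local Neo4j install; the
# 'neo4j' and 'cypher-shell' commands are assumed to be on PATH.
apply_immutable_privilege() {
  conf="$1"
  # Whatever happens after this point, step 4 (auth back on) is applied.
  trap 'set_auth_enabled "$conf" true' EXIT

  set_auth_enabled "$conf" false        # step 1
  neo4j restart                         # step 2

  # step 3: with auth disabled, no credentials are needed.
  cypher-shell --database system <<'EOF'
DENY IMMUTABLE DATABASE MANAGEMENT ON DBMS TO PUBLIC;
EOF

  set_auth_enabled "$conf" true         # step 4
  trap - EXIT
  neo4j restart                         # step 5

  # step 6: verify the privilege is in place, now with credentials.
  cypher-shell -u neo4j -p "$NEO4J_PASSWORD" --database system \
    'SHOW PRIVILEGES WHERE IMMUTABLE;'
}

# Usage (assumed path; only runs when explicitly requested):
#   RUN_PROCEDURE=1 NEO4J_PASSWORD=... sh immutable.sh /etc/neo4j/neo4j.conf
if [ "${RUN_PROCEDURE:-0}" = 1 ]; then
  apply_immutable_privilege "${1:-/etc/neo4j/neo4j.conf}"
fi
```

The sed-based edit deliberately rewrites a commented-out `#dbms.security.auth_enabled=` line rather than appending a second uncommented one, so the file never ends up with two conflicting values, and `get_auth_enabled` reads back whatever the DBMS would actually see after the restart.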