diff --git a/modules/ROOT/content-nav.adoc b/modules/ROOT/content-nav.adoc index c7a14d7b4..e59741670 100644 --- a/modules/ROOT/content-nav.adoc +++ b/modules/ROOT/content-nav.adoc @@ -217,7 +217,18 @@ *** xref:authentication-authorization/property-based-access-control.adoc[] *** xref:authentication-authorization/privileges-writes.adoc[] *** xref:authentication-authorization/database-administration.adoc[] -*** xref:authentication-authorization/dbms-administration.adoc[] +*** xref:authentication-authorization/dbms-administration/index.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-admin-role.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-setting-privileges.adoc[] + *** xref:authentication-authorization/load-privileges.adoc[] *** xref:authentication-authorization/limitations.adoc[] *** xref:authentication-authorization/manage-execute-permissions.adoc[] diff --git a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc index 4c758a42d..52c66a3a4 100644 --- a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc 
+++ b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc @@ -830,7 +830,7 @@ These include the rights to perform the following classes of tasks: ** Manage link:{neo4j-docs-base-uri}/cypher-manual/current/indexes/[indexes] and link:{neo4j-docs-base-uri}/cypher-manual/current/constraints/[constraints]. ** Allow the creation of labels, relationship types, or property names. ** Manage transactions. -* Manage xref:authentication-authorization/dbms-administration.adoc[DBMS privileges] to control the rights to perform actions on the entire system: +* Manage xref:authentication-authorization/dbms-administration/index.adoc[DBMS privileges] to control the rights to perform actions on the entire system: ** Manage xref:database-administration/index.adoc[multiple databases]. ** Manage xref:authentication-authorization/manage-users.adoc[users] and xref:authentication-authorization/manage-roles.adoc[roles]. ** Change configuration parameters. diff --git a/modules/ROOT/pages/authentication-authorization/database-administration.adoc b/modules/ROOT/pages/authentication-authorization/database-administration.adoc index 9dc0b58c6..26502ff3b 100644 --- a/modules/ROOT/pages/authentication-authorization/database-administration.adoc +++ b/modules/ROOT/pages/authentication-authorization/database-administration.adoc 
@@ -182,7 +182,7 @@ Use `REVOKE` if you want to remove a privilege. Common errors, such as misspellings or attempts to revoke privileges that have not been granted or denied, will lead to notifications. In Cypher 25, notifications for impossible `REVOKE` commands, where a user, a role, or a database does not exist, have been replaced with errors. -See link:{neo4j-docs-base-uri}/status-codes/{page-version}/notifications/all-notifications[Status Codes for Errors & Notifications -> Server notifications] for details on notifications. +See link:https://neo4j.com/docs/status-codes/current/notifications/all-notifications/[Status Codes for Errors & Notifications -> List of notification codes] for details on notifications. The hierarchy between the different database privileges is shown in the image below. @@ -679,7 +679,7 @@ Note that `START` and `STOP` privileges are not included in the xref:authenticat The `ALTER DATABASE`, `SET DATABASE ACCESS`, `SET DATABASE DEFAULT LANGUAGE`, and `ALTER COMPOSITE DATABASE` privileges can be granted both as database privileges and as DBMS privileges. The DBMS privilege is equivalent to granting the database privilege for all databases, `DATABASE *`. -For more information on the DBMS privilege versions, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-database-management[The `DBMS DATABASE MANAGEMENT` privileges]. +For more information on the DBMS privilege versions, see xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[The `DBMS DATABASE MANAGEMENT` privileges]. The `ALTER DATABASE` privilege is used to enable the ability to modify a standard database: diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration.adoc deleted file mode 100644 index 41aef9b88..000000000 
--- a/modules/ROOT/pages/authentication-authorization/dbms-administration.adoc +++ /dev/null 
@@ -1,2480 +0,0 @@ -:description: How to use Cypher to manage Neo4j DBMS administrative privileges. -:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated -//// -[source, cypher, role=test-setup] ----- -CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; -CREATE ROLE roleAdder IF NOT EXISTS; -CREATE ROLE roleNameModifier IF NOT EXISTS; -CREATE ROLE roleDropper IF NOT EXISTS; -CREATE ROLE roleAssigner IF NOT EXISTS; -CREATE ROLE roleRemover IF NOT EXISTS; -CREATE ROLE roleViewer IF NOT EXISTS; -CREATE ROLE roleManager IF NOT EXISTS; -CREATE ROLE userAdder IF NOT EXISTS; -CREATE ROLE userNameModifier IF NOT EXISTS; -CREATE ROLE userModifier IF NOT EXISTS; -CREATE ROLE userDropper IF NOT EXISTS; -CREATE ROLE userViewer IF NOT EXISTS; -CREATE ROLE userManager IF NOT EXISTS; -CREATE ROLE userImpersonator IF NOT EXISTS; -CREATE ROLE allUserImpersonator IF NOT EXISTS; -CREATE ROLE authModifier IF NOT EXISTS; -CREATE ROLE passwordModifier IF NOT EXISTS; -CREATE ROLE statusModifier IF NOT EXISTS; -CREATE ROLE homeDbModifier IF NOT EXISTS; -CREATE ROLE databaseAdder IF NOT EXISTS; -CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; -CREATE ROLE databaseDropper IF NOT EXISTS; -CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; -CREATE ROLE databaseModifier IF NOT EXISTS; -CREATE ROLE accessModifier IF NOT EXISTS; -CREATE ROLE languageModifier IF NOT EXISTS; -CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; -CREATE ROLE compositeDatabaseManager IF NOT EXISTS; -CREATE ROLE databaseManager IF NOT EXISTS; -CREATE ROLE aliasAdder IF NOT EXISTS; -CREATE ROLE aliasDropper IF NOT EXISTS; -CREATE ROLE aliasModifier IF NOT EXISTS; -CREATE ROLE aliasViewer IF NOT EXISTS; -CREATE ROLE aliasManager IF NOT EXISTS; -CREATE ROLE privilegeViewer IF NOT EXISTS; -CREATE ROLE privilegeAssigner IF NOT EXISTS; -CREATE ROLE privilegeRemover IF NOT EXISTS; -CREATE ROLE privilegeManager IF NOT EXISTS; -CREATE ROLE procedureExecutor IF NOT EXISTS; -CREATE ROLE 
deniedProcedureExecutor IF NOT EXISTS; -CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; -CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; -CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; -CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; -CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; -CREATE ROLE adminProcedureExecutor IF NOT EXISTS; -CREATE ROLE functionExecutor IF NOT EXISTS; -CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; -CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; -CREATE ROLE globbing1 IF NOT EXISTS; -CREATE ROLE globbing2 IF NOT EXISTS; -CREATE ROLE globbing3 IF NOT EXISTS; -CREATE ROLE globbing4 IF NOT EXISTS; -CREATE ROLE globbing5 IF NOT EXISTS; -CREATE ROLE globbing6 IF NOT EXISTS; -CREATE ROLE dbmsManager IF NOT EXISTS; -CREATE ROLE configurationViewer IF NOT EXISTS; -CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; -CREATE ROLE serverManager IF NOT EXISTS; -CREATE ROLE serverViewer IF NOT EXISTS; ----- -//// - -[[access-control-dbms-administration]] -= DBMS privileges - -All DBMS privileges are relevant system-wide. -Like user management, they do not belong to one specific database or graph. -For more details on the differences between graphs, databases, and the DBMS, refer to link:{neo4j-docs-base-uri}/cypher-manual/current/introduction/cypher-neo4j/[Cypher Manual -> Cypher and Neo4j]. - -image::privileges-grant-and-deny-syntax-dbms-privileges.svg[width="800", title="Syntax of `GRANT` and `DENY` DBMS privileges"] - -image::privileges-hierarchy-dbms.svg[width="800", title="DBMS privileges hierarchy", role=popup] - -[NOTE] -==== -You can only grant, deny, or revoke privileges to or from existing roles. -==== - -== The `admin` role privileges - -The xref:authentication-authorization/built-in-roles.adoc#access-control-built-in-roles-admin[`admin` role] role is a built-in superuser role that has all privileges on the DBMS and can perform all administrative tasks. 
- -This includes the following tasks and their relevant privileges: - -* Create, delete, and modify <> and <>. -* Change configuration parameters. -* xref:authentication-authorization/database-administration.adoc#access-control-database-administration-transaction[Manage transactions]. -* Manage <> and <>. -* Manage <>. -* Manage xref:authentication-authorization/privileges-reads.adoc[read] and xref:authentication-authorization/privileges-writes.adoc[write] sub-graph privileges. -* Manage <>. -* Manage <>. -* Manage xref:authentication-authorization/load-privileges.adoc[load data security]. - -To enable a user to perform these tasks, you can grant them the `admin` role, but it is also possible to make a custom role with a subset of these privileges. -All privileges are also assignable using Cypher commands. - -The following sections describe the privileges that are available for DBMS administration and show some examples of how to use Cypher commands to manage them. - -[[access-control-dbms-administration-custom]] -== Using a custom role to manage DBMS privileges - -You can create a custom role to manage DBMS privileges by granting the privileges you want to the role. -Alternatively, you can copy the `admin` role and revoke or deny the unwanted privileges. -The following examples show how to create a custom role with a subset of the privileges that the `admin` role using both methods. - -=== Create a custom administrator role from scratch - -Create an administrator role that can only manage users and roles by creating a new role and granting the `USER MANAGEMENT` and `ROLE MANAGEMENT` privileges. - -. Create the new role: -+ -[source, cypher, role=noplay] ----- -CREATE ROLE userAndRoleAdministrator; ----- -. Grant the privilege to manage users: -+ -[source, cypher, role=noplay] ----- -GRANT USER MANAGEMENT ON DBMS TO userAndRoleAdministrator; ----- -. 
Grant the privilege to manage roles: -+ -[source, cypher, role=noplay] ----- -GRANT ROLE MANAGEMENT ON DBMS TO userAndRoleAdministrator; ----- -+ -As a result, the `userAndRoleAdministrator` role has privileges that only allow user and role management. -. To list all privileges for the role `userAndRoleAdministrator` as commands, use the following query: -+ -[source, cypher, role=noplay] ----- -SHOW ROLE userAndRoleAdministrator PRIVILEGES AS COMMANDS; ----- -+ -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ROLE MANAGEMENT ON DBMS TO `userAndRoleAdministrator`" -|"GRANT USER MANAGEMENT ON DBMS TO `userAndRoleAdministrator`" -a|Rows: 2 -|=== - -[NOTE] -==== -This role does not allow all DBMS capabilities. -For example, the role is missing privileges for managing, creating, and dropping databases, as well as executing `admin` procedures. -To create a more powerful administrator, you can grant a different set of privileges. -==== - -=== Create a more powerful custom administrator role from scratch - -You can also create a custom administrator role with limited capabilities. -This can be done by creating a new role and granting all `DBMS` privileges, then denying the ones you do not want the role to have, and then granting additional privileges you want to include. -For example, you can create a custom administrator role `customAdministrator` that has all DBMS privileges except for creating, dropping, and modifying databases, and also has the privilege for managing transactions. - -. Create a new role: -+ -[source, cypher, role=noplay] ----- -CREATE ROLE customAdministrator; ----- -. Grant the privilege for all DBMS capabilities: -+ -[source, cypher, role=noplay] ----- -GRANT ALL DBMS PRIVILEGES ON DBMS TO customAdministrator; ----- -. Explicitly deny the privilege to manage databases: -+ -[source, cypher, role=noplay] ----- -DENY DATABASE MANAGEMENT ON DBMS TO customAdministrator; ----- -. 
Grant the transaction management privilege: -+ -[source, cypher, role=noplay] ----- -GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO customAdministrator; ----- -+ -As a result, the `customAdministrator` role has privileges that include managing transactions and all DBMS privileges except creating, dropping, and modifying databases. -. To list all privileges for the role `customAdministrator` as commands, use the following query: -+ -[source, cypher, role=noplay] ----- -SHOW ROLE customAdministrator PRIVILEGES AS COMMANDS; ----- -+ -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"DENY DATABASE MANAGEMENT ON DBMS TO `customAdministrator`" -|"GRANT ALL DBMS PRIVILEGES ON DBMS TO `customAdministrator`" -|"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `customAdministrator`" -a|Rows: 3 -|=== - -=== Create a custom administrator role by copying the `admin` role - -You can also create a custom administrator role by copying the `admin` role and then revoking or denying the privileges you do not want. -For example, you can create a new role called `newAdministrator` that has all the privileges of the `admin` role, and then revoke the ability to read/write/load data, manage constraints, indexes, name, and remove ability to access all databases, except the `system` database. - -. Create a new role by copying the `admin` role: -+ -[source, cypher, role=noplay] ----- -CREATE ROLE newAdministrator AS COPY OF admin; ----- - -. Revoke the ability to read/write/load data: -+ -[source, cypher, role=noplay] ----- -REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM newAdministrator; -REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM newAdministrator; -REVOKE GRANT WRITE ON GRAPH * FROM newAdministrator; -REVOKE GRANT LOAD ON ALL DATA FROM newAdministrator; ----- - -. 
Revoke the ability to manage index/constraint/name: -+ -[source, cypher, role=noplay] ----- -REVOKE GRANT CONSTRAINT MANAGEMENT ON DATABASE * FROM newAdministrator; -REVOKE GRANT INDEX MANAGEMENT ON DATABASE * FROM newAdministrator; -REVOKE GRANT NAME MANAGEMENT ON DATABASE * FROM newAdministrator; -REVOKE GRANT SHOW CONSTRAINT ON DATABASE * FROM newAdministrator; -REVOKE GRANT SHOW INDEX ON DATABASE * FROM newAdministrator; ----- - -. Revoke the ability to access all databases: -+ -[source, cypher, role=noplay] ----- -REVOKE GRANT ACCESS ON DATABASE * FROM newAdministrator; ----- -. Grant the ability to access the `system` database: -+ -[source, cypher, role=noplay] ----- -GRANT ACCESS ON DATABASE system TO newAdministrator; ----- - -. To list all privileges for the role `newAdministrator` as commands, use the following query: -+ -[source, cypher, role=noplay] ----- -SHOW ROLE newAdministrator PRIVILEGES AS COMMANDS; ----- -+ -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -| "GRANT ACCESS ON DATABASE `system` TO `newAdministrator`" -| "GRANT ALL DBMS PRIVILEGES ON DBMS TO `newAdministrator`" -| "GRANT START ON DATABASE * TO `newAdministrator`" -| "GRANT STOP ON DATABASE * TO `newAdministrator`" -| "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `newAdministrator`" -a|Rows: 5 -|=== - -[[access-control-dbms-administration-role-management]] -== The DBMS `ROLE MANAGEMENT` privileges - -The DBMS privileges for role management can be granted, denied, or revoked like other privileges. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. -==== - -.Role management privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command | Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] CREATE ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to create new roles. 
- -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] RENAME ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to change the name of roles. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] DROP ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to delete roles. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] ASSIGN ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to assign roles to users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] REMOVE ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to remove roles from users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SHOW ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to list roles. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] ROLE MANAGEMENT - ON DBMS - TO role[, ...] -| Enables the specified roles to create, delete, assign, remove, and list roles. - -|=== - -=== Grant privilege to create roles - -You can grant the privilege to add roles using the `CREATE ROLE` command. + -For example: - -[source, cypher, role=noplay] ----- -GRANT CREATE ROLE ON DBMS TO roleAdder; ----- - -As a result, the `roleAdder` role has privileges that only allow adding roles. -To list all privileges for the role `roleAdder` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleAdder PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT CREATE ROLE ON DBMS TO `roleAdder`" -a|Rows: 1 -|=== - -=== Grant privilege to rename roles - -You can grant the privilege to rename roles using the `RENAME ROLE` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT RENAME ROLE ON DBMS TO roleNameModifier; ----- - -As a result, the `roleNameModifier` role has privileges that only allow renaming roles. 
-To list all privileges for the role `roleNameModifier`, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleNameModifier PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT RENAME ROLE ON DBMS TO `roleNameModifier`" -a|Rows: 1 -|=== - -=== Grant privilege to delete roles - -You can grant the privilege to delete roles using the `DROP ROLE` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT DROP ROLE ON DBMS TO roleDropper; ----- - -As a result, the `roleDropper` role has privileges that only allow deleting roles. -To list all privileges for the role `roleDropper`, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleDropper PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT DROP ROLE ON DBMS TO `roleDropper`" -a|Rows: 1 -|=== - -=== Grant privilege to assign roles - -You can grant the privilege to assign roles to users using the `ASSIGN ROLE` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT ASSIGN ROLE ON DBMS TO roleAssigner; ----- - -As a result, the `roleAssigner` role has privileges that only allow assigning/granting roles. -To list all privileges for the role `roleAssigner` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleAssigner PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ASSIGN ROLE ON DBMS TO `roleAssigner`" -a|Rows: 1 -|=== - -=== Grant privilege to remove roles - -You can grant the privilege to remove roles from users using the `REMOVE ROLE` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT REMOVE ROLE ON DBMS TO roleRemover; ----- - -As a result, the `roleRemover` role has privileges that only allow removing/revoking roles. 
-To list all privileges for the role `roleRemover` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleRemover PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT REMOVE ROLE ON DBMS TO `roleRemover`" -a|Rows: 1 -|=== - -=== Grant privilege to show roles - -You can grant the privilege to show roles using the `SHOW ROLE` privilege. -A role with this privilege is allowed to execute the `SHOW ROLES` and `SHOW POPULATED ROLES` administration commands. - -[NOTE] -==== -In order to use `SHOW ROLES WITH USERS` and `SHOW POPULATED ROLES WITH USERS` administration commands, both the `SHOW ROLE` and the `SHOW USER` privileges are required. -==== - -The following query shows an example of how to grant the `SHOW ROLE` privilege: - -[source, cypher, role=noplay] ----- -GRANT SHOW ROLE ON DBMS TO roleViewer; ----- - -As a result, the `roleViewer` role has privileges that only allow showing roles. -To list all privileges for the role `roleViewer` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleViewer PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SHOW ROLE ON DBMS TO `roleViewer`" -a|Rows: 1 -|=== - -=== Grant privilege to manage roles - -You can grant the privilege to create, rename, delete, assign, remove, and list roles using the `ROLE MANAGEMENT` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT ROLE MANAGEMENT ON DBMS TO roleManager; ----- - -As a result, the `roleManager` role has all privileges to manage roles. 
-To list all privileges for the role `roleManager` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleManager PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ROLE MANAGEMENT ON DBMS TO `roleManager`" -a|Rows: 1 -|=== - - -[[access-control-dbms-administration-user-management]] -== The DBMS `USER MANAGEMENT` privileges - -The DBMS privileges for user management can be granted, denied, or revoked like other privileges. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. -==== - -.User management privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command | Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] CREATE USER - ON DBMS - TO role[, ...] -| Enables the specified roles to create new users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] RENAME USER - ON DBMS - TO role[, ...] -| Enables the specified roles to change the name of users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] ALTER USER - ON DBMS - TO role[, ...] -| Enables the specified roles to modify users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SET PASSWORD[S] - ON DBMS - TO role[, ...] -| Enables the specified roles to modify users' passwords and whether those passwords must be changed upon first login. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SET AUTH - ON DBMS - TO role[, ...] -| Enables the specified roles to `SET` or `REMOVE` users' xref:authentication-authorization/auth-providers.adoc[auth providers]. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SET USER HOME DATABASE - ON DBMS - TO role[, ...] -| Enables the specified roles to modify users' home database. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SET USER STATUS - ON DBMS - TO role[, ...] 
-| Enables the specified roles to modify the account status of users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] DROP USER - ON DBMS - TO role[, ...] -| Enables the specified roles to delete users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SHOW USER - ON DBMS - TO role[, ...] -| Enables the specified roles to list users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] USER MANAGEMENT - ON DBMS - TO role[, ...] -| Enables the specified roles to create, delete, modify, and list users. - -|=== - -=== Grant privilege to create users - -You can grant the privilege to add users using the `CREATE USER` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT CREATE USER ON DBMS TO userAdder ----- - -As a result, the `userAdder` role has privileges that only allow adding users. -To list all privileges for the role `userAdder` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE userAdder PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT CREATE USER ON DBMS TO `userAdder`" -a|Rows: 1 -|=== - -=== Grant privilege to rename users - -You can grant the privilege to rename users using the `RENAME USER` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT RENAME USER ON DBMS TO userNameModifier ----- - -As a result, the `userNameModifier` role has privileges that only allow renaming users. -To list all privileges for the role `userNameModifier` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE userNameModifier PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT RENAME USER ON DBMS TO `userNameModifier`" -a|Rows: 1 -|=== - -=== Grant privilege to modify users - -You can grant the privilege to modify users using the `ALTER USER` privilege. 
+ -For example: - -[source, cypher, role=noplay] ----- -GRANT ALTER USER ON DBMS TO userModifier ----- - -As a result, the `userModifier` role has privileges that only allow modifying users. -To list all privileges for the role `userModifier` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE userModifier PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ALTER USER ON DBMS TO `userModifier`" -a|Rows: 1 -|=== - - -The `ALTER USER` privilege allows the user to run the `ALTER USER` administration command with one or several of the `SET PASSWORD`, `SET PASSWORD CHANGE [NOT] REQUIRED`, `SET AUTH`, `REMOVE AUTH`, `SET STATUS`, `SET HOME DATABASE`, and `REMOVE HOME DATABASE` parts. + -For example: - -[source, cypher, role=noplay] ----- -ALTER USER jake SET PASSWORD 'verysecret' SET STATUS SUSPENDED ----- - -[NOTE] -==== -Note that the combination of the `SET PASSWORDS`, `SET AUTH`, `SET USER STATUS`, and `SET USER HOME DATABASE` privileges is equivalent to the `ALTER USER` privilege. -==== - -=== Grant privilege to modify users' passwords - -You can grant the privilege to modify users' passwords and whether those passwords must be changed upon first login using the `SET PASSWORDS` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT SET PASSWORDS ON DBMS TO passwordModifier ----- - -As a result, the `passwordModifier` role has privileges that only allow modifying users' passwords and whether those passwords must be changed upon first login. 
-To list all privileges for the role `passwordModifier` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE passwordModifier PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SET PASSWORD ON DBMS TO `passwordModifier`" -a|Rows: 1 -|=== - -The `SET PASSWORDS` privilege allows the user to run the `ALTER USER` administration command with one or both of the `SET PASSWORD` and `SET PASSWORD CHANGE [NOT] REQUIRED` parts. - -[source, cypher, role=noplay] ----- -ALTER USER jake SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED ----- - -=== Grant privilege to modify users' auth information - -You can grant the privilege to modify users' auth information using the `SET AUTH` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT SET AUTH ON DBMS TO authModifier ----- -As a result, the `authModifier` role has privileges that only allow modifying users' auth information. - -The `SET AUTH` privilege allows the user to run the `ALTER USER` administration command with one or both of the `SET -AUTH` and `REMOVE AUTH` parts. + -For example: - -[source, cypher, role=noplay] ----- -ALTER USER jake REMOVE AUTH 'native' SET AUTH 'oidc-okta' { SET id 'jakesUniqueOktaUserId' } ----- - -=== Grant privilege to modify the account status of users - -You can grant the privilege to modify the account status of users using the `SET USER STATUS` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT SET USER STATUS ON DBMS TO statusModifier ----- - -As a result, the `statusModifier` role has privileges that only allow modifying the account status of users. 
-To list all privileges for the role `statusModifier` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE statusModifier PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SET USER STATUS ON DBMS TO `statusModifier`" -a|Rows: 1 -|=== - -The `SET USER STATUS` privilege allows the user to run the `ALTER USER` administration command with only the `SET STATUS` part: - -[source, cypher, role=noplay] ----- -ALTER USER jake SET STATUS ACTIVE ----- - -=== Grant privilege to modify the home database of users - -You can grant the privilege to modify the home database of users using the `SET USER HOME DATABASE` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT SET USER HOME DATABASE ON DBMS TO homeDbModifier ----- - -As a result, the `homeDbModifier` role has privileges that only allow modifying the home database of users. -To list all privileges for the role `homeDbModifier` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE homeDbModifier PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SET USER HOME DATABASE ON DBMS TO `homeDbModifier`" -|"GRANT SET USER STATUS ON DBMS TO `homeDbModifier`" -a|Rows: 2 -|=== - -The `SET USER HOME DATABASE` privilege allows the user to run the `ALTER USER` administration command with only the `SET HOME DATABASE` or `REMOVE HOME DATABASE` part: - -[source, cypher, role=noplay] ----- -ALTER USER jake SET HOME DATABASE otherDb ----- - -[source, cypher, role=noplay] ----- -ALTER USER jake REMOVE HOME DATABASE ----- - -=== Grant privilege to delete users - -You can grant the privilege to delete users using the `DROP USER` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT DROP USER ON DBMS TO userDropper ----- - -As a result, the `userDropper` role has privileges that only allow deleting users. 
-To list all privileges for the role `userDropper` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE userDropper PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT DROP USER ON DBMS TO `userDropper`" -a|Rows: 1 -|=== - - -=== Grant privilege to show users - -You can grant the privilege to show users using the `SHOW USER` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT SHOW USER ON DBMS TO userViewer ----- - -As a result, the `userViewer` role has privileges that only allow showing users. -To list all privileges for the role `userViewer` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE userViewer PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SHOW USER ON DBMS TO `userViewer`" -a|Rows: 1 -|=== - -=== Grant privilege to manage users - -You can grant the privilege to create, rename, modify, delete, and list users using the `USER MANAGEMENT` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT USER MANAGEMENT ON DBMS TO userManager ----- - -As a result, the `userManager` role has all privileges to manage users. -To list all privileges for the role `userManager` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE userManager PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SHOW USER ON DBMS TO `userManager`" -a|Rows: 1 -|=== - -[[access-control-dbms-administration-impersonation]] -== The DBMS `IMPERSONATE` privileges - -The DBMS privileges for impersonation can be granted, denied, or revoked like other privileges. 
- -Impersonation is the ability of a user to assume another user's roles (and therefore privileges), with the restriction of not being able to execute updating `admin` commands as the impersonated user (i.e. they would still be able to use `SHOW` commands). - -You can use the `IMPERSONATE` privilege to allow a user to impersonate another user. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. -==== - -.Impersonation privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command | Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] IMPERSONATE [(*)] - ON DBMS - TO role[, ...] -| Enables the specified roles to impersonate any user. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] IMPERSONATE (user[, ...]) - ON DBMS - TO role[, ...] -| Enables the specified roles to impersonate the specified users. - -|=== - -=== Grant privilege to impersonate all users - -You can grant the privilege to impersonate all users using the `IMPERSONATE (*)` privilege. + -For example: - -.Query -[source, cypher, role=noplay] ----- -GRANT IMPERSONATE (*) ON DBMS TO allUserImpersonator ----- - -As a result, the `allUserImpersonator` role has privileges that allow impersonating all users. -To list all privileges for the role `allUserImpersonator` as commands, use the following query: - -.Query -[source, cypher, role=noplay] ----- -SHOW ROLE allUserImpersonator PRIVILEGES AS COMMANDS; ----- -.Result -[options="header,footer", width="100%", cols="m"] -|=== -| command -| "GRANT IMPERSONATE (*) ON DBMS TO `allUserImpersonator`" -a|Rows: 1 -|=== - -=== Grant privilege to impersonate specific users - -You can also grant the privilege to impersonate specific users or a subset of users. 
+ -For example: - -.Query -[source, cypher, role=noplay] ----- -GRANT IMPERSONATE (alice, bob) ON DBMS TO userImpersonator; ----- - -As a result, the `userImpersonator` role has privileges that allow impersonating only `alice` and `bob`. -Then, you deny the privilege to impersonate `alice`: - -.Query -[source, cypher, role=noplay] ----- -DENY IMPERSONATE (alice) ON DBMS TO userImpersonator; ----- - -As a result, the `userImpersonator` user would be able to impersonate only `bob`. - -To list all privileges for the role `userImpersonator` as commands, use the following query: - -.Query -[source, cypher, role=noplay] ----- -SHOW ROLE userImpersonator PRIVILEGES AS COMMANDS; ----- -.Result -[options="header,footer", width="100%", cols="m"] -|=== -| command -| "DENY IMPERSONATE (alice) ON DBMS TO `userImpersonator`" -| "GRANT IMPERSONATE (alice) ON DBMS TO `userImpersonator`" -| "GRANT IMPERSONATE (bob) ON DBMS TO `userImpersonator`" -a|Rows: 3 -|=== - -[[access-control-dbms-administration-database-management]] -== The DBMS `DATABASE MANAGEMENT` privileges - -The DBMS privileges for database management can be granted, denied, or revoked like other privileges. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. -==== - -.Database management privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command | Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] CREATE DATABASE - ON DBMS - TO role[, ...] -| Enables the specified roles to create new standard databases. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] DROP DATABASE - ON DBMS - TO role[, ...] -| Enables the specified roles to delete standard databases. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] ALTER DATABASE - ON DBMS - TO role[, ...] -| Enables the specified roles to modify standard databases. 
- -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SET DATABASE ACCESS - ON DBMS - TO role[, ...] -| Enables the specified roles to modify access to standard databases. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SET DATABASE DEFAULT LANGUAGE - ON DBMS - TO role[, ...] -| Enables the specified roles to set the default query language on a standard database. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] CREATE COMPOSITE DATABASE - ON DBMS - TO role[, ...] -| Enables the specified roles to create new composite databases. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] DROP COMPOSITE DATABASE - ON DBMS - TO role[, ...] -| Enables the specified roles to delete composite databases. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] ALTER COMPOSITE DATABASE - ON DBMS - TO role[, ...] -| Enables the specified roles to modify composite databases. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] COMPOSITE DATABASE MANAGEMENT - ON DBMS - TO role[, ...] -| Enables the specified roles to create, delete or modify composite databases. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] DATABASE MANAGEMENT - ON DBMS - TO role[, ...] -| Enables the specified roles to create, delete, and modify databases. - -|=== - -[NOTE] -==== -From Cypher 25 (Neo4j server 2025.08), the `ALTER DATABASE`, `SET DATABASE ACCESS`, `SET DATABASE DEFAULT LANGUAGE`, and `ALTER COMPOSITE DATABASE` privileges can be granted both as database privileges and as DBMS privileges. -The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. -For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. -==== - -=== Grant privilege to create standard databases - -You can grant the privilege to create standard databases using the `CREATE DATABASE` privilege. 
+ -For example: - -[source, cypher, role=noplay] ----- -GRANT CREATE DATABASE ON DBMS TO databaseAdder ----- - -As a result, the `databaseAdder` role has privileges that only allow creating standard databases. -To list all privileges for the role `databaseAdder` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE databaseAdder PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT CREATE DATABASE ON DBMS TO `databaseAdder`" -a|Rows: 1 -|=== - -=== Grant privilege to create composite databases - -You can grant the privilege to create composite databases using the `CREATE COMPOSITE DATABASE` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT CREATE COMPOSITE DATABASE ON DBMS TO compositeDatabaseAdder ----- - -As a result, the `compositeDatabaseAdder` role has privileges that only allow creating composite databases. -To list all privileges for the role `compositeDatabaseAdder` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE compositeDatabaseAdder PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT CREATE COMPOSITE DATABASE ON DBMS TO `compositeDatabaseAdder`" -a|Rows: 1 -|=== - -=== Grant privilege to delete standard databases - -You can grant the privilege to delete standard databases using the `DROP DATABASE` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT DROP DATABASE ON DBMS TO databaseDropper ----- - -As a result, the `databaseDropper` role has privileges that only allow deleting standard databases. 
-To list all privileges for the role `databaseDropper` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE databaseDropper PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT DROP DATABASE ON DBMS TO `databaseDropper`" -a|Rows: 1 -|=== - -=== Grant privilege to delete composite databases - -You can grant the privilege to delete composite databases using the `DROP COMPOSITE DATABASE` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT DROP COMPOSITE DATABASE ON DBMS TO compositeDatabaseDropper ----- - -As a result, the `compositeDatabaseDropper` role has privileges that only allow deleting composite databases. -To list all privileges for the role `compositeDatabaseDropper` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE compositeDatabaseDropper PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT DROP COMPOSITE DATABASE ON DBMS TO `compositeDatabaseDropper`" -a|Rows: 1 -|=== - -=== Grant privilege to modify standard databases - -You can grant the privilege to modify standard databases using the `ALTER DATABASE` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT ALTER DATABASE ON DBMS TO databaseModifier; ----- - -As a result, the `databaseModifier` role has privileges that only allow modifying standard databases. -To list all privileges for the role `databaseModifier` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE databaseModifier PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ALTER DATABASE ON DBMS TO `databaseModifier`" -a|Rows: 1 -|=== - -[NOTE] -==== -From Cypher 25 (Neo4j server 2025.08), the `ALTER DATABASE` privileges can be granted both as database privileges and as DBMS privileges. 
-The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. -For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. -==== - -=== Grant privilege to modify access to standard databases - -You can grant the privilege to modify access to standard databases using the `SET DATABASE ACCESS` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT SET DATABASE ACCESS ON DBMS TO accessModifier ----- - -As a result, the `accessModifier` role has privileges that only allow modifying access to standard databases. -To list all privileges for the role `accessModifier` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE accessModifier PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SET DATABASE ACCESS ON DBMS TO `accessModifier`" -a|Rows: 1 -|=== - -[NOTE] -==== -From Cypher 25 (Neo4j server 2025.08), the `SET DATABASE ACCESS` privileges can be granted both as database privileges and as DBMS privileges. -The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. -For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. -==== - -[role=label--new-2025.06] -=== Grant privilege to modify the default language of standard databases - -You can grant the privilege to modify the default language of standard databases using the `SET DATABASE DEFAULT LANGUAGE` privilege. 
+ -For example: - -[source, cypher, role=noplay] ----- -GRANT SET DATABASE DEFAULT LANGUAGE ON DBMS TO languageModifier ----- - -As a result, the `languageModifier` role has privileges that only allow modifying default language to standard databases. -To list all privileges for the role `languageModifier` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE languageModifier PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SET DATABASE DEFAULT LANGUAGE ON DBMS TO `languageModifier`" -a|Rows: 1 -|=== - -[NOTE] -==== -From Cypher 25 (Neo4j server 2025.08), the `SET DATABASE DEFAULT LANGUAGE` privileges can be granted both as database privileges and as DBMS privileges. -The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. -For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. -==== - -[role=label--new-2025.06] -[[grant-privilege-alter-composite-database]] -=== Grant privilege to modify composite databases - -You can grant the privilege to modify composite databases using the `ALTER COMPOSITE DATABASE` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT ALTER COMPOSITE DATABASE ON DBMS TO compositeDatabaseModifier; ----- - -As a result, the `compositeDatabaseModifier` role has privileges that only allow modifying composite databases. 
-To list all privileges for the role `compositeDatabaseModifier` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE compositeDatabaseModifier PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ALTER COMPOSITE DATABASE ON DBMS TO `compositeDatabaseModifier`" -a|Rows: 1 -|=== - -[NOTE] -==== -From Cypher 25 (Neo4j server 2025.08), the `ALTER COMPOSITE DATABASE` privileges can be granted both as database privileges and as DBMS privileges. -The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. -For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. -==== - -=== Grant privilege to manage composite databases - -You can grant the privilege to create, delete, and modify composite databases using the `COMPOSITE DATABASE MANAGEMENT` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO compositeDatabaseManager; ----- - -As a result, the `compositeDatabaseManager` role has all privileges to manage composite databases. -To list all privileges for the role `compositeDatabaseManager` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE compositeDatabaseManager PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO `compositeDatabaseManager`" -a|Rows: 1 -|=== - -=== Grant privilege to manage standard and composite databases - -You can grant the privilege to create, delete, and modify standard and composite databases using the `DATABASE MANAGEMENT` privilege. 
+ -For example: - -[source, cypher, role=noplay] ----- -GRANT DATABASE MANAGEMENT ON DBMS TO databaseManager; ----- - -As a result, the `databaseManager` role has all privileges to manage standard and composite databases. -To list all privileges for the role `databaseManager` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE databaseManager PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT DATABASE MANAGEMENT ON DBMS TO `databaseManager`" -a|Rows: 1 -|=== - -[[access-control-dbms-administration-alias-management]] -== The DBMS `ALIAS MANAGEMENT` privileges - -The DBMS privileges for alias management can be granted, denied, or revoked like other privileges. -This applies to both local and remote aliases. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. -==== - -.Alias management privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command | Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] CREATE ALIAS -ON DBMS -TO role[, ...] -| Enables the specified roles to create new aliases. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] DROP ALIAS -ON DBMS -TO role[, ...] -| Enables the specified roles to delete aliases. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] ALTER ALIAS -ON DBMS -TO role[, ...] -| Enables the specified roles to modify aliases. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SHOW ALIAS -ON DBMS -TO role[, ...] -| Enables the specified roles to list aliases. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] ALIAS MANAGEMENT -ON DBMS -TO role[, ...] -| Enables the specified roles to list, create, delete, and modify aliases. 
- -|=== - -=== Grant privilege to create aliases - -You can grant the privilege to create aliases using the `CREATE ALIAS` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT CREATE ALIAS ON DBMS TO aliasAdder; ----- - -As a result, the `aliasAdder` role has privileges that only allow creating aliases. -To list all privileges for the role `aliasAdder` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE aliasAdder PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT CREATE ALIAS ON DBMS TO `aliasAdder`" -a|Rows: 1 -|=== - -=== Grant privilege to delete aliases - -You can grant the privilege to delete aliases using the `DROP ALIAS` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT DROP ALIAS ON DBMS TO aliasDropper; ----- - -As a result, the `aliasDropper` role has privileges that only allow deleting aliases. -See all privileges for the role `aliasDropper` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE aliasDropper PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT DROP ALIAS ON DBMS TO `aliasDropper`" -a|Rows: 1 -|=== - -=== Grant privilege to modify aliases - -You can grant the privilege to modify aliases using the `ALTER ALIAS` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT ALTER ALIAS ON DBMS TO aliasModifier; ----- - -As a result, the `aliasModifier` role has privileges that only allow modifying aliases. 
-To list all privileges for the role `aliasModifier` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE aliasModifier PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ALTER ALIAS ON DBMS TO `aliasModifier`" -a|Rows: 1 -|=== - - -=== Grant privilege to list aliases - -You can grant the privilege to list aliases using the `SHOW ALIAS` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT SHOW ALIAS ON DBMS TO aliasViewer; ----- - -As a result, the `aliasViewer` role has privileges that only allow modifying aliases. -To list all privileges for the role `aliasViewer` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE aliasViewer PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SHOW ALIAS ON DBMS TO `aliasViewer`" -a|Rows: 1 -|=== - -=== Grant privilege to manage aliases - -You can grant the privilege to create, delete, modify, and list aliases using the `ALIAS MANAGEMENT` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT ALIAS MANAGEMENT ON DBMS TO aliasManager; ----- - -As a result, the `aliasManager` role has all privileges to manage aliases. -To list all privileges for the role `aliasManager` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE aliasManager PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ALIAS MANAGEMENT ON DBMS TO `aliasManager`" -a|Rows: 1 -|=== - -[[access-control-dbms-administration-server-management]] -== The DBMS `SERVER MANAGEMENT` privileges - -The DBMS privileges for server management can be granted, denied, or revoked like other privileges. 
- -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. -==== - -.Server management privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command | Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SERVER MANAGEMENT - ON DBMS - TO role[, ...] -| Enables the specified roles to show, enable, rename, alter, reallocate, deallocate, and drop servers. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SHOW SERVERS - ON DBMS - TO role[, ...] -| Enables the specified roles to show servers. -|=== - -=== Grant privilege to manage servers - -You can grant the privilege to show, enable, rename, alter, reallocate, deallocate, and drop servers using the `SERVER MANAGEMENT` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT SERVER MANAGEMENT ON DBMS TO serverManager; ----- - -As a result, the `serverManager` role has all privileges to manage servers. -To list all privileges for the role `serverManager` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE serverManager PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SERVER MANAGEMENT ON DBMS TO `serverManager`" -a|Rows: 1 -|=== - - -=== Grant privilege to show servers - -You can grant the privilege to show servers using the `SHOW SERVERS` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT SHOW SERVERS ON DBMS TO serverViewer; ----- - -As a result, the `serverViewer` role has privileges that only allow showing servers. 
-To list all privileges for the role `serverViewer` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE serverViewer PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SHOW SERVERS ON DBMS TO `serverViewer`" -a|Rows: 1 -|=== - -[[access-control-dbms-administration-privilege-management]] -== The DBMS `PRIVILEGE MANAGEMENT` privileges - -The DBMS privileges for privilege management can be granted, denied, or revoked like other privileges. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. -==== - -.Privilege management privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command | Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SHOW PRIVILEGE - ON DBMS - TO role[, ...] -| Enables the specified roles to list privileges. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] ASSIGN PRIVILEGE - ON DBMS - TO role[, ...] -| Enables the specified roles to assign privileges using the `GRANT` and `DENY` commands. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] REMOVE PRIVILEGE - ON DBMS - TO role[, ...] -| Enables the specified roles to remove privileges using the `REVOKE` command. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] PRIVILEGE MANAGEMENT - ON DBMS - TO role[, ...] -| Enables the specified roles to list, assign, and remove privileges. -|=== - -=== Grant privilege to list privileges - -You can grant the `SHOW PRIVILEGE` privilege to allow a user to list privileges using the `SHOW PRIVILEGE`, `SHOW ROLE roleName PRIVILEGES`, and `SHOW USER username PRIVILEGES` administration commands. -The `SHOW USER username PRIVILEGES` command also requires the `SHOW USER` privilege. 
- -For example: - -[source, cypher, role=noplay] ----- -GRANT SHOW PRIVILEGE ON DBMS TO privilegeViewer; ----- - -As a result, the `privilegeViewer` role has privileges that only allow showing privileges. -To list all privileges for the role `privilegeViewer` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE privilegeViewer PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SHOW PRIVILEGE ON DBMS TO `privilegeViewer`" -a|Rows: 1 -|=== - -[NOTE] -==== -No specific privileges are required for showing the current user's privileges through the `SHOW USER _username_ PRIVILEGES` or `SHOW USER PRIVILEGES` commands. - -If a non-native auth provider like LDAP is in use, `SHOW USER PRIVILEGES` will only work with a limited capacity by making it only possible for a user to show their own privileges. -Other users' privileges cannot be listed when using a non-native auth provider. -==== - -=== Grant privilege to assign privileges - -You can grant the privilege to assign privileges using the `ASSIGN PRIVILEGE` privilege. + -A user with this privilege is allowed to execute `GRANT` and `DENY` administration commands. + -For example: - -[source, cypher, role=noplay] ----- -GRANT ASSIGN PRIVILEGE ON DBMS TO privilegeAssigner; ----- - -As a result, the `privilegeAssigner` role has privileges that only allow assigning privileges. -To list all privileges for the role `privilegeAssigner` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE privilegeAssigner PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ASSIGN PRIVILEGE ON DBMS TO `privilegeAssigner`" -a|Rows: 1 -|=== - -=== Grant privilege to remove privileges - -You can grant the privilege to remove privileges from roles using the `REMOVE PRIVILEGE` privilege. 
+ -A user with this privilege is allowed to execute `REVOKE` administration commands. + -For example: - -[source, cypher, role=noplay] ----- -GRANT REMOVE PRIVILEGE ON DBMS TO privilegeRemover; ----- - -As a result, the `privilegeRemover` role has privileges that only allow removing privileges. -To list all privileges for the role `privilegeRemover` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE privilegeRemover PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT REMOVE PRIVILEGE ON DBMS TO `privilegeRemover`" -a|Rows: 1 -|=== - -=== Grant privilege to manage privileges - -You can grant the privilege to list, assign, and remove privileges using the `PRIVILEGE MANAGEMENT` privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT PRIVILEGE MANAGEMENT ON DBMS TO privilegeManager; ----- - -As a result, the `privilegeManager` role has all privileges to manage privileges. -To list all privileges for the role `privilegeManager` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE privilegeManager PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT PRIVILEGE MANAGEMENT ON DBMS TO `privilegeManager`" -a|Rows: 1 -|=== - - -[[access-control-dbms-administration-execute]] -== The DBMS `EXECUTE` privileges - -The DBMS privileges for procedure and user-defined function execution can be granted, denied, or revoked like other privileges. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. -==== - -.Execute privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command -| Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] EXECUTE PROCEDURE[S] name-globbing[, ...] - ON DBMS - TO role[, ...] 
-| Enables the specified roles to execute the given procedures. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] EXECUTE BOOSTED PROCEDURE[S] name-globbing[, ...] - ON DBMS - TO role[, ...] -| Enables the specified roles to use elevated privileges when executing the given procedures. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] EXECUTE ADMIN[ISTRATOR] PROCEDURES - ON DBMS - TO role[, ...] -| Enables the specified roles to execute procedures annotated with `@Admin`. The procedures are executed with elevated privileges. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] EXECUTE [USER [DEFINED]] FUNCTION[S] name-globbing[, ...] - ON DBMS - TO role[, ...] -| Enables the specified roles to execute the given user-defined functions. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] name-globbing[, ...] - ON DBMS - TO role[, ...] -| Enables the specified roles to use elevated privileges when executing the given user-defined functions. -|=== - -[[access-control-execute-procedure]] -=== Grant privilege to execute procedures - -You can grant the privilege to execute procedures using the `EXECUTE PROCEDURE` privilege. + -A role with this privilege is allowed to execute the procedures matched by the <>. - -==== Grant privilege to execute some procedures - -The following query allow the execution of procedures starting with `db.schema`: - -[source, cypher, role=noplay] ----- -GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO procedureExecutor; ----- - -Users with the role `procedureExecutor` can run any procedure in the `db.schema` namespace. -The procedures are executed using the user's own privileges. 
- -To list all privileges for the role `procedureExecutor` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE procedureExecutor PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO `procedureExecutor`" -a|Rows: 1 -|=== - -==== Grant privilege to execute all but some procedures - -You can grant the privilege to execute all except a few procedures using `EXECUTE PROCEDURES *` and deny the unwanted procedures. -For example, the following queries allow the execution of all procedures, except those starting with `dbms.cluster`: - -[source, cypher, role=noplay] ----- -GRANT EXECUTE PROCEDURE * ON DBMS TO deniedProcedureExecutor; ----- - -[source, cypher, role=noplay] ----- -DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO deniedProcedureExecutor; ----- - -Users with the role `deniedProcedureExecutor` can run any procedure except those starting with `dbms.cluster`. -The procedures are executed using the user's own privileges. - -To list all privileges for the role `deniedProcedureExecutor` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE deniedProcedureExecutor PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO `deniedProcedureExecutor`" -|"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedProcedureExecutor`" -a|Rows: 2 -|=== - - -The `dbms.cluster.checkConnectivity`, `dbms.cluster.cordonServer`, `dbms.cluster.protocols`, `dbms.cluster.readReplicaToggle`, `dbms.cluster.routing.getRoutingTable`, `dbms.cluster.secondaryReplicationDisable`, `dbms.cluster.setAutomaticallyEnableFreeServers`, and `dbms.cluster.uncordonServer` procedures are blocked, as well as any others starting with `dbms.cluster`. 
- - -[[access-control-execute-boosted-procedure]] -=== Grant privilege to execute procedures with elevated privileges - -You can grant the privilege to execute procedures with elevated privileges using the `EXECUTE BOOSTED PROCEDURE` privilege. + -A user with this privilege will not be restricted to their other privileges when executing the procedures matched by the <>. -The `EXECUTE BOOSTED PROCEDURE` privilege only affects the elevation, and not the execution of the procedure. -Therefore, it is needed to grant `EXECUTE PROCEDURE` privilege for the procedures as well. -Both `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` are needed to execute a procedure with elevated privileges. - -==== Grant privilege to execute some procedures with elevated privileges - -You can grant the privilege to execute some procedures with elevated privileges using `EXECUTE BOOSTED PROCEDURE *`. - -For example, the following query allow the execution of the procedures `db.labels` and `db.relationshipTypes` with elevated privileges, and all other procedures with the user's own privileges: - -[source, cypher, role=noplay] ----- -GRANT EXECUTE PROCEDURE * ON DBMS TO boostedProcedureExecutor; -GRANT EXECUTE BOOSTED PROCEDURE db.labels, db.relationshipTypes ON DBMS TO boostedProcedureExecutor ----- - -Users with the role `boostedProcedureExecutor` can thus run the `db.labels` and the `db.relationshipTypes` procedures with full privileges, seeing everything in the graph and not just the labels and types that the user has `TRAVERSE` privilege on. -Without the `EXECUTE PROCEDURE`, no procedures could be executed at all. 
- -To list all privileges for the role `boostedProcedureExecutor` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE boostedProcedureExecutor PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT EXECUTE PROCEDURE * ON DBMS TO `boostedProcedureExecutor`" -|"GRANT EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `boostedProcedureExecutor`" -|"GRANT EXECUTE BOOSTED PROCEDURE db.relationshipTypes ON DBMS TO `boostedProcedureExecutor`" -a|Rows: 3 -|=== - -[[grant-execute-procedure-deny-elevation]] -==== Combination of granting execution and denying privilege elevation - -As with grant, denying `EXECUTE BOOSTED PROCEDURE` on its own only affects the elevation and not the execution of the procedure. - -For example: - -[source, cypher, role=noplay] ----- -GRANT EXECUTE PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor1; -DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor1; ----- - -As a result, the `deniedBoostedProcedureExecutor1` role has privileges that allow the execution of all procedures using the user’s own privileges. -They also prevent the `db.labels` procedure from being elevated. -Still, the denied `EXECUTE BOOSTED PROCEDURE` does not block execution of `db.labels`. 
- -To list all privileges for role `deniedBoostedProcedureExecutor1` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE deniedBoostedProcedureExecutor1 PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor1`" -|"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor1`" -a|Rows: 2 -|=== - -[[grant-privilege-elevation-deny-execution]] -==== Combination of granting privilege elevation and denying execution - -You can also grant the privilege to execute procedures with elevated privileges and deny the execution of specific procedures. - -For example: - -[source, cypher, role=noplay] ----- -GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor2; ----- - -[source, cypher, role=noplay] ----- -DENY EXECUTE PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor2; ----- - -As a result, the `deniedBoostedProcedureExecutor2` role has privileges that allow elevating the privileges for all procedures, but cannot execute any due to missing or denied `EXECUTE PROCEDURE` privileges. - -To list all privileges for the role `deniedBoostedProcedureExecutor2` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE deniedBoostedProcedureExecutor2 PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"DENY EXECUTE PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor2`" -|"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor2`" -a|Rows: 2 -|=== - -[[grant-deny-privilege-elevation]] -==== Combination of granting and denying privilege elevation - -You can also grant the privilege to execute procedures with elevated privileges and deny the elevation for specific procedures. 
- -For example, the following queries allow has privileges that allow elevating the privileges for all procedures except `db.labels`. -However, no procedures can be executed due to a missing `EXECUTE PROCEDURE` privilege. - -[source, cypher, role=noplay] ----- -GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor3; ----- - -[source, cypher, role=noplay] ----- -DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor3; ----- - -As a result, the `deniedBoostedProcedureExecutor3` role has privileges that allow elevating the privileges for all procedures except `db.labels`. -However, no procedures can be executed due to missing `EXECUTE PROCEDURE` privilege. - -To list all privileges for the role `deniedBoostedProcedureExecutor3` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE deniedBoostedProcedureExecutor3 PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor3`" -|"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor3`" -a|Rows: 2 -|=== - -==== Control procedure output with privileges - -You can control the output of procedures based on the privileges granted or denied to a role using the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges. -For example, assume there is a procedure called `myProc`. - -This procedure gives the result `A` and `B` for a user with only the `EXECUTE PROCEDURE` privilege and `A`, `B` and `C` for a user with both the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges. - -Now, adapt the privileges from sections <> (example 1), <> (example 2), and <> (example 3) to be applied to this procedure and show what is returned. 
- -With the privileges from example 1, granted `EXECUTE PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A` and `B`. - -With the privileges from example 2, granted `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE PROCEDURE myProc`, execution of the `myProc` procedure is not allowed. - -With the privileges from example 3, granted `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, execution of the `myProc` procedure is not allowed. - -For comparison, when granted: - -* `EXECUTE PROCEDURE myProc`: the `myProc` procedure returns the result `A` and `B`. -* `EXECUTE BOOSTED PROCEDURE myProc`: execution of the `myProc` procedure is not allowed. -* `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE myProc`: the `myProc` procedure returns the result `A`, `B`, and `C`. - - -[[access-control-admin-procedure]] -=== Grant privilege to execute admin procedures - -Admin procedures (annotated with `@Admin`) are special in that they require elevated privileges to be executed at all. -This means that to execute an admin procedure you need both the <> and <> privileges for that procedure. - -For a user to be allowed to execute all admin procedures, they can either be granted the two privileges for each of the admin procedures (which would need to be updated each time a new admin procedure is added), all procedures (which would then affect all non-admin procedures as well) or the `EXECUTE ADMIN PROCEDURES` privilege. - -The `EXECUTE ADMIN PROCEDURES` privilege is equivalent to granting the <> and <> privileges on each of the admin procedures. -This also have the additional advantage that any newly added `admin` procedure is automatically included in this privilege. + -For example: - -[source, cypher, role=noplay] ----- -GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO adminProcedureExecutor; ----- - -Users with the role `adminProcedureExecutor` can run any `admin` procedure with elevated privileges. 
-As a result, the `adminProcedureExecutor` role has privileges that allow the execution of all admin procedures. -To list all privileges for the role `adminProcedureExecutor` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE adminProcedureExecutor PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO `adminProcedureExecutor`" -a|Rows: 1 -|=== - -In order to compare this with the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges, revisit the `myProc` procedure, but this time as an `admin` procedure, which will give the result `A`, `B` and `C` when allowed to execute. - -By starting with a user only granted the `EXECUTE PROCEDURE myProc` or the `EXECUTE BOOSTED PROCEDURE myProc` privilege, execution of the `myProc` procedure is not allowed. - -However, for a user granted the `EXECUTE ADMIN PROCEDURES` or both `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A`, `B` and `C`. - -Any denied `EXECUTE` privilege results in the procedure not being allowed to be executed. -In this case, it does not matter whether `EXECUTE PROCEDURE`, `EXECUTE BOOSTED PROCEDURE` or `EXECUTE ADMIN PROCEDURES` is being denied. - -[[access-control-execute-user-defined-function]] -=== Grant privilege to execute user-defined functions - -//EXECUTE [USER [DEFINED]] FUNCTION[S] -You can grant the privilege to execute user-defined functions (UDFs) using the `EXECUTE USER DEFINED FUNCTION` privilege. -A role with this privilege is allowed to execute the UDFs matched by the <>. - -[IMPORTANT] -==== -The `EXECUTE USER DEFINED FUNCTION` privilege does not apply to built-in functions, which are always executable. 
-==== - -==== Grant privilege to execute some user-defined functions - -The following query shows an example of how to grant the `EXECUTE USER DEFINED FUNCTION` privilege: - -[source,cypher,role=noplay] ----- -GRANT EXECUTE USER DEFINED FUNCTION apoc.coll.* ON DBMS TO functionExecutor; ----- - -Or in short form: - -[source,cypher,role=noplay] ----- -GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO functionExecutor; ----- - -Users with the role `functionExecutor` can thus run any UDF in the `apoc.coll` namespace. -The functions are executed using the user's own privileges. - -As a result, the `functionExecutor` role has privileges that only allow executing UDFs in the `apoc.coll` namespace. -To list all privileges for the role `functionExecutor` as commands, use the following query: - -[source,cypher,role=noplay] ----- -SHOW ROLE functionExecutor PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO `functionExecutor`" -a|Rows: 1 -|=== - -==== Grant privilege to execute all but some user-defined functions - -To allow the execution of all but a few UDFs, you can grant `+EXECUTE USER DEFINED FUNCTIONS *+` and deny the unwanted UDFs. 
-For example, the following queries allow the execution of all UDFs except those starting with `apoc.any.prop`: - -[source, cypher, role=noplay] ----- -GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO deniedFunctionExecutor; ----- - -[source, cypher, role=noplay] ----- -DENY EXECUTE USER DEFINED FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor; ----- - -Or in short form: - -[source, cypher, role=noplay] ----- -GRANT EXECUTE FUNCTIONS * ON DBMS TO deniedFunctionExecutor; ----- - -[source, cypher, role=noplay] ----- -DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor; ----- - -As a result, the `deniedFunctionExecutor` role has privileges that only allow the execution of all UDFs except those starting with `apoc.any.prop`. -The functions are executed using the user's own privileges. -To list all privileges for the role `deniedFunctionExecutor` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE deniedFunctionExecutor PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO `deniedFunctionExecutor`" -|"GRANT EXECUTE FUNCTION * ON DBMS TO `deniedFunctionExecutor`" -a|Rows: 2 -|=== - -The `apoc.any.property` and `apoc.any.properties` are blocked, as well as any other UDFs starting with `apoc.any.prop`. - -[[access-control-execute-boosted-user-defined-function]] -=== Grant privilege to execute user-defined functions with elevated privileges - -//EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] -You can grant the privilege to execute user-defined functions (UDFs) with elevated privileges using the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege. + -A user with this privilege will not be restricted to their other privileges when executing the UDFs matched by the <>. -The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege only affects the elevation and not the execution of the function. 
-Therefore, it is needed to grant `EXECUTE USER DEFINED FUNCTION` privilege for the UDFs as well. -Both `EXECUTE USER DEFINED FUNCTION` and `EXECUTE BOOSTED USER DEFINED FUNCTION` are needed to execute a function with elevated privileges. - -[IMPORTANT] -==== -The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege does not apply to built-in functions, as they have no concept of elevated privileges. -==== - -==== Grant privilege to execute some user-defined functions with elevated privileges - -The following query shows an example of how to grant the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege: - -[source,cypher,role=noplay] ----- -GRANT EXECUTE USER DEFINED FUNCTION * ON DBMS TO boostedFunctionExecutor; -GRANT EXECUTE BOOSTED USER DEFINED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor; ----- - -Or in short form: - -[source,cypher,role=noplay] ----- -GRANT EXECUTE FUNCTION * ON DBMS TO boostedFunctionExecutor; -GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor; ----- - -Users with the role `boostedFunctionExecutor` can thus run `apoc.any.properties` with full privileges and see every property on the node/relationship, not just the properties that the user has `READ` privilege on. -Without the `EXECUTE USER DEFINED FUNCTION`, you cannot execute any UDFs at all. - -As a result, the `boostedFunctionExecutor` role has privileges that allow executing the UDF `apoc.any.properties` with elevated privileges, and all other UDFs with the users' own privileges. 
-To list all privileges for the role `boostedFunctionExecutor` as commands, use the following query: - -[source,cypher,role=noplay] ----- -SHOW ROLE boostedFunctionExecutor PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer",width="100%",cols="m"] -|=== -|command -|"GRANT EXECUTE FUNCTION * ON DBMS TO `boostedFunctionExecutor`" -|"GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO `boostedFunctionExecutor`" -a|Rows: 2 -|=== - - -[[access-control-dbms-administration-setting]] -== The DBMS `SETTING` privileges - -You can grant the privilege to show configuration settings using the `SHOW SETTING` privilege. -A role with this privilege is allowed to list the configuration settings matched by the <>. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. -==== - -.Setting privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command -| Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SHOW SETTING[S] name-globbing[, ...] - ON DBMS - TO role[, ...] -| Enables the specified roles to list given configuration settings. -|=== - -=== Grant privilege to show all settings - -You can grant the privilege to show all settings using `SHOW SETTING \*` or all settings in a namespace using `SHOW SETTING namespace.*`. -The following query shows an example of how to grant `SHOW SETTING` privilege to view all settings in the `server.bolt` namespace: - -[source, cypher, role=noplay] ----- -GRANT SHOW SETTING server.bolt.* ON DBMS TO configurationViewer; ----- - -Users with the role `configurationViewer` can then view any setting in the `server.bolt` namespace. - -As a result, the `configurationViewer` role has privileges that only allow listing settings in the `server.bolt` namespace. 
-To list all privileges for the role `configurationViewer` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE configurationViewer PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SHOW SETTING server.bolt.* ON DBMS TO `configurationViewer`" -a|Rows: 1 -|=== - -=== Grant privilege to show all but some settings - -You can grant the privilege to show all but a few settings using `SHOW SETTINGS *` and deny the unwanted settings. + -For example, the following queries allow you to view all settings, except those starting with `dbms.security`: - -[source, cypher, role=noplay] ----- -GRANT SHOW SETTINGS * ON DBMS TO deniedConfigurationViewer; ----- - -[source, cypher, role=noplay] ----- -DENY SHOW SETTING dbms.security* ON DBMS TO deniedConfigurationViewer; ----- - -As a result, the `deniedConfigurationViewer` role has privileges that allow listing all settings except those starting with `dbms.security`. -To list all privileges for the role `deniedConfigurationViewer` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE deniedConfigurationViewer PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"DENY SHOW SETTING dbms.security* ON DBMS TO `deniedConfigurationViewer`" -|"GRANT SHOW SETTING * ON DBMS TO `deniedConfigurationViewer`" -a|Rows: 2 -|=== - -As the query result shows, viewing settings starting with `dbms.security` is blocked, but the rest can still be listed. - - -[[access-control-dbms-administration-all]] -== Granting `ALL DBMS PRIVILEGES` - -You can grant the `ALL DBMS PRIVILEGES` privilege to a role. + -The `ALL DBMS PRIVILEGES` privilege is equivalent to granting the following privileges: - -* Create, drop, assign, remove, and show roles. -* Create, alter, drop, show, and impersonate users. -* Create, alter, drop, and show databases and aliases. 
-* Enable, alter, rename, reallocate, deallocate, drop, and show servers. -* Show, assign, and remove privileges. -* Execute all procedures with elevated privileges. -* Execute all user-defined functions with elevated privileges. -* Show all configuration settings. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. -==== - -[source, syntax, role=noheader] ----- -GRANT [IMMUTABLE] ALL [[DBMS] PRIVILEGES] - ON DBMS - TO role[, ...] ----- - -For example, to grant the role `dbmsManager` all DBMS abilities, use the following query: - -[source, cypher, role=noplay] ----- -GRANT ALL DBMS PRIVILEGES ON DBMS TO dbmsManager; ----- - -To list all privileges for the role `dbmsManager` as commands, use the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS; ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ALL DBMS PRIVILEGES ON DBMS TO `dbmsManager`" -a|Rows: 1 -|=== - -[[access-control-name-globbing]] -== Name-globbing for procedures, user-defined functions, and settings - -The name-globbing for procedures, user-defined functions, and setting names is a simplified version of globbing for filename expansions. -It only allows two wildcard characters: `+*+` and `?`, which are used for multiple and single-character matches. -In this case, `+*+` means 0 or more characters, and `?` matches exactly one character. - -[NOTE] -==== -The name-globbing is subject to the link:{neo4j-docs-base-uri}/cypher-manual/current/syntax/naming/[Cypher Manual -> Naming rules and recommendations], with the exception that it may include dots, stars, and question marks without the need for escaping using backticks. - -Each part of the name-globbing separated by dots may be individually quoted. 
-For example, `++mine.`procedureWith%`++` is allowed, but not `++mine.procedure`With%`++`. -Also, note that wildcard characters behave as wildcards even when quoted. -For example, using `++`*`++` is equivalent to using `+*+`, and thus allows executing all functions or procedures and not only the procedure or function named `+*+`. -==== - -Given the following list of procedures: - -* `mine.public.exampleProcedure` -* `mine.public.exampleProcedure1` -* `mine.public.exampleProcedure2` -* `mine.public.with#Special§Characters` -* `mine.private.exampleProcedure` -* `mine.private.exampleProcedure1` -* `mine.private.exampleProcedure2` -* `mine.private.with#Special§Characters` -* `your.exampleProcedure` - -The following examples demonstrate how name-globbing patterns can be used in controlling access to procedures. -Note that the same rules apply to user-defined functions and settings. - -[source, cypher, role=noplay] ----- -GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1; ----- - -Users with the role `globbing1` can run all the procedures. - -[source, cypher, role=noplay] ----- -GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2; ----- - -Users with the role `globbing2` can run procedures `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but no other procedures. - -[source, cypher, role=noplay] ----- -GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3; ----- - -Users with the role `globbing3` can run procedures `mine.public.exampleProcedure1`, `mine.private.exampleProcedure1`, and `mine.private.exampleProcedure2`, but no other procedures. - -[source, cypher, role=noplay] ----- -GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4; ----- - -Users with the role `globbing4` can run procedures `your.exampleProcedure`, `mine.public.exampleProcedure`, and `mine.private.exampleProcedure`, but no other procedures. 
- -[source, cypher, role=noplay] ----- -GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5; ----- - -Users with the role `globbing5` can run procedures `mine.public.exampleProcedure`, `mine.public.exampleProcedure1` and `mine.public.exampleProcedure42`, but no other procedures. - -[source, cypher, role=noplay] ----- -GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6; ----- - -Users with the role `globbing6` can run procedures `mine.public.with#Special§Characters`, and `mine.private.with#Special§Characters`, but no other procedures. - -[NOTE] -==== -The name-globbing may be fully or partially quoted. -Both `+*+` and `+?+` are interpreted as wildcards in both cases. -==== - diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-admin-role.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-admin-role.adoc new file mode 100644 index 000000000..cb6abfd1d --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-admin-role.adoc 
@@ -0,0 +1,261 @@ +:description: Details the privileges associated with the administrator role for managing the DBMS. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated += Administrator role privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; +CREATE ROLE 
procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +You can manage DBMS privileges using either the built-in `admin` role or by creating a custom role with the specific privileges you need. + +== Using the built-in `admin` role to manage DBMS privileges + +The xref:authentication-authorization/built-in-roles.adoc#access-control-built-in-roles-admin[`admin` role] role is a built-in superuser role that has all privileges on the DBMS and can perform all administrative tasks. + +This includes the following tasks and their relevant privileges: + +* Create, delete, and modify xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[databases] and xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[aliases]. +* Change configuration parameters. +* xref:authentication-authorization/database-administration.adoc#access-control-database-administration-transaction[Manage transactions]. 
+* Manage xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[users] and xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[roles]. +* Manage xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[privilege management]. +* Manage xref:authentication-authorization/privileges-reads.adoc[read] and xref:authentication-authorization/privileges-writes.adoc[write] sub-graph privileges. +* Manage xref:authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc[impersonation privileges]. +* Manage xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[procedure security]. +* Manage xref:authentication-authorization/load-privileges.adoc[load data security]. + +To enable a user to perform these tasks, you can grant them the `admin` role, but it is also possible to make a custom role with a subset of these privileges. +All privileges are also assignable using Cypher commands. + + +[[access-control-dbms-administration-custom]] +== Using a custom role to manage DBMS privileges + +You can create a custom role to manage DBMS privileges by granting the privileges you want to the role. +Alternatively, you can copy the `admin` role and revoke or deny the unwanted privileges. +The following examples show how to create a custom role with a subset of the privileges that the `admin` role using both methods. + +=== Create a custom administrator role from scratch + +Create an administrator role that can only manage users and roles by creating a new role and granting the `USER MANAGEMENT` and `ROLE MANAGEMENT` privileges. + +. Create the new role: ++ +[source, cypher, role=noplay] +---- +CREATE ROLE userAndRoleAdministrator; +---- +. Grant the privilege to manage users: ++ +[source, cypher, role=noplay] +---- +GRANT USER MANAGEMENT ON DBMS TO userAndRoleAdministrator; +---- +. 
Grant the privilege to manage roles: ++ +[source, cypher, role=noplay] +---- +GRANT ROLE MANAGEMENT ON DBMS TO userAndRoleAdministrator; +---- ++ +As a result, the `userAndRoleAdministrator` role has privileges that only allow user and role management. +. To list all privileges for the role `userAndRoleAdministrator` as commands, use the following query: ++ +[source, cypher, role=noplay] +---- +SHOW ROLE userAndRoleAdministrator PRIVILEGES AS COMMANDS; +---- ++ +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ROLE MANAGEMENT ON DBMS TO `userAndRoleAdministrator`" +|"GRANT USER MANAGEMENT ON DBMS TO `userAndRoleAdministrator`" +a|Rows: 2 +|=== + +[NOTE] +==== +This role does not allow all DBMS capabilities. +For example, the role is missing privileges for managing, creating, and dropping databases, as well as executing `admin` procedures. +To create a more powerful administrator, you can grant a different set of privileges. +==== + +=== Create a more powerful custom administrator role from scratch + +You can also create a custom administrator role with limited capabilities. +This can be done by creating a new role and granting all `DBMS` privileges, then denying the ones you do not want the role to have, and then granting additional privileges you want to include. +For example, you can create a custom administrator role `customAdministrator` that has all DBMS privileges except for creating, dropping, and modifying databases, and also has the privilege for managing transactions. + +. Create a new role: ++ +[source, cypher, role=noplay] +---- +CREATE ROLE customAdministrator; +---- +. Grant the privilege for all DBMS capabilities: ++ +[source, cypher, role=noplay] +---- +GRANT ALL DBMS PRIVILEGES ON DBMS TO customAdministrator; +---- +. Explicitly deny the privilege to manage databases: ++ +[source, cypher, role=noplay] +---- +DENY DATABASE MANAGEMENT ON DBMS TO customAdministrator; +---- +. 
Grant the transaction management privilege: ++ +[source, cypher, role=noplay] +---- +GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO customAdministrator; +---- ++ +As a result, the `customAdministrator` role has privileges that include managing transactions and all DBMS privileges except creating, dropping, and modifying databases. +. To list all privileges for the role `customAdministrator` as commands, use the following query: ++ +[source, cypher, role=noplay] +---- +SHOW ROLE customAdministrator PRIVILEGES AS COMMANDS; +---- ++ +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY DATABASE MANAGEMENT ON DBMS TO `customAdministrator`" +|"GRANT ALL DBMS PRIVILEGES ON DBMS TO `customAdministrator`" +|"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `customAdministrator`" +a|Rows: 3 +|=== + +=== Create a custom administrator role by copying the `admin` role + +You can also create a custom administrator role by copying the `admin` role and then revoking or denying the privileges you do not want. +For example, you can create a new role called `newAdministrator` that has all the privileges of the `admin` role, and then revoke the ability to read/write/load data, manage constraints, indexes, name, and remove ability to access all databases, except the `system` database. + +. Create a new role by copying the `admin` role: ++ +[source, cypher, role=noplay] +---- +CREATE ROLE newAdministrator AS COPY OF admin; +---- + +. Revoke the ability to read/write/load data: ++ +[source, cypher, role=noplay] +---- +REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM newAdministrator; +REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM newAdministrator; +REVOKE GRANT WRITE ON GRAPH * FROM newAdministrator; +REVOKE GRANT LOAD ON ALL DATA FROM newAdministrator; +---- + +. 
Revoke the ability to manage index/constraint/name: ++ +[source, cypher, role=noplay] +---- +REVOKE GRANT CONSTRAINT MANAGEMENT ON DATABASE * FROM newAdministrator; +REVOKE GRANT INDEX MANAGEMENT ON DATABASE * FROM newAdministrator; +REVOKE GRANT NAME MANAGEMENT ON DATABASE * FROM newAdministrator; +REVOKE GRANT SHOW CONSTRAINT ON DATABASE * FROM newAdministrator; +REVOKE GRANT SHOW INDEX ON DATABASE * FROM newAdministrator; +---- + +. Revoke the ability to access all databases: ++ +[source, cypher, role=noplay] +---- +REVOKE GRANT ACCESS ON DATABASE * FROM newAdministrator; +---- +. Grant the ability to access the `system` database: ++ +[source, cypher, role=noplay] +---- +GRANT ACCESS ON DATABASE system TO newAdministrator; +---- + +. To list all privileges for the role `newAdministrator` as commands, use the following query: ++ +[source, cypher, role=noplay] +---- +SHOW ROLE newAdministrator PRIVILEGES AS COMMANDS; +---- ++ +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +| "GRANT ACCESS ON DATABASE `system` TO `newAdministrator`" +| "GRANT ALL DBMS PRIVILEGES ON DBMS TO `newAdministrator`" +| "GRANT START ON DATABASE * TO `newAdministrator`" +| "GRANT STOP ON DATABASE * TO `newAdministrator`" +| "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `newAdministrator`" +a|Rows: 5 +|=== + diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc new file mode 100644 index 000000000..7d507f3da --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc 
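Review bot: the opening sentence of "Create a more powerful custom administrator role from scratch" says the role has "limited capabilities", which contradicts both the heading and the procedure that follows (all DBMS privileges minus database management, plus transaction management); suggest "a custom administrator role with broader capabilities than the previous example". In the `newAdministrator` section, the sentence "revoke the ability to read/write/load data, manage constraints, indexes, name, and remove ability to access all databases, except the `system` database" is hard to parse; suggest splitting it into "revoke the ability to read, write and load data and to manage constraints, indexes and names, and then restrict database access to the `system` database only." Also, the closing `SHOW ROLE newAdministrator PRIVILEGES AS COMMANDS` result still lists `GRANT ALL DBMS PRIVILEGES ON DBMS`, `START`, `STOP` and `TRANSACTION MANAGEMENT (*)`; a sentence pointing out that the copied role keeps these, and so remains a full DBMS administrator, would help readers judge how much power the role retains after the revokes.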
@@ -0,0 +1,246 @@ +:description: Details the DBMS privileges for alias management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-alias-management-privileges]] += The DBMS `ALIAS MANAGEMENT` privileges +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; 
+CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for alias management can be granted, denied, or revoked like other privileges. +This applies to both local and remote aliases. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Alias management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] CREATE ALIAS +ON DBMS +TO role[, ...] +| Enables the specified roles to create new aliases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DROP ALIAS +ON DBMS +TO role[, ...] +| Enables the specified roles to delete aliases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ALTER ALIAS +ON DBMS +TO role[, ...] +| Enables the specified roles to modify aliases. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW ALIAS +ON DBMS +TO role[, ...] +| Enables the specified roles to list aliases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ALIAS MANAGEMENT +ON DBMS +TO role[, ...] +| Enables the specified roles to list, create, delete, and modify aliases. + +|=== + +== Grant privilege to create aliases + +You can grant the privilege to create aliases using the `CREATE ALIAS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT CREATE ALIAS ON DBMS TO aliasAdder; +---- + +As a result, the `aliasAdder` role has privileges that only allow creating aliases. +To list all privileges for the role `aliasAdder` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE aliasAdder PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT CREATE ALIAS ON DBMS TO `aliasAdder`" +a|Rows: 1 +|=== + +== Grant privilege to delete aliases + +You can grant the privilege to delete aliases using the `DROP ALIAS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT DROP ALIAS ON DBMS TO aliasDropper; +---- + +As a result, the `aliasDropper` role has privileges that only allow deleting aliases. +See all privileges for the role `aliasDropper` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE aliasDropper PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DROP ALIAS ON DBMS TO `aliasDropper`" +a|Rows: 1 +|=== + +== Grant privilege to modify aliases + +You can grant the privilege to modify aliases using the `ALTER ALIAS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ALTER ALIAS ON DBMS TO aliasModifier; +---- + +As a result, the `aliasModifier` role has privileges that only allow modifying aliases. 
+To list all privileges for the role `aliasModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE aliasModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALTER ALIAS ON DBMS TO `aliasModifier`" +a|Rows: 1 +|=== + + +== Grant privilege to list aliases + +You can grant the privilege to list aliases using the `SHOW ALIAS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SHOW ALIAS ON DBMS TO aliasViewer; +---- + +As a result, the `aliasViewer` role has privileges that only allow modifying aliases. +To list all privileges for the role `aliasViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE aliasViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW ALIAS ON DBMS TO `aliasViewer`" +a|Rows: 1 +|=== + +== Grant privilege to manage aliases + +You can grant the privilege to create, delete, modify, and list aliases using the `ALIAS MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ALIAS MANAGEMENT ON DBMS TO aliasManager; +---- + +As a result, the `aliasManager` role has all privileges to manage aliases. +To list all privileges for the role `aliasManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE aliasManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALIAS MANAGEMENT ON DBMS TO `aliasManager`" +a|Rows: 1 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc new file mode 100644 index 000000000..0738abbbb --- /dev/null 
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc 
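Review bot: in "Grant privilege to list aliases" the result sentence reads "the `aliasViewer` role has privileges that only allow modifying aliases"; it should say "listing aliases", matching the `SHOW ALIAS` grant directly above it. In "Grant privilege to delete aliases", "See all privileges for the role `aliasDropper` as commands, use the following query:" should follow the wording used in every other section: "To list all privileges for the role `aliasDropper` as commands, use the following query:". The hidden `test-setup` block creates a user and some sixty roles, nearly all unrelated to aliases (`roleAdder`, `globbing1`, `serverViewer`, and so on); since the same block is copied verbatim into each new page in this change, consider trimming it to the five `alias*` roles this page uses, or moving the shared setup into an include. The file also lacks a trailing newline ("\ No newline at end of file").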
@@ -0,0 +1,443 @@ +:description: Details the DBMS privileges for database management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-database-management-privileges]] += The DBMS `DATABASE MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT 
EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for database management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Database management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] CREATE DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to create new standard databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DROP DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to delete standard databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ALTER DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to modify standard databases. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET DATABASE ACCESS + ON DBMS + TO role[, ...] +| Enables the specified roles to modify access to standard databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET DATABASE DEFAULT LANGUAGE + ON DBMS + TO role[, ...] +| Enables the specified roles to set the default query language on a standard database. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] CREATE COMPOSITE DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to create new composite databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DROP COMPOSITE DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to delete composite databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ALTER COMPOSITE DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to modify composite databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] COMPOSITE DATABASE MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to create, delete or modify composite databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DATABASE MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to create, delete, and modify databases. + +|=== + +[NOTE] +==== +From Cypher 25 (Neo4j server 2025.08), the `ALTER DATABASE`, `SET DATABASE ACCESS`, `SET DATABASE DEFAULT LANGUAGE`, and `ALTER COMPOSITE DATABASE` privileges can be granted both as database privileges and as DBMS privileges. +The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. +For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. +==== + +== Grant privilege to create standard databases + +You can grant the privilege to create standard databases using the `CREATE DATABASE` privilege. 
+ +For example: + +[source, cypher, role=noplay] +---- +GRANT CREATE DATABASE ON DBMS TO databaseAdder +---- + +As a result, the `databaseAdder` role has privileges that only allow creating standard databases. +To list all privileges for the role `databaseAdder` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE databaseAdder PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT CREATE DATABASE ON DBMS TO `databaseAdder`" +a|Rows: 1 +|=== + +== Grant privilege to create composite databases + +You can grant the privilege to create composite databases using the `CREATE COMPOSITE DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT CREATE COMPOSITE DATABASE ON DBMS TO compositeDatabaseAdder +---- + +As a result, the `compositeDatabaseAdder` role has privileges that only allow creating composite databases. +To list all privileges for the role `compositeDatabaseAdder` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE compositeDatabaseAdder PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT CREATE COMPOSITE DATABASE ON DBMS TO `compositeDatabaseAdder`" +a|Rows: 1 +|=== + +== Grant privilege to delete standard databases + +You can grant the privilege to delete standard databases using the `DROP DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT DROP DATABASE ON DBMS TO databaseDropper +---- + +As a result, the `databaseDropper` role has privileges that only allow deleting standard databases. 
+To list all privileges for the role `databaseDropper` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE databaseDropper PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DROP DATABASE ON DBMS TO `databaseDropper`" +a|Rows: 1 +|=== + +== Grant privilege to delete composite databases + +You can grant the privilege to delete composite databases using the `DROP COMPOSITE DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT DROP COMPOSITE DATABASE ON DBMS TO compositeDatabaseDropper +---- + +As a result, the `compositeDatabaseDropper` role has privileges that only allow deleting composite databases. +To list all privileges for the role `compositeDatabaseDropper` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE compositeDatabaseDropper PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DROP COMPOSITE DATABASE ON DBMS TO `compositeDatabaseDropper`" +a|Rows: 1 +|=== + +== Grant privilege to modify standard databases + +You can grant the privilege to modify standard databases using the `ALTER DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ALTER DATABASE ON DBMS TO databaseModifier; +---- + +As a result, the `databaseModifier` role has privileges that only allow modifying standard databases. +To list all privileges for the role `databaseModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE databaseModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALTER DATABASE ON DBMS TO `databaseModifier`" +a|Rows: 1 +|=== + +[NOTE] +==== +From Cypher 25 (Neo4j server 2025.08), the `ALTER DATABASE` privileges can be granted both as database privileges and as DBMS privileges. 
+The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. +For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. +==== + +== Grant privilege to modify access to standard databases + +You can grant the privilege to modify access to standard databases using the `SET DATABASE ACCESS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SET DATABASE ACCESS ON DBMS TO accessModifier +---- + +As a result, the `accessModifier` role has privileges that only allow modifying access to standard databases. +To list all privileges for the role `accessModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE accessModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SET DATABASE ACCESS ON DBMS TO `accessModifier`" +a|Rows: 1 +|=== + +[NOTE] +==== +From Cypher 25 (Neo4j server 2025.08), the `SET DATABASE ACCESS` privileges can be granted both as database privileges and as DBMS privileges. +The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. +For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. +==== + +[role=label--new-2025.06] +== Grant privilege to modify the default language of standard databases + +You can grant the privilege to modify the default language of standard databases using the `SET DATABASE DEFAULT LANGUAGE` privilege. 
+ +For example: + +[source, cypher, role=noplay] +---- +GRANT SET DATABASE DEFAULT LANGUAGE ON DBMS TO languageModifier +---- + +As a result, the `languageModifier` role has privileges that only allow modifying default language to standard databases. +To list all privileges for the role `languageModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE languageModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SET DATABASE DEFAULT LANGUAGE ON DBMS TO `languageModifier`" +a|Rows: 1 +|=== + +[NOTE] +==== +From Cypher 25 (Neo4j server 2025.08), the `SET DATABASE DEFAULT LANGUAGE` privileges can be granted both as database privileges and as DBMS privileges. +The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. +For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. +==== + +[role=label--new-2025.06] +[[grant-privilege-alter-composite-database]] +== Grant privilege to modify composite databases + +You can grant the privilege to modify composite databases using the `ALTER COMPOSITE DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ALTER COMPOSITE DATABASE ON DBMS TO compositeDatabaseModifier; +---- + +As a result, the `compositeDatabaseModifier` role has privileges that only allow modifying composite databases. 
+To list all privileges for the role `compositeDatabaseModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE compositeDatabaseModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALTER COMPOSITE DATABASE ON DBMS TO `compositeDatabaseModifier`" +a|Rows: 1 +|=== + +[NOTE] +==== +From Cypher 25 (Neo4j server 2025.08), the `ALTER COMPOSITE DATABASE` privileges can be granted both as database privileges and as DBMS privileges. +The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. +For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. +==== + +== Grant privilege to manage composite databases + +You can grant the privilege to create, delete, and modify composite databases using the `COMPOSITE DATABASE MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO compositeDatabaseManager; +---- + +As a result, the `compositeDatabaseManager` role has all privileges to manage composite databases. +To list all privileges for the role `compositeDatabaseManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE compositeDatabaseManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO `compositeDatabaseManager`" +a|Rows: 1 +|=== + +== Grant privilege to manage standard and composite databases + +You can grant the privilege to create, delete, and modify standard and composite databases using the `DATABASE MANAGEMENT` privilege. 
+ +For example: + +[source, cypher, role=noplay] +---- +GRANT DATABASE MANAGEMENT ON DBMS TO databaseManager; +---- + +As a result, the `databaseManager` role has all privileges to manage standard and composite databases. +To list all privileges for the role `databaseManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE databaseManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DATABASE MANAGEMENT ON DBMS TO `databaseManager`" +a|Rows: 1 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-execute-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-execute-privileges.adoc new file mode 100644 index 000000000..b4df65379 --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-execute-privileges.adoc 
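Review bot: the grant examples are inconsistent about the terminating semicolon: `GRANT CREATE DATABASE ON DBMS TO databaseAdder`, `GRANT CREATE COMPOSITE DATABASE ...`, `GRANT DROP DATABASE ...`, `GRANT DROP COMPOSITE DATABASE ...`, `GRANT SET DATABASE ACCESS ...` and `GRANT SET DATABASE DEFAULT LANGUAGE ...` have none, while the `ALTER DATABASE`, `ALTER COMPOSITE DATABASE`, `COMPOSITE DATABASE MANAGEMENT` and `DATABASE MANAGEMENT` examples end with `;`; pick one form for the whole page. The `languageModifier` sentence "only allow modifying default language to standard databases" should read "only allow modifying the default language of standard databases". The Cypher 25 NOTE (privilege grantable as a database or DBMS privilege, the DBMS form being equivalent to `DATABASE *`) appears five times with only the privilege name changed; the copy after the syntax table already names all four privileges, so the four per-section repeats could be dropped or reduced to a one-line xref. The remarks on the alias page about the oversized `test-setup` block and the missing trailing newline apply here as well.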
@@ -0,0 +1,544 @@ +:description: Details the DBMS privileges for procedure and user-defined function execution. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-execute-privileges]] += The DBMS `EXECUTE` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF 
NOT EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for procedure and user-defined function execution can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Execute privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command +| Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] EXECUTE PROCEDURE[S] name-globbing[, ...] + ON DBMS + TO role[, ...] +| Enables the specified roles to execute the given procedures. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] EXECUTE BOOSTED PROCEDURE[S] name-globbing[, ...] + ON DBMS + TO role[, ...] +| Enables the specified roles to use elevated privileges when executing the given procedures. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] EXECUTE ADMIN[ISTRATOR] PROCEDURES + ON DBMS + TO role[, ...] +| Enables the specified roles to execute procedures annotated with `@Admin`. The procedures are executed with elevated privileges. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] EXECUTE [USER [DEFINED]] FUNCTION[S] name-globbing[, ...] + ON DBMS + TO role[, ...] +| Enables the specified roles to execute the given user-defined functions. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] name-globbing[, ...] + ON DBMS + TO role[, ...] +| Enables the specified roles to use elevated privileges when executing the given user-defined functions. +|=== + +[[access-control-execute-procedure]] +== Grant privilege to execute procedures + +You can grant the privilege to execute procedures using the `EXECUTE PROCEDURE` privilege. + +A role with this privilege is allowed to execute the procedures matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing]. + +=== Grant privilege to execute some procedures + +The following query allow the execution of procedures starting with `db.schema`: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO procedureExecutor; +---- + +Users with the role `procedureExecutor` can run any procedure in the `db.schema` namespace. +The procedures are executed using the user's own privileges. 
+ +To list all privileges for the role `procedureExecutor` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE procedureExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO `procedureExecutor`" +a|Rows: 1 +|=== + +=== Grant privilege to execute all but some procedures + +You can grant the privilege to execute all except a few procedures using `EXECUTE PROCEDURES *` and deny the unwanted procedures. +For example, the following queries allow the execution of all procedures, except those starting with `dbms.cluster`: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE * ON DBMS TO deniedProcedureExecutor; +---- + +[source, cypher, role=noplay] +---- +DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO deniedProcedureExecutor; +---- + +Users with the role `deniedProcedureExecutor` can run any procedure except those starting with `dbms.cluster`. +The procedures are executed using the user's own privileges. + +To list all privileges for the role `deniedProcedureExecutor` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedProcedureExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO `deniedProcedureExecutor`" +|"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedProcedureExecutor`" +a|Rows: 2 +|=== + + +The `dbms.cluster.checkConnectivity`, `dbms.cluster.cordonServer`, `dbms.cluster.protocols`, `dbms.cluster.readReplicaToggle`, `dbms.cluster.routing.getRoutingTable`, `dbms.cluster.secondaryReplicationDisable`, `dbms.cluster.setAutomaticallyEnableFreeServers`, and `dbms.cluster.uncordonServer` procedures are blocked, as well as any others starting with `dbms.cluster`. 
+ + +[[access-control-execute-boosted-procedure]] +== Grant privilege to execute procedures with elevated privileges + +You can grant the privilege to execute procedures with elevated privileges using the `EXECUTE BOOSTED PROCEDURE` privilege. + +A user with this privilege will not be restricted to their other privileges when executing the procedures matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing]. +The `EXECUTE BOOSTED PROCEDURE` privilege only affects the elevation, and not the execution of the procedure. +Therefore, it is needed to grant `EXECUTE PROCEDURE` privilege for the procedures as well. +Both `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` are needed to execute a procedure with elevated privileges. + +=== Grant privilege to execute some procedures with elevated privileges + +You can grant the privilege to execute some procedures with elevated privileges using `EXECUTE BOOSTED PROCEDURE *`. + +For example, the following query allow the execution of the procedures `db.labels` and `db.relationshipTypes` with elevated privileges, and all other procedures with the user's own privileges: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE * ON DBMS TO boostedProcedureExecutor; +GRANT EXECUTE BOOSTED PROCEDURE db.labels, db.relationshipTypes ON DBMS TO boostedProcedureExecutor +---- + +Users with the role `boostedProcedureExecutor` can thus run the `db.labels` and the `db.relationshipTypes` procedures with full privileges, seeing everything in the graph and not just the labels and types that the user has `TRAVERSE` privilege on. +Without the `EXECUTE PROCEDURE`, no procedures could be executed at all. 
+ +To list all privileges for the role `boostedProcedureExecutor` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE boostedProcedureExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT EXECUTE PROCEDURE * ON DBMS TO `boostedProcedureExecutor`" +|"GRANT EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `boostedProcedureExecutor`" +|"GRANT EXECUTE BOOSTED PROCEDURE db.relationshipTypes ON DBMS TO `boostedProcedureExecutor`" +a|Rows: 3 +|=== + +[[grant-execute-procedure-deny-elevation]] +=== Combination of granting execution and denying privilege elevation + +As with grant, denying `EXECUTE BOOSTED PROCEDURE` on its own only affects the elevation and not the execution of the procedure. + +For example: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor1; +DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor1; +---- + +As a result, the `deniedBoostedProcedureExecutor1` role has privileges that allow the execution of all procedures using the user’s own privileges. +They also prevent the `db.labels` procedure from being elevated. +Still, the denied `EXECUTE BOOSTED PROCEDURE` does not block execution of `db.labels`. 
+ +To list all privileges for role `deniedBoostedProcedureExecutor1` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedBoostedProcedureExecutor1 PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor1`" +|"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor1`" +a|Rows: 2 +|=== + +[[grant-privilege-elevation-deny-execution]] +=== Combination of granting privilege elevation and denying execution + +You can also grant the privilege to execute procedures with elevated privileges and deny the execution of specific procedures. + +For example: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor2; +---- + +[source, cypher, role=noplay] +---- +DENY EXECUTE PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor2; +---- + +As a result, the `deniedBoostedProcedureExecutor2` role has privileges that allow elevating the privileges for all procedures, but cannot execute any due to missing or denied `EXECUTE PROCEDURE` privileges. + +To list all privileges for the role `deniedBoostedProcedureExecutor2` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedBoostedProcedureExecutor2 PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY EXECUTE PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor2`" +|"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor2`" +a|Rows: 2 +|=== + +[[grant-deny-privilege-elevation]] +=== Combination of granting and denying privilege elevation + +You can also grant the privilege to execute procedures with elevated privileges and deny the elevation for specific procedures. 
+ +For example, the following queries allow has privileges that allow elevating the privileges for all procedures except `db.labels`. +However, no procedures can be executed due to a missing `EXECUTE PROCEDURE` privilege. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor3; +---- + +[source, cypher, role=noplay] +---- +DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor3; +---- + +As a result, the `deniedBoostedProcedureExecutor3` role has privileges that allow elevating the privileges for all procedures except `db.labels`. +However, no procedures can be executed due to missing `EXECUTE PROCEDURE` privilege. + +To list all privileges for the role `deniedBoostedProcedureExecutor3` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedBoostedProcedureExecutor3 PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor3`" +|"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor3`" +a|Rows: 2 +|=== + +=== Control procedure output with privileges + +You can control the output of procedures based on the privileges granted or denied to a role using the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges. +For example, assume there is a procedure called `myProc`. + +This procedure gives the result `A` and `B` for a user with only the `EXECUTE PROCEDURE` privilege and `A`, `B` and `C` for a user with both the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges. + +Now, adapt the privileges from sections <> (example 1), <> (example 2), and <> (example 3) to be applied to this procedure and show what is returned. 
+ +With the privileges from example 1, granted `EXECUTE PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A` and `B`. + +With the privileges from example 2, granted `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE PROCEDURE myProc`, execution of the `myProc` procedure is not allowed. + +With the privileges from example 3, granted `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, execution of the `myProc` procedure is not allowed. + +For comparison, when granted: + +* `EXECUTE PROCEDURE myProc`: the `myProc` procedure returns the result `A` and `B`. +* `EXECUTE BOOSTED PROCEDURE myProc`: execution of the `myProc` procedure is not allowed. +* `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE myProc`: the `myProc` procedure returns the result `A`, `B`, and `C`. + + +[[access-control-admin-procedure]] +== Grant privilege to execute admin procedures + +Admin procedures (annotated with `@Admin`) are special in that they require elevated privileges to be executed at all. +This means that to execute an admin procedure you need both the <> and <> privileges for that procedure. + +For a user to be allowed to execute all admin procedures, they can either be granted the two privileges for each of the admin procedures (which would need to be updated each time a new admin procedure is added), all procedures (which would then affect all non-admin procedures as well) or the `EXECUTE ADMIN PROCEDURES` privilege. + +The `EXECUTE ADMIN PROCEDURES` privilege is equivalent to granting the <> and <> privileges on each of the admin procedures. +This also have the additional advantage that any newly added `admin` procedure is automatically included in this privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO adminProcedureExecutor; +---- + +Users with the role `adminProcedureExecutor` can run any `admin` procedure with elevated privileges. 
+As a result, the `adminProcedureExecutor` role has privileges that allow the execution of all admin procedures. +To list all privileges for the role `adminProcedureExecutor` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE adminProcedureExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO `adminProcedureExecutor`" +a|Rows: 1 +|=== + +In order to compare this with the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges, revisit the `myProc` procedure, but this time as an `admin` procedure, which will give the result `A`, `B` and `C` when allowed to execute. + +By starting with a user only granted the `EXECUTE PROCEDURE myProc` or the `EXECUTE BOOSTED PROCEDURE myProc` privilege, execution of the `myProc` procedure is not allowed. + +However, for a user granted the `EXECUTE ADMIN PROCEDURES` or both `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A`, `B` and `C`. + +Any denied `EXECUTE` privilege results in the procedure not being allowed to be executed. +In this case, it does not matter whether `EXECUTE PROCEDURE`, `EXECUTE BOOSTED PROCEDURE` or `EXECUTE ADMIN PROCEDURES` is being denied. + +[[access-control-execute-user-defined-function]] +== Grant privilege to execute user-defined functions + +//EXECUTE [USER [DEFINED]] FUNCTION[S] +You can grant the privilege to execute user-defined functions (UDFs) using the `EXECUTE USER DEFINED FUNCTION` privilege. +A role with this privilege is allowed to execute the UDFs matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing]. + +[IMPORTANT] +==== +The `EXECUTE USER DEFINED FUNCTION` privilege does not apply to built-in functions, which are always executable. 
+==== + +=== Grant privilege to execute some user-defined functions + +The following query shows an example of how to grant the `EXECUTE USER DEFINED FUNCTION` privilege: + +[source,cypher,role=noplay] +---- +GRANT EXECUTE USER DEFINED FUNCTION apoc.coll.* ON DBMS TO functionExecutor; +---- + +Or in short form: + +[source,cypher,role=noplay] +---- +GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO functionExecutor; +---- + +Users with the role `functionExecutor` can thus run any UDF in the `apoc.coll` namespace. +The functions are executed using the user's own privileges. + +As a result, the `functionExecutor` role has privileges that only allow executing UDFs in the `apoc.coll` namespace. +To list all privileges for the role `functionExecutor` as commands, use the following query: + +[source,cypher,role=noplay] +---- +SHOW ROLE functionExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO `functionExecutor`" +a|Rows: 1 +|=== + +=== Grant privilege to execute all but some user-defined functions + +To allow the execution of all but a few UDFs, you can grant `+EXECUTE USER DEFINED FUNCTIONS *+` and deny the unwanted UDFs. 
+For example, the following queries allow the execution of all UDFs except those starting with `apoc.any.prop`: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO deniedFunctionExecutor; +---- + +[source, cypher, role=noplay] +---- +DENY EXECUTE USER DEFINED FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor; +---- + +Or in short form: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE FUNCTIONS * ON DBMS TO deniedFunctionExecutor; +---- + +[source, cypher, role=noplay] +---- +DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor; +---- + +As a result, the `deniedFunctionExecutor` role has privileges that only allow the execution of all UDFs except those starting with `apoc.any.prop`. +The functions are executed using the user's own privileges. +To list all privileges for the role `deniedFunctionExecutor` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedFunctionExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO `deniedFunctionExecutor`" +|"GRANT EXECUTE FUNCTION * ON DBMS TO `deniedFunctionExecutor`" +a|Rows: 2 +|=== + +The `apoc.any.property` and `apoc.any.properties` are blocked, as well as any other UDFs starting with `apoc.any.prop`. + +[[access-control-execute-boosted-user-defined-function]] +== Grant privilege to execute user-defined functions with elevated privileges + +//EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] +You can grant the privilege to execute user-defined functions (UDFs) with elevated privileges using the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege. + +A user with this privilege will not be restricted to their other privileges when executing the UDFs matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing]. 
+The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege only affects the elevation and not the execution of the function. +Therefore, it is needed to grant `EXECUTE USER DEFINED FUNCTION` privilege for the UDFs as well. +Both `EXECUTE USER DEFINED FUNCTION` and `EXECUTE BOOSTED USER DEFINED FUNCTION` are needed to execute a function with elevated privileges. + +[IMPORTANT] +==== +The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege does not apply to built-in functions, as they have no concept of elevated privileges. +==== + +=== Grant privilege to execute some user-defined functions with elevated privileges + +The following query shows an example of how to grant the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege: + +[source,cypher,role=noplay] +---- +GRANT EXECUTE USER DEFINED FUNCTION * ON DBMS TO boostedFunctionExecutor; +GRANT EXECUTE BOOSTED USER DEFINED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor; +---- + +Or in short form: + +[source,cypher,role=noplay] +---- +GRANT EXECUTE FUNCTION * ON DBMS TO boostedFunctionExecutor; +GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor; +---- + +Users with the role `boostedFunctionExecutor` can thus run `apoc.any.properties` with full privileges and see every property on the node/relationship, not just the properties that the user has `READ` privilege on. +Without the `EXECUTE USER DEFINED FUNCTION`, you cannot execute any UDFs at all. + +As a result, the `boostedFunctionExecutor` role has privileges that allow executing the UDF `apoc.any.properties` with elevated privileges, and all other UDFs with the users' own privileges. 
+To list all privileges for the role `boostedFunctionExecutor` as commands, use the following query: + +[source,cypher,role=noplay] +---- +SHOW ROLE boostedFunctionExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer",width="100%",cols="m"] +|=== +|command +|"GRANT EXECUTE FUNCTION * ON DBMS TO `boostedFunctionExecutor`" +|"GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO `boostedFunctionExecutor`" +a|Rows: 2 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc new file mode 100644 index 000000000..4b2922e85 --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc 
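Review bot: the in-page cross-references in the new dbms-execute-privileges.adoc page appear as bare `<>`. In the "Control procedure output with privileges" section the sentence `Now, adapt the privileges from sections <> (example 1), <> (example 2), and <> (example 3)` has three of them, and the admin-procedure section has two more (`you need both the <> and <> privileges`, `equivalent to granting the <> and <> privileges`); if these are meant to be `<<anchor>>` xrefs, the targets are the anchors defined on this very page (`grant-execute-procedure-deny-elevation`, `grant-privilege-elevation-deny-execution`, `grant-deny-privilege-elevation` for the three examples; `access-control-execute-procedure` and `access-control-execute-boosted-procedure` for the admin pairs), so please fill them in and confirm they render. Second, the "Combination of granting and denying privilege elevation" section states its conclusion twice: `However, no procedures can be executed due to a missing `EXECUTE PROCEDURE` privilege.` appears both before the two code blocks and again after them, and the opening sentence `For example, the following queries allow has privileges that allow elevating` is garbled; keep one copy after the result and reword the lead sentence. Minor grammar: `The following query allow the execution` (twice) and `This also have the additional advantage`, and the boosted example's second statement `GRANT EXECUTE BOOSTED PROCEDURE db.labels, db.relationshipTypes ON DBMS TO boostedProcedureExecutor` lacks the trailing `;` that every other statement on the page has.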
@@ -0,0 +1,167 @@ +:description: Details the DBMS privileges for impersonation. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-impersonate-privileges]] += The DBMS `IMPERSONATE` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; +CREATE ROLE 
procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for impersonation can be granted, denied, or revoked like other privileges. + +Impersonation is the ability of a user to assume another user's roles (and therefore privileges), with the restriction of not being able to execute updating `admin` commands as the impersonated user (i.e. they would still be able to use `SHOW` commands). + +You can use the `IMPERSONATE` privilege to allow a user to impersonate another user. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Impersonation privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] IMPERSONATE [(*)] + ON DBMS + TO role[, ...] +| Enables the specified roles to impersonate any user. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] IMPERSONATE (user[, ...]) + ON DBMS + TO role[, ...] +| Enables the specified roles to impersonate the specified users. + +|=== + +== Grant privilege to impersonate all users + +You can grant the privilege to impersonate all users using the `IMPERSONATE (*)` privilege. + +For example: + +.Query +[source, cypher, role=noplay] +---- +GRANT IMPERSONATE (*) ON DBMS TO allUserImpersonator +---- + +As a result, the `allUserImpersonator` role has privileges that allow impersonating all users. +To list all privileges for the role `allUserImpersonator` as commands, use the following query: + +.Query +[source, cypher, role=noplay] +---- +SHOW ROLE allUserImpersonator PRIVILEGES AS COMMANDS; +---- +.Result +[options="header,footer", width="100%", cols="m"] +|=== +| command +| "GRANT IMPERSONATE (*) ON DBMS TO `allUserImpersonator`" +a|Rows: 1 +|=== + +== Grant privilege to impersonate specific users + +You can also grant the privilege to impersonate specific users or a subset of users. + +For example: + +.Query +[source, cypher, role=noplay] +---- +GRANT IMPERSONATE (alice, bob) ON DBMS TO userImpersonator; +---- + +As a result, the `userImpersonator` role has privileges that allow impersonating only `alice` and `bob`. +Then, you deny the privilege to impersonate `alice`: + +.Query +[source, cypher, role=noplay] +---- +DENY IMPERSONATE (alice) ON DBMS TO userImpersonator; +---- + +As a result, the `userImpersonator` user would be able to impersonate only `bob`. 
+ +To list all privileges for the role `userImpersonator` as commands, use the following query: + +.Query +[source, cypher, role=noplay] +---- +SHOW ROLE userImpersonator PRIVILEGES AS COMMANDS; +---- +.Result +[options="header,footer", width="100%", cols="m"] +|=== +| command +| "DENY IMPERSONATE (alice) ON DBMS TO `userImpersonator`" +| "GRANT IMPERSONATE (alice) ON DBMS TO `userImpersonator`" +| "GRANT IMPERSONATE (bob) ON DBMS TO `userImpersonator`" +a|Rows: 3 +|=== diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc new file mode 100644 index 000000000..d0f12109e --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc 
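Review bot: in the new dbms-impersonate-privileges.adoc page the hidden test-setup block creates the user `jake` and several dozen roles copied from the other DBMS pages, but the examples on this page grant `IMPERSONATE (alice, bob)`, and neither `alice` nor `bob` is created anywhere in the setup; if the setup is meant to make the examples runnable, add `CREATE USER` statements for those two (same form as the existing `jake` line) and trim the role list to `userImpersonator` and `allUserImpersonator`. The closing sentence `As a result, the `userImpersonator` user would be able to impersonate only `bob`.` should say role, matching the `As a result, the `userImpersonator` role has privileges ...` sentence a few lines above it, since it is the role that carries the grant and the deny. Style: `GRANT IMPERSONATE (*) ON DBMS TO allUserImpersonator` is the only statement on the page without a trailing `;`, and the `.Query` captions used here do not appear on the sibling pages added in this PR, so pick one convention.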
@@ -0,0 +1,224 @@ +:description: Details the DBMS privileges for privilege management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-privilege-management-privileges]] += The DBMS `PRIVILEGE MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF 
NOT EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for privilege management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Privilege management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW PRIVILEGE + ON DBMS + TO role[, ...] +| Enables the specified roles to list privileges. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ASSIGN PRIVILEGE + ON DBMS + TO role[, ...] +| Enables the specified roles to assign privileges using the `GRANT` and `DENY` commands. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] REMOVE PRIVILEGE + ON DBMS + TO role[, ...] 
+| Enables the specified roles to remove privileges using the `REVOKE` command. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] PRIVILEGE MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to list, assign, and remove privileges. +|=== + +== Grant privilege to list privileges + +You can grant the `SHOW PRIVILEGE` privilege to allow a user to list privileges using the `SHOW PRIVILEGE`, `SHOW ROLE roleName PRIVILEGES`, and `SHOW USER username PRIVILEGES` administration commands. +The `SHOW USER username PRIVILEGES` command also requires the `SHOW USER` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SHOW PRIVILEGE ON DBMS TO privilegeViewer; +---- + +As a result, the `privilegeViewer` role has privileges that only allow showing privileges. +To list all privileges for the role `privilegeViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE privilegeViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW PRIVILEGE ON DBMS TO `privilegeViewer`" +a|Rows: 1 +|=== + +[NOTE] +==== +No specific privileges are required for showing the current user's privileges through the `SHOW USER _username_ PRIVILEGES` or `SHOW USER PRIVILEGES` commands. + +If a non-native auth provider like LDAP is in use, `SHOW USER PRIVILEGES` will only work with a limited capacity by making it only possible for a user to show their own privileges. +Other users' privileges cannot be listed when using a non-native auth provider. +==== + +== Grant privilege to assign privileges + +You can grant the privilege to assign privileges using the `ASSIGN PRIVILEGE` privilege. + +A user with this privilege is allowed to execute `GRANT` and `DENY` administration commands. 
+ +For example: + +[source, cypher, role=noplay] +---- +GRANT ASSIGN PRIVILEGE ON DBMS TO privilegeAssigner; +---- + +As a result, the `privilegeAssigner` role has privileges that only allow assigning privileges. +To list all privileges for the role `privilegeAssigner` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE privilegeAssigner PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ASSIGN PRIVILEGE ON DBMS TO `privilegeAssigner`" +a|Rows: 1 +|=== + +== Grant privilege to remove privileges + +You can grant the privilege to remove privileges from roles using the `REMOVE PRIVILEGE` privilege. + +A user with this privilege is allowed to execute `REVOKE` administration commands. + +For example: + +[source, cypher, role=noplay] +---- +GRANT REMOVE PRIVILEGE ON DBMS TO privilegeRemover; +---- + +As a result, the `privilegeRemover` role has privileges that only allow removing privileges. +To list all privileges for the role `privilegeRemover` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE privilegeRemover PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT REMOVE PRIVILEGE ON DBMS TO `privilegeRemover`" +a|Rows: 1 +|=== + +== Grant privilege to manage privileges + +You can grant the privilege to list, assign, and remove privileges using the `PRIVILEGE MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT PRIVILEGE MANAGEMENT ON DBMS TO privilegeManager; +---- + +As a result, the `privilegeManager` role has all privileges to manage privileges. 
+To list all privileges for the role `privilegeManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE privilegeManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT PRIVILEGE MANAGEMENT ON DBMS TO `privilegeManager`" +a|Rows: 1 +|=== diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc new file mode 100644 index 000000000..7dc60475d --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc 
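Review bot: the page should state explicitly how far `ASSIGN PRIVILEGE` reaches. The "Grant privilege to assign privileges" section says only `A user with this privilege is allowed to execute `GRANT` and `DENY` administration commands.` and nothing about whether that includes granting further privileges to roles the caller already holds; a reader will otherwise treat `privilegeAssigner` as a narrowly scoped delegation, so add a sentence naming the actual restriction, or saying there is none, so that the privilege can be risk-assessed before it is handed out. In the NOTE under "Grant privilege to list privileges", `will only work with a limited capacity by making it only possible for a user to show their own privileges` is hard to parse; `only lets a user show their own privileges` says the same thing. As on the sibling pages, the test-setup block creates dozens of roles this page never uses; only `privilegeViewer`, `privilegeAssigner`, `privilegeRemover` and `privilegeManager` are needed.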
@@ -0,0 +1,316 @@ +:description: Details the DBMS privileges for role management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-role-management-privileges]] += The DBMS `ROLE MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; 
+CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for role management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Role management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] CREATE ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to create new roles. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] RENAME ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to change the name of roles. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DROP ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to delete roles. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ASSIGN ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to assign roles to users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] REMOVE ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to remove roles from users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to list roles. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ROLE MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to create, delete, assign, remove, and list roles. + +|=== + +== Grant privilege to create roles + +You can grant the privilege to add roles using the `CREATE ROLE` command. + +For example: + +[source, cypher, role=noplay] +---- +GRANT CREATE ROLE ON DBMS TO roleAdder; +---- + +As a result, the `roleAdder` role has privileges that only allow adding roles. +To list all privileges for the role `roleAdder` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleAdder PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT CREATE ROLE ON DBMS TO `roleAdder`" +a|Rows: 1 +|=== + +== Grant privilege to rename roles + +You can grant the privilege to rename roles using the `RENAME ROLE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT RENAME ROLE ON DBMS TO roleNameModifier; +---- + +As a result, the `roleNameModifier` role has privileges that only allow renaming roles. 
+To list all privileges for the role `roleNameModifier`, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleNameModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT RENAME ROLE ON DBMS TO `roleNameModifier`" +a|Rows: 1 +|=== + +== Grant privilege to delete roles + +You can grant the privilege to delete roles using the `DROP ROLE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT DROP ROLE ON DBMS TO roleDropper; +---- + +As a result, the `roleDropper` role has privileges that only allow deleting roles. +To list all privileges for the role `roleDropper`, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleDropper PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DROP ROLE ON DBMS TO `roleDropper`" +a|Rows: 1 +|=== + +== Grant privilege to assign roles + +You can grant the privilege to assign roles to users using the `ASSIGN ROLE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ASSIGN ROLE ON DBMS TO roleAssigner; +---- + +As a result, the `roleAssigner` role has privileges that only allow assigning/granting roles. +To list all privileges for the role `roleAssigner` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleAssigner PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ASSIGN ROLE ON DBMS TO `roleAssigner`" +a|Rows: 1 +|=== + +== Grant privilege to remove roles + +You can grant the privilege to remove roles from users using the `REMOVE ROLE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT REMOVE ROLE ON DBMS TO roleRemover; +---- + +As a result, the `roleRemover` role has privileges that only allow removing/revoking roles. 
+To list all privileges for the role `roleRemover` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleRemover PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT REMOVE ROLE ON DBMS TO `roleRemover`" +a|Rows: 1 +|=== + +== Grant privilege to show roles + +You can grant the privilege to show roles using the `SHOW ROLE` privilege. +A role with this privilege is allowed to execute the `SHOW ROLES` and `SHOW POPULATED ROLES` administration commands. + +[NOTE] +==== +In order to use `SHOW ROLES WITH USERS` and `SHOW POPULATED ROLES WITH USERS` administration commands, both the `SHOW ROLE` and the `SHOW USER` privileges are required. +==== + +The following query shows an example of how to grant the `SHOW ROLE` privilege: + +[source, cypher, role=noplay] +---- +GRANT SHOW ROLE ON DBMS TO roleViewer; +---- + +As a result, the `roleViewer` role has privileges that only allow showing roles. +To list all privileges for the role `roleViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW ROLE ON DBMS TO `roleViewer`" +a|Rows: 1 +|=== + +== Grant privilege to manage roles + +You can grant the privilege to create, rename, delete, assign, remove, and list roles using the `ROLE MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ROLE MANAGEMENT ON DBMS TO roleManager; +---- + +As a result, the `roleManager` role has all privileges to manage roles. 
+To list all privileges for the role `roleManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ROLE MANAGEMENT ON DBMS TO `roleManager`" +a|Rows: 1 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc new file mode 100644 index 000000000..1a6c3aea2 --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc 
@@ -0,0 +1,149 @@ +:description: Details the DBMS privileges for server management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-server-management-privileges]] += The DBMS `SERVER MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT 
EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for server management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Server management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SERVER MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to show, enable, rename, alter, reallocate, deallocate, and drop servers. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW SERVERS + ON DBMS + TO role[, ...] +| Enables the specified roles to show servers. 
+|=== + +== Grant privilege to manage servers + +You can grant the privilege to show, enable, rename, alter, reallocate, deallocate, and drop servers using the `SERVER MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SERVER MANAGEMENT ON DBMS TO serverManager; +---- + +As a result, the `serverManager` role has all privileges to manage servers. +To list all privileges for the role `serverManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE serverManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SERVER MANAGEMENT ON DBMS TO `serverManager`" +a|Rows: 1 +|=== + + +== Grant privilege to show servers + +You can grant the privilege to show servers using the `SHOW SERVERS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SHOW SERVERS ON DBMS TO serverViewer; +---- + +As a result, the `serverViewer` role has privileges that only allow showing servers. +To list all privileges for the role `serverViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE serverViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW SERVERS ON DBMS TO `serverViewer`" +a|Rows: 1 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-setting-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-setting-privileges.adoc new file mode 100644 index 000000000..11a648145 --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-setting-privileges.adoc 
@@ -0,0 +1,154 @@ +:description: Details the DBMS privileges for viewing and setting configuration settings. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-setting-privileges]] += The DBMS `SETTING` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT 
EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +You can grant the privilege to show configuration settings using the `SHOW SETTING` privilege. +A role with this privilege is allowed to list the configuration settings matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing]. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Setting privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command +| Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW SETTING[S] name-globbing[, ...] + ON DBMS + TO role[, ...] +| Enables the specified roles to list given configuration settings. 
+|=== + +== Grant privilege to show all settings + +You can grant the privilege to show all settings using `SHOW SETTING \*` or all settings in a namespace using `SHOW SETTING namespace.*`. +The following query shows an example of how to grant `SHOW SETTING` privilege to view all settings in the `server.bolt` namespace: + +[source, cypher, role=noplay] +---- +GRANT SHOW SETTING server.bolt.* ON DBMS TO configurationViewer; +---- + +Users with the role `configurationViewer` can then view any setting in the `server.bolt` namespace. + +As a result, the `configurationViewer` role has privileges that only allow listing settings in the `server.bolt` namespace. +To list all privileges for the role `configurationViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE configurationViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW SETTING server.bolt.* ON DBMS TO `configurationViewer`" +a|Rows: 1 +|=== + +== Grant privilege to show all but some settings + +You can grant the privilege to show all but a few settings using `SHOW SETTINGS *` and deny the unwanted settings. + +For example, the following queries allow you to view all settings, except those starting with `dbms.security`: + +[source, cypher, role=noplay] +---- +GRANT SHOW SETTINGS * ON DBMS TO deniedConfigurationViewer; +---- + +[source, cypher, role=noplay] +---- +DENY SHOW SETTING dbms.security* ON DBMS TO deniedConfigurationViewer; +---- + +As a result, the `deniedConfigurationViewer` role has privileges that allow listing all settings except those starting with `dbms.security`. 
+To list all privileges for the role `deniedConfigurationViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedConfigurationViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY SHOW SETTING dbms.security* ON DBMS TO `deniedConfigurationViewer`" +|"GRANT SHOW SETTING * ON DBMS TO `deniedConfigurationViewer`" +a|Rows: 2 +|=== + +As the query result shows, viewing settings starting with `dbms.security` is blocked, but the rest can still be listed. \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc new file mode 100644 index 000000000..762fc1016 --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc 
@@ -0,0 +1,441 @@ +:description: Details the DBMS privileges for user management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-user-management-privileges]] += The DBMS `USER MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; 
+CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for user management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.User management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] CREATE USER + ON DBMS + TO role[, ...] +| Enables the specified roles to create new users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] RENAME USER + ON DBMS + TO role[, ...] +| Enables the specified roles to change the name of users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ALTER USER + ON DBMS + TO role[, ...] +| Enables the specified roles to modify users. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET PASSWORD[S] + ON DBMS + TO role[, ...] +| Enables the specified roles to modify users' passwords and whether those passwords must be changed upon first login. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET AUTH + ON DBMS + TO role[, ...] +| Enables the specified roles to `SET` or `REMOVE` users' xref:authentication-authorization/auth-providers.adoc[auth providers]. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET USER HOME DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to modify users' home database. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET USER STATUS + ON DBMS + TO role[, ...] +| Enables the specified roles to modify the account status of users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DROP USER + ON DBMS + TO role[, ...] +| Enables the specified roles to delete users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW USER + ON DBMS + TO role[, ...] +| Enables the specified roles to list users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] USER MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to create, delete, modify, and list users. + +|=== + +== Grant privilege to create users + +You can grant the privilege to add users using the `CREATE USER` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT CREATE USER ON DBMS TO userAdder +---- + +As a result, the `userAdder` role has privileges that only allow adding users. +To list all privileges for the role `userAdder` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userAdder PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT CREATE USER ON DBMS TO `userAdder`" +a|Rows: 1 +|=== + +== Grant privilege to rename users + +You can grant the privilege to rename users using the `RENAME USER` privilege. 
+ +For example: + +[source, cypher, role=noplay] +---- +GRANT RENAME USER ON DBMS TO userNameModifier +---- + +As a result, the `userNameModifier` role has privileges that only allow renaming users. +To list all privileges for the role `userNameModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userNameModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT RENAME USER ON DBMS TO `userNameModifier`" +a|Rows: 1 +|=== + +== Grant privilege to modify users + +You can grant the privilege to modify users using the `ALTER USER` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ALTER USER ON DBMS TO userModifier +---- + +As a result, the `userModifier` role has privileges that only allow modifying users. +To list all privileges for the role `userModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALTER USER ON DBMS TO `userModifier`" +a|Rows: 1 +|=== + + +The `ALTER USER` privilege allows the user to run the `ALTER USER` administration command with one or several of the `SET PASSWORD`, `SET PASSWORD CHANGE [NOT] REQUIRED`, `SET AUTH`, `REMOVE AUTH`, `SET STATUS`, `SET HOME DATABASE`, and `REMOVE HOME DATABASE` parts. + +For example: + +[source, cypher, role=noplay] +---- +ALTER USER jake SET PASSWORD 'verysecret' SET STATUS SUSPENDED +---- + +[NOTE] +==== +Note that the combination of the `SET PASSWORDS`, `SET AUTH`, `SET USER STATUS`, and `SET USER HOME DATABASE` privileges is equivalent to the `ALTER USER` privilege. +==== + +== Grant privilege to modify users' passwords + +You can grant the privilege to modify users' passwords and whether those passwords must be changed upon first login using the `SET PASSWORDS` privilege. 
+ +For example: + +[source, cypher, role=noplay] +---- +GRANT SET PASSWORDS ON DBMS TO passwordModifier +---- + +As a result, the `passwordModifier` role has privileges that only allow modifying users' passwords and whether those passwords must be changed upon first login. +To list all privileges for the role `passwordModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE passwordModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SET PASSWORD ON DBMS TO `passwordModifier`" +a|Rows: 1 +|=== + +The `SET PASSWORDS` privilege allows the user to run the `ALTER USER` administration command with one or both of the `SET PASSWORD` and `SET PASSWORD CHANGE [NOT] REQUIRED` parts. + +[source, cypher, role=noplay] +---- +ALTER USER jake SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED +---- + +== Grant privilege to modify users' auth information + +You can grant the privilege to modify users' auth information using the `SET AUTH` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SET AUTH ON DBMS TO authModifier +---- +As a result, the `authModifier` role has privileges that only allow modifying users' auth information. + +The `SET AUTH` privilege allows the user to run the `ALTER USER` administration command with one or both of the `SET +AUTH` and `REMOVE AUTH` parts. + +For example: + +[source, cypher, role=noplay] +---- +ALTER USER jake REMOVE AUTH 'native' SET AUTH 'oidc-okta' { SET id 'jakesUniqueOktaUserId' } +---- + +== Grant privilege to modify the account status of users + +You can grant the privilege to modify the account status of users using the `SET USER STATUS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SET USER STATUS ON DBMS TO statusModifier +---- + +As a result, the `statusModifier` role has privileges that only allow modifying the account status of users. 
+To list all privileges for the role `statusModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE statusModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SET USER STATUS ON DBMS TO `statusModifier`" +a|Rows: 1 +|=== + +The `SET USER STATUS` privilege allows the user to run the `ALTER USER` administration command with only the `SET STATUS` part: + +[source, cypher, role=noplay] +---- +ALTER USER jake SET STATUS ACTIVE +---- + +== Grant privilege to modify the home database of users + +You can grant the privilege to modify the home database of users using the `SET USER HOME DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SET USER HOME DATABASE ON DBMS TO homeDbModifier +---- + +As a result, the `homeDbModifier` role has privileges that only allow modifying the home database of users. +To list all privileges for the role `homeDbModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE homeDbModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SET USER HOME DATABASE ON DBMS TO `homeDbModifier`" +|"GRANT SET USER STATUS ON DBMS TO `homeDbModifier`" +a|Rows: 2 +|=== + +The `SET USER HOME DATABASE` privilege allows the user to run the `ALTER USER` administration command with only the `SET HOME DATABASE` or `REMOVE HOME DATABASE` part: + +[source, cypher, role=noplay] +---- +ALTER USER jake SET HOME DATABASE otherDb +---- + +[source, cypher, role=noplay] +---- +ALTER USER jake REMOVE HOME DATABASE +---- + +== Grant privilege to delete users + +You can grant the privilege to delete users using the `DROP USER` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT DROP USER ON DBMS TO userDropper +---- + +As a result, the `userDropper` role has privileges that only allow deleting users. 
+To list all privileges for the role `userDropper` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userDropper PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DROP USER ON DBMS TO `userDropper`" +a|Rows: 1 +|=== + + +== Grant privilege to show users + +You can grant the privilege to show users using the `SHOW USER` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SHOW USER ON DBMS TO userViewer +---- + +As a result, the `userViewer` role has privileges that only allow showing users. +To list all privileges for the role `userViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW USER ON DBMS TO `userViewer`" +a|Rows: 1 +|=== + +== Grant privilege to manage users + +You can grant the privilege to create, rename, modify, delete, and list users using the `USER MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT USER MANAGEMENT ON DBMS TO userManager +---- + +As a result, the `userManager` role has all privileges to manage users. +To list all privileges for the role `userManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW USER ON DBMS TO `userManager`" +a|Rows: 1 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/index.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/index.adoc new file mode 100644 index 000000000..51b4046aa --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/index.adoc 
@@ -0,0 +1,213 @@ +:description: How to use Cypher to manage Neo4j DBMS administrative privileges. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE 
deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +[[access-control-dbms-administration]] += DBMS privileges + +All DBMS privileges are relevant system-wide. +Like user management, they do not belong to one specific database or graph. +For more details on the differences between graphs, databases, and the DBMS, refer to link:{neo4j-docs-base-uri}/cypher-manual/current/introduction/cypher-neo4j/[Cypher Manual -> Cypher and Neo4j]. + +image::privileges-grant-and-deny-syntax-dbms-privileges.svg[width="800", title="Syntax of `GRANT` and `DENY` DBMS privileges"] + +image::privileges-hierarchy-dbms.svg[width="800", title="DBMS privileges hierarchy", role=popup] + +[NOTE] +==== +You can only grant, deny, or revoke privileges to or from existing roles. +==== + +[[access-control-dbms-administration-all]] +== Granting `ALL DBMS PRIVILEGES` + +You can grant the `ALL DBMS PRIVILEGES` privilege to a role. + +The `ALL DBMS PRIVILEGES` privilege is equivalent to granting the following privileges: + +* Create, drop, assign, remove, and show roles. 
+* Create, alter, drop, show, and impersonate users. +* Create, alter, drop, and show databases and aliases. +* Enable, alter, rename, reallocate, deallocate, drop, and show servers. +* Show, assign, and remove privileges. +* Execute all procedures with elevated privileges. +* Execute all user-defined functions with elevated privileges. +* Show all configuration settings. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +[source, syntax, role=noheader] +---- +GRANT [IMMUTABLE] ALL [[DBMS] PRIVILEGES] + ON DBMS + TO role[, ...] +---- + +For example, to grant the role `dbmsManager` all DBMS abilities, use the following query: + +[source, cypher, role=noplay] +---- +GRANT ALL DBMS PRIVILEGES ON DBMS TO dbmsManager; +---- + +To list all privileges for the role `dbmsManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALL DBMS PRIVILEGES ON DBMS TO `dbmsManager`" +a|Rows: 1 +|=== + +[[access-control-name-globbing]] +== Name-globbing for procedures, user-defined functions, and settings + +The name-globbing for procedures, user-defined functions, and setting names is a simplified version of globbing for filename expansions. +It only allows two wildcard characters: `+*+` and `?`, which are used for multiple and single-character matches. +In this case, `+*+` means 0 or more characters, and `?` matches exactly one character. + +[NOTE] +==== +The name-globbing is subject to the link:{neo4j-docs-base-uri}/cypher-manual/current/syntax/naming/[Cypher Manual -> Naming rules and recommendations], with the exception that it may include dots, stars, and question marks without the need for escaping using backticks. 
+ +Each part of the name-globbing separated by dots may be individually quoted. +For example, `++mine.`procedureWith%`++` is allowed, but not `++mine.procedure`With%`++`. +Also, note that wildcard characters behave as wildcards even when quoted. +For example, using `++`*`++` is equivalent to using `+*+`, and thus allows executing all functions or procedures and not only the procedure or function named `+*+`. +==== + +Given the following list of procedures: + +* `mine.public.exampleProcedure` +* `mine.public.exampleProcedure1` +* `mine.public.exampleProcedure2` +* `mine.public.with#Special§Characters` +* `mine.private.exampleProcedure` +* `mine.private.exampleProcedure1` +* `mine.private.exampleProcedure2` +* `mine.private.with#Special§Characters` +* `your.exampleProcedure` + +The following examples demonstrate how name-globbing patterns can be used in controlling access to procedures. +Note that the same rules apply to user-defined functions and settings. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1; +---- + +Users with the role `globbing1` can run all the procedures. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2; +---- + +Users with the role `globbing2` can run procedures `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but no other procedures. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3; +---- + +Users with the role `globbing3` can run procedures `mine.public.exampleProcedure1`, `mine.private.exampleProcedure1`, and `mine.private.exampleProcedure2`, but no other procedures. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4; +---- + +Users with the role `globbing4` can run procedures `your.exampleProcedure`, `mine.public.exampleProcedure`, and `mine.private.exampleProcedure`, but no other procedures. 
+ +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5; +---- + +Users with the role `globbing5` can run procedures `mine.public.exampleProcedure`, `mine.public.exampleProcedure1` and `mine.public.exampleProcedure42`, but no other procedures. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6; +---- + +Users with the role `globbing6` can run procedures `mine.public.with#Special§Characters`, and `mine.private.with#Special§Characters`, but no other procedures. + +[NOTE] +==== +The name-globbing may be fully or partially quoted. +Both `+*+` and `+?+` are interpreted as wildcards in both cases. +==== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc b/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc index 356d04186..6e4f948d6 100644 --- a/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc +++ b/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc @@ -4,7 +4,7 @@ :description: This section explains how to use Cypher to manage immutable roles and privileges. -Immutable privileges are useful for restricting the actions of users who can themselves administer xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[privileges]. +Immutable privileges are useful for restricting the actions of users who can themselves administer xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[privileges]. Immutable roles are useful for providing _system roles_, which appear as permanent parts of the DBMS. 
@@ -82,7 +82,7 @@ The result shows that all users are restricted from adding or removing privilege === Creating permanent roles that cannot be changed -You can use immutable roles to create permanent built-in system roles that cannot be modified even by users who have xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[`ROLE MANAGEMENT` privileges]. +You can use immutable roles to create permanent built-in system roles that cannot be modified even by users who have xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[`ROLE MANAGEMENT` privileges]. For example, you want to create an `analyst` role that cannot be dropped, renamed, or have any of its privileges changed (even by users with the `ROLE MANAGEMENT` and `PRIVILEGE MANAGEMENT` privileges). diff --git a/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc b/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc index f21e47852..b561dc4c1 100644 --- a/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc +++ b/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc 
@@ -22,12 +22,12 @@ Please refer to link:{neo4j-docs-base-uri}/java-reference/{page-version}/extendi [[auth-manage-procedure-permissions]] == Manage procedure permissions -Procedure permissions can be managed using the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-execute[native execute privileges]. +Procedure permissions can be managed using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[native execute privileges]. These control whether the user is allowed to execute a procedure and which set of privileges apply during the execution. -A procedure may be run using the xref:authentication-authorization/dbms-administration.adoc#access-control-execute-procedure[`EXECUTE PROCEDURE` privilege]. +A procedure may be run using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-procedure[`EXECUTE PROCEDURE` privilege]. -This allows the user to execute procedures that match the xref:authentication-authorization/dbms-administration.adoc#access-control-name-globbing[globbed procedures]. +This allows the user to execute procedures that match the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[globbed procedures]. .Grant privilege to execute a procedure ==== 
@@ -48,7 +48,7 @@ GRANT TRAVERSE ON GRAPH * RELATIONSHIP R1 TO role When calling the `db.schema.visualization` procedure, the user will only see the `A` and `B` nodes and `R1` relationships, even though there might exist other nodes and relationships. ==== -A procedure may also be executed with elevated privileges using the xref:authentication-authorization/dbms-administration.adoc#access-control-execute-boosted-procedure[`EXECUTE BOOSTED PROCEDURE` privilege]. +A procedure may also be executed with elevated privileges using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-boosted-procedure[`EXECUTE BOOSTED PROCEDURE` privilege]. [NOTE] -- 
@@ -74,12 +74,12 @@ When calling the `db.schema.visualization` procedure, the user will see all node [[auth-manage-function-permissions]] == Manage user-defined function permissions -User-defined function permissions can be managed using the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-execute[native execute privileges]. +User-defined function permissions can be managed using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[native execute privileges]. These control if the user is both allowed to execute a user-defined function and which set of privileges apply during the execution. -A user-defined function may be executed using the xref:authentication-authorization/dbms-administration.adoc#access-control-execute-user-defined-function[`EXECUTE USER DEFINED FUNCTION` privilege]. +A user-defined function may be executed using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-user-defined-function[`EXECUTE USER DEFINED FUNCTION` privilege]. -This allows the user to execute user-defined functions that match the xref:authentication-authorization/dbms-administration.adoc#access-control-name-globbing[globbed user-defined function]. +This allows the user to execute user-defined functions that match the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[globbed user-defined function]. .Grant privilege to execute a user-defined function ==== 
@@ -100,7 +100,7 @@ When calling the user-defined function `MATCH (a:A) RETURN apoc.any.properties(a ==== A user-defined function may also be executed with elevated privileges using the -xref:authentication-authorization/dbms-administration.adoc#access-control-execute-boosted-user-defined-function[`EXECUTE BOOSTED USER DEFINED FUNCTION` privilege]. +xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-boosted-user-defined-function[`EXECUTE BOOSTED USER DEFINED FUNCTION` privilege]. [NOTE] -- diff --git a/modules/ROOT/pages/authentication-authorization/manage-privileges.adoc b/modules/ROOT/pages/authentication-authorization/manage-privileges.adoc index de242b9e4..3a0051dc6 100644 --- a/modules/ROOT/pages/authentication-authorization/manage-privileges.adoc +++ b/modules/ROOT/pages/authentication-authorization/manage-privileges.adoc @@ -199,7 +199,7 @@ Use `REVOKE` if you want to remove a privilege. Common errors, such as misspellings or attempts to revoke privileges that have not been granted or denied, will result in notifications. In Cypher 25, notifications for impossible `REVOKE` commands, where a user, a role, or a database does not exist, have been replaced with errors. -See link:{neo4j-docs-base-uri}/status-codes/{page-version}/notifications/all-notifications[Status Codes -> Notification codes] for details on notifications. +See link:https://neo4j.com/docs/status-codes/current/notifications/all-notifications/[Status Codes for Errors & Notifications -> List of notification codes] for details on notifications. The general `GRANT` and `DENY` syntaxes are illustrated in the following image: diff --git a/modules/ROOT/pages/authentication-authorization/manage-roles.adoc b/modules/ROOT/pages/authentication-authorization/manage-roles.adoc index 0be1fe591..cea1a18ed 100644 --- a/modules/ROOT/pages/authentication-authorization/manage-roles.adoc +++ b/modules/ROOT/pages/authentication-authorization/manage-roles.adoc 
@@ -62,7 +62,7 @@ GRANT SHOW ROLE ---- -See xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +See xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== @@ -97,14 +97,14 @@ a| GRANT SHOW ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. [source, privilege, role="noheader"] ---- GRANT SHOW USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== @@ -140,7 +140,7 @@ a| GRANT SHOW PRIVILEGE ---- -See xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[DBMS PRIVILEGE MANAGEMENT privileges]. +See xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[DBMS PRIVILEGE MANAGEMENT privileges]. |=== @@ -172,7 +172,7 @@ a| GRANT CREATE ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== 
@@ -206,7 +206,7 @@ GRANT CREATE ROLE GRANT DROP ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== @@ -237,7 +237,7 @@ a| GRANT RENAME ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== @@ -268,7 +268,7 @@ a| GRANT DROP ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== @@ -299,7 +299,7 @@ a| GRANT ASSIGN ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== @@ -330,7 +330,7 @@ a| GRANT REMOVE ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== 
@@ -589,7 +589,7 @@ Immutable roles are those that cannot be modified in the usual way. This means they cannot be created, renamed, dropped, or have privileges granted to or revoked from them under normal operating conditions. See xref:authentication-authorization/immutable-roles-privileges.adoc[Immutable roles and privileges] for details of when and how the `IMMUTABLE` keyword may be used. -They are useful in cases where you need a permanent built-in system role that cannot be modified even by users who have xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[`ROLE MANAGEMENT` privileges] but yet can be granted to and revoked from users in the same way as an ordinary role. +They are useful in cases where you need a permanent built-in system role that cannot be modified even by users who have xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[`ROLE MANAGEMENT` privileges] but yet can be granted to and revoked from users in the same way as an ordinary role. [[access-control-rename-roles]] @@ -745,7 +745,7 @@ SHOW USERS Common errors, such as attempts to grant roles to users who have already been granted those roles, will lead to notifications. Some of these notifications may be replaced with errors in a future major version of Neo4j. -See link:{neo4j-docs-base-uri}/status-codes/{page-version}/notifications/all-notifications[Status Codes -> Notification codes] for details on notifications. +See link:https://neo4j.com/docs/status-codes/current/notifications/all-notifications/[Status Codes for Errors & Notifications -> List of notification codes] for details on notifications. [[access-control-revoke-roles]] == Revoking roles from users 
@@ -815,7 +815,7 @@ REVOKE ROLES role1, role2 FROM user1, user2, user3 Common errors, such as misspellings or attempts to revoke roles from users who have not been granted those roles, will lead to notifications. In Cypher 25, notifications for impossible `REVOKE` commands, where a user, a role, or a database does not exist, have been replaced with errors. -See link:{neo4j-docs-base-uri}/status-codes/{page-version}/notifications/all-notifications[Status Codes -> Notification codes] for details on notifications. +See link:https://neo4j.com/docs/status-codes/current/notifications/all-notifications/[Status Codes for Errors & Notifications -> List of notification codes] for details on notifications. [[access-control-drop-roles]] == Deleting roles diff --git a/modules/ROOT/pages/authentication-authorization/manage-users.adoc b/modules/ROOT/pages/authentication-authorization/manage-users.adoc index ee9edf9d1..617109378 100644 --- a/modules/ROOT/pages/authentication-authorization/manage-users.adoc +++ b/modules/ROOT/pages/authentication-authorization/manage-users.adoc @@ -94,7 +94,7 @@ a| GRANT SHOW USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== 
@@ -129,14 +129,14 @@ a| GRANT SHOW PRIVILEGE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[DBMS PRIVILEGE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[DBMS PRIVILEGE MANAGEMENT privileges]. [source, privilege, role="noheader"] ---- GRANT SHOW USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== @@ -187,7 +187,7 @@ a| GRANT CREATE USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== @@ -237,7 +237,7 @@ a| GRANT CREATE USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. [source, privilege, role="noheader"] 
@@ -245,7 +245,7 @@ For more information, see xref:authentication-authorization/dbms-administration. GRANT DROP USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== @@ -274,7 +274,7 @@ a| GRANT RENAME USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== @@ -340,7 +340,7 @@ GRANT SET USER HOME DATABASE GRANT SET AUTH ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== @@ -396,7 +396,7 @@ a| GRANT DROP USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== diff --git a/modules/ROOT/pages/changes-deprecations-removals.adoc b/modules/ROOT/pages/changes-deprecations-removals.adoc index 0d2da7375..619bcb8ec 100644 --- a/modules/ROOT/pages/changes-deprecations-removals.adoc +++ b/modules/ROOT/pages/changes-deprecations-removals.adoc 
@@ -603,7 +603,7 @@ Since Neo4j 5.26, the server-side Notification API and the `getNotifications()` Starting from 2025.04, using the error messages programmatically is deprecated. Because error messages might change in a future release, please parse or use GQLSTATUS error codes in your application code. -For details, see link:{neo4j-docs-base-uri}/status-codes/current/errors/gql-errors/[Status Codes for Errors & Notifications -> List of GQLSTATUS error codes]. +For details, see link:https://neo4j.com/docs/status-codes/current/errors/gql-errors/[Status Codes for Errors & Notifications -> List of GQLSTATUS error codes]. == Changes in Neo4j 2025.x diff --git a/modules/ROOT/pages/clustering/server-syntax.adoc b/modules/ROOT/pages/clustering/server-syntax.adoc index cf6c13675..79af5d755 100644 --- a/modules/ROOT/pages/clustering/server-syntax.adoc +++ b/modules/ROOT/pages/clustering/server-syntax.adoc @@ -37,7 +37,7 @@ For more information see xref:clustering/servers.adoc#server-enabled-state[Enabl | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== @@ -65,7 +65,7 @@ For more information see xref:clustering/servers.adoc#_listing_servers[Listing s | Required privilege a| `GRANT SHOW SERVERS` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== 
@@ -90,7 +90,7 @@ For more information see xref:clustering/servers.adoc#alter-server-options[Alter | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== === Rename a server @@ -114,7 +114,7 @@ For more information see xref:clustering/servers.adoc#_renaming_a_server[Renamin | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== @@ -139,7 +139,7 @@ For more information see xref:clustering/servers.adoc#_dropping_a_server[Droppin | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== @@ -166,7 +166,7 @@ Note that is a cluster-level command, not a server-level command. | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== 
@@ -191,6 +191,6 @@ For more information see xref:clustering/servers.adoc#_deallocating_databases_fr | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== diff --git a/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc b/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc index 203e01e38..69a420f25 100644 --- a/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc +++ b/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc @@ -31,7 +31,7 @@ Local aliases always get the Cypher version of their target database and aliases Available database aliases in composite databases can be seen using `SHOW ALIASES FOR DATABASE`. The name of the composite database a particular database alias appears in the returned `composite` column. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. .Query [source, cypher] diff --git a/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc b/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc index f9938b65d..1c6194786 100644 --- a/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc +++ b/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc 
@@ -4,7 +4,7 @@ = Managing database aliases for standard databases Database aliases can be created and managed using a set of Cypher administration commands executed against the `system` database. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. When connected to the DBMS over Bolt, administration commands are automatically routed to the `system` database. [NOTE] @@ -76,7 +76,7 @@ You can list all available database aliases using the `SHOW ALIASES FOR DATABASE The command returns a table of all database aliases, whether they belong to a composite database or not. + If you need more details, you can append the command with `YIELD *`. The `YIELD *` clause returns the full set of columns. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. .Available columns [options="header" cols="2m,4a,2m"] 
@@ -260,7 +260,7 @@ It is also possible to use `SKIP` and `LIMIT` to paginate the results. You can create both local and remote database aliases using the command `CREATE ALIAS`. For more information on local and remote database aliases as part of a composite database, see xref::database-administration/aliases/manage-aliases-composite-databases.adoc#create-composite-database-alias[Create database aliases in composite databases]. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. [NOTE] ==== @@ -552,7 +552,7 @@ SHOW ALIAS `remote-northwind-2021` FOR DATABASE YIELD name, properties You can alter both local and remote database aliases using the `ALTER ALIAS` command. For all aliases, the command allows you to change the target database and properties of the database alias. For remote aliases, the command also allows you to change the URL, user credentials, default language, or driver settings of the database alias. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. Only the clauses used will be altered. [NOTE] 
@@ -697,7 +697,7 @@ ALTER ALIAS `no-alias` IF EXISTS SET DATABASE TARGET `northwind-graph-2021` == Delete database aliases You can delete both local and remote database aliases using the `DROP ALIAS` command. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. === Delete local database aliases diff --git a/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc b/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc index d486dd2f1..f5321285b 100644 --- a/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc +++ b/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc 
@@ -33,12 +33,13 @@ In the example above, _Bob_ is the administrator responsible for deciding which Meanwhile, _Alice_ is the administrator that assigns who has access to the privileges set by _Bob_. In the example, _Alice_ will assign that access to _Carol_. -See lxref:authentication-authorization/dbms-administration.adoc[DBMS privileges] for more information. +See xref:authentication-authorization/dbms-administration/index.adoc[DBMS privileges] for more information. ==== _Carol_ can use her own regular credentials to access the remote database `Db1` in DBMS after _Alice_ assigns this privilege to her user profile. This configuration will also allow _Carol_ to access `Db2` in **DBMS B**. -If the administrators decide this should not be the case, then _Bob_ must define the appropriate privileges (see xref:authentication-authorization/index.adoc[Authentication and authorization] for further information). +If the administrators decide this should not be the case, then _Bob_ must define the appropriate privileges. +See xref:authentication-authorization/index.adoc[Authentication and authorization] for further information. == Configure a remote DBMS (_Bob_) 
@@ -161,9 +162,9 @@ For example, the following command can be used to create a remote database alias CREATE ALIAS `remote-neo4j` FOR DATABASE `neo4j` AT "neo4j+s://location:7687" USER alice PASSWORD 'secretpassword' ---- -In order to do so, either lxref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-database-management[database management] -or lxref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[alias management] privileges are required. -The permission to create an alias can be granted like this: +In order to do so, either xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[database management] +or xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[alias management] privileges are required. +The permission to create an alias can be granted using the following command: [source, Cypher] ---- @@ -208,7 +209,7 @@ USE `remote-neo4j` MATCH (n) RETURN * * Connecting to a remote database alias as a home database. This needs to be set by Administrator A. -See more about lxref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[User Management]. +See more about xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[User Management]. [source, Cypher] ---- diff --git a/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc b/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc index 7eef2427f..affb60806 100644 --- a/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc +++ b/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc 
@@ -92,7 +92,7 @@ The option `DESTROY DATA` explicitly requests the default behavior of the comman [NOTE] ==== -The dumps produced by `DUMP DATA` are equivalent to those produced by xref:backup-restore/offline-backup.adoc[`neo4j-admin database dump`]. +The dumps produced by `DUMP DATA` are equivalent to those produced by xref:backup-restore/offline-backup.adoc[`neo4j-admin database dump`]. You can also restore them using the xref:backup-restore/restore-dump.adoc[`neo4j-admin database load`] command. ==== @@ -121,7 +121,7 @@ This command does not affect the remote database aliases targeting the database They will simply no longer resolve their targets as if they were created targeting a non-existing database. Using `CASCADE ALIASES` requires the `DROP ALIAS` privilege. -For more information about the privilege, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[ALIAS MANAGEMENT privileges]. +For more information about the privilege, see xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[ALIAS MANAGEMENT privileges]. .Drop a database and the local database alias targeting it ==== diff --git a/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc b/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc index a11476627..f84bcdceb 100644 --- a/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc +++ b/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc @@ -39,7 +39,7 @@ Input arguments are the database name and list of the seeding and topology optio [cols="2a,4",frame="topbot",options="header"] |=== |Option -|Description +|Description |seedingServers |A list of possible seeding servers. 
@@ -76,7 +76,7 @@ To restore CDC functionality, follow the guide on how link:https://neo4j.com/doc Before recreating a database, any eventual quarantined states need to be addressed. For more information, see xref:database-administration/standard-databases/errors.adoc#quarantine[Standard databases -> Error handling]. -You need xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-database-management[the `CREATE DATABASE` and `DROP DATABASE` privileges] to run the recreate procedure. +You need xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[the `CREATE DATABASE` and `DROP DATABASE` privileges] to run the recreate procedure. Additionally, in a cluster deployment, you have the option to modify <> during the recreation process. diff --git a/modules/ROOT/pages/procedures.adoc b/modules/ROOT/pages/procedures.adoc index d95812fa3..2b928be4a 100644 --- a/modules/ROOT/pages/procedures.adoc +++ b/modules/ROOT/pages/procedures.adoc @@ -54,7 +54,7 @@ Some procedures can only be run by users with `Admin` privileges. Specifically, either the `EXECUTE ADMIN PROCEDURES` privilege or both the `EXECUTE PROCEDURES` and `EXECUTE BOOSTED PROCEDURES` privileges. These procedures are labeled with label:admin-only[]. -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-execute[the `EXECUTE` privileges section]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[the `EXECUTE` privileges]. ==== == Authentication and authorization diff --git a/modules/ROOT/pages/scalability/composite-databases/delete-composite-databases.adoc b/modules/ROOT/pages/scalability/composite-databases/delete-composite-databases.adoc index da913bad9..602e8e235 100644 --- a/modules/ROOT/pages/scalability/composite-databases/delete-composite-databases.adoc 
+++ b/modules/ROOT/pages/scalability/composite-databases/delete-composite-databases.adoc @@ -33,7 +33,7 @@ This operation does not deletes the actual target databases of the constituent d The `CASCADE ALIASES` option is useful when you want to delete a composite database and its constituent database aliases in one step. Using `CASCADE ALIASES` requires the `DROP ALIAS` privilege. -For more information about this privilege, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[ALIAS MANAGEMENT privileges]. +For more information about this privilege, see xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[ALIAS MANAGEMENT privileges]. .Drop a composite database and its consitutent alias ====
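Review bot: The commit message should say that the five `GRANT SERVER MANAGEMENT` links in `clustering/servers.adoc` (hunks `@@ -90`, `@@ -114`, `@@ -139`, `@@ -166`, `@@ -191`) were not just re-pathed but re-targeted: the removed lines point at `#access-control-dbms-administration-privilege-management`, the privilege-management anchor, while the link text reads "SERVER MANAGEMENT privileges"; the added lines point at `dbms-server-management-privileges.adoc`, which finally matches the text. Calling that out helps anyone auditing which privilege a server operation actually requires.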
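Review bot: In the `manage-aliases-composite-databases.adoc` hunk (`@@ -31`) the new line still reads "described in the xref:...[The DBMS ALIAS MANAGEMENT privileges]", which renders as "described in the The DBMS ALIAS MANAGEMENT privileges"; since the line is being rewritten anyway, drop the leading "The" from the link text. The same doubled article recurs in every `The required privileges are described in the ...` line of `manage-aliases-standard-databases.adoc` (hunks `@@ -4`, `@@ -76`, `@@ -260`, `@@ -552`, `@@ -697`). Separately, these hunks replace anchored links (`dbms-administration.adoc#access-control-dbms-administration-alias-management`) with whole-page targets; confirm the new `dbms-administration/` pages declare `page-aliases` for the old `dbms-administration.adoc` so external bookmarks to the old anchors still resolve instead of returning 404.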
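Review bot: In the `remote-database-alias-configuration.adoc` hunk `@@ -208` the link text "User Management" is inconsistent with the privilege naming used in the rest of this change set ("SERVER MANAGEMENT privileges", "ALIAS MANAGEMENT privileges", "database management", "alias management"); suggest `[USER MANAGEMENT privileges]` so the text matches the privilege the reader has to grant. The `lxref:` to `xref:` repairs in hunks `@@ -33` and `@@ -161` look correct and fix links that could not have rendered before.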
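Review bot: The first hunk in `delete-databases.adoc` (`@@ -92`) removes and re-adds a line that is byte-identical in the diff ("The dumps produced by `DUMP DATA` are equivalent to ..."), so the real change is invisible whitespace; the same applies to `|Description` in the `recreate-database.adoc` hunk `@@ -39`. Either drop these from the PR or mention "also strips trailing whitespace" in the commit message so the next reader does not hunt for a content change that is not there.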
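Review bot: In the `recreate-database.adoc` hunk `@@ -76` the trailing context line "you have the option to modify <> during the recreation process" reads as an empty cross-reference; while this file is open, check the rendered page for that line so the privilege sentence being changed here is not followed by a broken link.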
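Review bot: In the `delete-composite-databases.adoc` hunk (`@@ -33`) two typos sit in the unchanged context right around the edited line: the hunk header context "This operation does not deletes the actual target databases" should be "does not delete", and the trailing ".Drop a composite database and its consitutent alias" should be "constituent". Since the file is already touched by this change, fixing both here avoids a separate typo PR.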