DBMS privileges

All DBMS privileges are relevant system-wide. Like user management, they do not belong to one specific database or graph. For more details on the differences between graphs, databases, and the DBMS, refer to Cypher Manual → Cypher and Neo4j.

privileges grant and deny syntax dbms privileges
Figure 1. Syntax of GRANT and DENY DBMS privileges
privileges hierarchy dbms
Figure 2. DBMS privileges hierarchy

You can only grant, deny, or revoke privileges to or from existing roles.

The admin role privileges

The admin role role is a built-in superuser role that has all privileges on the DBMS and can perform all administrative tasks.

This includes the following tasks and their relevant privileges:

To enable a user to perform these tasks, you can grant them the admin role, but it is also possible to make a custom role with a subset of these privileges. All privileges are also assignable using Cypher commands.

The following sections describe the privileges that are available for DBMS administration and show some examples of how to use Cypher commands to manage them.

Using a custom role to manage DBMS privileges

You can create a custom role to manage DBMS privileges by granting the privileges you want to the role. Alternatively, you can copy the admin role and revoke or deny the unwanted privileges. The following examples show how to create a custom role with a subset of the privileges that the admin role using both methods.

Create a custom administrator role from scratch

Create an administrator role that can only manage users and roles by creating a new role and granting the USER MANAGEMENT and ROLE MANAGEMENT privileges.

  1. Create the new role:

    CREATE ROLE userAndRoleAdministrator;
  2. Grant the privilege to manage users:

    GRANT USER MANAGEMENT ON DBMS TO userAndRoleAdministrator;
  3. Grant the privilege to manage roles:

    GRANT ROLE MANAGEMENT ON DBMS TO userAndRoleAdministrator;

    As a result, the userAndRoleAdministrator role has privileges that only allow user and role management.

  4. To list all privileges for the role userAndRoleAdministrator as commands, use the following query:

    SHOW ROLE userAndRoleAdministrator PRIVILEGES AS COMMANDS;
    Table 1. Result
    command

    "GRANT ROLE MANAGEMENT ON DBMS TO `userAndRoleAdministrator`"

    "GRANT USER MANAGEMENT ON DBMS TO `userAndRoleAdministrator`"

    Rows: 2

This role does not allow all DBMS capabilities. For example, the role is missing privileges for managing, creating, and dropping databases, as well as executing admin procedures. To create a more powerful administrator, you can grant a different set of privileges.

Create a more powerful custom administrator role from scratch

You can also create a custom administrator role with limited capabilities. This can be done by creating a new role and granting all DBMS privileges, then denying the ones you do not want the role to have, and then granting additional privileges you want to include. For example, you can create a custom administrator role customAdministrator that has all DBMS privileges except for creating, dropping, and modifying databases, and also has the privilege for managing transactions.

  1. Create a new role:

    CREATE ROLE customAdministrator;
  2. Grant the privilege for all DBMS capabilities:

    GRANT ALL DBMS PRIVILEGES ON DBMS TO customAdministrator;
  3. Explicitly deny the privilege to manage databases:

    DENY DATABASE MANAGEMENT ON DBMS TO customAdministrator;
  4. Grant the transaction management privilege:

    GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO customAdministrator;

    As a result, the customAdministrator role has privileges that include managing transactions and all DBMS privileges except creating, dropping, and modifying databases.

  5. To list all privileges for the role customAdministrator as commands, use the following query:

    SHOW ROLE customAdministrator PRIVILEGES AS COMMANDS;
    Table 2. Result
    command

    "DENY DATABASE MANAGEMENT ON DBMS TO `customAdministrator`"

    "GRANT ALL DBMS PRIVILEGES ON DBMS TO `customAdministrator`"

    "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `customAdministrator`"

    Rows: 3

Create a custom administrator role by copying the admin role

You can also create a custom administrator role by copying the admin role and then revoking or denying the privileges you do not want. For example, you can create a new role called newAdministrator that has all the privileges of the admin role, and then revoke the ability to read/write/load data, manage constraints, indexes, name, and remove ability to access all databases, except the system database.

  1. Create a new role by copying the admin role:

    CREATE ROLE newAdministrator AS COPY OF admin;
  2. Revoke the ability to read/write/load data:

    REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM newAdministrator;
    REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM newAdministrator;
    REVOKE GRANT WRITE ON GRAPH * FROM newAdministrator;
    REVOKE GRANT LOAD ON ALL DATA FROM newAdministrator;
  3. Revoke the ability to manage index/constraint/name:

    REVOKE GRANT CONSTRAINT MANAGEMENT ON DATABASE * FROM newAdministrator;
    REVOKE GRANT INDEX MANAGEMENT ON DATABASE * FROM newAdministrator;
    REVOKE GRANT NAME MANAGEMENT ON DATABASE * FROM newAdministrator;
    REVOKE GRANT SHOW CONSTRAINT ON DATABASE * FROM newAdministrator;
    REVOKE GRANT SHOW INDEX ON DATABASE * FROM newAdministrator;
  4. Revoke the ability to access all databases:

    REVOKE GRANT ACCESS ON DATABASE * FROM newAdministrator;
  5. Grant the ability to access the system database:

    GRANT ACCESS ON DATABASE system TO newAdministrator;
  6. To list all privileges for the role newAdministrator as commands, use the following query:

    SHOW ROLE newAdministrator PRIVILEGES AS COMMANDS;
    Table 3. Result
    command

    "GRANT ACCESS ON DATABASE system TO `newAdministrator`"

    "GRANT ALL DBMS PRIVILEGES ON DBMS TO `newAdministrator`"

    "GRANT START ON DATABASE * TO `newAdministrator`"

    "GRANT STOP ON DATABASE * TO `newAdministrator`"

    "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `newAdministrator`"

    Rows: 5

The DBMS ROLE MANAGEMENT privileges

The DBMS privileges for role management can be granted, denied, or revoked like other privileges.

For more details about the syntax descriptions, see Reading the administration commands syntax.

Table 4. Role management privileges command syntax
Command Description
GRANT [IMMUTABLE] CREATE ROLE
  ON DBMS
  TO role[, ...]

Enables the specified roles to create new roles.

GRANT [IMMUTABLE] RENAME ROLE
  ON DBMS
  TO role[, ...]

Enables the specified roles to change the name of roles.

GRANT [IMMUTABLE] DROP ROLE
  ON DBMS
  TO role[, ...]

Enables the specified roles to delete roles.

GRANT [IMMUTABLE] ASSIGN ROLE
  ON DBMS
  TO role[, ...]

Enables the specified roles to assign roles to users.

GRANT [IMMUTABLE] REMOVE ROLE
  ON DBMS
  TO role[, ...]

Enables the specified roles to remove roles from users.

GRANT [IMMUTABLE] SHOW ROLE
  ON DBMS
  TO role[, ...]

Enables the specified roles to list roles.

GRANT [IMMUTABLE] ROLE MANAGEMENT
  ON DBMS
  TO role[, ...]

Enables the specified roles to create, delete, assign, remove, and list roles.

Grant privilege to create roles

You can grant the privilege to add roles using the CREATE ROLE command.
For example:

GRANT CREATE ROLE ON DBMS TO roleAdder;

As a result, the roleAdder role has privileges that only allow adding roles. To list all privileges for the role roleAdder as commands, use the following query:

SHOW ROLE roleAdder PRIVILEGES AS COMMANDS;
Table 5. Result
command

"GRANT CREATE ROLE ON DBMS TO `roleAdder`"

Rows: 1

Grant privilege to rename roles

You can grant the privilege to rename roles using the RENAME ROLE privilege.
For example:

GRANT RENAME ROLE ON DBMS TO roleNameModifier;

As a result, the roleNameModifier role has privileges that only allow renaming roles. To list all privileges for the role roleNameModifier, use the following query:

SHOW ROLE roleNameModifier PRIVILEGES AS COMMANDS;
Table 6. Result
command

"GRANT RENAME ROLE ON DBMS TO `roleNameModifier`"

Rows: 1

Grant privilege to delete roles

You can grant the privilege to delete roles using the DROP ROLE privilege.
For example:

GRANT DROP ROLE ON DBMS TO roleDropper;

As a result, the roleDropper role has privileges that only allow deleting roles. To list all privileges for the role roleDropper, use the following query:

SHOW ROLE roleDropper PRIVILEGES AS COMMANDS;
Table 7. Result
command

"GRANT DROP ROLE ON DBMS TO `roleDropper`"

Rows: 1

Grant privilege to assign roles

You can grant the privilege to assign roles to users using the ASSIGN ROLE privilege.
For example:

GRANT ASSIGN ROLE ON DBMS TO roleAssigner;

As a result, the roleAssigner role has privileges that only allow assigning/granting roles. To list all privileges for the role roleAssigner as commands, use the following query:

SHOW ROLE roleAssigner PRIVILEGES AS COMMANDS;
Table 8. Result
command

"GRANT ASSIGN ROLE ON DBMS TO `roleAssigner`"

Rows: 1

Grant privilege to remove roles

You can grant the privilege to remove roles from users using the REMOVE ROLE privilege.
For example:

GRANT REMOVE ROLE ON DBMS TO roleRemover;

As a result, the roleRemover role has privileges that only allow removing/revoking roles. To list all privileges for the role roleRemover as commands, use the following query:

SHOW ROLE roleRemover PRIVILEGES AS COMMANDS;
Table 9. Result
command

"GRANT REMOVE ROLE ON DBMS TO `roleRemover`"

Rows: 1

Grant privilege to show roles

You can grant the privilege to show roles using the SHOW ROLE privilege. A role with this privilege is allowed to execute the SHOW ROLES and SHOW POPULATED ROLES administration commands.

In order to use SHOW ROLES WITH USERS and SHOW POPULATED ROLES WITH USERS administration commands, both the SHOW ROLE and the SHOW USER privileges are required.

The following query shows an example of how to grant the SHOW ROLE privilege:

GRANT SHOW ROLE ON DBMS TO roleViewer;

As a result, the roleViewer role has privileges that only allow showing roles. To list all privileges for the role roleViewer as commands, use the following query:

SHOW ROLE roleViewer PRIVILEGES AS COMMANDS;
Table 10. Result
command

"GRANT SHOW ROLE ON DBMS TO `roleViewer`"

Rows: 1

Grant privilege to manage roles

You can grant the privilege to create, rename, delete, assign, remove, and list roles using the ROLE MANAGEMENT privilege.
For example:

GRANT ROLE MANAGEMENT ON DBMS TO roleManager;

As a result, the roleManager role has all privileges to manage roles. To list all privileges for the role roleManager as commands, use the following query:

SHOW ROLE roleManager PRIVILEGES AS COMMANDS;
Table 11. Result
command

"GRANT ROLE MANAGEMENT ON DBMS TO `roleManager`"

Rows: 1

The DBMS USER MANAGEMENT privileges

The DBMS privileges for user management can be granted, denied, or revoked like other privileges.

For more details about the syntax descriptions, see Reading the administration commands syntax.

Table 12. User management privileges command syntax
Command Description
GRANT [IMMUTABLE] CREATE USER
  ON DBMS
  TO role[, ...]

Enables the specified roles to create new users.

GRANT [IMMUTABLE] RENAME USER
  ON DBMS
  TO role[, ...]

Enables the specified roles to change the name of users.

GRANT [IMMUTABLE] ALTER USER
  ON DBMS
  TO role[, ...]

Enables the specified roles to modify users.

GRANT [IMMUTABLE] SET PASSWORD[S]
  ON DBMS
  TO role[, ...]

Enables the specified roles to modify users' passwords and whether those passwords must be changed upon first login.

GRANT [IMMUTABLE] SET AUTH
  ON DBMS
  TO role[, ...]

Enables the specified roles to SET or REMOVE users' auth providers.

GRANT [IMMUTABLE] SET USER HOME DATABASE
  ON DBMS
  TO role[, ...]

Enables the specified roles to modify users' home database.

GRANT [IMMUTABLE] SET USER STATUS
  ON DBMS
  TO role[, ...]

Enables the specified roles to modify the account status of users.

GRANT [IMMUTABLE] DROP USER
  ON DBMS
  TO role[, ...]

Enables the specified roles to delete users.

GRANT [IMMUTABLE] SHOW USER
  ON DBMS
  TO role[, ...]

Enables the specified roles to list users.

GRANT [IMMUTABLE] USER MANAGEMENT
  ON DBMS
  TO role[, ...]

Enables the specified roles to create, delete, modify, and list users.

Grant privilege to create users

You can grant the privilege to add users using the CREATE USER privilege.
For example:

GRANT CREATE USER ON DBMS TO userAdder

As a result, the userAdder role has privileges that only allow adding users. To list all privileges for the role userAdder as commands, use the following query:

SHOW ROLE userAdder PRIVILEGES AS COMMANDS;
Table 13. Result
command

"GRANT CREATE USER ON DBMS TO `userAdder`"

Rows: 1

Grant privilege to rename users

You can grant the privilege to rename users using the RENAME USER privilege.
For example:

GRANT RENAME USER ON DBMS TO userNameModifier

As a result, the userNameModifier role has privileges that only allow renaming users. To list all privileges for the role userNameModifier as commands, use the following query:

SHOW ROLE userNameModifier PRIVILEGES AS COMMANDS;
Table 14. Result
command

"GRANT RENAME USER ON DBMS TO `userNameModifier`"

Rows: 1

Grant privilege to modify users

You can grant the privilege to modify users using the ALTER USER privilege.
For example:

GRANT ALTER USER ON DBMS TO userModifier

As a result, the userModifier role has privileges that only allow modifying users. To list all privileges for the role userModifier as commands, use the following query:

SHOW ROLE userModifier PRIVILEGES AS COMMANDS;
Table 15. Result
command

"GRANT ALTER USER ON DBMS TO `userModifier`"

Rows: 1

The ALTER USER privilege allows the user to run the ALTER USER administration command with one or several of the SET PASSWORD, SET PASSWORD CHANGE [NOT] REQUIRED, SET AUTH, REMOVE AUTH, SET STATUS, SET HOME DATABASE, and REMOVE HOME DATABASE parts.
For example:

ALTER USER jake SET PASSWORD 'verysecret' SET STATUS SUSPENDED

Note that the combination of the SET PASSWORDS, SET AUTH, SET USER STATUS, and SET USER HOME DATABASE privileges is equivalent to the ALTER USER privilege.

Grant privilege to modify users' passwords

You can grant the privilege to modify users' passwords and whether those passwords must be changed upon first login using the SET PASSWORDS privilege.
For example:

GRANT SET PASSWORDS ON DBMS TO passwordModifier

As a result, the passwordModifier role has privileges that only allow modifying users' passwords and whether those passwords must be changed upon first login. To list all privileges for the role passwordModifier as commands, use the following query:

SHOW ROLE passwordModifier PRIVILEGES AS COMMANDS;
Table 16. Result
command

"GRANT SET PASSWORD ON DBMS TO `passwordModifier`"

Rows: 1

The SET PASSWORDS privilege allows the user to run the ALTER USER administration command with one or both of the SET PASSWORD and SET PASSWORD CHANGE [NOT] REQUIRED parts.

ALTER USER jake SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED

Grant privilege to modify users' auth information

You can grant the privilege to modify users' auth information using the SET AUTH privilege.
For example:

GRANT SET AUTH ON DBMS TO authModifier

As a result, the authModifier role has privileges that only allow modifying users' auth information.

The SET AUTH privilege allows the user to run the ALTER USER administration command with one or both of the SET AUTH and REMOVE AUTH parts.
For example:

ALTER USER jake REMOVE AUTH 'native' SET AUTH 'oidc-okta' { SET id 'jakesUniqueOktaUserId' }

Grant privilege to modify the account status of users

You can grant the privilege to modify the account status of users using the SET USER STATUS privilege.
For example:

GRANT SET USER STATUS ON DBMS TO statusModifier

As a result, the statusModifier role has privileges that only allow modifying the account status of users. To list all privileges for the role statusModifier as commands, use the following query:

SHOW ROLE statusModifier PRIVILEGES AS COMMANDS;
Table 17. Result
command

"GRANT SET USER STATUS ON DBMS TO `statusModifier`"

Rows: 1

The SET USER STATUS privilege allows the user to run the ALTER USER administration command with only the SET STATUS part:

ALTER USER jake SET STATUS ACTIVE

Grant privilege to modify the home database of users

You can grant the privilege to modify the home database of users using the SET USER HOME DATABASE privilege.
For example:

GRANT SET USER HOME DATABASE ON DBMS TO homeDbModifier

As a result, the homeDbModifier role has privileges that only allow modifying the home database of users. To list all privileges for the role homeDbModifier as commands, use the following query:

SHOW ROLE homeDbModifier PRIVILEGES AS COMMANDS;
Table 18. Result
command

"GRANT SET USER HOME DATABASE ON DBMS TO `homeDbModifier`"

"GRANT SET USER STATUS ON DBMS TO `homeDbModifier`"

Rows: 2

The SET USER HOME DATABASE privilege allows the user to run the ALTER USER administration command with only the SET HOME DATABASE or REMOVE HOME DATABASE part:

ALTER USER jake SET HOME DATABASE otherDb
ALTER USER jake REMOVE HOME DATABASE

Grant privilege to delete users

You can grant the privilege to delete users using the DROP USER privilege.
For example:

GRANT DROP USER ON DBMS TO userDropper

As a result, the userDropper role has privileges that only allow deleting users. To list all privileges for the role userDropper as commands, use the following query:

SHOW ROLE userDropper PRIVILEGES AS COMMANDS;
Table 19. Result
command

"GRANT DROP USER ON DBMS TO `userDropper`"

Rows: 1

Grant privilege to show users

You can grant the privilege to show users using the SHOW USER privilege.
For example:

GRANT SHOW USER ON DBMS TO userViewer

As a result, the userViewer role has privileges that only allow showing users. To list all privileges for the role userViewer as commands, use the following query:

SHOW ROLE userViewer PRIVILEGES AS COMMANDS;
Table 20. Result
command

"GRANT SHOW USER ON DBMS TO `userViewer`"

Rows: 1

Grant privilege to manage users

You can grant the privilege to create, rename, modify, delete, and list users using the USER MANAGEMENT privilege.
For example:

GRANT USER MANAGEMENT ON DBMS TO userManager

As a result, the userManager role has all privileges to manage users. To list all privileges for the role userManager as commands, use the following query:

SHOW ROLE userManager PRIVILEGES AS COMMANDS;
Table 21. Result
command

"GRANT SHOW USER ON DBMS TO `userManager`"

Rows: 1

The DBMS IMPERSONATE privileges

The DBMS privileges for impersonation can be granted, denied, or revoked like other privileges.

Impersonation is the ability of a user to assume another user’s roles (and therefore privileges), with the restriction of not being able to execute updating admin commands as the impersonated user (i.e. they would still be able to use SHOW commands).

You can use the IMPERSONATE privilege to allow a user to impersonate another user.

For more details about the syntax descriptions, see Reading the administration commands syntax.

Table 22. Impersonation privileges command syntax
Command Description
GRANT [IMMUTABLE] IMPERSONATE [(*)]
    ON DBMS
    TO role[, ...]

Enables the specified roles to impersonate any user.

GRANT [IMMUTABLE] IMPERSONATE (user[, ...])
    ON DBMS
    TO role[, ...]

Enables the specified roles to impersonate the specified users.

Grant privilege to impersonate all users

You can grant the privilege to impersonate all users using the IMPERSONATE (*) privilege.
For example:

Query
GRANT IMPERSONATE (*) ON DBMS TO allUserImpersonator

As a result, the allUserImpersonator role has privileges that allow impersonating all users. To list all privileges for the role allUserImpersonator as commands, use the following query:

Query
SHOW ROLE allUserImpersonator PRIVILEGES AS COMMANDS;
Table 23. Result
command

"GRANT IMPERSONATE (*) ON DBMS TO `allUserImpersonator`"

Rows: 1

Grant privilege to impersonate specific users

You can also grant the privilege to impersonate specific users or a subset of users.
For example:

Query
GRANT IMPERSONATE (alice, bob) ON DBMS TO userImpersonator;

As a result, the userImpersonator role has privileges that allow impersonating only alice and bob. Then, you deny the privilege to impersonate alice:

Query
DENY IMPERSONATE (alice) ON DBMS TO userImpersonator;

As a result, the userImpersonator user would be able to impersonate only bob.

To list all privileges for the role userImpersonator as commands, use the following query:

Query
SHOW ROLE userImpersonator PRIVILEGES AS COMMANDS;
Table 24. Result
command

"DENY IMPERSONATE (alice) ON DBMS TO `userImpersonator`"

"GRANT IMPERSONATE (alice) ON DBMS TO `userImpersonator`"

"GRANT IMPERSONATE (bob) ON DBMS TO `userImpersonator`"

Rows: 3

The DBMS DATABASE MANAGEMENT privileges

The DBMS privileges for database management can be granted, denied, or revoked like other privileges.

For more details about the syntax descriptions, see Reading the administration commands syntax.

Table 25. Database management privileges command syntax
Command Description
GRANT [IMMUTABLE] CREATE DATABASE
  ON DBMS
  TO role[, ...]

Enables the specified roles to create new standard databases.

GRANT [IMMUTABLE] DROP DATABASE
  ON DBMS
  TO role[, ...]

Enables the specified roles to delete standard databases.

GRANT [IMMUTABLE] ALTER DATABASE
  ON DBMS
  TO role[, ...]

Enables the specified roles to modify standard databases.

GRANT [IMMUTABLE] SET DATABASE ACCESS
  ON DBMS
  TO role[, ...]

Enables the specified roles to modify access to standard databases.

GRANT [IMMUTABLE] SET DATABASE DEFAULT LANGUAGE
  ON DBMS
  TO role[, ...]

Enables the specified roles to set the default query language on a standard database.

GRANT [IMMUTABLE] CREATE COMPOSITE DATABASE
  ON DBMS
  TO role[, ...]

Enables the specified roles to create new composite databases.

GRANT [IMMUTABLE] DROP COMPOSITE DATABASE
  ON DBMS
  TO role[, ...]

Enables the specified roles to delete composite databases.

GRANT [IMMUTABLE] ALTER COMPOSITE DATABASE
  ON DBMS
  TO role[, ...]

Enables the specified roles to modify composite databases.

GRANT [IMMUTABLE] COMPOSITE DATABASE MANAGEMENT
  ON DBMS
  TO role[, ...]

Enables the specified roles to create, delete or modify composite databases.

GRANT [IMMUTABLE] DATABASE MANAGEMENT
  ON DBMS
  TO role[, ...]

Enables the specified roles to create, delete, and modify databases.

Grant privilege to create standard databases

You can grant the privilege to create standard databases using the CREATE DATABASE privilege.
For example:

GRANT CREATE DATABASE ON DBMS TO databaseAdder

As a result, the databaseAdder role has privileges that only allow creating standard databases. To list all privileges for the role databaseAdder as commands, use the following query:

SHOW ROLE databaseAdder PRIVILEGES AS COMMANDS;
Table 26. Result
command

"GRANT CREATE DATABASE ON DBMS TO `databaseAdder`"

Rows: 1

Grant privilege to create composite databases

You can grant the privilege to create composite databases using the CREATE COMPOSITE DATABASE privilege.
For example:

GRANT CREATE COMPOSITE DATABASE ON DBMS TO compositeDatabaseAdder

As a result, the compositeDatabaseAdder role has privileges that only allow creating composite databases. To list all privileges for the role compositeDatabaseAdder as commands, use the following query:

SHOW ROLE compositeDatabaseAdder PRIVILEGES AS COMMANDS;
Table 27. Result
command

"GRANT CREATE COMPOSITE DATABASE ON DBMS TO `compositeDatabaseAdder`"

Rows: 1

Grant privilege to delete standard databases

You can grant the privilege to delete standard databases using the DROP DATABASE privilege.
For example:

GRANT DROP DATABASE ON DBMS TO databaseDropper

As a result, the databaseDropper role has privileges that only allow deleting standard databases. To list all privileges for the role databaseDropper as commands, use the following query:

SHOW ROLE databaseDropper PRIVILEGES AS COMMANDS;
Table 28. Result
command

"GRANT DROP DATABASE ON DBMS TO `databaseDropper`"

Rows: 1

Grant privilege to delete composite databases

You can grant the privilege to delete composite databases using the DROP COMPOSITE DATABASE privilege.
For example:

GRANT DROP COMPOSITE DATABASE ON DBMS TO compositeDatabaseDropper

As a result, the compositeDatabaseDropper role has privileges that only allow deleting composite databases. To list all privileges for the role compositeDatabaseDropper as commands, use the following query:

SHOW ROLE compositeDatabaseDropper PRIVILEGES AS COMMANDS;
Table 29. Result
command

"GRANT DROP COMPOSITE DATABASE ON DBMS TO `compositeDatabaseDropper`"

Rows: 1

Grant privilege to modify standard databases

You can grant the privilege to modify standard databases using the ALTER DATABASE privilege.
For example:

GRANT ALTER DATABASE ON DBMS TO databaseModifier;

As a result, the databaseModifier role has privileges that only allow modifying standard databases. To list all privileges for the role databaseModifier as commands, use the following query:

SHOW ROLE databaseModifier PRIVILEGES AS COMMANDS;
Table 30. Result
command

"GRANT ALTER DATABASE ON DBMS TO `databaseModifier`"

Rows: 1

Grant privilege to modify access to standard databases

You can grant the privilege to modify access to standard databases using the SET DATABASE ACCESS privilege.
For example:

GRANT SET DATABASE ACCESS ON DBMS TO accessModifier

As a result, the accessModifier role has privileges that only allow modifying access to standard databases. To list all privileges for the role accessModifier as commands, use the following query:

SHOW ROLE accessModifier PRIVILEGES AS COMMANDS;
Table 31. Result
command

"GRANT SET DATABASE ACCESS ON DBMS TO `accessModifier`"

Rows: 1

Grant privilege to modify the default language of standard databases

You can grant the privilege to modify the default language of standard databases using the SET DATABASE DEFAULT LANGUAGE privilege.
For example:

GRANT SET DATABASE DEFAULT LANGUAGE ON DBMS TO languageModifier

As a result, the languageModifier role has privileges that only allow modifying default language to standard databases. To list all privileges for the role languageModifier as commands, use the following query:

SHOW ROLE languageModifier PRIVILEGES AS COMMANDS;
Table 32. Result
command

"GRANT SET DATABASE DEFAULT LANGUAGE ON DBMS TO `languageModifier`"

Rows: 1

Grant privilege to modify composite databases

You can grant the privilege to modify composite databases using the ALTER COMPOSITE DATABASE privilege.
For example:

GRANT ALTER COMPOSITE DATABASE ON DBMS TO compositeDatabaseModifier;

As a result, the compositeDatabaseModifier role has privileges that only allow modifying composite databases. To list all privileges for the role compositeDatabaseModifier as commands, use the following query:

SHOW ROLE compositeDatabaseModifier PRIVILEGES AS COMMANDS;
Table 33. Result
command

"GRANT ALTER COMPOSITE DATABASE ON DBMS TO `compositeDatabaseModifier`"

Rows: 1

Grant privilege to manage composite databases

You can grant the privilege to create, delete, and modify composite databases using the COMPOSITE DATABASE MANAGEMENT privilege.
For example:

GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO compositeDatabaseManager;

As a result, the compositeDatabaseManager role has all privileges to manage composite databases. To list all privileges for the role compositeDatabaseManager as commands, use the following query:

SHOW ROLE compositeDatabaseManager PRIVILEGES AS COMMANDS;
Table 34. Result
command

"GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO `compositeDatabaseManager`"

Rows: 1

Grant privilege to manage standard and composite databases

You can grant the privilege to create, delete, and modify standard and composite databases using the DATABASE MANAGEMENT privilege.
For example:

GRANT DATABASE MANAGEMENT ON DBMS TO databaseManager;

As a result, the databaseManager role has all privileges to manage standard and composite databases. To list all privileges for the role databaseManager as commands, use the following query:

SHOW ROLE databaseManager PRIVILEGES AS COMMANDS;
Table 35. Result
command

"GRANT DATABASE MANAGEMENT ON DBMS TO `databaseManager`"

Rows: 1

The DBMS ALIAS MANAGEMENT privileges

The DBMS privileges for alias management can be granted, denied, or revoked like other privileges. This applies to both local and remote aliases.

For more details about the syntax descriptions, see Reading the administration commands syntax.

Table 36. Alias management privileges command syntax
Command Description
GRANT [IMMUTABLE] CREATE ALIAS
ON DBMS
TO role[, ...]

Enables the specified roles to create new aliases.

GRANT [IMMUTABLE] DROP ALIAS
ON DBMS
TO role[, ...]

Enables the specified roles to delete aliases.

GRANT [IMMUTABLE] ALTER ALIAS
ON DBMS
TO role[, ...]

Enables the specified roles to modify aliases.

GRANT [IMMUTABLE] SHOW ALIAS
ON DBMS
TO role[, ...]

Enables the specified roles to list aliases.

GRANT [IMMUTABLE] ALIAS MANAGEMENT
ON DBMS
TO role[, ...]

Enables the specified roles to list, create, delete, and modify aliases.

Grant privilege to create aliases

You can grant the privilege to create aliases using the CREATE ALIAS privilege.
For example:

GRANT CREATE ALIAS ON DBMS TO aliasAdder;

As a result, the aliasAdder role has privileges that only allow creating aliases. To list all privileges for the role aliasAdder as commands, use the following query:

SHOW ROLE aliasAdder PRIVILEGES AS COMMANDS;
Table 37. Result
command

"GRANT CREATE ALIAS ON DBMS TO `aliasAdder`"

Rows: 1

Grant privilege to delete aliases

You can grant the privilege to delete aliases using the DROP ALIAS privilege.
For example:

GRANT DROP ALIAS ON DBMS TO aliasDropper;

As a result, the aliasDropper role has privileges that only allow deleting aliases. See all privileges for the role aliasDropper as commands, use the following query:

SHOW ROLE aliasDropper PRIVILEGES AS COMMANDS;
Table 38. Result
command

"GRANT DROP ALIAS ON DBMS TO `aliasDropper`"

Rows: 1

Grant privilege to modify aliases

You can grant the privilege to modify aliases using the ALTER ALIAS privilege.
For example:

GRANT ALTER ALIAS ON DBMS TO aliasModifier;

As a result, the aliasModifier role has privileges that only allow modifying aliases. To list all privileges for the role aliasModifier as commands, use the following query:

SHOW ROLE aliasModifier PRIVILEGES AS COMMANDS;
Table 39. Result
command

"GRANT ALTER ALIAS ON DBMS TO `aliasModifier`"

Rows: 1

Grant privilege to list aliases

You can grant the privilege to list aliases using the SHOW ALIAS privilege.
For example:

GRANT SHOW ALIAS ON DBMS TO aliasViewer;

As a result, the aliasViewer role has privileges that only allow modifying aliases. To list all privileges for the role aliasViewer as commands, use the following query:

SHOW ROLE aliasViewer PRIVILEGES AS COMMANDS;
Table 40. Result
command

"GRANT SHOW ALIAS ON DBMS TO `aliasViewer`"

Rows: 1

Grant privilege to manage aliases

You can grant the privilege to create, delete, modify, and list aliases using the ALIAS MANAGEMENT privilege.
For example:

GRANT ALIAS MANAGEMENT ON DBMS TO aliasManager;

As a result, the aliasManager role has all privileges to manage aliases. To list all privileges for the role aliasManager as commands, use the following query:

SHOW ROLE aliasManager PRIVILEGES AS COMMANDS;
Table 41. Result
command

"GRANT ALIAS MANAGEMENT ON DBMS TO `aliasManager`"

Rows: 1

The DBMS SERVER MANAGEMENT privileges

The DBMS privileges for server management can be granted, denied, or revoked like other privileges.

For more details about the syntax descriptions, see Reading the administration commands syntax.

Table 42. Server management privileges command syntax
Command Description
GRANT [IMMUTABLE] SERVER MANAGEMENT
  ON DBMS
  TO role[, ...]

Enables the specified roles to show, enable, rename, alter, reallocate, deallocate, and drop servers.

GRANT [IMMUTABLE] SHOW SERVERS
  ON DBMS
  TO role[, ...]

Enables the specified roles to show servers.

Grant privilege to manage servers

You can grant the privilege to show, enable, rename, alter, reallocate, deallocate, and drop servers using the SERVER MANAGEMENT privilege.
For example:

GRANT SERVER MANAGEMENT ON DBMS TO serverManager;

As a result, the serverManager role has all privileges to manage servers. To list all privileges for the role serverManager as commands, use the following query:

SHOW ROLE serverManager PRIVILEGES AS COMMANDS;
Table 43. Result
command

"GRANT SERVER MANAGEMENT ON DBMS TO `serverManager`"

Rows: 1

Grant privilege to show servers

You can grant the privilege to show servers using the SHOW SERVERS privilege.
For example:

GRANT SHOW SERVERS ON DBMS TO serverViewer;

As a result, the serverViewer role has privileges that only allow showing servers. To list all privileges for the role serverViewer as commands, use the following query:

SHOW ROLE serverViewer PRIVILEGES AS COMMANDS;
Table 44. Result
command

"GRANT SHOW SERVERS ON DBMS TO `serverViewer`"

Rows: 1

The DBMS PRIVILEGE MANAGEMENT privileges

The DBMS privileges for privilege management can be granted, denied, or revoked like other privileges.

For more details about the syntax descriptions, see Reading the administration commands syntax.

Table 45. Privilege management privileges command syntax
Command Description
GRANT [IMMUTABLE] SHOW PRIVILEGE
  ON DBMS
  TO role[, ...]

Enables the specified roles to list privileges.

GRANT [IMMUTABLE] ASSIGN PRIVILEGE
  ON DBMS
  TO role[, ...]

Enables the specified roles to assign privileges using the GRANT and DENY commands.

GRANT [IMMUTABLE] REMOVE PRIVILEGE
  ON DBMS
  TO role[, ...]

Enables the specified roles to remove privileges using the REVOKE command.

GRANT [IMMUTABLE] PRIVILEGE MANAGEMENT
  ON DBMS
  TO role[, ...]

Enables the specified roles to list, assign, and remove privileges.

Grant privilege to list privileges

You can grant the SHOW PRIVILEGE privilege to allow a user to list privileges using the SHOW PRIVILEGE, SHOW ROLE roleName PRIVILEGES, and SHOW USER username PRIVILEGES administration commands. The SHOW USER username PRIVILEGES command also requires the SHOW USER privilege.

For example:

GRANT SHOW PRIVILEGE ON DBMS TO privilegeViewer;

As a result, the privilegeViewer role has privileges that only allow showing privileges. To list all privileges for the role privilegeViewer as commands, use the following query:

SHOW ROLE privilegeViewer PRIVILEGES AS COMMANDS;
Table 46. Result
command

"GRANT SHOW PRIVILEGE ON DBMS TO `privilegeViewer`"

Rows: 1

No specific privileges are required for showing the current user’s privileges through the SHOW USER username PRIVILEGES or SHOW USER PRIVILEGES commands.

If a non-native auth provider like LDAP is in use, SHOW USER PRIVILEGES will only work with a limited capacity by making it only possible for a user to show their own privileges. Other users' privileges cannot be listed when using a non-native auth provider.

Grant privilege to assign privileges

You can grant the privilege to assign privileges using the ASSIGN PRIVILEGE privilege.
A user with this privilege is allowed to execute GRANT and DENY administration commands.
For example:

GRANT ASSIGN PRIVILEGE ON DBMS TO privilegeAssigner;

As a result, the privilegeAssigner role has privileges that only allow assigning privileges. To list all privileges for the role privilegeAssigner as commands, use the following query:

SHOW ROLE privilegeAssigner PRIVILEGES AS COMMANDS;
Table 47. Result
command

"GRANT ASSIGN PRIVILEGE ON DBMS TO `privilegeAssigner`"

Rows: 1

Grant privilege to remove privileges

You can grant the privilege to remove privileges from roles using the REMOVE PRIVILEGE privilege.
A user with this privilege is allowed to execute REVOKE administration commands.
For example:

GRANT REMOVE PRIVILEGE ON DBMS TO privilegeRemover;

As a result, the privilegeRemover role has privileges that only allow removing privileges. To list all privileges for the role privilegeRemover as commands, use the following query:

SHOW ROLE privilegeRemover PRIVILEGES AS COMMANDS;
Table 48. Result
command

"GRANT REMOVE PRIVILEGE ON DBMS TO `privilegeRemover`"

Rows: 1

Grant privilege to manage privileges

You can grant the privilege to list, assign, and remove privileges using the PRIVILEGE MANAGEMENT privilege.
For example:

GRANT PRIVILEGE MANAGEMENT ON DBMS TO privilegeManager;

As a result, the privilegeManager role has all privileges to manage privileges. To list all privileges for the role privilegeManager as commands, use the following query:

SHOW ROLE privilegeManager PRIVILEGES AS COMMANDS;
Table 49. Result
command

"GRANT PRIVILEGE MANAGEMENT ON DBMS TO `privilegeManager`"

Rows: 1

The DBMS EXECUTE privileges

The DBMS privileges for procedure and user-defined function execution can be granted, denied, or revoked like other privileges.

For more details about the syntax descriptions, see Reading the administration commands syntax.

Table 50. Execute privileges command syntax
Command Description
GRANT [IMMUTABLE] EXECUTE PROCEDURE[S] name-globbing[, ...]
  ON DBMS
  TO role[, ...]

Enables the specified roles to execute the given procedures.

GRANT [IMMUTABLE] EXECUTE BOOSTED PROCEDURE[S] name-globbing[, ...]
  ON DBMS
  TO role[, ...]

Enables the specified roles to use elevated privileges when executing the given procedures.

GRANT [IMMUTABLE] EXECUTE ADMIN[ISTRATOR] PROCEDURES
  ON DBMS
  TO role[, ...]

Enables the specified roles to execute procedures annotated with @Admin. The procedures are executed with elevated privileges.

GRANT [IMMUTABLE] EXECUTE [USER [DEFINED]] FUNCTION[S] name-globbing[, ...]
  ON DBMS
  TO role[, ...]

Enables the specified roles to execute the given user-defined functions.

GRANT [IMMUTABLE] EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] name-globbing[, ...]
  ON DBMS
  TO role[, ...]

Enables the specified roles to use elevated privileges when executing the given user-defined functions.

Grant privilege to execute procedures

You can grant the privilege to execute procedures using the EXECUTE PROCEDURE privilege.
A role with this privilege is allowed to execute the procedures matched by the name-globbing.

Grant privilege to execute some procedures

The following query allow the execution of procedures starting with db.schema:

GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO procedureExecutor;

Users with the role procedureExecutor can run any procedure in the db.schema namespace. The procedures are executed using the user’s own privileges.

To list all privileges for the role procedureExecutor as commands, use the following query:

SHOW ROLE procedureExecutor PRIVILEGES AS COMMANDS;
Table 51. Result
command

"GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO `procedureExecutor`"

Rows: 1

Grant privilege to execute all but some procedures

You can grant the privilege to execute all except a few procedures using EXECUTE PROCEDURES * and deny the unwanted procedures. For example, the following queries allow the execution of all procedures, except those starting with dbms.cluster:

GRANT EXECUTE PROCEDURE * ON DBMS TO deniedProcedureExecutor;
DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO deniedProcedureExecutor;

Users with the role deniedProcedureExecutor can run any procedure except those starting with dbms.cluster. The procedures are executed using the user’s own privileges.

To list all privileges for the role deniedProcedureExecutor as commands, use the following query:

SHOW ROLE deniedProcedureExecutor PRIVILEGES AS COMMANDS;
Table 52. Result
command

"DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO `deniedProcedureExecutor`"

"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedProcedureExecutor`"

Rows: 2

The dbms.cluster.checkConnectivity, dbms.cluster.cordonServer, dbms.cluster.protocols, dbms.cluster.readReplicaToggle, dbms.cluster.routing.getRoutingTable, dbms.cluster.secondaryReplicationDisable, dbms.cluster.setAutomaticallyEnableFreeServers, and dbms.cluster.uncordonServer procedures are blocked, as well as any others starting with dbms.cluster.

Grant privilege to execute procedures with elevated privileges

You can grant the privilege to execute procedures with elevated privileges using the EXECUTE BOOSTED PROCEDURE privilege.
A user with this privilege will not be restricted to their other privileges when executing the procedures matched by the name-globbing. The EXECUTE BOOSTED PROCEDURE privilege only affects the elevation, and not the execution of the procedure. Therefore, it is needed to grant EXECUTE PROCEDURE privilege for the procedures as well. Both EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE are needed to execute a procedure with elevated privileges.

Grant privilege to execute some procedures with elevated privileges

You can grant the privilege to execute some procedures with elevated privileges using EXECUTE BOOSTED PROCEDURE *.

For example, the following query allow the execution of the procedures db.labels and db.relationshipTypes with elevated privileges, and all other procedures with the user’s own privileges:

GRANT EXECUTE PROCEDURE * ON DBMS TO boostedProcedureExecutor;
GRANT EXECUTE BOOSTED PROCEDURE db.labels, db.relationshipTypes ON DBMS TO boostedProcedureExecutor

Users with the role boostedProcedureExecutor can thus run the db.labels and the db.relationshipTypes procedures with full privileges, seeing everything in the graph and not just the labels and types that the user has TRAVERSE privilege on. Without the EXECUTE PROCEDURE, no procedures could be executed at all.

To list all privileges for the role boostedProcedureExecutor as commands, use the following query:

SHOW ROLE boostedProcedureExecutor PRIVILEGES AS COMMANDS;
Table 53. Result
command

"GRANT EXECUTE PROCEDURE * ON DBMS TO `boostedProcedureExecutor`"

"GRANT EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `boostedProcedureExecutor`"

"GRANT EXECUTE BOOSTED PROCEDURE db.relationshipTypes ON DBMS TO `boostedProcedureExecutor`"

Rows: 3

Combination of granting execution and denying privilege elevation

As with grant, denying EXECUTE BOOSTED PROCEDURE on its own only affects the elevation and not the execution of the procedure.

For example:

GRANT EXECUTE PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor1;
DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor1;

As a result, the deniedBoostedProcedureExecutor1 role has privileges that allow the execution of all procedures using the user’s own privileges. They also prevent the db.labels procedure from being elevated. Still, the denied EXECUTE BOOSTED PROCEDURE does not block execution of db.labels.

To list all privileges for role deniedBoostedProcedureExecutor1 as commands, use the following query:

SHOW ROLE deniedBoostedProcedureExecutor1 PRIVILEGES AS COMMANDS;
Table 54. Result
command

"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor1`"

"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor1`"

Rows: 2

Combination of granting privilege elevation and denying execution

You can also grant the privilege to execute procedures with elevated privileges and deny the execution of specific procedures.

For example:

GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor2;
DENY EXECUTE PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor2;

As a result, the deniedBoostedProcedureExecutor2 role has privileges that allow elevating the privileges for all procedures, but cannot execute any due to missing or denied EXECUTE PROCEDURE privileges.

To list all privileges for the role deniedBoostedProcedureExecutor2 as commands, use the following query:

SHOW ROLE deniedBoostedProcedureExecutor2 PRIVILEGES AS COMMANDS;
Table 55. Result
command

"DENY EXECUTE PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor2`"

"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor2`"

Rows: 2

Combination of granting and denying privilege elevation

You can also grant the privilege to execute procedures with elevated privileges and deny the elevation for specific procedures.

For example, the following queries allow has privileges that allow elevating the privileges for all procedures except db.labels. However, no procedures can be executed due to a missing EXECUTE PROCEDURE privilege.

GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor3;
DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor3;

As a result, the deniedBoostedProcedureExecutor3 role has privileges that allow elevating the privileges for all procedures except db.labels. However, no procedures can be executed due to missing EXECUTE PROCEDURE privilege.

To list all privileges for the role deniedBoostedProcedureExecutor3 as commands, use the following query:

SHOW ROLE deniedBoostedProcedureExecutor3 PRIVILEGES AS COMMANDS;
Table 56. Result
command

"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor3`"

"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor3`"

Rows: 2

Control procedure output with privileges

You can control the output of procedures based on the privileges granted or denied to a role using the EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE privileges. For example, assume there is a procedure called myProc.

This procedure gives the result A and B for a user with only the EXECUTE PROCEDURE privilege and A, B and C for a user with both the EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE privileges.

Now, adapt the privileges from sections Combination of granting execution and denying privilege elevation (example 1), Combination of granting privilege elevation and denying execution (example 2), and Combination of granting and denying privilege elevations (example 3) to be applied to this procedure and show what is returned.

With the privileges from example 1, granted EXECUTE PROCEDURE * and denied EXECUTE BOOSTED PROCEDURE myProc, the myProc procedure returns the result A and B.

With the privileges from example 2, granted EXECUTE BOOSTED PROCEDURE * and denied EXECUTE PROCEDURE myProc, execution of the myProc procedure is not allowed.

With the privileges from example 3, granted EXECUTE BOOSTED PROCEDURE * and denied EXECUTE BOOSTED PROCEDURE myProc, execution of the myProc procedure is not allowed.

For comparison, when granted:

  • EXECUTE PROCEDURE myProc: the myProc procedure returns the result A and B.

  • EXECUTE BOOSTED PROCEDURE myProc: execution of the myProc procedure is not allowed.

  • EXECUTE PROCEDURE myProc and EXECUTE BOOSTED PROCEDURE myProc: the myProc procedure returns the result A, B, and C.

Grant privilege to execute admin procedures

Admin procedures (annotated with @Admin) are special in that they require elevated privileges to be executed at all. This means that to execute an admin procedure you need both the EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE privileges for that procedure.

For a user to be allowed to execute all admin procedures, they can either be granted the two privileges for each of the admin procedures (which would need to be updated each time a new admin procedure is added), all procedures (which would then affect all non-admin procedures as well) or the EXECUTE ADMIN PROCEDURES privilege.

The EXECUTE ADMIN PROCEDURES privilege is equivalent to granting the EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE privileges on each of the admin procedures. This also have the additional advantage that any newly added admin procedure is automatically included in this privilege.
For example:

GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO adminProcedureExecutor;

Users with the role adminProcedureExecutor can run any admin procedure with elevated privileges. As a result, the adminProcedureExecutor role has privileges that allow the execution of all admin procedures. To list all privileges for the role adminProcedureExecutor as commands, use the following query:

SHOW ROLE adminProcedureExecutor PRIVILEGES AS COMMANDS;
Table 57. Result
command

"GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO `adminProcedureExecutor`"

Rows: 1

In order to compare this with the EXECUTE PROCEDURE and EXECUTE BOOSTED PROCEDURE privileges, revisit the myProc procedure, but this time as an admin procedure, which will give the result A, B and C when allowed to execute.

By starting with a user only granted the EXECUTE PROCEDURE myProc or the EXECUTE BOOSTED PROCEDURE myProc privilege, execution of the myProc procedure is not allowed.

However, for a user granted the EXECUTE ADMIN PROCEDURES or both EXECUTE PROCEDURE myProc and EXECUTE BOOSTED PROCEDURE myProc, the myProc procedure returns the result A, B and C.

Any denied EXECUTE privilege results in the procedure not being allowed to be executed. In this case, it does not matter whether EXECUTE PROCEDURE, EXECUTE BOOSTED PROCEDURE or EXECUTE ADMIN PROCEDURES is being denied.

Grant privilege to execute user-defined functions

You can grant the privilege to execute user-defined functions (UDFs) using the EXECUTE USER DEFINED FUNCTION privilege. A role with this privilege is allowed to execute the UDFs matched by the name-globbing.

The EXECUTE USER DEFINED FUNCTION privilege does not apply to built-in functions, which are always executable.

Grant privilege to execute some user-defined functions

The following query shows an example of how to grant the EXECUTE USER DEFINED FUNCTION privilege:

GRANT EXECUTE USER DEFINED FUNCTION apoc.coll.* ON DBMS TO functionExecutor;

Or in short form:

GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO functionExecutor;

Users with the role functionExecutor can thus run any UDF in the apoc.coll namespace. The functions are executed using the user’s own privileges.

As a result, the functionExecutor role has privileges that only allow executing UDFs in the apoc.coll namespace. To list all privileges for the role functionExecutor as commands, use the following query:

SHOW ROLE functionExecutor PRIVILEGES AS COMMANDS;
Table 58. Result
command

"GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO `functionExecutor`"

Rows: 1

Grant privilege to execute all but some user-defined functions

To allow the execution of all but a few UDFs, you can grant EXECUTE USER DEFINED FUNCTIONS * and deny the unwanted UDFs. For example, the following queries allow the execution of all UDFs except those starting with apoc.any.prop:

GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO deniedFunctionExecutor;
DENY EXECUTE USER DEFINED FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor;

Or in short form:

GRANT EXECUTE FUNCTIONS * ON DBMS TO deniedFunctionExecutor;
DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor;

As a result, the deniedFunctionExecutor role has privileges that only allow the execution of all UDFs except those starting with apoc.any.prop. The functions are executed using the user’s own privileges. To list all privileges for the role deniedFunctionExecutor as commands, use the following query:

SHOW ROLE deniedFunctionExecutor PRIVILEGES AS COMMANDS;
Table 59. Result
command

"DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO `deniedFunctionExecutor`"

"GRANT EXECUTE FUNCTION * ON DBMS TO `deniedFunctionExecutor`"

Rows: 2

The apoc.any.property and apoc.any.properties are blocked, as well as any other UDFs starting with apoc.any.prop.

Grant privilege to execute user-defined functions with elevated privileges

You can grant the privilege to execute user-defined functions (UDFs) with elevated privileges using the EXECUTE BOOSTED USER DEFINED FUNCTION privilege.
A user with this privilege will not be restricted to their other privileges when executing the UDFs matched by the name-globbing. The EXECUTE BOOSTED USER DEFINED FUNCTION privilege only affects the elevation and not the execution of the function. Therefore, it is needed to grant EXECUTE USER DEFINED FUNCTION privilege for the UDFs as well. Both EXECUTE USER DEFINED FUNCTION and EXECUTE BOOSTED USER DEFINED FUNCTION are needed to execute a function with elevated privileges.

The EXECUTE BOOSTED USER DEFINED FUNCTION privilege does not apply to built-in functions, as they have no concept of elevated privileges.

Grant privilege to execute some user-defined functions with elevated privileges

The following query shows an example of how to grant the EXECUTE BOOSTED USER DEFINED FUNCTION privilege:

GRANT EXECUTE USER DEFINED FUNCTION * ON DBMS TO boostedFunctionExecutor;
GRANT EXECUTE BOOSTED USER DEFINED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor;

Or in short form:

GRANT EXECUTE FUNCTION * ON DBMS TO boostedFunctionExecutor;
GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor;

Users with the role boostedFunctionExecutor can thus run apoc.any.properties with full privileges and see every property on the node/relationship, not just the properties that the user has READ privilege on. Without the EXECUTE USER DEFINED FUNCTION, you cannot execute any UDFs at all.

As a result, the boostedFunctionExecutor role has privileges that allow executing the UDF apoc.any.properties with elevated privileges, and all other UDFs with the users' own privileges. To list all privileges for the role boostedFunctionExecutor as commands, use the following query:

SHOW ROLE boostedFunctionExecutor PRIVILEGES AS COMMANDS;
Table 60. Result
command

"GRANT EXECUTE FUNCTION * ON DBMS TO `boostedFunctionExecutor`"

"GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO `boostedFunctionExecutor`"

Rows: 2

The DBMS SETTING privileges

You can grant the privilege to show configuration settings using the SHOW SETTING privilege. A role with this privilege is allowed to list the configuration settings matched by the name-globbing.

For more details about the syntax descriptions, see Reading the administration commands syntax.

Table 61. Setting privileges command syntax
Command Description
GRANT [IMMUTABLE] SHOW SETTING[S] name-globbing[, ...]
  ON DBMS
  TO role[, ...]

Enables the specified roles to list given configuration settings.

Grant privilege to show all settings

You can grant the privilege to show all settings using SHOW SETTING * or all settings in a namespace using SHOW SETTING namespace.*. The following query shows an example of how to grant SHOW SETTING privilege to view all settings in the server.bolt namespace:

GRANT SHOW SETTING server.bolt.* ON DBMS TO configurationViewer;

Users with the role configurationViewer can then view any setting in the server.bolt namespace.

As a result, the configurationViewer role has privileges that only allow listing settings in the server.bolt namespace. To list all privileges for the role configurationViewer as commands, use the following query:

SHOW ROLE configurationViewer PRIVILEGES AS COMMANDS;
Table 62. Result
command

"GRANT SHOW SETTING server.bolt.* ON DBMS TO `configurationViewer`"

Rows: 1

Grant privilege to show all but some settings

You can grant the privilege to show all but a few settings using SHOW SETTINGS * and deny the unwanted settings.
For example, the following queries allow you to view all settings, except those starting with dbms.security:

GRANT SHOW SETTINGS * ON DBMS TO deniedConfigurationViewer;
DENY SHOW SETTING dbms.security* ON DBMS TO deniedConfigurationViewer;

As a result, the deniedConfigurationViewer role has privileges that allow listing all settings except those starting with dbms.security. To list all privileges for the role deniedConfigurationViewer as commands, use the following query:

SHOW ROLE deniedConfigurationViewer PRIVILEGES AS COMMANDS;
Table 63. Result
command

"DENY SHOW SETTING dbms.security* ON DBMS TO `deniedConfigurationViewer`"

"GRANT SHOW SETTING * ON DBMS TO `deniedConfigurationViewer`"

Rows: 2

As the query result shows, viewing settings starting with dbms.security is blocked, but the rest can still be listed.

Granting ALL DBMS PRIVILEGES

You can grant the ALL DBMS PRIVILEGES privilege to a role.
The ALL DBMS PRIVILEGES privilege is equivalent to granting the following privileges:

  • Create, drop, assign, remove, and show roles.

  • Create, alter, drop, show, and impersonate users.

  • Create, alter, drop, and show databases and aliases.

  • Enable, alter, rename, reallocate, deallocate, drop, and show servers.

  • Show, assign, and remove privileges.

  • Execute all procedures with elevated privileges.

  • Execute all user-defined functions with elevated privileges.

  • Show all configuration settings.

For more details about the syntax descriptions, see Reading the administration commands syntax.

GRANT [IMMUTABLE] ALL [[DBMS] PRIVILEGES]
    ON DBMS
    TO role[, ...]

For example, to grant the role dbmsManager all DBMS abilities, use the following query:

GRANT ALL DBMS PRIVILEGES ON DBMS TO dbmsManager;

To list all privileges for the role dbmsManager as commands, use the following query:

SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS;
Table 64. Result
command

"GRANT ALL DBMS PRIVILEGES ON DBMS TO `dbmsManager`"

Rows: 1

Name-globbing for procedures, user-defined functions, and settings

The name-globbing for procedures, user-defined functions, and setting names is a simplified version of globbing for filename expansions. It only allows two wildcard characters: * and ?, which are used for multiple and single-character matches. In this case, * means 0 or more characters, and ? matches exactly one character.

The name-globbing is subject to the Cypher Manual → Naming rules and recommendations, with the exception that it may include dots, stars, and question marks without the need for escaping using backticks.

Each part of the name-globbing separated by dots may be individually quoted. For example, mine.`procedureWith%` is allowed, but not mine.procedure`With%`. Also, note that wildcard characters behave as wildcards even when quoted. For example, using `*` is equivalent to using *, and thus allows executing all functions or procedures and not only the procedure or function named *.

Given the following list of procedures:

  • mine.public.exampleProcedure

  • mine.public.exampleProcedure1

  • mine.public.exampleProcedure2

  • mine.public.with#Special§Characters

  • mine.private.exampleProcedure

  • mine.private.exampleProcedure1

  • mine.private.exampleProcedure2

  • mine.private.with#Special§Characters

  • your.exampleProcedure

The following examples demonstrate how name-globbing patterns can be used in controlling access to procedures. Note that the same rules apply to user-defined functions and settings.

GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1;

Users with the role globbing1 can run all the procedures.

GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2;

Users with the role globbing2 can run procedures mine.public.exampleProcedure and mine.private.exampleProcedure, but no other procedures.

GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3;

Users with the role globbing3 can run procedures mine.public.exampleProcedure1, mine.private.exampleProcedure1, and mine.private.exampleProcedure2, but no other procedures.

GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4;

Users with the role globbing4 can run procedures your.exampleProcedure, mine.public.exampleProcedure, and mine.private.exampleProcedure, but no other procedures.

GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5;

Users with the role globbing5 can run procedures mine.public.exampleProcedure, mine.public.exampleProcedure1 and mine.public.exampleProcedure42, but no other procedures.

GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6;

Users with the role globbing6 can run procedures mine.public.with#Special§Characters, and mine.private.with#Special§Characters, but no other procedures.

The name-globbing may be fully or partially quoted. Both * and ? are interpreted as wildcards in both cases.