DBMS privileges
All DBMS privileges are relevant system-wide. Like user management, they do not belong to one specific database or graph. For more details on the differences between graphs, databases, and the DBMS, refer to Cypher Manual → Cypher and Neo4j.
You can only grant, deny, or revoke privileges to or from existing roles. |
The admin
role privileges
The admin
role role is a built-in superuser role that has all privileges on the DBMS and can perform all administrative tasks.
This includes the following tasks and their relevant privileges:
-
Change configuration parameters.
-
Manage privilege management.
-
Manage impersonation privileges.
-
Manage procedure security.
-
Manage load data security.
To enable a user to perform these tasks, you can grant them the admin
role, but it is also possible to make a custom role with a subset of these privileges.
All privileges are also assignable using Cypher commands.
The following sections describe the privileges that are available for DBMS administration and show some examples of how to use Cypher commands to manage them.
Using a custom role to manage DBMS privileges
You can create a custom role to manage DBMS privileges by granting the privileges you want to the role.
Alternatively, you can copy the admin
role and revoke or deny the unwanted privileges.
The following examples show how to create a custom role with a subset of the privileges that the admin
role using both methods.
Create a custom administrator role from scratch
Create an administrator role that can only manage users and roles by creating a new role and granting the USER MANAGEMENT
and ROLE MANAGEMENT
privileges.
-
Create the new role:
CREATE ROLE userAndRoleAdministrator;
-
Grant the privilege to manage users:
GRANT USER MANAGEMENT ON DBMS TO userAndRoleAdministrator;
-
Grant the privilege to manage roles:
GRANT ROLE MANAGEMENT ON DBMS TO userAndRoleAdministrator;
As a result, the
userAndRoleAdministrator
role has privileges that only allow user and role management. -
To list all privileges for the role
userAndRoleAdministrator
as commands, use the following query:SHOW ROLE userAndRoleAdministrator PRIVILEGES AS COMMANDS;
Table 1. Result command "GRANT ROLE MANAGEMENT ON DBMS TO `userAndRoleAdministrator`"
"GRANT USER MANAGEMENT ON DBMS TO `userAndRoleAdministrator`"
Rows: 2
This role does not allow all DBMS capabilities.
For example, the role is missing privileges for managing, creating, and dropping databases, as well as executing |
Create a more powerful custom administrator role from scratch
You can also create a custom administrator role with limited capabilities.
This can be done by creating a new role and granting all DBMS
privileges, then denying the ones you do not want the role to have, and then granting additional privileges you want to include.
For example, you can create a custom administrator role customAdministrator
that has all DBMS privileges except for creating, dropping, and modifying databases, and also has the privilege for managing transactions.
-
Create a new role:
CREATE ROLE customAdministrator;
-
Grant the privilege for all DBMS capabilities:
GRANT ALL DBMS PRIVILEGES ON DBMS TO customAdministrator;
-
Explicitly deny the privilege to manage databases:
DENY DATABASE MANAGEMENT ON DBMS TO customAdministrator;
-
Grant the transaction management privilege:
GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO customAdministrator;
As a result, the
customAdministrator
role has privileges that include managing transactions and all DBMS privileges except creating, dropping, and modifying databases. -
To list all privileges for the role
customAdministrator
as commands, use the following query:SHOW ROLE customAdministrator PRIVILEGES AS COMMANDS;
Table 2. Result command "DENY DATABASE MANAGEMENT ON DBMS TO `customAdministrator`"
"GRANT ALL DBMS PRIVILEGES ON DBMS TO `customAdministrator`"
"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `customAdministrator`"
Rows: 3
Create a custom administrator role by copying the admin
role
You can also create a custom administrator role by copying the admin
role and then revoking or denying the privileges you do not want.
For example, you can create a new role called newAdministrator
that has all the privileges of the admin
role, and then revoke the ability to read/write/load data, manage constraints, indexes, name, and remove ability to access all databases, except the system
database.
-
Create a new role by copying the
admin
role:CREATE ROLE newAdministrator AS COPY OF admin;
-
Revoke the ability to read/write/load data:
REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM newAdministrator; REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM newAdministrator; REVOKE GRANT WRITE ON GRAPH * FROM newAdministrator; REVOKE GRANT LOAD ON ALL DATA FROM newAdministrator;
-
Revoke the ability to manage index/constraint/name:
REVOKE GRANT CONSTRAINT MANAGEMENT ON DATABASE * FROM newAdministrator; REVOKE GRANT INDEX MANAGEMENT ON DATABASE * FROM newAdministrator; REVOKE GRANT NAME MANAGEMENT ON DATABASE * FROM newAdministrator; REVOKE GRANT SHOW CONSTRAINT ON DATABASE * FROM newAdministrator; REVOKE GRANT SHOW INDEX ON DATABASE * FROM newAdministrator;
-
Revoke the ability to access all databases:
REVOKE GRANT ACCESS ON DATABASE * FROM newAdministrator;
-
Grant the ability to access the
system
database:GRANT ACCESS ON DATABASE system TO newAdministrator;
-
To list all privileges for the role
newAdministrator
as commands, use the following query:SHOW ROLE newAdministrator PRIVILEGES AS COMMANDS;
Table 3. Result command "GRANT ACCESS ON DATABASE
system
TO `newAdministrator`""GRANT ALL DBMS PRIVILEGES ON DBMS TO `newAdministrator`"
"GRANT START ON DATABASE * TO `newAdministrator`"
"GRANT STOP ON DATABASE * TO `newAdministrator`"
"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `newAdministrator`"
Rows: 5
The DBMS ROLE MANAGEMENT
privileges
The DBMS privileges for role management can be granted, denied, or revoked like other privileges.
For more details about the syntax descriptions, see Reading the administration commands syntax. |
Command | Description |
---|---|
|
Enables the specified roles to create new roles. |
|
Enables the specified roles to change the name of roles. |
|
Enables the specified roles to delete roles. |
|
Enables the specified roles to assign roles to users. |
|
Enables the specified roles to remove roles from users. |
|
Enables the specified roles to list roles. |
|
Enables the specified roles to create, delete, assign, remove, and list roles. |
Grant privilege to create roles
You can grant the privilege to add roles using the CREATE ROLE
command.
For example:
GRANT CREATE ROLE ON DBMS TO roleAdder;
As a result, the roleAdder
role has privileges that only allow adding roles.
To list all privileges for the role roleAdder
as commands, use the following query:
SHOW ROLE roleAdder PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to rename roles
You can grant the privilege to rename roles using the RENAME ROLE
privilege.
For example:
GRANT RENAME ROLE ON DBMS TO roleNameModifier;
As a result, the roleNameModifier
role has privileges that only allow renaming roles.
To list all privileges for the role roleNameModifier
, use the following query:
SHOW ROLE roleNameModifier PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to delete roles
You can grant the privilege to delete roles using the DROP ROLE
privilege.
For example:
GRANT DROP ROLE ON DBMS TO roleDropper;
As a result, the roleDropper
role has privileges that only allow deleting roles.
To list all privileges for the role roleDropper
, use the following query:
SHOW ROLE roleDropper PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to assign roles
You can grant the privilege to assign roles to users using the ASSIGN ROLE
privilege.
For example:
GRANT ASSIGN ROLE ON DBMS TO roleAssigner;
As a result, the roleAssigner
role has privileges that only allow assigning/granting roles.
To list all privileges for the role roleAssigner
as commands, use the following query:
SHOW ROLE roleAssigner PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to remove roles
You can grant the privilege to remove roles from users using the REMOVE ROLE
privilege.
For example:
GRANT REMOVE ROLE ON DBMS TO roleRemover;
As a result, the roleRemover
role has privileges that only allow removing/revoking roles.
To list all privileges for the role roleRemover
as commands, use the following query:
SHOW ROLE roleRemover PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to show roles
You can grant the privilege to show roles using the SHOW ROLE
privilege.
A role with this privilege is allowed to execute the SHOW ROLES
and SHOW POPULATED ROLES
administration commands.
In order to use |
The following query shows an example of how to grant the SHOW ROLE
privilege:
GRANT SHOW ROLE ON DBMS TO roleViewer;
As a result, the roleViewer
role has privileges that only allow showing roles.
To list all privileges for the role roleViewer
as commands, use the following query:
SHOW ROLE roleViewer PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to manage roles
You can grant the privilege to create, rename, delete, assign, remove, and list roles using the ROLE MANAGEMENT
privilege.
For example:
GRANT ROLE MANAGEMENT ON DBMS TO roleManager;
As a result, the roleManager
role has all privileges to manage roles.
To list all privileges for the role roleManager
as commands, use the following query:
SHOW ROLE roleManager PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
The DBMS USER MANAGEMENT
privileges
The DBMS privileges for user management can be granted, denied, or revoked like other privileges.
For more details about the syntax descriptions, see Reading the administration commands syntax. |
Command | Description |
---|---|
|
Enables the specified roles to create new users. |
|
Enables the specified roles to change the name of users. |
|
Enables the specified roles to modify users. |
|
Enables the specified roles to modify users' passwords and whether those passwords must be changed upon first login. |
|
Enables the specified roles to |
|
Enables the specified roles to modify users' home database. |
|
Enables the specified roles to modify the account status of users. |
|
Enables the specified roles to delete users. |
|
Enables the specified roles to list users. |
|
Enables the specified roles to create, delete, modify, and list users. |
Grant privilege to create users
You can grant the privilege to add users using the CREATE USER
privilege.
For example:
GRANT CREATE USER ON DBMS TO userAdder
As a result, the userAdder
role has privileges that only allow adding users.
To list all privileges for the role userAdder
as commands, use the following query:
SHOW ROLE userAdder PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to rename users
You can grant the privilege to rename users using the RENAME USER
privilege.
For example:
GRANT RENAME USER ON DBMS TO userNameModifier
As a result, the userNameModifier
role has privileges that only allow renaming users.
To list all privileges for the role userNameModifier
as commands, use the following query:
SHOW ROLE userNameModifier PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to modify users
You can grant the privilege to modify users using the ALTER USER
privilege.
For example:
GRANT ALTER USER ON DBMS TO userModifier
As a result, the userModifier
role has privileges that only allow modifying users.
To list all privileges for the role userModifier
as commands, use the following query:
SHOW ROLE userModifier PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
The ALTER USER
privilege allows the user to run the ALTER USER
administration command with one or several of the SET PASSWORD
, SET PASSWORD CHANGE [NOT] REQUIRED
, SET AUTH
, REMOVE AUTH
, SET STATUS
, SET HOME DATABASE
, and REMOVE HOME DATABASE
parts.
For example:
ALTER USER jake SET PASSWORD 'verysecret' SET STATUS SUSPENDED
Note that the combination of the |
Grant privilege to modify users' passwords
You can grant the privilege to modify users' passwords and whether those passwords must be changed upon first login using the SET PASSWORDS
privilege.
For example:
GRANT SET PASSWORDS ON DBMS TO passwordModifier
As a result, the passwordModifier
role has privileges that only allow modifying users' passwords and whether those passwords must be changed upon first login.
To list all privileges for the role passwordModifier
as commands, use the following query:
SHOW ROLE passwordModifier PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
The SET PASSWORDS
privilege allows the user to run the ALTER USER
administration command with one or both of the SET PASSWORD
and SET PASSWORD CHANGE [NOT] REQUIRED
parts.
ALTER USER jake SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED
Grant privilege to modify users' auth information
You can grant the privilege to modify users' auth information using the SET AUTH
privilege.
For example:
GRANT SET AUTH ON DBMS TO authModifier
As a result, the authModifier
role has privileges that only allow modifying users' auth information.
The SET AUTH
privilege allows the user to run the ALTER USER
administration command with one or both of the SET
AUTH
and REMOVE AUTH
parts.
For example:
ALTER USER jake REMOVE AUTH 'native' SET AUTH 'oidc-okta' { SET id 'jakesUniqueOktaUserId' }
Grant privilege to modify the account status of users
You can grant the privilege to modify the account status of users using the SET USER STATUS
privilege.
For example:
GRANT SET USER STATUS ON DBMS TO statusModifier
As a result, the statusModifier
role has privileges that only allow modifying the account status of users.
To list all privileges for the role statusModifier
as commands, use the following query:
SHOW ROLE statusModifier PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
The SET USER STATUS
privilege allows the user to run the ALTER USER
administration command with only the SET STATUS
part:
ALTER USER jake SET STATUS ACTIVE
Grant privilege to modify the home database of users
You can grant the privilege to modify the home database of users using the SET USER HOME DATABASE
privilege.
For example:
GRANT SET USER HOME DATABASE ON DBMS TO homeDbModifier
As a result, the homeDbModifier
role has privileges that only allow modifying the home database of users.
To list all privileges for the role homeDbModifier
as commands, use the following query:
SHOW ROLE homeDbModifier PRIVILEGES AS COMMANDS;
command |
---|
|
|
Rows: 2 |
The SET USER HOME DATABASE
privilege allows the user to run the ALTER USER
administration command with only the SET HOME DATABASE
or REMOVE HOME DATABASE
part:
ALTER USER jake SET HOME DATABASE otherDb
ALTER USER jake REMOVE HOME DATABASE
Grant privilege to delete users
You can grant the privilege to delete users using the DROP USER
privilege.
For example:
GRANT DROP USER ON DBMS TO userDropper
As a result, the userDropper
role has privileges that only allow deleting users.
To list all privileges for the role userDropper
as commands, use the following query:
SHOW ROLE userDropper PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to show users
You can grant the privilege to show users using the SHOW USER
privilege.
For example:
GRANT SHOW USER ON DBMS TO userViewer
As a result, the userViewer
role has privileges that only allow showing users.
To list all privileges for the role userViewer
as commands, use the following query:
SHOW ROLE userViewer PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to manage users
You can grant the privilege to create, rename, modify, delete, and list users using the USER MANAGEMENT
privilege.
For example:
GRANT USER MANAGEMENT ON DBMS TO userManager
As a result, the userManager
role has all privileges to manage users.
To list all privileges for the role userManager
as commands, use the following query:
SHOW ROLE userManager PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
The DBMS IMPERSONATE
privileges
The DBMS privileges for impersonation can be granted, denied, or revoked like other privileges.
Impersonation is the ability of a user to assume another user’s roles (and therefore privileges), with the restriction of not being able to execute updating admin
commands as the impersonated user (i.e. they would still be able to use SHOW
commands).
You can use the IMPERSONATE
privilege to allow a user to impersonate another user.
For more details about the syntax descriptions, see Reading the administration commands syntax. |
Command | Description |
---|---|
|
Enables the specified roles to impersonate any user. |
|
Enables the specified roles to impersonate the specified users. |
Grant privilege to impersonate all users
You can grant the privilege to impersonate all users using the IMPERSONATE (*)
privilege.
For example:
GRANT IMPERSONATE (*) ON DBMS TO allUserImpersonator
As a result, the allUserImpersonator
role has privileges that allow impersonating all users.
To list all privileges for the role allUserImpersonator
as commands, use the following query:
SHOW ROLE allUserImpersonator PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to impersonate specific users
You can also grant the privilege to impersonate specific users or a subset of users.
For example:
GRANT IMPERSONATE (alice, bob) ON DBMS TO userImpersonator;
As a result, the userImpersonator
role has privileges that allow impersonating only alice
and bob
.
Then, you deny the privilege to impersonate alice
:
DENY IMPERSONATE (alice) ON DBMS TO userImpersonator;
As a result, the userImpersonator
user would be able to impersonate only bob
.
To list all privileges for the role userImpersonator
as commands, use the following query:
SHOW ROLE userImpersonator PRIVILEGES AS COMMANDS;
command |
---|
|
|
|
Rows: 3 |
The DBMS DATABASE MANAGEMENT
privileges
The DBMS privileges for database management can be granted, denied, or revoked like other privileges.
For more details about the syntax descriptions, see Reading the administration commands syntax. |
Command | Description |
---|---|
|
Enables the specified roles to create new standard databases. |
|
Enables the specified roles to delete standard databases. |
|
Enables the specified roles to modify standard databases. |
|
Enables the specified roles to modify access to standard databases. |
|
Enables the specified roles to set the default query language on a standard database. |
|
Enables the specified roles to create new composite databases. |
|
Enables the specified roles to delete composite databases. |
|
Enables the specified roles to modify composite databases. |
|
Enables the specified roles to create, delete or modify composite databases. |
|
Enables the specified roles to create, delete, and modify databases. |
Grant privilege to create standard databases
You can grant the privilege to create standard databases using the CREATE DATABASE
privilege.
For example:
GRANT CREATE DATABASE ON DBMS TO databaseAdder
As a result, the databaseAdder
role has privileges that only allow creating standard databases.
To list all privileges for the role databaseAdder
as commands, use the following query:
SHOW ROLE databaseAdder PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to create composite databases
You can grant the privilege to create composite databases using the CREATE COMPOSITE DATABASE
privilege.
For example:
GRANT CREATE COMPOSITE DATABASE ON DBMS TO compositeDatabaseAdder
As a result, the compositeDatabaseAdder
role has privileges that only allow creating composite databases.
To list all privileges for the role compositeDatabaseAdder
as commands, use the following query:
SHOW ROLE compositeDatabaseAdder PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to delete standard databases
You can grant the privilege to delete standard databases using the DROP DATABASE
privilege.
For example:
GRANT DROP DATABASE ON DBMS TO databaseDropper
As a result, the databaseDropper
role has privileges that only allow deleting standard databases.
To list all privileges for the role databaseDropper
as commands, use the following query:
SHOW ROLE databaseDropper PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to delete composite databases
You can grant the privilege to delete composite databases using the DROP COMPOSITE DATABASE
privilege.
For example:
GRANT DROP COMPOSITE DATABASE ON DBMS TO compositeDatabaseDropper
As a result, the compositeDatabaseDropper
role has privileges that only allow deleting composite databases.
To list all privileges for the role compositeDatabaseDropper
as commands, use the following query:
SHOW ROLE compositeDatabaseDropper PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to modify standard databases
You can grant the privilege to modify standard databases using the ALTER DATABASE
privilege.
For example:
GRANT ALTER DATABASE ON DBMS TO databaseModifier;
As a result, the databaseModifier
role has privileges that only allow modifying standard databases.
To list all privileges for the role databaseModifier
as commands, use the following query:
SHOW ROLE databaseModifier PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to modify access to standard databases
You can grant the privilege to modify access to standard databases using the SET DATABASE ACCESS
privilege.
For example:
GRANT SET DATABASE ACCESS ON DBMS TO accessModifier
As a result, the accessModifier
role has privileges that only allow modifying access to standard databases.
To list all privileges for the role accessModifier
as commands, use the following query:
SHOW ROLE accessModifier PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to modify the default language of standard databases
You can grant the privilege to modify the default language of standard databases using the SET DATABASE DEFAULT LANGUAGE
privilege.
For example:
GRANT SET DATABASE DEFAULT LANGUAGE ON DBMS TO languageModifier
As a result, the languageModifier
role has privileges that only allow modifying default language to standard databases.
To list all privileges for the role languageModifier
as commands, use the following query:
SHOW ROLE languageModifier PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to modify composite databases
You can grant the privilege to modify composite databases using the ALTER COMPOSITE DATABASE
privilege.
For example:
GRANT ALTER COMPOSITE DATABASE ON DBMS TO compositeDatabaseModifier;
As a result, the compositeDatabaseModifier
role has privileges that only allow modifying composite databases.
To list all privileges for the role compositeDatabaseModifier
as commands, use the following query:
SHOW ROLE compositeDatabaseModifier PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to manage composite databases
You can grant the privilege to create, delete, and modify composite databases using the COMPOSITE DATABASE MANAGEMENT
privilege.
For example:
GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO compositeDatabaseManager;
As a result, the compositeDatabaseManager
role has all privileges to manage composite databases.
To list all privileges for the role compositeDatabaseManager
as commands, use the following query:
SHOW ROLE compositeDatabaseManager PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to manage standard and composite databases
You can grant the privilege to create, delete, and modify standard and composite databases using the DATABASE MANAGEMENT
privilege.
For example:
GRANT DATABASE MANAGEMENT ON DBMS TO databaseManager;
As a result, the databaseManager
role has all privileges to manage standard and composite databases.
To list all privileges for the role databaseManager
as commands, use the following query:
SHOW ROLE databaseManager PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
The DBMS ALIAS MANAGEMENT
privileges
The DBMS privileges for alias management can be granted, denied, or revoked like other privileges. This applies to both local and remote aliases.
For more details about the syntax descriptions, see Reading the administration commands syntax. |
Command | Description |
---|---|
|
Enables the specified roles to create new aliases. |
|
Enables the specified roles to delete aliases. |
|
Enables the specified roles to modify aliases. |
|
Enables the specified roles to list aliases. |
|
Enables the specified roles to list, create, delete, and modify aliases. |
Grant privilege to create aliases
You can grant the privilege to create aliases using the CREATE ALIAS
privilege.
For example:
GRANT CREATE ALIAS ON DBMS TO aliasAdder;
As a result, the aliasAdder
role has privileges that only allow creating aliases.
To list all privileges for the role aliasAdder
as commands, use the following query:
SHOW ROLE aliasAdder PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to delete aliases
You can grant the privilege to delete aliases using the DROP ALIAS
privilege.
For example:
GRANT DROP ALIAS ON DBMS TO aliasDropper;
As a result, the aliasDropper
role has privileges that only allow deleting aliases.
See all privileges for the role aliasDropper
as commands, use the following query:
SHOW ROLE aliasDropper PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to modify aliases
You can grant the privilege to modify aliases using the ALTER ALIAS
privilege.
For example:
GRANT ALTER ALIAS ON DBMS TO aliasModifier;
As a result, the aliasModifier
role has privileges that only allow modifying aliases.
To list all privileges for the role aliasModifier
as commands, use the following query:
SHOW ROLE aliasModifier PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to list aliases
You can grant the privilege to list aliases using the SHOW ALIAS
privilege.
For example:
GRANT SHOW ALIAS ON DBMS TO aliasViewer;
As a result, the aliasViewer
role has privileges that only allow modifying aliases.
To list all privileges for the role aliasViewer
as commands, use the following query:
SHOW ROLE aliasViewer PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to manage aliases
You can grant the privilege to create, delete, modify, and list aliases using the ALIAS MANAGEMENT
privilege.
For example:
GRANT ALIAS MANAGEMENT ON DBMS TO aliasManager;
As a result, the aliasManager
role has all privileges to manage aliases.
To list all privileges for the role aliasManager
as commands, use the following query:
SHOW ROLE aliasManager PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
The DBMS SERVER MANAGEMENT
privileges
The DBMS privileges for server management can be granted, denied, or revoked like other privileges.
For more details about the syntax descriptions, see Reading the administration commands syntax. |
Command | Description |
---|---|
|
Enables the specified roles to show, enable, rename, alter, reallocate, deallocate, and drop servers. |
|
Enables the specified roles to show servers. |
Grant privilege to manage servers
You can grant the privilege to show, enable, rename, alter, reallocate, deallocate, and drop servers using the SERVER MANAGEMENT
privilege.
For example:
GRANT SERVER MANAGEMENT ON DBMS TO serverManager;
As a result, the serverManager
role has all privileges to manage servers.
To list all privileges for the role serverManager
as commands, use the following query:
SHOW ROLE serverManager PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to show servers
You can grant the privilege to show servers using the SHOW SERVERS
privilege.
For example:
GRANT SHOW SERVERS ON DBMS TO serverViewer;
As a result, the serverViewer
role has privileges that only allow showing servers.
To list all privileges for the role serverViewer
as commands, use the following query:
SHOW ROLE serverViewer PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
The DBMS PRIVILEGE MANAGEMENT
privileges
The DBMS privileges for privilege management can be granted, denied, or revoked like other privileges.
For more details about the syntax descriptions, see Reading the administration commands syntax. |
Command | Description |
---|---|
|
Enables the specified roles to list privileges. |
|
Enables the specified roles to assign privileges using the |
|
Enables the specified roles to remove privileges using the |
|
Enables the specified roles to list, assign, and remove privileges. |
Grant privilege to list privileges
You can grant the SHOW PRIVILEGE
privilege to allow a user to list privileges using the SHOW PRIVILEGE
, SHOW ROLE roleName PRIVILEGES
, and SHOW USER username PRIVILEGES
administration commands.
The SHOW USER username PRIVILEGES
command also requires the SHOW USER
privilege.
For example:
GRANT SHOW PRIVILEGE ON DBMS TO privilegeViewer;
As a result, the privilegeViewer
role has privileges that only allow showing privileges.
To list all privileges for the role privilegeViewer
as commands, use the following query:
SHOW ROLE privilegeViewer PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
No specific privileges are required for showing the current user’s privileges through the If a non-native auth provider like LDAP is in use, |
Grant privilege to assign privileges
You can grant the privilege to assign privileges using the ASSIGN PRIVILEGE
privilege.
A user with this privilege is allowed to execute GRANT
and DENY
administration commands.
For example:
GRANT ASSIGN PRIVILEGE ON DBMS TO privilegeAssigner;
As a result, the privilegeAssigner
role has privileges that only allow assigning privileges.
To list all privileges for the role privilegeAssigner
as commands, use the following query:
SHOW ROLE privilegeAssigner PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to remove privileges
You can grant the privilege to remove privileges from roles using the REMOVE PRIVILEGE
privilege.
A user with this privilege is allowed to execute REVOKE
administration commands.
For example:
GRANT REMOVE PRIVILEGE ON DBMS TO privilegeRemover;
As a result, the privilegeRemover
role has privileges that only allow removing privileges.
To list all privileges for the role privilegeRemover
as commands, use the following query:
SHOW ROLE privilegeRemover PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to manage privileges
You can grant the privilege to list, assign, and remove privileges using the PRIVILEGE MANAGEMENT
privilege.
For example:
GRANT PRIVILEGE MANAGEMENT ON DBMS TO privilegeManager;
As a result, the privilegeManager
role has all privileges to manage privileges.
To list all privileges for the role privilegeManager
as commands, use the following query:
SHOW ROLE privilegeManager PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
The DBMS EXECUTE
privileges
The DBMS privileges for procedure and user-defined function execution can be granted, denied, or revoked like other privileges.
For more details about the syntax descriptions, see Reading the administration commands syntax. |
Command | Description |
---|---|
|
Enables the specified roles to execute the given procedures. |
|
Enables the specified roles to use elevated privileges when executing the given procedures. |
|
Enables the specified roles to execute procedures annotated with |
|
Enables the specified roles to execute the given user-defined functions. |
|
Enables the specified roles to use elevated privileges when executing the given user-defined functions. |
Grant privilege to execute procedures
You can grant the privilege to execute procedures using the EXECUTE PROCEDURE
privilege.
A role with this privilege is allowed to execute the procedures matched by the name-globbing.
Grant privilege to execute some procedures
The following query allow the execution of procedures starting with db.schema
:
GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO procedureExecutor;
Users with the role procedureExecutor
can run any procedure in the db.schema
namespace.
The procedures are executed using the user’s own privileges.
To list all privileges for the role procedureExecutor
as commands, use the following query:
SHOW ROLE procedureExecutor PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to execute all but some procedures
You can grant the privilege to execute all except a few procedures using EXECUTE PROCEDURES *
and deny the unwanted procedures.
For example, the following queries allow the execution of all procedures, except those starting with dbms.cluster
:
GRANT EXECUTE PROCEDURE * ON DBMS TO deniedProcedureExecutor;
DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO deniedProcedureExecutor;
Users with the role deniedProcedureExecutor
can run any procedure except those starting with dbms.cluster
.
The procedures are executed using the user’s own privileges.
To list all privileges for the role deniedProcedureExecutor
as commands, use the following query:
SHOW ROLE deniedProcedureExecutor PRIVILEGES AS COMMANDS;
command |
---|
|
|
Rows: 2 |
The dbms.cluster.checkConnectivity
, dbms.cluster.cordonServer
, dbms.cluster.protocols
, dbms.cluster.readReplicaToggle
, dbms.cluster.routing.getRoutingTable
, dbms.cluster.secondaryReplicationDisable
, dbms.cluster.setAutomaticallyEnableFreeServers
, and dbms.cluster.uncordonServer
procedures are blocked, as well as any others starting with dbms.cluster
.
Grant privilege to execute procedures with elevated privileges
You can grant the privilege to execute procedures with elevated privileges using the EXECUTE BOOSTED PROCEDURE
privilege.
A user with this privilege will not be restricted to their other privileges when executing the procedures matched by the name-globbing.
The EXECUTE BOOSTED PROCEDURE
privilege only affects the elevation, and not the execution of the procedure.
Therefore, it is needed to grant EXECUTE PROCEDURE
privilege for the procedures as well.
Both EXECUTE PROCEDURE
and EXECUTE BOOSTED PROCEDURE
are needed to execute a procedure with elevated privileges.
Grant privilege to execute some procedures with elevated privileges
You can grant the privilege to execute some procedures with elevated privileges using EXECUTE BOOSTED PROCEDURE *
.
For example, the following query allow the execution of the procedures db.labels
and db.relationshipTypes
with elevated privileges, and all other procedures with the user’s own privileges:
GRANT EXECUTE PROCEDURE * ON DBMS TO boostedProcedureExecutor;
GRANT EXECUTE BOOSTED PROCEDURE db.labels, db.relationshipTypes ON DBMS TO boostedProcedureExecutor
Users with the role boostedProcedureExecutor
can thus run the db.labels
and the db.relationshipTypes
procedures with full privileges, seeing everything in the graph and not just the labels and types that the user has TRAVERSE
privilege on.
Without the EXECUTE PROCEDURE
, no procedures could be executed at all.
To list all privileges for the role boostedProcedureExecutor
as commands, use the following query:
SHOW ROLE boostedProcedureExecutor PRIVILEGES AS COMMANDS;
command |
---|
|
|
|
Rows: 3 |
Combination of granting execution and denying privilege elevation
As with grant, denying EXECUTE BOOSTED PROCEDURE
on its own only affects the elevation and not the execution of the procedure.
For example:
GRANT EXECUTE PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor1;
DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor1;
As a result, the deniedBoostedProcedureExecutor1
role has privileges that allow the execution of all procedures using the user’s own privileges.
They also prevent the db.labels
procedure from being elevated.
Still, the denied EXECUTE BOOSTED PROCEDURE
does not block execution of db.labels
.
To list all privileges for role deniedBoostedProcedureExecutor1
as commands, use the following query:
SHOW ROLE deniedBoostedProcedureExecutor1 PRIVILEGES AS COMMANDS;
command |
---|
|
|
Rows: 2 |
Combination of granting privilege elevation and denying execution
You can also grant the privilege to execute procedures with elevated privileges and deny the execution of specific procedures.
For example:
GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor2;
DENY EXECUTE PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor2;
As a result, the deniedBoostedProcedureExecutor2
role has privileges that allow elevating the privileges for all procedures, but cannot execute any due to missing or denied EXECUTE PROCEDURE
privileges.
To list all privileges for the role deniedBoostedProcedureExecutor2
as commands, use the following query:
SHOW ROLE deniedBoostedProcedureExecutor2 PRIVILEGES AS COMMANDS;
command |
---|
|
|
Rows: 2 |
Combination of granting and denying privilege elevation
You can also grant the privilege to execute procedures with elevated privileges and deny the elevation for specific procedures.
For example, the following queries allow has privileges that allow elevating the privileges for all procedures except db.labels
.
However, no procedures can be executed due to a missing EXECUTE PROCEDURE
privilege.
GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor3;
DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor3;
As a result, the deniedBoostedProcedureExecutor3
role has privileges that allow elevating the privileges for all procedures except db.labels
.
However, no procedures can be executed due to missing EXECUTE PROCEDURE
privilege.
To list all privileges for the role deniedBoostedProcedureExecutor3
as commands, use the following query:
SHOW ROLE deniedBoostedProcedureExecutor3 PRIVILEGES AS COMMANDS;
command |
---|
|
|
Rows: 2 |
Control procedure output with privileges
You can control the output of procedures based on the privileges granted or denied to a role using the EXECUTE PROCEDURE
and EXECUTE BOOSTED PROCEDURE
privileges.
For example, assume there is a procedure called myProc
.
This procedure gives the result A
and B
for a user with only the EXECUTE PROCEDURE
privilege and A
, B
and C
for a user with both the EXECUTE PROCEDURE
and EXECUTE BOOSTED PROCEDURE
privileges.
Now, adapt the privileges from sections Combination of granting execution and denying privilege elevation (example 1), Combination of granting privilege elevation and denying execution (example 2), and Combination of granting and denying privilege elevations (example 3) to be applied to this procedure and show what is returned.
With the privileges from example 1, granted EXECUTE PROCEDURE *
and denied EXECUTE BOOSTED PROCEDURE myProc
, the myProc
procedure returns the result A
and B
.
With the privileges from example 2, granted EXECUTE BOOSTED PROCEDURE *
and denied EXECUTE PROCEDURE myProc
, execution of the myProc
procedure is not allowed.
With the privileges from example 3, granted EXECUTE BOOSTED PROCEDURE *
and denied EXECUTE BOOSTED PROCEDURE myProc
, execution of the myProc
procedure is not allowed.
For comparison, when granted:
-
EXECUTE PROCEDURE myProc
: themyProc
procedure returns the resultA
andB
. -
EXECUTE BOOSTED PROCEDURE myProc
: execution of themyProc
procedure is not allowed. -
EXECUTE PROCEDURE myProc
andEXECUTE BOOSTED PROCEDURE myProc
: themyProc
procedure returns the resultA
,B
, andC
.
Grant privilege to execute admin procedures
Admin procedures (annotated with @Admin
) are special in that they require elevated privileges to be executed at all.
This means that to execute an admin procedure you need both the EXECUTE PROCEDURE
and EXECUTE BOOSTED PROCEDURE
privileges for that procedure.
For a user to be allowed to execute all admin procedures, they can either be granted the two privileges for each of the admin procedures (which would need to be updated each time a new admin procedure is added), all procedures (which would then affect all non-admin procedures as well) or the EXECUTE ADMIN PROCEDURES
privilege.
The EXECUTE ADMIN PROCEDURES
privilege is equivalent to granting the EXECUTE PROCEDURE
and EXECUTE BOOSTED PROCEDURE
privileges on each of the admin procedures.
This also have the additional advantage that any newly added admin
procedure is automatically included in this privilege.
For example:
GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO adminProcedureExecutor;
Users with the role adminProcedureExecutor
can run any admin
procedure with elevated privileges.
As a result, the adminProcedureExecutor
role has privileges that allow the execution of all admin procedures.
To list all privileges for the role adminProcedureExecutor
as commands, use the following query:
SHOW ROLE adminProcedureExecutor PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
In order to compare this with the EXECUTE PROCEDURE
and EXECUTE BOOSTED PROCEDURE
privileges, revisit the myProc
procedure, but this time as an admin
procedure, which will give the result A
, B
and C
when allowed to execute.
By starting with a user only granted the EXECUTE PROCEDURE myProc
or the EXECUTE BOOSTED PROCEDURE myProc
privilege, execution of the myProc
procedure is not allowed.
However, for a user granted the EXECUTE ADMIN PROCEDURES
or both EXECUTE PROCEDURE myProc
and EXECUTE BOOSTED PROCEDURE myProc
, the myProc
procedure returns the result A
, B
and C
.
Any denied EXECUTE
privilege results in the procedure not being allowed to be executed.
In this case, it does not matter whether EXECUTE PROCEDURE
, EXECUTE BOOSTED PROCEDURE
or EXECUTE ADMIN PROCEDURES
is being denied.
Grant privilege to execute user-defined functions
You can grant the privilege to execute user-defined functions (UDFs) using the EXECUTE USER DEFINED FUNCTION
privilege.
A role with this privilege is allowed to execute the UDFs matched by the name-globbing.
The |
Grant privilege to execute some user-defined functions
The following query shows an example of how to grant the EXECUTE USER DEFINED FUNCTION
privilege:
GRANT EXECUTE USER DEFINED FUNCTION apoc.coll.* ON DBMS TO functionExecutor;
Or in short form:
GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO functionExecutor;
Users with the role functionExecutor
can thus run any UDF in the apoc.coll
namespace.
The functions are executed using the user’s own privileges.
As a result, the functionExecutor
role has privileges that only allow executing UDFs in the apoc.coll
namespace.
To list all privileges for the role functionExecutor
as commands, use the following query:
SHOW ROLE functionExecutor PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to execute all but some user-defined functions
To allow the execution of all but a few UDFs, you can grant EXECUTE USER DEFINED FUNCTIONS *
and deny the unwanted UDFs.
For example, the following queries allow the execution of all UDFs except those starting with apoc.any.prop
:
GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO deniedFunctionExecutor;
DENY EXECUTE USER DEFINED FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor;
Or in short form:
GRANT EXECUTE FUNCTIONS * ON DBMS TO deniedFunctionExecutor;
DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor;
As a result, the deniedFunctionExecutor
role has privileges that only allow the execution of all UDFs except those starting with apoc.any.prop
.
The functions are executed using the user’s own privileges.
To list all privileges for the role deniedFunctionExecutor
as commands, use the following query:
SHOW ROLE deniedFunctionExecutor PRIVILEGES AS COMMANDS;
command |
---|
|
|
Rows: 2 |
The apoc.any.property
and apoc.any.properties
are blocked, as well as any other UDFs starting with apoc.any.prop
.
Grant privilege to execute user-defined functions with elevated privileges
You can grant the privilege to execute user-defined functions (UDFs) with elevated privileges using the EXECUTE BOOSTED USER DEFINED FUNCTION
privilege.
A user with this privilege will not be restricted to their other privileges when executing the UDFs matched by the name-globbing.
The EXECUTE BOOSTED USER DEFINED FUNCTION
privilege only affects the elevation and not the execution of the function.
Therefore, it is needed to grant EXECUTE USER DEFINED FUNCTION
privilege for the UDFs as well.
Both EXECUTE USER DEFINED FUNCTION
and EXECUTE BOOSTED USER DEFINED FUNCTION
are needed to execute a function with elevated privileges.
The |
Grant privilege to execute some user-defined functions with elevated privileges
The following query shows an example of how to grant the EXECUTE BOOSTED USER DEFINED FUNCTION
privilege:
GRANT EXECUTE USER DEFINED FUNCTION * ON DBMS TO boostedFunctionExecutor;
GRANT EXECUTE BOOSTED USER DEFINED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor;
Or in short form:
GRANT EXECUTE FUNCTION * ON DBMS TO boostedFunctionExecutor;
GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor;
Users with the role boostedFunctionExecutor
can thus run apoc.any.properties
with full privileges and see every property on the node/relationship, not just the properties that the user has READ
privilege on.
Without the EXECUTE USER DEFINED FUNCTION
, you cannot execute any UDFs at all.
As a result, the boostedFunctionExecutor
role has privileges that allow executing the UDF apoc.any.properties
with elevated privileges, and all other UDFs with the users' own privileges.
To list all privileges for the role boostedFunctionExecutor
as commands, use the following query:
SHOW ROLE boostedFunctionExecutor PRIVILEGES AS COMMANDS;
command |
---|
|
|
Rows: 2 |
The DBMS SETTING
privileges
You can grant the privilege to show configuration settings using the SHOW SETTING
privilege.
A role with this privilege is allowed to list the configuration settings matched by the name-globbing.
For more details about the syntax descriptions, see Reading the administration commands syntax. |
Command | Description |
---|---|
|
Enables the specified roles to list given configuration settings. |
Grant privilege to show all settings
You can grant the privilege to show all settings using SHOW SETTING *
or all settings in a namespace using SHOW SETTING namespace.*
.
The following query shows an example of how to grant SHOW SETTING
privilege to view all settings in the server.bolt
namespace:
GRANT SHOW SETTING server.bolt.* ON DBMS TO configurationViewer;
Users with the role configurationViewer
can then view any setting in the server.bolt
namespace.
As a result, the configurationViewer
role has privileges that only allow listing settings in the server.bolt
namespace.
To list all privileges for the role configurationViewer
as commands, use the following query:
SHOW ROLE configurationViewer PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Grant privilege to show all but some settings
You can grant the privilege to show all but a few settings using SHOW SETTINGS *
and deny the unwanted settings.
For example, the following queries allow you to view all settings, except those starting with dbms.security
:
GRANT SHOW SETTINGS * ON DBMS TO deniedConfigurationViewer;
DENY SHOW SETTING dbms.security* ON DBMS TO deniedConfigurationViewer;
As a result, the deniedConfigurationViewer
role has privileges that allow listing all settings except those starting with dbms.security
.
To list all privileges for the role deniedConfigurationViewer
as commands, use the following query:
SHOW ROLE deniedConfigurationViewer PRIVILEGES AS COMMANDS;
command |
---|
|
|
Rows: 2 |
As the query result shows, viewing settings starting with dbms.security
is blocked, but the rest can still be listed.
Granting ALL DBMS PRIVILEGES
You can grant the ALL DBMS PRIVILEGES
privilege to a role.
The ALL DBMS PRIVILEGES
privilege is equivalent to granting the following privileges:
-
Create, drop, assign, remove, and show roles.
-
Create, alter, drop, show, and impersonate users.
-
Create, alter, drop, and show databases and aliases.
-
Enable, alter, rename, reallocate, deallocate, drop, and show servers.
-
Show, assign, and remove privileges.
-
Execute all procedures with elevated privileges.
-
Execute all user-defined functions with elevated privileges.
-
Show all configuration settings.
For more details about the syntax descriptions, see Reading the administration commands syntax. |
GRANT [IMMUTABLE] ALL [[DBMS] PRIVILEGES]
ON DBMS
TO role[, ...]
For example, to grant the role dbmsManager
all DBMS abilities, use the following query:
GRANT ALL DBMS PRIVILEGES ON DBMS TO dbmsManager;
To list all privileges for the role dbmsManager
as commands, use the following query:
SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS;
command |
---|
|
Rows: 1 |
Name-globbing for procedures, user-defined functions, and settings
The name-globbing for procedures, user-defined functions, and setting names is a simplified version of globbing for filename expansions.
It only allows two wildcard characters: *
and ?
, which are used for multiple and single-character matches.
In this case, *
means 0 or more characters, and ?
matches exactly one character.
The name-globbing is subject to the Cypher Manual → Naming rules and recommendations, with the exception that it may include dots, stars, and question marks without the need for escaping using backticks. Each part of the name-globbing separated by dots may be individually quoted.
For example, |
Given the following list of procedures:
-
mine.public.exampleProcedure
-
mine.public.exampleProcedure1
-
mine.public.exampleProcedure2
-
mine.public.with#Special§Characters
-
mine.private.exampleProcedure
-
mine.private.exampleProcedure1
-
mine.private.exampleProcedure2
-
mine.private.with#Special§Characters
-
your.exampleProcedure
The following examples demonstrate how name-globbing patterns can be used in controlling access to procedures. Note that the same rules apply to user-defined functions and settings.
GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1;
Users with the role globbing1
can run all the procedures.
GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2;
Users with the role globbing2
can run procedures mine.public.exampleProcedure
and mine.private.exampleProcedure
, but no other procedures.
GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3;
Users with the role globbing3
can run procedures mine.public.exampleProcedure1
, mine.private.exampleProcedure1
, and mine.private.exampleProcedure2
, but no other procedures.
GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4;
Users with the role globbing4
can run procedures your.exampleProcedure
, mine.public.exampleProcedure
, and mine.private.exampleProcedure
, but no other procedures.
GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5;
Users with the role globbing5
can run procedures mine.public.exampleProcedure
, mine.public.exampleProcedure1
and mine.public.exampleProcedure42
, but no other procedures.
GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6;
Users with the role globbing6
can run procedures mine.public.with#Special§Characters
, and mine.private.with#Special§Characters
, but no other procedures.
The name-globbing may be fully or partially quoted.
Both |