Load privileges
This feature is available from Neo4j 5.13.
This section explains how to use Cypher to manage load privileges. All load privileges apply to the whole system. Like DBMS privileges, they do not belong to one specific database or graph. For more details on the differences between graphs, databases, and the DBMS, refer to Cypher Manual → Cypher and Neo4j.
The load privileges apply to the Cypher `LOAD CSV` clause, deciding whether or not the data can be loaded from the given source.
Load privileges syntax
The load privileges are assigned using Cypher administrative commands. They can be granted, denied, and revoked in the same way as other privileges. For more details, see RBAC and fine-grained privileges.
Command | Description |
---|---|
| Enables the specified roles to load external data in queries. |
| Enables the specified roles to load external data from the given CIDR range in queries. Introduced in 5.16. |

More details about the syntax descriptions can be found in Cypher syntax for administration commands.
Unlike other privileges, the `LOAD` privilege is not granted, denied, or revoked on `DBMS`, `DATABASE`, or `GRAPH`, but instead on the data source to load from.
Adding `ON ALL DATA` means a role has the privilege to load data from all sources.
To only allow loading data from sources given by a specific CIDR range, use `ON CIDR cidr`.
It is strongly recommended to permit resource loading only over secure protocols such as HTTPS instead of insecure protocols like HTTP.
This can be done by limiting the accessible ranges to only trusted sources that use secure protocols.
If allowing an insecure protocol is absolutely unavoidable, Neo4j takes measures internally to enhance the security of these requests within their limitations.
However, this means that insecure URLs on virtual hosts will not function unless you add the JVM argument |
The `ALL DATA` privilege
The load privilege on `ALL DATA` enables or disables loading data.
If granted, the user can load data from any source.
If missing or denied, no data can be loaded at all.
Grant the role `roleLoadAllData` the ability to load data with `LOAD CSV`:

```cypher
GRANT LOAD ON ALL DATA TO roleLoadAllData
```

Show the privileges of the role `roleLoadAllData` as commands:

```cypher
SHOW ROLE roleLoadAllData PRIVILEGES AS COMMANDS
```

command |
---|
|
Rows: 1 |
The `LOAD ON ALL DATA` privilege is granted to the `PUBLIC` role by default.
The `CIDR` privilege
This feature is available from Neo4j 5.16.
The load privilege on `CIDR cidr` enables or disables loading data from the given IPv4 or IPv6 CIDR range.
If granted, the user can load data from sources in the given CIDR range.
If missing or denied, no data can be loaded from sources in the given CIDR range.
Deny the role `roleLoadCidr` the ability to load data with `LOAD CSV` from `127.0.0.1/32`:

```cypher
DENY LOAD ON CIDR "127.0.0.1/32" TO roleLoadCidr
```

Show the privileges of the role `roleLoadCidr` as commands:

```cypher
SHOW ROLE roleLoadCidr PRIVILEGES AS COMMANDS
```

command |
---|
|
Rows: 1 |
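
The recommendation above to limit loading to trusted ranges can be combined with the default `PUBLIC` grant described earlier, as in the following added example (not taken from the Neo4j documentation). The role name `csvLoader` and both CIDR ranges are constructed placeholders, and the commands assume a user who is allowed to manage roles and privileges.

```cypher
// Added example: restrict LOAD CSV sources to one trusted range.
// Role name and CIDR ranges are constructed placeholders.

// 1. PUBLIC holds LOAD ON ALL DATA by default, so every user can load
//    from any source. CIDR grants restrict nothing until this is revoked.
REVOKE GRANT LOAD ON ALL DATA FROM PUBLIC;

// 2. Create a dedicated role for users who import CSV data.
CREATE ROLE csvLoader IF NOT EXISTS;

// 3. Allow loading only from the trusted internal range.
GRANT LOAD ON CIDR "10.20.0.0/16" TO csvLoader;

// 4. Carve an untrusted subnet out of that range. As with other Neo4j
//    privileges, a DENY takes precedence over a GRANT.
DENY LOAD ON CIDR "10.20.99.0/24" TO csvLoader;

// 5. Verify the result: csvLoader should list the GRANT and the DENY,
//    and PUBLIC should no longer list LOAD ON ALL DATA.
SHOW ROLE csvLoader PRIVILEGES AS COMMANDS;
SHOW ROLE PUBLIC PRIVILEGES AS COMMANDS;
```

A user holding several roles gets the combination of their privileges, so check every role assigned to an importing user for a remaining `LOAD ON ALL DATA` grant.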