Load privileges

This feature is available from Neo4j 5.13.

This section explains how to use Cypher to manage load privileges. All load privileges apply to the whole system. Like DBMS privileges, they do not belong to one specific database or graph. For more details on the differences between graphs, databases, and the DBMS, refer to Cypher Manual → Cypher and Neo4j.

Figure 1. Syntax of GRANT and DENY load privileges

The load privileges apply to the Cypher LOAD CSV clause, deciding whether or not the data can be loaded from the given source.

Load privileges syntax

The load privileges are assigned using Cypher administrative commands. They can be granted, denied, and revoked in the same way as other privileges. For more details, see RBAC and fine-grained privileges.

Table 1. Load privileges command syntax
Command Description
GRANT [IMMUTABLE] LOAD
  ON ALL DATA
  TO role[, ...]

Enables the specified roles to load external data in queries.

GRANT [IMMUTABLE] LOAD
  ON CIDR cidr
  TO role[, ...]

Enables the specified roles to load external data from the given CIDR range in queries. Introduced in 5.16.

More details about the syntax descriptions can be found in Cypher syntax for administration commands.

Unlike other privileges, the LOAD privilege is not granted, denied, or revoked on DBMS, DATABASE, or GRAPH, but on the data source to load from. ON ALL DATA gives a role the privilege to load data from any source. To allow loading only from sources within a specific IPv4 or IPv6 range, use ON CIDR cidr.

It is strongly recommended to permit resource loading only over secure protocols such as HTTPS rather than insecure protocols like HTTP. Do this by limiting the accessible ranges to trusted sources that use secure protocols. If allowing an insecure protocol is absolutely unavoidable, Neo4j takes measures internally to improve the security of these requests within the limitations of the protocol. One consequence is that insecure URLs on virtual hosts will not function unless you add the JVM argument -Dsun.net.http.allowRestrictedHeaders=true to the configuration setting server.jvm.additional.
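The following is an added example, not taken from the Neo4j manual, showing the allowlist posture the recommendation above describes: the default LOAD ON ALL DATA grant is revoked from PUBLIC and replaced by a role that may load only from one trusted range. The role name csvImporter, the user etl, the range 10.20.30.0/24 and the URLs are assumptions for illustration. The administrative statements run against the system database (for example after `:use system` in cypher-shell); the LOAD CSV statements run as the user etl against a regular database.

```cypher
// Added example (not Neo4j's own code). Names and ranges are hypothetical.

// 1. PUBLIC holds LOAD ON ALL DATA by default, so every user can LOAD CSV from any
//    address the server can reach. Revoke that grant before handing out narrower ones.
REVOKE GRANT LOAD ON ALL DATA FROM PUBLIC;

// 2. Create a role that may only load from an assumed trusted subnet that serves
//    its feeds over HTTPS, and give it to the users who run imports.
CREATE ROLE csvImporter IF NOT EXISTS;
GRANT LOAD ON CIDR "10.20.30.0/24" TO csvImporter;
CREATE USER etl IF NOT EXISTS SET PASSWORD 'change-me-on-first-login';
GRANT ROLE csvImporter TO etl;

// 3. Verify: PUBLIC should no longer list a LOAD grant, and csvImporter should list
//    only the CIDR-scoped one.
SHOW ROLE PUBLIC PRIVILEGES AS COMMANDS;
SHOW ROLE csvImporter PRIVILEGES AS COMMANDS;

// 4. As user etl. IP literals are used in the URLs so that the address the range
//    check applies to is unambiguous. The first load is inside 10.20.30.0/24 and is
//    allowed; the second is outside every granted range and is refused.
LOAD CSV WITH HEADERS FROM 'https://10.20.30.40/feeds/users.csv' AS row
RETURN count(row) AS rows;

LOAD CSV WITH HEADERS FROM 'https://203.0.113.7/feeds/users.csv' AS row
RETURN count(row) AS rows;
```

Revoking from PUBLIC first matters because a grant on a narrower range adds to, rather than replaces, the ALL DATA grant every user inherits from PUBLIC.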

The ALL DATA privilege

The load privilege on ALL DATA enables or disables loading data. If granted, the user can load data from any source. If missing or denied, no data can be loaded at all.

Example 1. Grant users with the role roleLoadAllData the ability to load data with LOAD CSV
GRANT LOAD ON ALL DATA TO roleLoadAllData
Example 2. List all privileges for the role roleLoadAllData as commands
SHOW ROLE roleLoadAllData PRIVILEGES AS COMMANDS
Table 2. Result
command

"GRANT LOAD ON ALL DATA TO `roleLoadAllData`"

Rows: 1

The LOAD ON ALL DATA privilege is granted to the PUBLIC role by default. Because every user has the PUBLIC role, every user can load data from any source until that grant is revoked from PUBLIC or narrowed with a DENY on specific CIDR ranges.

The CIDR privilege

This feature is available from Neo4j 5.16.

The load privilege on CIDR cidr enables or disables loading data from the given IPv4 or IPv6 CIDR range. If granted, the user can load data from sources in that range. If it is denied, or if neither it nor LOAD ON ALL DATA is granted, no data can be loaded from sources in that range. As with other privileges, a DENY takes precedence over a GRANT, so denying a range overrides the LOAD ON ALL DATA grant that PUBLIC holds by default.

Example 3. Deny users with the role roleLoadCidr the ability to load data with LOAD CSV from 127.0.0.1/32
DENY LOAD ON CIDR "127.0.0.1/32" TO roleLoadCidr
Example 4. List all privileges for the role roleLoadCidr as commands
SHOW ROLE roleLoadCidr PRIVILEGES AS COMMANDS
Table 3. Result
command

"DENY LOAD ON CIDR "127.0.0.1/32" TO `roleLoadCidr`"

Rows: 1
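The following is an added example, not taken from the Neo4j manual, showing the complementary denylist posture: the default LOAD ON ALL DATA grant on PUBLIC is kept, and ranges that a LOAD CSV issued from the server should never reach are denied to PUBLIC so the denial applies to every user. The chosen ranges (loopback on the Neo4j host and the link-local range, which in many cloud environments includes the instance metadata endpoint) and the user name etl are assumptions for illustration. Administrative statements run against the system database.

```cypher
// Added example (not Neo4j's own code). Ranges and the user name are hypothetical.

// DENY takes precedence over GRANT, so these override PUBLIC's ALL DATA grant
// for every user while leaving loads from other sources unaffected.
DENY LOAD ON CIDR "127.0.0.0/8" TO PUBLIC;
DENY LOAD ON CIDR "::1/128" TO PUBLIC;
DENY LOAD ON CIDR "169.254.0.0/16" TO PUBLIC;

// Inspect the effective privileges of one user: the inherited ALL DATA grant and the
// denials are listed together, which is how you confirm the denials actually apply.
SHOW USER etl PRIVILEGES AS COMMANDS;

// Run as user etl against a regular database: the source is in a denied range, so the
// load is refused even though PUBLIC still holds LOAD ON ALL DATA.
LOAD CSV FROM 'http://127.0.0.1:8000/local.csv' AS row
RETURN count(row) AS rows;
```

Denying to PUBLIC rather than to an individual role is deliberate: a deny on one role protects only users holding that role, while any user not holding it still loads from the range through PUBLIC's grant.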