Write privileges
Write privileges are defined for different parts of the graph:
- CREATE - allows creating nodes and relationships.
- DELETE - allows deleting nodes and relationships.
- SET LABEL - allows setting the specified node labels using the SET clause.
- REMOVE LABEL - allows removing the specified node labels using the REMOVE clause.
- SET PROPERTY - allows setting properties on nodes and relationships.
There are also compound privileges that combine the above specific privileges:
- MERGE - allows MATCH, CREATE, and SET PROPERTY to apply the MERGE command.
- WRITE - allows all WRITE operations on an entire graph.
- ALL GRAPH PRIVILEGES - allows all READ and WRITE operations on an entire graph.
For more details about the syntax descriptions, see Cypher syntax for administration commands.
The CREATE privilege
The CREATE privilege allows a user to create new node and relationship elements on a graph.
For more details, see the Cypher Manual → CREATE clause.
GRANT [IMMUTABLE] CREATE
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
For example, to grant the role regularUsers the ability to CREATE elements on the graph neo4j, use:
GRANT CREATE ON GRAPH neo4j ELEMENTS * TO regularUsers
The CREATE privilege can also be denied:
DENY [IMMUTABLE] CREATE
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
For example, to deny the role regularUsers the ability to CREATE nodes with the label foo on all graphs, use:
DENY CREATE ON GRAPH * NODES foo TO regularUsers
If the user attempts to create nodes with a label that does not already exist on the database, then the user must also possess the |
If a label or a relationship type does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.
The DELETE privilege
The DELETE privilege allows a user to delete node and relationship elements on a graph.
For more details, see the Cypher Manual → DELETE clause.
GRANT [IMMUTABLE] DELETE
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
For example, to grant the role regularUsers the ability to DELETE elements on the graph neo4j, use:
GRANT DELETE ON GRAPH neo4j ELEMENTS * TO regularUsers
The DELETE privilege can also be denied:
DENY [IMMUTABLE] DELETE
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
For example, to deny the role regularUsers the ability to DELETE relationships with the relationship type bar on all graphs, use:
DENY DELETE ON GRAPH * RELATIONSHIPS bar TO regularUsers
Users with |
If a label or a relationship type does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.
The SET LABEL privilege
The SET LABEL privilege allows you to set labels on a node using the Cypher SET clause:
GRANT [IMMUTABLE] SET LABEL { * | label[, ...] }
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
TO role[, ...]
For example, to grant the role regularUsers the ability to SET any label on nodes of the graph neo4j, use:
GRANT SET LABEL * ON GRAPH neo4j TO regularUsers
Unlike many of the other |
The SET LABEL privilege can also be denied:
DENY [IMMUTABLE] SET LABEL { * | label[, ...] }
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
TO role[, ...]
For example, to deny the role regularUsers the ability to SET the label foo on nodes of all graphs, use:
DENY SET LABEL foo ON GRAPH * TO regularUsers
If no instances of this label exist on the database, then the |
If a label does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.
The REMOVE LABEL privilege
The REMOVE LABEL privilege allows you to remove labels from a node by using the Cypher REMOVE clause:
GRANT [IMMUTABLE] REMOVE LABEL { * | label[, ...] }
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
TO role[, ...]
For example, to grant the role regularUsers the ability to REMOVE any label from nodes of the graph neo4j, use:
GRANT REMOVE LABEL * ON GRAPH neo4j TO regularUsers
Unlike many of the other |
The REMOVE LABEL privilege can also be denied:
DENY [IMMUTABLE] REMOVE LABEL { * | label[, ...] }
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
TO role[, ...]
For example, to deny the role regularUsers the ability to remove the label foo from nodes of all graphs, use:
DENY REMOVE LABEL foo ON GRAPH * TO regularUsers
If a label does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.
The SET PROPERTY privilege
The SET PROPERTY privilege allows a user to set a property on a node or relationship element in a graph by using the Cypher SET clause:
GRANT [IMMUTABLE] SET PROPERTY "{" { * | property[, ...] } "}"
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
For example, to grant the role regularUsers the ability to SET any property on all elements of the graph neo4j, use:
GRANT SET PROPERTY {*} ON HOME GRAPH ELEMENTS * TO regularUsers
The SET PROPERTY privilege can also be denied:
DENY [IMMUTABLE] SET PROPERTY "{" { * | property[, ...] } "}"
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
For example, to deny the role regularUsers the ability to SET the property foo on nodes with the label bar on all graphs, use:
DENY SET PROPERTY { foo } ON GRAPH * NODES bar TO regularUsers
If the user attempts to set a property with a property name that does not already exist on the database, the user must also possess the |
If a label, a relationship type, or a property name does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.
The MERGE privilege
The MERGE privilege is a compound privilege that combines TRAVERSE and READ (i.e. MATCH) with CREATE and SET PROPERTY.
This is intended to enable the use of the Cypher MERGE command, but it is also applicable to all reads and writes that require these privileges.
GRANT [IMMUTABLE] MERGE "{" { * | property[, ...] } "}"
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
[
ELEMENT[S] { * | label-or-rel-type[, ...] }
| NODE[S] { * | label[, ...] }
| RELATIONSHIP[S] { * | rel-type[, ...] }
]
TO role[, ...]
For example, to grant the role regularUsers the ability to MERGE on all elements of the graph neo4j, use:
GRANT MERGE {*} ON GRAPH neo4j ELEMENTS * TO regularUsers
It is not possible to deny the MERGE privilege.
If you wish to prevent a user from creating elements and setting properties, use DENY CREATE or DENY SET PROPERTY.
If the user attempts to create nodes with a label that does not already exist on the database, the user must also possess the
|
If a label, a relationship type, or a property name does not exist in the database, the user cannot use the corresponding privilege until it is created. See Privileges for non-existing labels, relationship types, and property names for more information.
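Because MERGE cannot be denied, a role that holds it is narrowed by denying its CREATE and SET PROPERTY components instead. The following is an added example, not part of the Neo4j documentation; it reuses the role regularUsers and the names foo and bar from the examples on this page, and assumes the role already exists and that an administrator runs the statements.

```cypher
// Added example: a MERGE-capable role narrowed with the two denies named above.
// Assumption: the role regularUsers exists, and the label foo, the label bar
// and the property name foo already exist in the database.

// 1. Allow MERGE (MATCH, CREATE and SET PROPERTY) on every element of neo4j.
GRANT MERGE {*} ON GRAPH neo4j ELEMENTS * TO regularUsers;

// 2. MERGE itself cannot be denied, so deny its CREATE component
//    for nodes labelled foo.
DENY CREATE ON GRAPH neo4j NODES foo TO regularUsers;

// 3. Deny its SET PROPERTY component for the property foo
//    on nodes labelled bar.
DENY SET PROPERTY { foo } ON GRAPH neo4j NODES bar TO regularUsers;

// 4. Review the result: the output should list the MERGE grant
//    together with both denies for this role.
SHOW ROLE regularUsers PRIVILEGES AS COMMANDS;
```

Scoping the denies to graph neo4j keeps them aligned with the grant; use GRAPH * instead if the restriction must hold on every graph the role can reach.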
The WRITE privilege
The WRITE privilege allows the user to execute any WRITE command on a graph.
GRANT [IMMUTABLE] WRITE
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
TO role[, ...]
For example, to grant the role regularUsers the ability to WRITE on the graph neo4j, use:
GRANT WRITE ON GRAPH neo4j TO regularUsers
Unlike the more specific |
The WRITE privilege can also be denied:
DENY [IMMUTABLE] WRITE
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
TO role[, ...]
For example, to deny the role regularUsers the ability to WRITE on the graph neo4j, use:
DENY WRITE ON GRAPH neo4j TO regularUsers
Users with |
The ALL GRAPH PRIVILEGES privilege
The ALL GRAPH PRIVILEGES privilege allows the user to execute any command on a graph:
GRANT [IMMUTABLE] ALL [ [ GRAPH ] PRIVILEGES ]
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
TO role[, ...]
For example, to grant the role regularUsers ALL GRAPH PRIVILEGES on the graph neo4j, use:
GRANT ALL GRAPH PRIVILEGES ON GRAPH neo4j TO regularUsers
Unlike the more specific |
The |
The ALL GRAPH PRIVILEGES privilege can also be denied:
DENY [IMMUTABLE] ALL [ [ GRAPH ] PRIVILEGES ]
ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
TO role[, ...]
For example, to deny the role regularUsers all graph privileges on the graph neo4j, use:
DENY ALL GRAPH PRIVILEGES ON GRAPH neo4j TO regularUsers
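WRITE and ALL GRAPH PRIVILEGES apply to an entire graph, so they are the grants worth reviewing first when checking roles for least privilege. The query below is an added example, not part of the Neo4j documentation; it assumes the privilege commands are rendered with the same keywords as the GRANT statements shown on this page.

```cypher
// Added example: list every role that holds a whole-graph write grant.
// Assumption: SHOW PRIVILEGES AS COMMANDS renders each privilege as the
// GRANT/DENY statement text, in the form used on this page.
SHOW PRIVILEGES AS COMMANDS
YIELD command
WHERE command STARTS WITH 'GRANT'
  AND (command CONTAINS ' WRITE ON '
       OR command CONTAINS ' ALL GRAPH PRIVILEGES ON ')
RETURN command
ORDER BY command;
```

Each returned row is a candidate for replacement with the narrower CREATE, DELETE, SET LABEL, REMOVE LABEL, or SET PROPERTY privileges described above.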