From fd3a60e6e4ab2645fc7cc350aab2c55163ba8b43 Mon Sep 17 00:00:00 2001 
From: Reneta Popova
Date: Wed, 3 Dec 2025 13:08:31 +0000
Subject: [PATCH] Split DBMS privileges page (#2738)

Co-authored-by: Natalia Ivakina <82437520+NataliaIvakina@users.noreply.github.com>
Co-authored-by: Therese Magnusson
---
modules/ROOT/content-nav.adoc | 13 +-
...grant-and-deny-syntax-dbms-privileges.svg} | 0
...dbms.svg => privileges-hierarchy-dbms.svg} | 0
.../built-in-roles.adoc | 2 +-
.../dbms-administration.adoc | 2139 -----------------
.../dbms-administration/dbms-admin-role.adoc | 261 ++
.../dbms-alias-management-privileges.adoc | 246 ++
.../dbms-database-management-privileges.adoc | 341 +++
.../dbms-execute-privileges.adoc | 544 +++++
.../dbms-impersonate-privileges.adoc | 167 ++
.../dbms-privilege-management-privileges.adoc | 224 ++
.../dbms-role-management-privileges.adoc | 316 +++
.../dbms-server-management-privileges.adoc | 149 ++
.../dbms-setting-privileges.adoc | 154 ++
.../dbms-user-management-privileges.adoc | 443 ++++
.../dbms-administration/index.adoc | 214 ++
.../immutable-roles-privileges.adoc | 8 +-
.../manage-execute-permissions.adoc | 16 +-
.../manage-roles.adoc | 24 +-
.../manage-users.adoc | 18 +-
.../ROOT/pages/clustering/server-syntax.adoc | 14 +-
.../manage-aliases-composite-databases.adoc | 2 +-
.../manage-aliases-standard-databases.adoc | 22 +-
.../remote-database-alias-configuration.adoc | 13 +-
.../delete-composite-databases.adoc | 2 +-
.../standard-databases/delete-databases.adoc | 4 +-
.../standard-databases/recreate-database.adoc | 4 +-
modules/ROOT/pages/procedures.adoc | 2 +-
28 files changed, 3139 insertions(+), 2203 deletions(-)
rename modules/ROOT/images/{privileges_grant_and_deny_syntax_dbms_privileges.svg => privileges-grant-and-deny-syntax-dbms-privileges.svg} (100%)
rename modules/ROOT/images/{privileges_hierarchy_dbms.svg => privileges-hierarchy-dbms.svg} (100%)
delete mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration.adoc
create mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-admin-role.adoc
create mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc
create mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc
create mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-execute-privileges.adoc
create mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc
create mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc
create mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc
create mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc
create mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-setting-privileges.adoc
create mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc
create mode 100644 modules/ROOT/pages/authentication-authorization/dbms-administration/index.adoc
diff --git a/modules/ROOT/content-nav.adoc b/modules/ROOT/content-nav.adoc
index 8cb5304c7..ba3d41a64 100644
--- a/modules/ROOT/content-nav.adoc
+++ b/modules/ROOT/content-nav.adoc
@@ -183,7 +183,18 @@
 *** xref:authentication-authorization/property-based-access-control.adoc[]
 *** xref:authentication-authorization/privileges-writes.adoc[]
 *** xref:authentication-authorization/database-administration.adoc[]
-*** xref:authentication-authorization/dbms-administration.adoc[]
+*** xref:authentication-authorization/dbms-administration/index.adoc[]
+**** xref:authentication-authorization/dbms-administration/dbms-admin-role.adoc[]
+**** xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[]
+**** xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[]
+**** xref:authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc[]
+**** xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[]
+**** xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[]
+**** xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[]
+**** xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[]
+**** xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[]
+**** xref:authentication-authorization/dbms-administration/dbms-setting-privileges.adoc[]
+
 *** xref:authentication-authorization/load-privileges.adoc[]
 *** xref:authentication-authorization/limitations.adoc[]
 *** xref:authentication-authorization/manage-execute-permissions.adoc[]
diff --git a/modules/ROOT/images/privileges_grant_and_deny_syntax_dbms_privileges.svg b/modules/ROOT/images/privileges-grant-and-deny-syntax-dbms-privileges.svg
similarity index 100%
rename from modules/ROOT/images/privileges_grant_and_deny_syntax_dbms_privileges.svg
rename to modules/ROOT/images/privileges-grant-and-deny-syntax-dbms-privileges.svg
diff --git a/modules/ROOT/images/privileges_hierarchy_dbms.svg b/modules/ROOT/images/privileges-hierarchy-dbms.svg
similarity index 100%
rename from modules/ROOT/images/privileges_hierarchy_dbms.svg
rename to modules/ROOT/images/privileges-hierarchy-dbms.svg
diff --git a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
index 8011f94d9..c912bba14 100644
--- a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
+++ b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
@@ -830,7 +830,7 @@ These include the rights to perform the following classes of tasks:
 ** Manage link:{neo4j-docs-base-uri}/cypher-manual/5/indexes/search-performance-indexes/overview/[indexes] and link:{neo4j-docs-base-uri}/cypher-manual/5/constraints/[constraints].
 ** Allow the creation of labels, relationship types, or property names.
 ** Manage transactions.
-* Manage xref:authentication-authorization/dbms-administration.adoc[DBMS privileges] to control the rights to perform actions on the entire system:
+* Manage xref:authentication-authorization/dbms-administration/index.adoc[DBMS privileges] to control the rights to perform actions on the entire system:
 ** Manage xref:database-administration/index.adoc[multiple databases].
 ** Manage xref:authentication-authorization/manage-users.adoc[users] and xref:authentication-authorization/manage-roles.adoc[roles].
 ** Change configuration parameters.
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration.adoc
deleted file mode 100644
index 5799666b6..000000000
--- a/modules/ROOT/pages/authentication-authorization/dbms-administration.adoc
+++ /dev/null
@@ -1,2139 +0,0 @@ -:description: How to use Cypher to manage Neo4j DBMS administrative privileges. -:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated -//// -[source, cypher, role=test-setup] ----- -CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; -CREATE ROLE roleAdder IF NOT EXISTS; -CREATE ROLE roleNameModifier IF NOT EXISTS; -CREATE ROLE roleDropper IF NOT EXISTS; -CREATE ROLE roleAssigner IF NOT EXISTS; -CREATE ROLE roleRemover IF NOT EXISTS; -CREATE ROLE roleShower IF NOT EXISTS; -CREATE ROLE roleManager IF NOT EXISTS; -CREATE ROLE userAdder IF NOT EXISTS; -CREATE ROLE userNameModifier IF NOT EXISTS; -CREATE ROLE userModifier IF NOT EXISTS; -CREATE ROLE passwordModifier IF NOT EXISTS; -CREATE ROLE statusModifier IF NOT EXISTS; -CREATE ROLE userDropper IF NOT EXISTS; -CREATE ROLE userShower IF NOT EXISTS; -CREATE ROLE userManager IF NOT EXISTS; -CREATE ROLE userImpersonator IF NOT EXISTS; -CREATE ROLE databaseAdder IF NOT EXISTS; -CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; -CREATE ROLE databaseDropper IF NOT EXISTS; -CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; -CREATE ROLE databaseModifier IF NOT EXISTS; -CREATE ROLE accessModifier IF NOT EXISTS; -CREATE ROLE compositeDatabaseManager IF NOT EXISTS; -CREATE ROLE databaseManager IF NOT EXISTS; -CREATE ROLE aliasAdder IF NOT EXISTS; -CREATE ROLE aliasDropper IF NOT EXISTS; -CREATE ROLE aliasModifier IF NOT EXISTS; -CREATE ROLE aliasLister IF NOT EXISTS; -CREATE ROLE aliasManager IF NOT EXISTS; -CREATE ROLE privilegeShower IF NOT EXISTS; -CREATE ROLE privilegeAssigner IF NOT EXISTS; -CREATE ROLE privilegeRemover IF NOT EXISTS; -CREATE ROLE privilegeManager IF NOT EXISTS; -CREATE ROLE procedureExecutor IF NOT EXISTS; -CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; -CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; -CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; -CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; -CREATE ROLE 
deniedBoostedProcedureExecutor3 IF NOT EXISTS; -CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; -CREATE ROLE adminProcedureExecutor IF NOT EXISTS; -CREATE ROLE functionExecutor IF NOT EXISTS; -CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; -CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; -CREATE ROLE globbing1 IF NOT EXISTS; -CREATE ROLE globbing2 IF NOT EXISTS; -CREATE ROLE globbing3 IF NOT EXISTS; -CREATE ROLE globbing4 IF NOT EXISTS; -CREATE ROLE globbing5 IF NOT EXISTS; -CREATE ROLE globbing6 IF NOT EXISTS; -CREATE ROLE dbmsManager IF NOT EXISTS; -CREATE ROLE configurationViewer IF NOT EXISTS; -CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; ----- -//// - -[[access-control-dbms-administration]] -= DBMS privileges - -All DBMS privileges are relevant system-wide. -Like user management, they do not belong to one specific database or graph. -For more details on the differences between graphs, databases, and the DBMS, refer to link:{neo4j-docs-base-uri}/cypher-manual/5/introduction/cypher-neo4j/[Cypher Manual -> Cypher and Neo4j]. - -image::privileges_grant_and_deny_syntax_dbms_privileges.svg[title="Syntax of GRANT and DENY DBMS Privileges"] - -image::privileges_hierarchy_dbms.svg[title="DBMS privileges hierarchy"] - -The xref:authentication-authorization/built-in-roles.adoc#access-control-built-in-roles-admin[`admin` role] has a number of built-in privileges. -These include: - -* Create, delete, and modify databases and aliases. -* Change configuration parameters. -* Manage transactions. -* Manage users and roles. -* Manage sub-graph privileges. -* Manage procedure security. -* Load data. - -To enable a user to perform these tasks, you can grant them the `admin` role, but it is also possible to make a custom role with a subset of these privileges. -All privileges are also assignable using Cypher commands. 
-For more details, see the following sections: - -* <> -* <> -* <> -* <> -* <> -* <> -* xref:authentication-authorization/database-administration.adoc#access-control-database-administration-transaction[Transaction management] -* <> -* xref:authentication-authorization/load-privileges.adoc[Load privileges] - -[[access-control-dbms-administration-custom]] -== Using a custom role to manage DBMS privileges - -In order to have an administrator role with a subset of privileges that includes all DBMS privileges, but not all database privileges, you can copy the `admin` role and revoke or deny the unwanted privileges. -A second option is to build a custom administrator from scratch by granting the wanted privileges instead. - -As an example, an administrator role can be created to only manage users and roles by using the second option: - -. First, create the new role: -+ -[source, cypher, role=noplay] ----- -CREATE ROLE usermanager ----- -. Then grant the privilege to manage users: -+ -[source, cypher, role=noplay] ----- -GRANT USER MANAGEMENT ON DBMS TO usermanager ----- -. And to manage roles: -+ -[source, cypher, role=noplay] ----- -GRANT ROLE MANAGEMENT ON DBMS TO usermanager ----- - -The resulting role has privileges that only allow user and role management. -To list all privileges for the role `usermanager` as commands, run this query: - -[source, cypher, role=noplay] ----- -SHOW ROLE usermanager PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ROLE MANAGEMENT ON DBMS TO `usermanager`" -|"GRANT USER MANAGEMENT ON DBMS TO `usermanager`" -a|Rows: 2 -|=== - -Note that this role does not allow all DBMS capabilities. -For example, the role is missing privileges for management, creation and drop of databases as well as execution of `admin` procedures. -To create a more powerful administrator, you can grant a different set of privileges. 
- -In the following example, a new administrator role is created to perform almost all DBMS capabilities, excluding database management. -However, the role still has some limited database capabilities, such as managing transactions: - -. Again, start by creating a new role: -+ -[source, cypher, role=noplay] ----- -CREATE ROLE customAdministrator ----- -. Then grant the privilege for all DBMS capabilities: -+ -[source, cypher, role=noplay] ----- -GRANT ALL DBMS PRIVILEGES ON DBMS TO customAdministrator ----- -. And explicitly deny the privilege to manage databases: -+ -[source, cypher, role=noplay] ----- -DENY DATABASE MANAGEMENT ON DBMS TO customAdministrator ----- -. Next, grant the transaction management privilege: -+ -[source, cypher, role=noplay] ----- -GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO customAdministrator ----- - -The resulting role has privileges that include all DBMS privileges except creating, dropping, and modifying databases, as well as managing transactions. -Use the following query to list all privileges for the role `customAdministrator` as commands: - -[source, cypher, role=noplay] ----- -SHOW ROLE customAdministrator PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"DENY DATABASE MANAGEMENT ON DBMS TO `customAdministrator`" -|"GRANT ALL DBMS PRIVILEGES ON DBMS TO `customAdministrator`" -|"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `customAdministrator`" -a|Rows: 3 -|=== - - -[[access-control-dbms-administration-role-management]] -== The DBMS `ROLE MANAGEMENT` privileges - -The DBMS privileges for role management are assignable using Cypher administrative commands. -They can be granted, denied, and revoked like other privileges. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[]. 
-==== - -.Role management privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command | Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] CREATE ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to create new roles. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] RENAME ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to change the name of roles. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] DROP ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to delete roles. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] ASSIGN ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to assign roles to users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] REMOVE ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to remove roles from users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SHOW ROLE - ON DBMS - TO role[, ...] -| Enables the specified roles to list roles. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] ROLE MANAGEMENT - ON DBMS - TO role[, ...] -| Enables the specified roles to create, delete, assign, remove, and list roles. - -|=== - -The ability to add roles can be granted via the `CREATE ROLE` privilege. -See an example: - -[source, cypher, role=noplay] ----- -GRANT CREATE ROLE ON DBMS TO roleAdder ----- - -The resulting role has privileges that only allow adding roles. -List all privileges for the role `roleAdder` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleAdder PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT CREATE ROLE ON DBMS TO `roleAdder`" -a|Rows: 1 -|=== - -The ability to rename roles can be granted via the `RENAME ROLE` privilege. 
-See an example: - -[source, cypher, role=noplay] ----- -GRANT RENAME ROLE ON DBMS TO roleNameModifier ----- - -The resulting role has privileges that only allow renaming roles. -List all privileges for the role `roleNameModifier` using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleNameModifier PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT RENAME ROLE ON DBMS TO `roleNameModifier`" -a|Rows: 1 -|=== - -The ability to delete roles can be granted via the `DROP ROLE` privilege. -See an example: - -[source, cypher, role=noplay] ----- -GRANT DROP ROLE ON DBMS TO roleDropper ----- - -The resulting role has privileges that only allow deleting roles. -List all privileges for the role `roleDropper` by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleDropper PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT DROP ROLE ON DBMS TO `roleDropper`" -a|Rows: 1 -|=== - -The ability to assign roles to users can be granted via the `ASSIGN ROLE` privilege. -See an example: - -[source, cypher, role=noplay] ----- -GRANT ASSIGN ROLE ON DBMS TO roleAssigner ----- - -The resulting role has privileges that only allow assigning/granting roles. -List all privileges for the role `roleAssigner` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleAssigner PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ASSIGN ROLE ON DBMS TO `roleAssigner`" -a|Rows: 1 -|=== - -The ability to remove roles from users can be granted via the `REMOVE ROLE` privilege. -See an example: - -[source, cypher, role=noplay] ----- -GRANT REMOVE ROLE ON DBMS TO roleRemover ----- - -The resulting role has privileges that only allow removing/revoking roles. 
-List all privileges for the role `roleRemover` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleRemover PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT REMOVE ROLE ON DBMS TO `roleRemover`" -a|Rows: 1 -|=== - -The ability to show roles can be granted via the `SHOW ROLE` privilege. -A role with this privilege is allowed to execute the `SHOW ROLES` and `SHOW POPULATED ROLES` administration commands. -For the `SHOW ROLES WITH USERS` and `SHOW POPULATED ROLES WITH USERS` administration commands, both this privilege and the `SHOW USER` privilege are required. -The following query shows an example of how to grant the `SHOW ROLE` privilege: - -In order to use `SHOW ROLES WITH USERS` and `SHOW POPULATED ROLES WITH USERS` administration commands, both the `SHOW ROLE` and the `SHOW USER` privileges are required. -See an example of how to grant the `SHOW ROLE` privilege: - -[source, cypher, role=noplay] ----- -GRANT SHOW ROLE ON DBMS TO roleShower ----- - -The resulting role has privileges that only allow showing roles. -List all privileges for the role `roleShower` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleShower PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SHOW ROLE ON DBMS TO `roleShower`" -a|Rows: 1 -|=== - -The privileges to create, rename, delete, assign, remove, and list roles can be granted via the `ROLE MANAGEMENT` privilege. -See an example: - -[source, cypher, role=noplay] ----- -GRANT ROLE MANAGEMENT ON DBMS TO roleManager ----- - -The resulting role has all privileges to manage roles. 
-List all privileges for the role `roleManager` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE roleManager PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ROLE MANAGEMENT ON DBMS TO `roleManager`" -a|Rows: 1 -|=== - - -[[access-control-dbms-administration-user-management]] -== The DBMS `USER MANAGEMENT` privileges - -The DBMS privileges for user management can be assigned using Cypher administrative commands. -They can be granted, denied, and revoked like other privileges. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[]. -==== - -.User management privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command | Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] CREATE USER - ON DBMS - TO role[, ...] -| Enables the specified roles to create new users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] RENAME USER - ON DBMS - TO role[, ...] -| Enables the specified roles to change the name of users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] ALTER USER - ON DBMS - TO role[, ...] -| Enables the specified roles to modify users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SET PASSWORD[S] - ON DBMS - TO role[, ...] -| Enables the specified roles to modify users' passwords and whether those passwords must be changed upon first login. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SET AUTH - ON DBMS - TO role[, ...] -| label:new[Introduced in 5.24] Enables the specified roles to `SET` or `REMOVE` users' xref:authentication-authorization/auth-providers.adoc[auth providers]. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SET USER HOME DATABASE - ON DBMS - TO role[, ...] -| Enables the specified roles to modify users' home database. 
- -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SET USER STATUS - ON DBMS - TO role[, ...] -| Enables the specified roles to modify the account status of users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] DROP USER - ON DBMS - TO role[, ...] -| Enables the specified roles to delete users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] SHOW USER - ON DBMS - TO role[, ...] -| Enables the specified roles to list users. - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] USER MANAGEMENT - ON DBMS - TO role[, ...] -| Enables the specified roles to create, delete, modify, and list users. - -|=== - -The ability to add users can be granted via the `CREATE USER` privilege. -See an example: - -[source, cypher, role=noplay] ----- -GRANT CREATE USER ON DBMS TO userAdder ----- - -The resulting role has privileges that only allow adding users. -List all privileges for the role `userAdder` as commands by using this query: - -[source, cypher, role=noplay] ----- -SHOW ROLE userAdder PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT CREATE USER ON DBMS TO `userAdder`" -a|Rows: 1 -|=== - -The ability to rename users can be granted via the `RENAME USER` privilege. -The following query shows an example of this: - -[source, cypher, role=noplay] ----- -GRANT RENAME USER ON DBMS TO userNameModifier ----- - -The resulting role has privileges that only allow renaming users: - -[source, cypher, role=noplay] ----- -SHOW ROLE userNameModifier PRIVILEGES AS COMMANDS ----- - -Lists all privileges for role `userNameModifier`: - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT RENAME USER ON DBMS TO `userNameModifier`" -a|Rows: 1 -|=== - -The ability to modify users can be granted via the `ALTER USER` privilege. 
-See an example: - -[source, cypher, role=noplay] ----- -GRANT ALTER USER ON DBMS TO userModifier ----- - -The resulting role has privileges that only allow modifying users. -List all privileges for the role `userModifier` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE userModifier PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ALTER USER ON DBMS TO `userModifier`" -a|Rows: 1 -|=== - -A user that is granted the `ALTER USER` privilege is allowed to run the `ALTER USER` administration command with one or several of the `SET PASSWORD`, `SET PASSWORD CHANGE [NOT] REQUIRED`, `SET AUTH`, `REMOVE AUTH` and `SET STATUS` parts: - -[source, cypher, role=noplay] ----- -ALTER USER jake SET PASSWORD 'verysecret' SET STATUS SUSPENDED ----- - -The ability to modify users' passwords and whether those passwords must be changed upon first login can be granted via the `SET PASSWORDS` privilege. -See an example: - -[source, cypher, role=noplay] ----- -GRANT SET PASSWORDS ON DBMS TO passwordModifier ----- - -The resulting role has privileges that only allow modifying users' passwords and whether those passwords must be changed upon first login. 
-List all privileges for the role `passwordModifier` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE passwordModifier PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SET PASSWORD ON DBMS TO `passwordModifier`" -a|Rows: 1 -|=== - -A user that is granted the `SET PASSWORDS` privilege is allowed to run the `ALTER USER` administration command with one or both of the `SET PASSWORD` and `SET PASSWORD CHANGE [NOT] REQUIRED` parts: - -[source, cypher, role=noplay] ----- -ALTER USER jake SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED ----- - -label:new[Introduced in 5.24] A user that is granted the `SET AUTH` privilege is allowed to run the `ALTER USER` administration command with one or both of the `SET AUTH` and `REMOVE AUTH` parts: - -[source, cypher, role=noplay] ----- -ALTER USER jake REMOVE AUTH 'native SET AUTH 'oidc-okta' { SET id 'jakesUniqueOktaUserId' } ----- - - -The ability to modify the account status of users can be granted via the `SET USER STATUS` privilege. -See an example: - -[source, cypher, role=noplay] ----- -GRANT SET USER STATUS ON DBMS TO statusModifier ----- - -The resulting role has privileges that only allow modifying the account status of users. -List all privileges for the role `statusModifier` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE statusModifier PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SET USER STATUS ON DBMS TO `statusModifier`" -a|Rows: 1 -|=== - -A user that is granted the `SET USER STATUS` privilege is allowed to run the `ALTER USER` administration command with only the `SET STATUS` part: - -[source, cypher, role=noplay] ----- -ALTER USER jake SET STATUS ACTIVE ----- - -In order to be able to modify the home database of users, grant the `SET USER HOME DATABASE` privilege. 
-See an example: - -[source, cypher, role=noplay] ----- -GRANT SET USER HOME DATABASE ON DBMS TO statusModifier ----- - -The resulting role has privileges that only allow modifying the home database of users. -List all privileges for the role `statusModifier` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE statusModifier PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SET USER HOME DATABASE ON DBMS TO `statusModifier`" -|"GRANT SET USER STATUS ON DBMS TO `statusModifier`" -a|Rows: 2 -|=== - -A user that is granted the `SET USER HOME DATABASE` privilege is allowed to run the `ALTER USER` administration command with only the `SET HOME DATABASE` or `REMOVE HOME DATABASE` part: - -[source, cypher, role=noplay] ----- -ALTER USER jake SET HOME DATABASE otherDb ----- - -[source, cypher, role=noplay] ----- -ALTER USER jake REMOVE HOME DATABASE ----- - -[NOTE] -==== -Note that the combination of the `SET PASSWORDS`, `SET AUTH`, `SET USER STATUS`, and the `SET USER HOME DATABASE` privilege actions is equivalent to the `ALTER USER` privilege action. -==== - -The ability to delete users can be granted via the `DROP USER` privilege. -See an example: - -[source, cypher, role=noplay] ----- -GRANT DROP USER ON DBMS TO userDropper ----- - -The resulting role has privileges that only allow deleting users. -List all privileges for the role `userDropper` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE userDropper PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT DROP USER ON DBMS TO `userDropper`" -a|Rows: 1 -|=== - -The ability to show users can be granted via the `SHOW USER` privilege. -See an example: - -[source, cypher, role=noplay] ----- -GRANT SHOW USER ON DBMS TO userShower ----- - -The resulting role has privileges that only allow showing users. 
-List all privileges for the role `userShower` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE userShower PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SHOW USER ON DBMS TO `userShower`" -a|Rows: 1 -|=== - -The privileges to create, rename, modify, delete, and list users can be granted via the `USER MANAGEMENT` privilege. -See an example: - -[source, cypher, role=noplay] ----- -GRANT USER MANAGEMENT ON DBMS TO userManager ----- - -The resulting role has all privileges to manage users. -List all privileges for the role `userManager` as commands by using the following query: - -[source, cypher, role=noplay] ----- -SHOW ROLE userManager PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT SHOW USER ON DBMS TO `userManager`" -a|Rows: 1 -|=== - -[[access-control-dbms-administration-impersonation]] -== The DBMS `IMPERSONATE` privileges - -The DBMS privileges for impersonation can be assigned through Cypher administrative commands. -They can be granted, denied, and revoked like other privileges. - -Impersonation is the ability of a user to assume another user's roles (and therefore privileges), with the restriction of not being able to execute updating `admin` commands as the impersonated user (i.e. they would still be able to use `SHOW` commands). - -The ability to impersonate users can be granted via the `IMPERSONATE` privilege. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[]. -==== - -.Impersonation privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command | Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] IMPERSONATE [(*)] - ON DBMS - TO role[, ...] -| Enables the specified roles to impersonate any user. 
- -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] IMPERSONATE (user[, ...]) - ON DBMS - TO role[, ...] -| Enables the specified roles to impersonate the specified users. - -|=== - -The following query shows an example of this. -Note that `userImpersonator` must be an existing role in order to make this query work: - -.Query -[source, cypher, role=noplay] ----- -GRANT IMPERSONATE (*) ON DBMS TO userImpersonator ----- - -The resulting role has privileges that allow impersonating all users: - -.Query -[source, cypher, role=noplay] ----- -SHOW ROLE userImpersonator PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -| command -| "GRANT IMPERSONATE (*) ON DBMS TO `userImpersonator`" -a|Rows: 1 -|=== - -It is also possible to deny and revoke that privilege. -See an example which shows of how the `userImpersonator` user would be able to impersonate all users, except `alice`: - -.Query -[source, cypher, role=noplay] ----- -DENY IMPERSONATE (alice) ON DBMS TO userImpersonator ----- - -To grant (or revoke) the permissions to impersonate a specific user or a subset of users, you can first list them with this query: - -.Query -[source, cypher, role=noplay] ----- -GRANT IMPERSONATE (alice, bob) ON DBMS TO userImpersonator ----- - - -[[access-control-dbms-administration-database-management]] -== The DBMS `DATABASE MANAGEMENT` privileges - -The DBMS privileges for database management can be assigned by using Cypher administrative commands. -They can be granted, denied and revoked like other privileges. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[]. -==== - -.Database management privileges command syntax -[options="header", width="100%", cols="3a,2"] -|=== -| Command | Description - -| [source, syntax, role=noheader] -GRANT [IMMUTABLE] CREATE DATABASE - ON DBMS - TO role[, ...] -| Enables the specified roles to create new standard databases. 
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] DROP DATABASE
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to delete standard databases.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] ALTER DATABASE
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to modify standard databases.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] SET DATABASE ACCESS
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to modify access to standard databases.
-
-| [source, syntax, role=noheader]
-GRANT CREATE COMPOSITE DATABASE
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to create new composite databases.
-
-| [source, syntax, role=noheader]
-GRANT DROP COMPOSITE DATABASE
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to delete composite databases.
-
-| [source, syntax, role=noheader]
-GRANT COMPOSITE DATABASE MANAGEMENT
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to create and delete composite databases.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] DATABASE MANAGEMENT
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to create, delete, and modify databases.
-
-|===
-
-
-The ability to create standard databases can be granted via the `CREATE DATABASE` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT CREATE DATABASE ON DBMS TO databaseAdder
-----
-
-The resulting role has privileges that only allow creating standard databases.
-List all privileges for the role `databaseAdder` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE databaseAdder PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT CREATE DATABASE ON DBMS TO `databaseAdder`"
-a|Rows: 1
-|===
-
-The ability to create composite databases can be granted via the `CREATE COMPOSITE DATABASE` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT CREATE COMPOSITE DATABASE ON DBMS TO compositeDatabaseAdder
-----
-
-The resulting role has privileges that only allow creating composite databases.
-List all privileges for the role `compositeDatabaseAdder` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE compositeDatabaseAdder PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT CREATE COMPOSITE DATABASE ON DBMS TO `compositeDatabaseAdder`"
-a|Rows: 1
-|===
-
-The ability to delete standard databases can be granted via the `DROP DATABASE` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT DROP DATABASE ON DBMS TO databaseDropper
-----
-
-The resulting role has privileges that only allow deleting standard databases.
-List all privileges for the role `databaseDropper` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE databaseDropper PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT DROP DATABASE ON DBMS TO `databaseDropper`"
-a|Rows: 1
-|===
-
-The ability to delete composite databases can be granted via the `DROP COMPOSITE DATABASE` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT DROP COMPOSITE DATABASE ON DBMS TO compositeDatabaseDropper
-----
-
-The resulting role has privileges that only allow deleting composite databases.
-List all privileges for the role `compositeDatabaseDropper` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE compositeDatabaseDropper PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT DROP COMPOSITE DATABASE ON DBMS TO `compositeDatabaseDropper`"
-a|Rows: 1
-|===
-
-The ability to modify standard databases can be granted via the `ALTER DATABASE` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT ALTER DATABASE ON DBMS TO databaseModifier
-----
-
-The resulting role has privileges that only allow modifying standard databases.
-List all privileges for the role `databaseModifier` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE databaseModifier PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT ALTER DATABASE ON DBMS TO `databaseModifier`"
-a|Rows: 1
-|===
-
-The ability to modify access to standard databases can be granted via the `SET DATABASE ACCESS` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT SET DATABASE ACCESS ON DBMS TO accessModifier
-----
-
-The resulting role has privileges that only allow modifying access to standard databases.
-List all privileges for the role `accessModifier` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE accessModifier PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT SET DATABASE ACCESS ON DBMS TO `accessModifier`"
-a|Rows: 1
-|===
-
-The ability to create and delete composite databases can be granted via the `COMPOSITE DATABASE MANAGEMENT` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO compositeDatabaseManager
-----
-
-The resulting role has all privileges to manage composite databases.
-List all privileges for the role `compositeDatabaseManager` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE compositeDatabaseManager PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO `compositeDatabaseManager`"
-a|Rows: 1
-|===
-
-The ability to create, delete, and modify databases can be granted via the `DATABASE MANAGEMENT` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT DATABASE MANAGEMENT ON DBMS TO databaseManager
-----
-
-The resulting role has all privileges to manage standard and composite databases.
-List all privileges for the role `databaseManager` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE databaseManager PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT DATABASE MANAGEMENT ON DBMS TO `databaseManager`"
-a|Rows: 1
-|===
-
-[[access-control-dbms-administration-alias-management]]
-== The DBMS `ALIAS MANAGEMENT` privileges
-
-The DBMS privileges for alias management can be assigned by using Cypher administrative commands and can be applied to both local and remote aliases.
-They can be granted, denied and revoked like other privileges.
-
-[NOTE]
-====
-For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[].
-====
-
-.Alias management privileges command syntax
-[options="header", width="100%", cols="3a,2"]
-|===
-| Command | Description
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] CREATE ALIAS
-ON DBMS
-TO role[, ...]
-| Enables the specified roles to create new aliases.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] DROP ALIAS
-ON DBMS
-TO role[, ...]
-| Enables the specified roles to delete aliases.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] ALTER ALIAS
-ON DBMS
-TO role[, ...]
-| Enables the specified roles to modify aliases.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] SHOW ALIAS
-ON DBMS
-TO role[, ...]
-| Enables the specified roles to list aliases.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] ALIAS MANAGEMENT
-ON DBMS
-TO role[, ...]
-| Enables the specified roles to list, create, delete, and modify aliases.
-
-|===
-
-The ability to create aliases can be granted via the `CREATE ALIAS` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT CREATE ALIAS ON DBMS TO aliasAdder
-----
-
-The resulting role has privileges that only allow creating aliases.
-List all privileges for the role `aliasAdder` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE aliasAdder PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT CREATE ALIAS ON DBMS TO `aliasAdder`"
-a|Rows: 1
-|===
-
-The ability to delete aliases can be granted via the `DROP ALIAS` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT DROP ALIAS ON DBMS TO aliasDropper
-----
-
-The resulting role has privileges that only allow deleting aliases.
-See all privileges for the role `aliasDropper` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE aliasDropper PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT DROP ALIAS ON DBMS TO `aliasDropper`"
-a|Rows: 1
-|===
-
-The ability to modify aliases can be granted via the `ALTER ALIAS` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT ALTER ALIAS ON DBMS TO aliasModifier
-----
-
-The resulting role has privileges that only allow modifying aliases.
-List all privileges for the role `aliasModifier` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE aliasModifier PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT ALTER ALIAS ON DBMS TO `aliasModifier`"
-a|Rows: 1
-|===
-
-The ability to list aliases can be granted via the `SHOW ALIAS` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT SHOW ALIAS ON DBMS TO aliasLister
-----
-
-The resulting role has privileges that only allow modifying aliases.
-List all privileges for the role `aliasLister` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE aliasLister PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT SHOW ALIAS ON DBMS TO `aliasLister`"
-a|Rows: 1
-|===
-
-The privileges to list, create, delete, and modify aliases can be granted via the `ALIAS MANAGEMENT` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT ALIAS MANAGEMENT ON DBMS TO aliasManager
-----
-
-The resulting role has all privileges to manage aliases.
-List all privileges for the role `aliasManager` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE aliasManager PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT ALIAS MANAGEMENT ON DBMS TO `aliasManager`"
-a|Rows: 1
-|===
-
-[[access-control-dbms-administration-server-management]]
-== The DBMS `SERVER MANAGEMENT` privileges
-
-The DBMS privileges for server management can be assigned using Cypher administrative commands.
-They can be granted, denied, and revoked like other privileges.
-
-[NOTE]
-====
-For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax].
-====
-
-.Server management privileges command syntax
-[options="header", width="100%", cols="3a,2"]
-|===
-| Command | Description
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] SERVER MANAGEMENT
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to show, enable, rename, alter, reallocate, deallocate, and drop servers.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] SHOW SERVERS
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to show servers.
-|===
-
-
-[[access-control-dbms-administration-privilege-management]]
-== The DBMS `PRIVILEGE MANAGEMENT` privileges
-
-The DBMS privileges for privilege management can be assigned by using Cypher administrative commands.
-They can be granted, denied and revoked like other privileges.
-
-[NOTE]
-====
-For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[].
-====
-
-.Privilege management privileges command syntax
-[options="header", width="100%", cols="3a,2"]
-|===
-| Command | Description
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] SHOW PRIVILEGE
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to list privileges.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] ASSIGN PRIVILEGE
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to assign privileges using the `GRANT` and `DENY` commands.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] REMOVE PRIVILEGE
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to remove privileges using the `REVOKE` command.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] PRIVILEGE MANAGEMENT
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to list, assign, and remove privileges.
-|===
-
-The ability to list privileges can be granted via the `SHOW PRIVILEGE` privilege.
-
-A user with this privilege is allowed to execute the `SHOW PRIVILEGES` and `SHOW ROLE roleName PRIVILEGES` administration commands.
-To execute the `SHOW USER username PRIVILEGES` administration command, both this privilege and the `SHOW USER` privilege are required.
-The following query shows an example of how to grant the `SHOW PRIVILEGE` privilege:
-
-[source, cypher, role=noplay]
-----
-GRANT SHOW PRIVILEGE ON DBMS TO privilegeShower
-----
-
-The resulting role has privileges that only allow showing privileges.
-List all privileges for the role `privilegeShower` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE privilegeShower PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT SHOW PRIVILEGE ON DBMS TO `privilegeShower`"
-a|Rows: 1
-|===
-
-[NOTE]
-====
-Note that no specific privileges are required for showing the current user's privileges through the `SHOW USER _username_ PRIVILEGES` or `SHOW USER PRIVILEGES` commands.
-
-In addition, note that if a non-native auth provider like LDAP is in use, `SHOW USER PRIVILEGES` will only work with a limited capacity by making it only possible for a user to show their own privileges.
-Other users' privileges cannot be listed when using a non-native auth provider.
-====
-
-The ability to assign privileges to roles can be granted via the `ASSIGN PRIVILEGE` privilege.
-A user with this privilege is allowed to execute `GRANT` and `DENY` administration commands.
-See an example of how to grant this privilege:
-
-[source, cypher, role=noplay]
-----
-GRANT ASSIGN PRIVILEGE ON DBMS TO privilegeAssigner
-----
-
-The resulting role has privileges that only allow assigning privileges.
-List all privileges for the role `privilegeAssigner` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE privilegeAssigner PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT ASSIGN PRIVILEGE ON DBMS TO `privilegeAssigner`"
-a|Rows: 1
-|===
-
-The ability to remove privileges from roles can be granted via the `REMOVE PRIVILEGE` privilege.
-
-A user with this privilege is allowed to execute `REVOKE` administration commands.
-See an example of how to grant this privilege:
-
-[source, cypher, role=noplay]
-----
-GRANT REMOVE PRIVILEGE ON DBMS TO privilegeRemover
-----
-
-The resulting role has privileges that only allow removing privileges.
-List all privileges for the role `privilegeRemover` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE privilegeRemover PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT REMOVE PRIVILEGE ON DBMS TO `privilegeRemover`"
-a|Rows: 1
-|===
-
-The privileges to list, assign, and remove privileges can be granted via the `PRIVILEGE MANAGEMENT` privilege.
-See an example:
-
-[source, cypher, role=noplay]
-----
-GRANT PRIVILEGE MANAGEMENT ON DBMS TO privilegeManager
-----
-
-The resulting role has all privileges to manage privileges.
-List all privileges for the role `privilegeManager` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE privilegeManager PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT PRIVILEGE MANAGEMENT ON DBMS TO `privilegeManager`"
-a|Rows: 1
-|===
-
-
-[[access-control-dbms-administration-execute]]
-== The DBMS `EXECUTE` privileges
-
-The DBMS privileges for procedure and user-defined function execution can be assigned by using Cypher administrative commands.
-They can be granted, denied and revoked like other privileges.
-
-[NOTE]
-====
-For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[].
-====
-
-.Execute privileges command syntax
-[options="header", width="100%", cols="3a,2"]
-|===
-| Command
-| Description
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] EXECUTE PROCEDURE[S] name-globbing[, ...]
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to execute the given procedures.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] EXECUTE BOOSTED PROCEDURE[S] name-globbing[, ...]
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to use elevated privileges when executing the given procedures.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] EXECUTE ADMIN[ISTRATOR] PROCEDURES
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to execute procedures annotated with `@Admin`. The procedures are executed with elevated privileges.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] EXECUTE [USER [DEFINED]] FUNCTION[S] name-globbing[, ...]
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to execute the given user-defined functions.
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] name-globbing[, ...]
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to use elevated privileges when executing the given user-defined functions.
-|===
-
-[[access-control-execute-procedure]]
-=== The `EXECUTE PROCEDURE` privilege
-
-The ability to execute a procedure can be granted via the `EXECUTE PROCEDURE` privilege.
-A role with this privilege is allowed to execute the procedures matched by the <>.
-The following query shows an example of how to grant this privilege:
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO procedureExecutor
-----
-
-Users with the role `procedureExecutor` can then run any procedure in the `db.schema` namespace.
-The procedure is run using the user's own privileges.
-
-The resulting role has privileges that only allow executing procedures in the `db.schema` namespace.
-List all privileges for the role `procedureExecutor` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE procedureExecutor PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO `procedureExecutor`"
-a|Rows: 1
-|===
-
-In order to allow the execution of all but only a few procedures, you can grant `EXECUTE PROCEDURES *` and deny the unwanted procedures.
-For example, the following queries allow the execution of all procedures, except those starting with `dbms.cluster`:
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE PROCEDURE * ON DBMS TO deniedProcedureExecutor
-----
-
-[source, cypher, role=noplay]
-----
-DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO deniedProcedureExecutor
-----
-
-The resulting role has privileges that only allow executing all procedures except those starting with `dbms.cluster`.
-List all privileges for the role `deniedProcedureExecutor` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE deniedProcedureExecutor PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO `deniedProcedureExecutor`"
-|"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedProcedureExecutor`"
-a|Rows: 2
-|===
-
-
-The `dbms.cluster.checkConnectivity`, `dbms.cluster.cordonServer`, `dbms.cluster.protocols`, `dbms.cluster.readReplicaToggle`, `dbms.cluster.routing.getRoutingTable`, `dbms.cluster.secondaryReplicationDisable`, `dbms.cluster.setAutomaticallyEnableFreeServers`, and `dbms.cluster.uncordonServer` procedures are blocked, as well as any others starting with `dbms.cluster`.
-
-
-[[access-control-execute-boosted-procedure]]
-=== The `EXECUTE BOOSTED PROCEDURE` privilege
-
-The ability to use elevated privileges when executing a procedure can be granted via the `EXECUTE BOOSTED PROCEDURE` privilege.
-A user with this privilege will not be restricted to their other privileges when executing the procedures matched by the <>.
-The `EXECUTE BOOSTED PROCEDURE` privilege only affects the elevation, and not the execution of the procedure.
-Therefore, it is needed to grant `EXECUTE PROCEDURE` privilege for the procedures as well.
-
-
-[NOTE]
-====
-Since Neo4j 5.0, both `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` are needed to execute a procedure with elevated privileges.
-This differs from Neo4j 4.x, when only the `EXECUTE BOOSTED PROCEDURE` is required.
-====
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE PROCEDURE * ON DBMS TO boostedProcedureExecutor;
-GRANT EXECUTE BOOSTED PROCEDURE db.labels, db.relationshipTypes ON DBMS TO boostedProcedureExecutor
-----
-
-Users with the role `boostedProcedureExecutor` can thus run the `db.labels` and the `db.relationshipTypes` procedures with full privileges, seeing everything in the graph and not just the labels and types that the user has `TRAVERSE` privilege on.
-Without the `EXECUTE PROCEDURE`, no procedures could be executed at all.
-
-The resulting role has privileges that allow executing the procedures `db.labels` and `db.relationshipTypes` with elevated privileges, and all other procedures with the user's own privileges:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE boostedProcedureExecutor PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT EXECUTE PROCEDURE * ON DBMS TO `boostedProcedureExecutor`"
-|"GRANT EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `boostedProcedureExecutor`"
-|"GRANT EXECUTE BOOSTED PROCEDURE db.relationshipTypes ON DBMS TO `boostedProcedureExecutor`"
-a|Rows: 3
-|===
-
-As with grant, denying `EXECUTE BOOSTED PROCEDURE` on its own only affects the elevation and not the execution of the procedure.
-This can be seen in the following examples:
-
-.Grant `EXECUTE PROCEDURE` and deny `EXECUTE BOOSTED PROCEDURE`
-[example]
-====
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor1
-----
-
-[source, cypher, role=noplay]
-----
-DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor1
-----
-
-The resulting role has privileges that allow the execution of all procedures using the user's own privileges.
-It also prevents the `db.labels` procedure from being elevated.
-Still, the denied `EXECUTE BOOSTED PROCEDURE` does not block execution of `db.labels`.
-
-To list all privileges for role `deniedBoostedProcedureExecutor1` as commands, use the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE deniedBoostedProcedureExecutor1 PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor1`"
-|"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor1`"
-a|Rows: 2
-|===
-====
-
-.Grant `EXECUTE BOOSTED PROCEDURE` and deny `EXECUTE PROCEDURE`
-[example]
-====
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor2
-----
-
-[source, cypher, role=noplay]
-----
-DENY EXECUTE PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor2
-----
-
-The resulting role has privileges that allow elevating the privileges for all procedures, but cannot execute any due to missing or denied `EXECUTE PROCEDURE` privileges.
-List all privileges for the role `deniedBoostedProcedureExecutor2` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE deniedBoostedProcedureExecutor2 PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"DENY EXECUTE PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor2`"
-|"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor2`"
-a|Rows: 2
-|===
-====
-
-.Grant `EXECUTE BOOSTED PROCEDURE` and deny `EXECUTE BOOSTED PROCEDURE`
-[example]
-====
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor3
-----
-
-[source, cypher, role=noplay]
-----
-DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor3
-----
-
-The resulting role has privileges that allow elevating the privileges for all procedures except `db.labels`, however no procedures can be executed due to missing `EXECUTE PROCEDURE`
privilege.
-List all privileges for the role `deniedBoostedProcedureExecutor3` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE deniedBoostedProcedureExecutor3 PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor3`"
-|"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor3`"
-a|Rows: 2
-|===
-====
-
-.How would the privileges from examples 1 to 3 affect the output of a procedure?
-[example]
-====
-Assume there is a procedure called `myProc`.
-
-This procedure gives the result `A` and `B` for a user with `EXECUTE PROCEDURE` privilege and `A`, `B` and `C` for a user with `EXECUTE BOOSTED PROCEDURE` privilege.
-
-Now, adapt the privileges from examples 1 to 3 to be applied to this procedure and show what is returned.
-With the privileges from example 1, granted `EXECUTE PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A` and `B`.
-
-With the privileges from example 2, granted `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE PROCEDURE myProc`, execution of the `myProc` procedure is not allowed.
-
-With the privileges from example 3, granted `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, execution of the `myProc` procedure is not allowed.
-
-For comparison, when granted:
-
-* `EXECUTE PROCEDURE myProc`: the `myProc` procedure returns the result `A` and `B`.
-* `EXECUTE BOOSTED PROCEDURE myProc`: execution of the `myProc` procedure is not allowed.
-* `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE myProc`: the `myProc` procedure returns the result `A`, `B`, and `C`.
-====
-
-
-[[access-control-admin-procedure]]
-=== The `EXECUTE ADMIN PROCEDURE` privilege
-
-The ability to execute admin procedures (annotated with `@Admin`) can be granted via the `EXECUTE ADMIN PROCEDURES` privilege.
-This privilege is equivalent with granting the <> and <> privileges on each of the admin procedures.
-Any newly added `admin` procedure is automatically included in this privilege.
-The following query shows an example of how to grant this privilege:
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO adminProcedureExecutor
-----
-
-Users with the role `adminProcedureExecutor` can then run any `admin` procedure with elevated privileges.
-The resulting role has privileges that allow the execution of all admin procedures.
-
-List all privileges for the role `adminProcedureExecutor` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE adminProcedureExecutor PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO `adminProcedureExecutor`"
-a|Rows: 1
-|===
-
-In order to compare this with the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges, revisit the `myProc` procedure, but this time as an `admin` procedure, which will give the result `A`, `B` and `C` when allowed to execute.
-
-By starting with a user only granted the `EXECUTE PROCEDURE myProc` or the `EXECUTE BOOSTED PROCEDURE myProc` privilege, execution of the `myProc` procedure is not allowed.
-
-However, for a user granted the `EXECUTE ADMIN PROCEDURES` or both `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A`, `B` and `C`.
-
-Any denied `EXECUTE` privilege results in the procedure not being allowed to be executed.
-In this case, it does not matter whether `EXECUTE PROCEDURE`, `EXECUTE BOOSTED PROCEDURE` or `EXECUTE ADMIN PROCEDURES` is being denied.
-
-[[access-control-execute-user-defined-function]]
-=== The `EXECUTE USER DEFINED FUNCTION` privilege
-
-//EXECUTE [USER [DEFINED]] FUNCTION[S]
-The ability to execute a user-defined function (UDF) can be granted via the `EXECUTE USER DEFINED FUNCTION` privilege.
-A role with this privilege is allowed to execute the UDFs matched by the <>.
-
-[IMPORTANT]
-====
-The `EXECUTE USER DEFINED FUNCTION` privilege does not apply to built-in functions, which are always executable.
-====
-
-.Execute user-defined function
-======
-The following query shows an example of how to grant this privilege:
-
-[source,cypher,role=noplay]
-----
-GRANT EXECUTE USER DEFINED FUNCTION apoc.coll.* ON DBMS TO functionExecutor
-----
-
-Or in short form:
-
-[source,cypher,role=noplay]
-----
-GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO functionExecutor
-----
-
-Users with the role `functionExecutor` can thus run any UDF in the `apoc.coll` namespace.
-The function here is run using the user's own privileges.
-
-The resulting role has privileges that only allow executing UDFs in the `apoc.coll` namespace.
-List all privileges for the role `functionExecutor` as commands by using the following query:
-
-[source,cypher,role=noplay]
-----
-SHOW ROLE functionExecutor PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO `functionExecutor`"
-a|Rows: 1
-|===
-======
-
-To allow the execution of all but a few UDFs, you can grant `+EXECUTE USER DEFINED FUNCTIONS *+` and deny the unwanted functions.
-
-.Execute user-defined functions
-======
-The following queries allow the execution of all UDFs except those starting with `apoc.any.prop`:
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO deniedFunctionExecutor
-----
-
-[source, cypher, role=noplay]
-----
-DENY EXECUTE USER DEFINED FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor
-----
-
-Or in short form:
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE FUNCTIONS * ON DBMS TO deniedFunctionExecutor
-----
-
-[source, cypher, role=noplay]
-----
-DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor
-----
-
-The resulting role has privileges that only allow the execution of all procedures except those starting with `apoc.any.prop`.
-List all privileges for the role `deniedFunctionExecutor` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE deniedFunctionExecutor PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO `deniedFunctionExecutor`"
-|"GRANT EXECUTE FUNCTION * ON DBMS TO `deniedFunctionExecutor`"
-a|Rows: 2
-|===
-
-The `apoc.any.property` and `apoc.any.properties` are blocked, as well as any other procedures starting with `apoc.any.prop`.
-======
-
-[[access-control-execute-boosted-user-defined-function]]
-=== The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege
-
-//EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S]
-The ability to use elevated privileges when executing a user-defined function (UDF) can be granted via the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege.
-A user with this privilege will not be restricted to their other privileges when executing the UDFs matched by the <>.
-The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege only affects the elevation and not the execution of the function.
-Therefore, it is needed to grant `EXECUTE USER DEFINED FUNCTION` privilege for the functions as well.
-
-
-[NOTE]
-====
-Since Neo4j 5.0, both `EXECUTE USER DEFINED FUNCTION` and `EXECUTE BOOSTED USER DEFINED FUNCTION` are needed to execute a function with elevated privileges.
-This differs from Neo4j 4.x, when only the `EXECUTE BOOSTED USER DEFINED FUNCTION` is required.
-====
-
-[IMPORTANT]
-====
-The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege does not apply to built-in functions, as they have no concept of elevated privileges.
-====
-
-.Execute boosted user-defined function
-======
-The following query shows an example of how to grant the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege:
-
-[source,cypher,role=noplay]
-----
-GRANT EXECUTE USER DEFINED FUNCTION * ON DBMS TO boostedFunctionExecutor
-GRANT EXECUTE BOOSTED USER DEFINED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor
-----
-
-Or in short form:
-
-[source,cypher,role=noplay]
-----
-GRANT EXECUTE FUNCTION * ON DBMS TO boostedFunctionExecutor
-GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor
-----
-
-Users with the role `boostedFunctionExecutor` can thus run `apoc.any.properties` with full privileges and see every property on the node/relationship, not just the properties that the user has `READ` privilege on.
-Without the `EXECUTE USER DEFINED FUNCTION` no UDFs could be executed at all.
-
-The resulting role has privileges that allow executing the UDF `apoc.any.properties` with elevated privileges, and all other UDFs with the users' own privileges.
-List all privileges for the role `boostedFunctionExecutor` as commands by using the following query:
-
-[source,cypher,role=noplay]
-----
-SHOW ROLE boostedFunctionExecutor PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer",width="100%",cols="m"]
-|===
-|command
-|"GRANT EXECUTE FUNCTION * ON DBMS TO `boostedFunctionExecutor`"
-|"GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO `boostedFunctionExecutor`"
-a|Rows: 2
-|===
-======
-
-
-[role=label--new-5.6]
-[[access-control-dbms-administration-setting]]
-== The DBMS `SETTING` privileges
-
-The ability to show configuration settings can be granted via the `SHOW SETTING` privilege.
-A role with this privilege is allowed to query the configuration settings matched by the <>.
-
-
-[NOTE]
-====
-For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[].
-====
-
-.Setting privileges command syntax
-[options="header", width="100%", cols="3a,2"]
-|===
-| Command
-| Description
-
-| [source, syntax, role=noheader]
-GRANT [IMMUTABLE] SHOW SETTING[S] name-globbing[, ...]
- ON DBMS
- TO role[, ...]
-| Enables the specified roles to query given configuration settings.
-|===
-
-The following query shows an example of how to grant this privilege:
-
-[source, cypher, role=noplay]
-----
-GRANT SHOW SETTING server.bolt.* ON DBMS TO configurationViewer
-----
-
-Users with the role `configurationViewer` can then query any setting in the `server.bolt` namespace.
-
-The updated role `configurationViewer` has privileges that only allow querying settings in the `server.bolt` namespace.
-List all privileges for the role `configurationViewer` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE configurationViewer PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT SHOW SETTING server.bolt.* ON DBMS TO `configurationViewer`"
-a|Rows: 1
-|===
-
-To deny a specific setting from a role, first grant `SHOW SETTINGS *`, and then deny the unwanted setting.
-For example, the following queries allow the querying of all settings, except those starting with `dbms.security`:
-
-[source, cypher, role=noplay]
-----
-GRANT SHOW SETTINGS * ON DBMS TO deniedConfigurationViewer
-----
-
-[source, cypher, role=noplay]
-----
-DENY SHOW SETTING dbms.security* ON DBMS TO deniedConfigurationViewer
-----
-
-The resulting role has privileges that allow querying all settings except those starting with `dbms.security`.
-List all privileges for the role `deniedConfigurationViewer` as commands by using the following query:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE deniedConfigurationViewer PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"DENY SHOW SETTING dbms.security* ON DBMS TO `deniedConfigurationViewer`"
-|"GRANT SHOW SETTING * ON DBMS TO `deniedConfigurationViewer`"
-a|Rows: 2
-|===
-
-As the query result shows, access to any setting starting with `dbms.security` are blocked, but the rest can still be queried.
-
-
-[[access-control-dbms-administration-all]]
-== Granting `ALL DBMS PRIVILEGES`
-
-The right to perform the following privileges can be achieved with a single command:
-
-* Create, drop, assign, remove, and show roles.
-* Create, alter, drop, show, and impersonate users.
-* Create, alter, and drop databases and aliases.
-* Enable, alter, rename, reallocate, deallocate, and drop servers
-* Show, assign, and remove privileges.
-* Execute all procedures with elevated privileges.
-* Execute all user-defined functions with elevated privileges.
-* Show all configuration settings.
-
-[NOTE]
-====
-For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[].
-====
-
-[source, syntax, role=noheader]
-----
-GRANT [IMMUTABLE] ALL [[DBMS] PRIVILEGES]
- ON DBMS
- TO role[, ...]
-----
-
-For example, to grant the role `dbmsManager` the abilities above, use the following query:
-
-[source, cypher, role=noplay]
-----
-GRANT ALL DBMS PRIVILEGES ON DBMS TO dbmsManager
-----
-
-The privileges granted can be seen using the `SHOW PRIVILEGES` command:
-
-[source, cypher, role=noplay]
-----
-SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS
-----
-
-.Result
-[options="header,footer", width="100%", cols="m"]
-|===
-|command
-|"GRANT ALL DBMS PRIVILEGES ON DBMS TO `dbmsManager`"
-a|Rows: 1
-|===
-
-[[access-control-name-globbing]]
-== Name-globbing for procedures, user-defined functions, and settings
-
-The name-globbing for procedures, user-defined functions, and setting names is a simplified version of globbing for filename expansions.
-It only allows two wildcard characters: `+*+` and `?`, which are used for multiple and single-character matches.
-In this case, `+*+` means 0 or more characters, and `?` matches exactly one character.
-
-[NOTE]
-====
-The name-globbing is subject to the link:{neo4j-docs-base-uri}/cypher-manual/5/syntax/naming/[Cypher Manual -> Naming rules and recommendations], with the exception that it may include dots, stars, and question marks without the need for escaping using backticks.
-
-Each part of the name-globbing separated by dots may be individually quoted.
-For example, `++mine.`procedureWith%`++` is allowed, but not `++mine.procedure`With%`++`.
-Also, note that wildcard characters behave as wildcards even when quoted.
-For example, using `++`*`++` is equivalent to using `+*+`, and thus allows executing all functions or procedures and not only the procedure or function named `+*+`.
-====
-
-Given the following list of procedures:
-
-* `mine.public.exampleProcedure`
-* `mine.public.exampleProcedure1`
-* `mine.public.exampleProcedure2`
-* `mine.public.with#Special§Characters`
-* `mine.private.exampleProcedure`
-* `mine.private.exampleProcedure1`
-* `mine.private.exampleProcedure2`
-* `mine.private.with#Special§Characters`
-* `your.exampleProcedure`
-
-The following examples demonstrate how name-globbing patterns can be used in controlling access to procedures.
-Note that the same rules apply to user-defined functions and settings.
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1
-----
-
-Users with the role `globbing1` can run all the procedures.
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2
-----
-
-Users with the role `globbing2` can run procedures `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but no other procedures.
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3
-----
-
-Users with the role `globbing3` can run procedures `mine.public.exampleProcedure1`, `mine.private.exampleProcedure1`, and `mine.private.exampleProcedure2`, but no other procedures.
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4
-----
-
-Users with the role `globbing4` can run procedures `your.exampleProcedure`, `mine.public.exampleProcedure`, and `mine.private.exampleProcedure`, but no other procedures.
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5
-----
-
-Users with the role `globbing5` can run procedures `mine.public.exampleProcedure`, `mine.public.exampleProcedure1` and `mine.public.exampleProcedure42`, but no other procedures.
-
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6
-----
-
-Users with the role `globbing6` can run procedures `mine.public.with#Special§Characters`, and `mine.private.with#Special§Characters`, but no other procedures.
-
-[NOTE]
-====
-The name-globbing may be fully or partially quoted.
-Both `+*+` and `+?+` are interpreted as wildcards in both cases.
-====
-
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-admin-role.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-admin-role.adoc
new file mode 100644
index 000000000..cb6abfd1d
--- /dev/null
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-admin-role.adoc
@@ -0,0 +1,261 @@
+:description: Details the privileges associated with the administrator role for managing the DBMS.
+:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated
+= Administrator role privileges
+
+////
+[source, cypher, role=test-setup]
+----
+CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED;
+CREATE ROLE roleAdder IF NOT EXISTS;
+CREATE ROLE roleNameModifier IF NOT EXISTS;
+CREATE ROLE roleDropper IF NOT EXISTS;
+CREATE ROLE roleAssigner IF NOT EXISTS;
+CREATE ROLE roleRemover IF NOT EXISTS;
+CREATE ROLE roleViewer IF NOT EXISTS;
+CREATE ROLE roleManager IF NOT EXISTS;
+CREATE ROLE userAdder IF NOT EXISTS;
+CREATE ROLE userNameModifier IF NOT EXISTS;
+CREATE ROLE userModifier IF NOT EXISTS;
+CREATE ROLE userDropper IF NOT EXISTS;
+CREATE ROLE userViewer IF NOT EXISTS;
+CREATE ROLE userManager IF NOT EXISTS;
+CREATE ROLE userImpersonator IF NOT EXISTS;
+CREATE ROLE allUserImpersonator IF NOT EXISTS;
+CREATE ROLE authModifier IF NOT EXISTS;
+CREATE ROLE passwordModifier IF NOT EXISTS;
+CREATE ROLE statusModifier IF NOT EXISTS;
+CREATE ROLE homeDbModifier IF NOT EXISTS;
+CREATE ROLE databaseAdder IF NOT EXISTS;
+CREATE ROLE compositeDatabaseAdder IF NOT EXISTS;
+CREATE ROLE databaseDropper IF NOT EXISTS;
+CREATE ROLE compositeDatabaseDropper IF NOT EXISTS;
+CREATE ROLE databaseModifier IF NOT EXISTS;
+CREATE ROLE accessModifier IF NOT EXISTS;
+CREATE ROLE languageModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseManager IF NOT EXISTS;
+CREATE ROLE databaseManager IF NOT EXISTS;
+CREATE ROLE aliasAdder IF NOT EXISTS;
+CREATE ROLE aliasDropper IF NOT EXISTS;
+CREATE ROLE aliasModifier IF NOT EXISTS;
+CREATE ROLE aliasViewer IF NOT EXISTS;
+CREATE ROLE aliasManager IF NOT EXISTS;
+CREATE ROLE privilegeViewer IF NOT EXISTS;
+CREATE ROLE privilegeAssigner IF NOT EXISTS;
+CREATE ROLE privilegeRemover IF NOT EXISTS;
+CREATE ROLE privilegeManager IF NOT EXISTS;
+CREATE ROLE procedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE boostedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS;
+CREATE ROLE adminProcedureExecutor IF NOT EXISTS;
+CREATE ROLE functionExecutor IF NOT EXISTS;
+CREATE ROLE deniedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE boostedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE globbing1 IF NOT EXISTS;
+CREATE ROLE globbing2 IF NOT EXISTS;
+CREATE ROLE globbing3 IF NOT EXISTS;
+CREATE ROLE globbing4 IF NOT EXISTS;
+CREATE ROLE globbing5 IF NOT EXISTS;
+CREATE ROLE globbing6 IF NOT EXISTS;
+CREATE ROLE dbmsManager IF NOT EXISTS;
+CREATE ROLE configurationViewer IF NOT EXISTS;
+CREATE ROLE deniedConfigurationViewer IF NOT EXISTS;
+CREATE ROLE serverManager IF NOT EXISTS;
+CREATE ROLE serverViewer IF NOT EXISTS;
+----
+////
+
+You can manage DBMS privileges using either the built-in `admin` role or by creating a custom role with the specific privileges you need.
+
+== Using the built-in `admin` role to manage DBMS privileges
+
+The xref:authentication-authorization/built-in-roles.adoc#access-control-built-in-roles-admin[`admin` role] role is a built-in superuser role that has all privileges on the DBMS and can perform all administrative tasks.
+
+This includes the following tasks and their relevant privileges:
+
+* Create, delete, and modify xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[databases] and xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[aliases].
+* Change configuration parameters.
+* xref:authentication-authorization/database-administration.adoc#access-control-database-administration-transaction[Manage transactions].
+* Manage xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[users] and xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[roles].
+* Manage xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[privilege management].
+* Manage xref:authentication-authorization/privileges-reads.adoc[read] and xref:authentication-authorization/privileges-writes.adoc[write] sub-graph privileges.
+* Manage xref:authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc[impersonation privileges].
+* Manage xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[procedure security].
+* Manage xref:authentication-authorization/load-privileges.adoc[load data security].
+
+To enable a user to perform these tasks, you can grant them the `admin` role, but it is also possible to make a custom role with a subset of these privileges.
+All privileges are also assignable using Cypher commands.
+
+
+[[access-control-dbms-administration-custom]]
+== Using a custom role to manage DBMS privileges
+
+You can create a custom role to manage DBMS privileges by granting the privileges you want to the role.
+Alternatively, you can copy the `admin` role and revoke or deny the unwanted privileges.
+The following examples show how to create a custom role with a subset of the privileges that the `admin` role using both methods.
+
+=== Create a custom administrator role from scratch
+
+Create an administrator role that can only manage users and roles by creating a new role and granting the `USER MANAGEMENT` and `ROLE MANAGEMENT` privileges.
+
+. Create the new role:
++
+[source, cypher, role=noplay]
+----
+CREATE ROLE userAndRoleAdministrator;
+----
+. Grant the privilege to manage users:
++
+[source, cypher, role=noplay]
+----
+GRANT USER MANAGEMENT ON DBMS TO userAndRoleAdministrator;
+----
+. Grant the privilege to manage roles:
++
+[source, cypher, role=noplay]
+----
+GRANT ROLE MANAGEMENT ON DBMS TO userAndRoleAdministrator;
+----
++
+As a result, the `userAndRoleAdministrator` role has privileges that only allow user and role management.
+. To list all privileges for the role `userAndRoleAdministrator` as commands, use the following query:
++
+[source, cypher, role=noplay]
+----
+SHOW ROLE userAndRoleAdministrator PRIVILEGES AS COMMANDS;
+----
++
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT ROLE MANAGEMENT ON DBMS TO `userAndRoleAdministrator`"
+|"GRANT USER MANAGEMENT ON DBMS TO `userAndRoleAdministrator`"
+a|Rows: 2
+|===
+
+[NOTE]
+====
+This role does not allow all DBMS capabilities.
+For example, the role is missing privileges for managing, creating, and dropping databases, as well as executing `admin` procedures.
+To create a more powerful administrator, you can grant a different set of privileges.
+====
+
+=== Create a more powerful custom administrator role from scratch
+
+You can also create a custom administrator role with limited capabilities.
+This can be done by creating a new role and granting all `DBMS` privileges, then denying the ones you do not want the role to have, and then granting additional privileges you want to include.
+For example, you can create a custom administrator role `customAdministrator` that has all DBMS privileges except for creating, dropping, and modifying databases, and also has the privilege for managing transactions.
+
+. Create a new role:
++
+[source, cypher, role=noplay]
+----
+CREATE ROLE customAdministrator;
+----
+. Grant the privilege for all DBMS capabilities:
++
+[source, cypher, role=noplay]
+----
+GRANT ALL DBMS PRIVILEGES ON DBMS TO customAdministrator;
+----
+. Explicitly deny the privilege to manage databases:
++
+[source, cypher, role=noplay]
+----
+DENY DATABASE MANAGEMENT ON DBMS TO customAdministrator;
+----
+. Grant the transaction management privilege:
++
+[source, cypher, role=noplay]
+----
+GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO customAdministrator;
+----
++
+As a result, the `customAdministrator` role has privileges that include managing transactions and all DBMS privileges except creating, dropping, and modifying databases.
+. To list all privileges for the role `customAdministrator` as commands, use the following query:
++
+[source, cypher, role=noplay]
+----
+SHOW ROLE customAdministrator PRIVILEGES AS COMMANDS;
+----
++
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"DENY DATABASE MANAGEMENT ON DBMS TO `customAdministrator`"
+|"GRANT ALL DBMS PRIVILEGES ON DBMS TO `customAdministrator`"
+|"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `customAdministrator`"
+a|Rows: 3
+|===
+
+=== Create a custom administrator role by copying the `admin` role
+
+You can also create a custom administrator role by copying the `admin` role and then revoking or denying the privileges you do not want.
+For example, you can create a new role called `newAdministrator` that has all the privileges of the `admin` role, and then revoke the ability to read/write/load data, manage constraints, indexes, name, and remove ability to access all databases, except the `system` database.
+
+. Create a new role by copying the `admin` role:
++
+[source, cypher, role=noplay]
+----
+CREATE ROLE newAdministrator AS COPY OF admin;
+----
+
+. Revoke the ability to read/write/load data:
++
+[source, cypher, role=noplay]
+----
+REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM newAdministrator;
+REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM newAdministrator;
+REVOKE GRANT WRITE ON GRAPH * FROM newAdministrator;
+REVOKE GRANT LOAD ON ALL DATA FROM newAdministrator;
+----
+
+. Revoke the ability to manage index/constraint/name:
++
+[source, cypher, role=noplay]
+----
+REVOKE GRANT CONSTRAINT MANAGEMENT ON DATABASE * FROM newAdministrator;
+REVOKE GRANT INDEX MANAGEMENT ON DATABASE * FROM newAdministrator;
+REVOKE GRANT NAME MANAGEMENT ON DATABASE * FROM newAdministrator;
+REVOKE GRANT SHOW CONSTRAINT ON DATABASE * FROM newAdministrator;
+REVOKE GRANT SHOW INDEX ON DATABASE * FROM newAdministrator;
+----
+
+. Revoke the ability to access all databases:
++
+[source, cypher, role=noplay]
+----
+REVOKE GRANT ACCESS ON DATABASE * FROM newAdministrator;
+----
+. Grant the ability to access the `system` database:
++
+[source, cypher, role=noplay]
+----
+GRANT ACCESS ON DATABASE system TO newAdministrator;
+----
+
+. To list all privileges for the role `newAdministrator` as commands, use the following query:
++
+[source, cypher, role=noplay]
+----
+SHOW ROLE newAdministrator PRIVILEGES AS COMMANDS;
+----
++
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+| "GRANT ACCESS ON DATABASE `system` TO `newAdministrator`"
+| "GRANT ALL DBMS PRIVILEGES ON DBMS TO `newAdministrator`"
+| "GRANT START ON DATABASE * TO `newAdministrator`"
+| "GRANT STOP ON DATABASE * TO `newAdministrator`"
+| "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `newAdministrator`"
+a|Rows: 5
+|===
+
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc
new file mode 100644
index 000000000..7d507f3da
--- /dev/null
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc
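Review bot: The first sentence under `=== Create a more powerful custom administrator role from scratch` contradicts its heading: `You can also create a custom administrator role with limited capabilities.` describes a weaker role, while the steps that follow grant `ALL DBMS PRIVILEGES` and deny only `DATABASE MANAGEMENT`; I would replace it with `You can also create a custom administrator role that starts from all DBMS privileges and then removes the ones it should not have.` The introduction to the custom-role section drops a verb: `...with a subset of the privileges that the `admin` role has, using both methods.` Both the `customAdministrator` and `newAdministrator` examples keep `ALL DBMS PRIVILEGES`, which the page being deleted in this same commit lists as including "Show, assign, and remove privileges", so the denied database management and revoked data access are not a hard boundary for a holder of that role; a one-sentence caution after each example, such as `Because the role retains privilege management, it can re-grant the privileges removed here; deny or revoke privilege management as well if the role must not be able to widen its own access.`, would help readers who want a genuinely limited administrator. The hidden `test-setup` block at the top of this page is repeated verbatim in the other new pages visible in this commit, so the fixture now has to be kept in sync across several files.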
@@ -0,0 +1,246 @@
+:description: Details the DBMS privileges for alias management.
+:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated
+[[dbms-alias-management-privileges]]
+= The DBMS `ALIAS MANAGEMENT` privileges
+////
+[source, cypher, role=test-setup]
+----
+CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED;
+CREATE ROLE roleAdder IF NOT EXISTS;
+CREATE ROLE roleNameModifier IF NOT EXISTS;
+CREATE ROLE roleDropper IF NOT EXISTS;
+CREATE ROLE roleAssigner IF NOT EXISTS;
+CREATE ROLE roleRemover IF NOT EXISTS;
+CREATE ROLE roleViewer IF NOT EXISTS;
+CREATE ROLE roleManager IF NOT EXISTS;
+CREATE ROLE userAdder IF NOT EXISTS;
+CREATE ROLE userNameModifier IF NOT EXISTS;
+CREATE ROLE userModifier IF NOT EXISTS;
+CREATE ROLE userDropper IF NOT EXISTS;
+CREATE ROLE userViewer IF NOT EXISTS;
+CREATE ROLE userManager IF NOT EXISTS;
+CREATE ROLE userImpersonator IF NOT EXISTS;
+CREATE ROLE allUserImpersonator IF NOT EXISTS;
+CREATE ROLE authModifier IF NOT EXISTS;
+CREATE ROLE passwordModifier IF NOT EXISTS;
+CREATE ROLE statusModifier IF NOT EXISTS;
+CREATE ROLE homeDbModifier IF NOT EXISTS;
+CREATE ROLE databaseAdder IF NOT EXISTS;
+CREATE ROLE compositeDatabaseAdder IF NOT EXISTS;
+CREATE ROLE databaseDropper IF NOT EXISTS;
+CREATE ROLE compositeDatabaseDropper IF NOT EXISTS;
+CREATE ROLE databaseModifier IF NOT EXISTS;
+CREATE ROLE accessModifier IF NOT EXISTS;
+CREATE ROLE languageModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseManager IF NOT EXISTS;
+CREATE ROLE databaseManager IF NOT EXISTS;
+CREATE ROLE aliasAdder IF NOT EXISTS;
+CREATE ROLE aliasDropper IF NOT EXISTS;
+CREATE ROLE aliasModifier IF NOT EXISTS;
+CREATE ROLE aliasViewer IF NOT EXISTS;
+CREATE ROLE aliasManager IF NOT EXISTS;
+CREATE ROLE privilegeViewer IF NOT EXISTS;
+CREATE ROLE privilegeAssigner IF NOT EXISTS;
+CREATE ROLE privilegeRemover IF NOT EXISTS;
+CREATE ROLE privilegeManager IF NOT EXISTS;
+CREATE ROLE procedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE boostedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS;
+CREATE ROLE adminProcedureExecutor IF NOT EXISTS;
+CREATE ROLE functionExecutor IF NOT EXISTS;
+CREATE ROLE deniedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE boostedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE globbing1 IF NOT EXISTS;
+CREATE ROLE globbing2 IF NOT EXISTS;
+CREATE ROLE globbing3 IF NOT EXISTS;
+CREATE ROLE globbing4 IF NOT EXISTS;
+CREATE ROLE globbing5 IF NOT EXISTS;
+CREATE ROLE globbing6 IF NOT EXISTS;
+CREATE ROLE dbmsManager IF NOT EXISTS;
+CREATE ROLE configurationViewer IF NOT EXISTS;
+CREATE ROLE deniedConfigurationViewer IF NOT EXISTS;
+CREATE ROLE serverManager IF NOT EXISTS;
+CREATE ROLE serverViewer IF NOT EXISTS;
+----
+////
+
+The DBMS privileges for alias management can be granted, denied, or revoked like other privileges.
+This applies to both local and remote aliases.
+
+[NOTE]
+====
+For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax].
+====
+
+.Alias management privileges command syntax
+[options="header", width="100%", cols="3a,2"]
+|===
+| Command | Description
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] CREATE ALIAS
+ON DBMS
+TO role[, ...]
+| Enables the specified roles to create new aliases.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] DROP ALIAS
+ON DBMS
+TO role[, ...]
+| Enables the specified roles to delete aliases.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] ALTER ALIAS
+ON DBMS
+TO role[, ...]
+| Enables the specified roles to modify aliases.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] SHOW ALIAS
+ON DBMS
+TO role[, ...]
+| Enables the specified roles to list aliases.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] ALIAS MANAGEMENT
+ON DBMS
+TO role[, ...]
+| Enables the specified roles to list, create, delete, and modify aliases.
+
+|===
+
+== Grant privilege to create aliases
+
+You can grant the privilege to create aliases using the `CREATE ALIAS` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT CREATE ALIAS ON DBMS TO aliasAdder;
+----
+
+As a result, the `aliasAdder` role has privileges that only allow creating aliases.
+To list all privileges for the role `aliasAdder` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE aliasAdder PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT CREATE ALIAS ON DBMS TO `aliasAdder`"
+a|Rows: 1
+|===
+
+== Grant privilege to delete aliases
+
+You can grant the privilege to delete aliases using the `DROP ALIAS` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT DROP ALIAS ON DBMS TO aliasDropper;
+----
+
+As a result, the `aliasDropper` role has privileges that only allow deleting aliases.
+See all privileges for the role `aliasDropper` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE aliasDropper PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT DROP ALIAS ON DBMS TO `aliasDropper`"
+a|Rows: 1
+|===
+
+== Grant privilege to modify aliases
+
+You can grant the privilege to modify aliases using the `ALTER ALIAS` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT ALTER ALIAS ON DBMS TO aliasModifier;
+----
+
+As a result, the `aliasModifier` role has privileges that only allow modifying aliases.
+To list all privileges for the role `aliasModifier` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE aliasModifier PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT ALTER ALIAS ON DBMS TO `aliasModifier`"
+a|Rows: 1
+|===
+
+
+== Grant privilege to list aliases
+
+You can grant the privilege to list aliases using the `SHOW ALIAS` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT SHOW ALIAS ON DBMS TO aliasViewer;
+----
+
+As a result, the `aliasViewer` role has privileges that only allow modifying aliases.
+To list all privileges for the role `aliasViewer` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE aliasViewer PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SHOW ALIAS ON DBMS TO `aliasViewer`"
+a|Rows: 1
+|===
+
+== Grant privilege to manage aliases
+
+You can grant the privilege to create, delete, modify, and list aliases using the `ALIAS MANAGEMENT` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT ALIAS MANAGEMENT ON DBMS TO aliasManager;
+----
+
+As a result, the `aliasManager` role has all privileges to manage aliases.
+To list all privileges for the role `aliasManager` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE aliasManager PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT ALIAS MANAGEMENT ON DBMS TO `aliasManager`"
+a|Rows: 1
+|===
\ No newline at end of file
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc
new file mode 100644
index 000000000..f68f360f5
--- /dev/null
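Review bot: The `SHOW ALIAS` example states the wrong effect of the grant: `As a result, the `aliasViewer` role has privileges that only allow modifying aliases.` should read `As a result, the `aliasViewer` role has privileges that only allow listing aliases.`, matching the `GRANT SHOW ALIAS` command directly above it and the syntax table's description of that privilege. In the `DROP ALIAS` section, `See all privileges for the role `aliasDropper` as commands, use the following query:` should use the wording the other sections share, `To list all privileges for the role `aliasDropper` as commands, use the following query:`. The file is also added without a trailing newline (`\ No newline at end of file`), unlike the other new pages in this commit.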
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc 
@@ -0,0 +1,341 @@
+:description: Details the DBMS privileges for database management.
+:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated
+[[dbms-database-management-privileges]]
+= The DBMS `DATABASE MANAGEMENT` privileges
+
+////
+[source, cypher, role=test-setup]
+----
+CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED;
+CREATE ROLE roleAdder IF NOT EXISTS;
+CREATE ROLE roleNameModifier IF NOT EXISTS;
+CREATE ROLE roleDropper IF NOT EXISTS;
+CREATE ROLE roleAssigner IF NOT EXISTS;
+CREATE ROLE roleRemover IF NOT EXISTS;
+CREATE ROLE roleViewer IF NOT EXISTS;
+CREATE ROLE roleManager IF NOT EXISTS;
+CREATE ROLE userAdder IF NOT EXISTS;
+CREATE ROLE userNameModifier IF NOT EXISTS;
+CREATE ROLE userModifier IF NOT EXISTS;
+CREATE ROLE userDropper IF NOT EXISTS;
+CREATE ROLE userViewer IF NOT EXISTS;
+CREATE ROLE userManager IF NOT EXISTS;
+CREATE ROLE userImpersonator IF NOT EXISTS;
+CREATE ROLE allUserImpersonator IF NOT EXISTS;
+CREATE ROLE authModifier IF NOT EXISTS;
+CREATE ROLE passwordModifier IF NOT EXISTS;
+CREATE ROLE statusModifier IF NOT EXISTS;
+CREATE ROLE homeDbModifier IF NOT EXISTS;
+CREATE ROLE databaseAdder IF NOT EXISTS;
+CREATE ROLE compositeDatabaseAdder IF NOT EXISTS;
+CREATE ROLE databaseDropper IF NOT EXISTS;
+CREATE ROLE compositeDatabaseDropper IF NOT EXISTS;
+CREATE ROLE databaseModifier IF NOT EXISTS;
+CREATE ROLE accessModifier IF NOT EXISTS;
+CREATE ROLE languageModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseManager IF NOT EXISTS;
+CREATE ROLE databaseManager IF NOT EXISTS;
+CREATE ROLE aliasAdder IF NOT EXISTS;
+CREATE ROLE aliasDropper IF NOT EXISTS;
+CREATE ROLE aliasModifier IF NOT EXISTS;
+CREATE ROLE aliasViewer IF NOT EXISTS;
+CREATE ROLE aliasManager IF NOT EXISTS;
+CREATE ROLE privilegeViewer IF NOT EXISTS;
+CREATE ROLE privilegeAssigner IF NOT EXISTS;
+CREATE ROLE privilegeRemover IF NOT EXISTS;
+CREATE ROLE privilegeManager IF NOT EXISTS;
+CREATE ROLE procedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE boostedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS;
+CREATE ROLE adminProcedureExecutor IF NOT EXISTS;
+CREATE ROLE functionExecutor IF NOT EXISTS;
+CREATE ROLE deniedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE boostedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE globbing1 IF NOT EXISTS;
+CREATE ROLE globbing2 IF NOT EXISTS;
+CREATE ROLE globbing3 IF NOT EXISTS;
+CREATE ROLE globbing4 IF NOT EXISTS;
+CREATE ROLE globbing5 IF NOT EXISTS;
+CREATE ROLE globbing6 IF NOT EXISTS;
+CREATE ROLE dbmsManager IF NOT EXISTS;
+CREATE ROLE configurationViewer IF NOT EXISTS;
+CREATE ROLE deniedConfigurationViewer IF NOT EXISTS;
+CREATE ROLE serverManager IF NOT EXISTS;
+CREATE ROLE serverViewer IF NOT EXISTS;
+----
+////
+
+The DBMS privileges for database management can be granted, denied, or revoked like other privileges.
+
+[NOTE]
+====
+For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax].
+====
+
+.Database management privileges command syntax
+[options="header", width="100%", cols="3a,2"]
+|===
+| Command | Description
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] CREATE DATABASE
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to create new standard databases.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] DROP DATABASE
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to delete standard databases.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] ALTER DATABASE
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to modify standard databases.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] SET DATABASE ACCESS
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to modify access to standard databases.
+
+| [source, syntax, role=noheader]
+GRANT CREATE COMPOSITE DATABASE
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to create new composite databases.
+
+| [source, syntax, role=noheader]
+GRANT DROP COMPOSITE DATABASE
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to delete composite databases.
+
+| [source, syntax, role=noheader]
+GRANT COMPOSITE DATABASE MANAGEMENT
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to create and delete composite databases.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] DATABASE MANAGEMENT
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to create, delete, and modify databases.
+
+|===
+
+== Grant privilege to create standard databases
+
+You can grant the privilege to create standard databases using the `CREATE DATABASE` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT CREATE DATABASE ON DBMS TO databaseAdder
+----
+
+As a result, the `databaseAdder` role has privileges that only allow creating standard databases.
+To list all privileges for the role `databaseAdder` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE databaseAdder PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT CREATE DATABASE ON DBMS TO `databaseAdder`"
+a|Rows: 1
+|===
+
+== Grant privilege to create composite databases
+
+You can grant the privilege to create composite databases using the `CREATE COMPOSITE DATABASE` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT CREATE COMPOSITE DATABASE ON DBMS TO compositeDatabaseAdder
+----
+
+As a result, the `compositeDatabaseAdder` role has privileges that only allow creating composite databases.
+To list all privileges for the role `compositeDatabaseAdder` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE compositeDatabaseAdder PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT CREATE COMPOSITE DATABASE ON DBMS TO `compositeDatabaseAdder`"
+a|Rows: 1
+|===
+
+== Grant privilege to delete standard databases
+
+You can grant the privilege to delete standard databases using the `DROP DATABASE` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT DROP DATABASE ON DBMS TO databaseDropper
+----
+
+As a result, the `databaseDropper` role has privileges that only allow deleting standard databases.
+To list all privileges for the role `databaseDropper` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE databaseDropper PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT DROP DATABASE ON DBMS TO `databaseDropper`"
+a|Rows: 1
+|===
+
+== Grant privilege to delete composite databases
+
+You can grant the privilege to delete composite databases using the `DROP COMPOSITE DATABASE` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT DROP COMPOSITE DATABASE ON DBMS TO compositeDatabaseDropper
+----
+
+As a result, the `compositeDatabaseDropper` role has privileges that only allow deleting composite databases.
+To list all privileges for the role `compositeDatabaseDropper` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE compositeDatabaseDropper PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT DROP COMPOSITE DATABASE ON DBMS TO `compositeDatabaseDropper`"
+a|Rows: 1
+|===
+
+== Grant privilege to modify standard databases
+
+You can grant the privilege to modify standard databases using the `ALTER DATABASE` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT ALTER DATABASE ON DBMS TO databaseModifier;
+----
+
+As a result, the `databaseModifier` role has privileges that only allow modifying standard databases.
+To list all privileges for the role `databaseModifier` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE databaseModifier PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT ALTER DATABASE ON DBMS TO `databaseModifier`"
+a|Rows: 1
+|===
+
+== Grant privilege to modify access to standard databases
+
+You can grant the privilege to modify access to standard databases using the `SET DATABASE ACCESS` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT SET DATABASE ACCESS ON DBMS TO accessModifier
+----
+
+As a result, the `accessModifier` role has privileges that only allow modifying access to standard databases.
+To list all privileges for the role `accessModifier` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE accessModifier PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SET DATABASE ACCESS ON DBMS TO `accessModifier`"
+a|Rows: 1
+|===
+
+== Grant privilege to manage composite databases
+
+You can grant the privilege to create, delete, and modify composite databases using the `COMPOSITE DATABASE MANAGEMENT` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO compositeDatabaseManager;
+----
+
+As a result, the `compositeDatabaseManager` role has all privileges to manage composite databases.
+To list all privileges for the role `compositeDatabaseManager` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE compositeDatabaseManager PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO `compositeDatabaseManager`"
+a|Rows: 1
+|===
+
+== Grant privilege to manage standard and composite databases
+
+You can grant the privilege to create, delete, and modify standard and composite databases using the `DATABASE MANAGEMENT` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT DATABASE MANAGEMENT ON DBMS TO databaseManager;
+----
+
+As a result, the `databaseManager` role has all privileges to manage standard and composite databases.
+To list all privileges for the role `databaseManager` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE databaseManager PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT DATABASE MANAGEMENT ON DBMS TO `databaseManager`"
+a|Rows: 1
+|===
\ No newline at end of file
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-execute-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-execute-privileges.adoc
new file mode 100644
index 000000000..b4df65379
--- /dev/null
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-execute-privileges.adoc
@@ -0,0 +1,544 @@
+:description: Details the DBMS privileges for procedure and user-defined function execution.
+:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated
+[[dbms-execute-privileges]]
+= The DBMS `EXECUTE` privileges
+
+////
+[source, cypher, role=test-setup]
+----
+CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED;
+CREATE ROLE roleAdder IF NOT EXISTS;
+CREATE ROLE roleNameModifier IF NOT EXISTS;
+CREATE ROLE roleDropper IF NOT EXISTS;
+CREATE ROLE roleAssigner IF NOT EXISTS;
+CREATE ROLE roleRemover IF NOT EXISTS;
+CREATE ROLE roleViewer IF NOT EXISTS;
+CREATE ROLE roleManager IF NOT EXISTS;
+CREATE ROLE userAdder IF NOT EXISTS;
+CREATE ROLE userNameModifier IF NOT EXISTS;
+CREATE ROLE userModifier IF NOT EXISTS;
+CREATE ROLE userDropper IF NOT EXISTS;
+CREATE ROLE userViewer IF NOT EXISTS;
+CREATE ROLE userManager IF NOT EXISTS;
+CREATE ROLE userImpersonator IF NOT EXISTS;
+CREATE ROLE allUserImpersonator IF NOT EXISTS;
+CREATE ROLE authModifier IF NOT EXISTS;
+CREATE ROLE passwordModifier IF NOT EXISTS;
+CREATE ROLE statusModifier IF NOT EXISTS;
+CREATE ROLE homeDbModifier IF NOT EXISTS;
+CREATE ROLE databaseAdder IF NOT EXISTS;
+CREATE ROLE compositeDatabaseAdder IF NOT EXISTS;
+CREATE ROLE databaseDropper IF NOT EXISTS;
+CREATE ROLE compositeDatabaseDropper IF NOT EXISTS;
+CREATE ROLE databaseModifier IF NOT EXISTS;
+CREATE ROLE accessModifier IF NOT EXISTS;
+CREATE ROLE languageModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseManager IF NOT EXISTS;
+CREATE ROLE databaseManager IF NOT EXISTS;
+CREATE ROLE aliasAdder IF NOT EXISTS;
+CREATE ROLE aliasDropper IF NOT EXISTS;
+CREATE ROLE aliasModifier IF NOT EXISTS;
+CREATE ROLE aliasViewer IF NOT EXISTS;
+CREATE ROLE aliasManager IF NOT EXISTS;
+CREATE ROLE privilegeViewer IF NOT EXISTS;
+CREATE ROLE privilegeAssigner IF NOT EXISTS;
+CREATE ROLE privilegeRemover IF NOT EXISTS;
+CREATE ROLE privilegeManager IF NOT EXISTS;
+CREATE ROLE procedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE boostedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS;
+CREATE ROLE adminProcedureExecutor IF NOT EXISTS;
+CREATE ROLE functionExecutor IF NOT EXISTS;
+CREATE ROLE deniedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE boostedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE globbing1 IF NOT EXISTS;
+CREATE ROLE globbing2 IF NOT EXISTS;
+CREATE ROLE globbing3 IF NOT EXISTS;
+CREATE ROLE globbing4 IF NOT EXISTS;
+CREATE ROLE globbing5 IF NOT EXISTS;
+CREATE ROLE globbing6 IF NOT EXISTS;
+CREATE ROLE dbmsManager IF NOT EXISTS;
+CREATE ROLE configurationViewer IF NOT EXISTS;
+CREATE ROLE deniedConfigurationViewer IF NOT EXISTS;
+CREATE ROLE serverManager IF NOT EXISTS;
+CREATE ROLE serverViewer IF NOT EXISTS;
+----
+////
+
+The DBMS privileges for procedure and user-defined function execution can be granted, denied, or revoked like other privileges.
+
+[NOTE]
+====
+For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax].
+====
+
+.Execute privileges command syntax
+[options="header", width="100%", cols="3a,2"]
+|===
+| Command
+| Description
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] EXECUTE PROCEDURE[S] name-globbing[, ...]
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to execute the given procedures.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] EXECUTE BOOSTED PROCEDURE[S] name-globbing[, ...]
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to use elevated privileges when executing the given procedures.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] EXECUTE ADMIN[ISTRATOR] PROCEDURES
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to execute procedures annotated with `@Admin`. The procedures are executed with elevated privileges.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] EXECUTE [USER [DEFINED]] FUNCTION[S] name-globbing[, ...]
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to execute the given user-defined functions.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] name-globbing[, ...]
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to use elevated privileges when executing the given user-defined functions.
+|===
+
+[[access-control-execute-procedure]]
+== Grant privilege to execute procedures
+
+You can grant the privilege to execute procedures using the `EXECUTE PROCEDURE` privilege.
+
+A role with this privilege is allowed to execute the procedures matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing].
+
+=== Grant privilege to execute some procedures
+
+The following query allow the execution of procedures starting with `db.schema`:
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO procedureExecutor;
+----
+
+Users with the role `procedureExecutor` can run any procedure in the `db.schema` namespace.
+The procedures are executed using the user's own privileges.
+
+To list all privileges for the role `procedureExecutor` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE procedureExecutor PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO `procedureExecutor`"
+a|Rows: 1
+|===
+
+=== Grant privilege to execute all but some procedures
+
+You can grant the privilege to execute all except a few procedures using `EXECUTE PROCEDURES *` and deny the unwanted procedures.
+For example, the following queries allow the execution of all procedures, except those starting with `dbms.cluster`:
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE * ON DBMS TO deniedProcedureExecutor;
+----
+
+[source, cypher, role=noplay]
+----
+DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO deniedProcedureExecutor;
+----
+
+Users with the role `deniedProcedureExecutor` can run any procedure except those starting with `dbms.cluster`.
+The procedures are executed using the user's own privileges.
+
+To list all privileges for the role `deniedProcedureExecutor` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE deniedProcedureExecutor PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO `deniedProcedureExecutor`"
+|"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedProcedureExecutor`"
+a|Rows: 2
+|===
+
+
+The `dbms.cluster.checkConnectivity`, `dbms.cluster.cordonServer`, `dbms.cluster.protocols`, `dbms.cluster.readReplicaToggle`, `dbms.cluster.routing.getRoutingTable`, `dbms.cluster.secondaryReplicationDisable`, `dbms.cluster.setAutomaticallyEnableFreeServers`, and `dbms.cluster.uncordonServer` procedures are blocked, as well as any others starting with `dbms.cluster`.
+
+
+[[access-control-execute-boosted-procedure]]
+== Grant privilege to execute procedures with elevated privileges
+
+You can grant the privilege to execute procedures with elevated privileges using the `EXECUTE BOOSTED PROCEDURE` privilege.
+
+A user with this privilege will not be restricted to their other privileges when executing the procedures matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing].
+The `EXECUTE BOOSTED PROCEDURE` privilege only affects the elevation, and not the execution of the procedure.
+Therefore, it is needed to grant `EXECUTE PROCEDURE` privilege for the procedures as well.
+Both `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` are needed to execute a procedure with elevated privileges.
+
+=== Grant privilege to execute some procedures with elevated privileges
+
+You can grant the privilege to execute some procedures with elevated privileges using `EXECUTE BOOSTED PROCEDURE *`.
+
+For example, the following query allow the execution of the procedures `db.labels` and `db.relationshipTypes` with elevated privileges, and all other procedures with the user's own privileges:
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE * ON DBMS TO boostedProcedureExecutor;
+GRANT EXECUTE BOOSTED PROCEDURE db.labels, db.relationshipTypes ON DBMS TO boostedProcedureExecutor
+----
+
+Users with the role `boostedProcedureExecutor` can thus run the `db.labels` and the `db.relationshipTypes` procedures with full privileges, seeing everything in the graph and not just the labels and types that the user has `TRAVERSE` privilege on.
+Without the `EXECUTE PROCEDURE`, no procedures could be executed at all.
+
+To list all privileges for the role `boostedProcedureExecutor` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE boostedProcedureExecutor PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT EXECUTE PROCEDURE * ON DBMS TO `boostedProcedureExecutor`"
+|"GRANT EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `boostedProcedureExecutor`"
+|"GRANT EXECUTE BOOSTED PROCEDURE db.relationshipTypes ON DBMS TO `boostedProcedureExecutor`"
+a|Rows: 3
+|===
+
+[[grant-execute-procedure-deny-elevation]]
+=== Combination of granting execution and denying privilege elevation
+
+As with grant, denying `EXECUTE BOOSTED PROCEDURE` on its own only affects the elevation and not the execution of the procedure.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor1;
+DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor1;
+----
+
+As a result, the `deniedBoostedProcedureExecutor1` role has privileges that allow the execution of all procedures using the user’s own privileges.
+They also prevent the `db.labels` procedure from being elevated.
+Still, the denied `EXECUTE BOOSTED PROCEDURE` does not block execution of `db.labels`.
+
+To list all privileges for role `deniedBoostedProcedureExecutor1` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE deniedBoostedProcedureExecutor1 PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor1`"
+|"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor1`"
+a|Rows: 2
+|===
+
+[[grant-privilege-elevation-deny-execution]]
+=== Combination of granting privilege elevation and denying execution
+
+You can also grant the privilege to execute procedures with elevated privileges and deny the execution of specific procedures.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor2;
+----
+
+[source, cypher, role=noplay]
+----
+DENY EXECUTE PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor2;
+----
+
+As a result, the `deniedBoostedProcedureExecutor2` role has privileges that allow elevating the privileges for all procedures, but cannot execute any due to missing or denied `EXECUTE PROCEDURE` privileges.
+
+To list all privileges for the role `deniedBoostedProcedureExecutor2` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE deniedBoostedProcedureExecutor2 PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"DENY EXECUTE PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor2`"
+|"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor2`"
+a|Rows: 2
+|===
+
+[[grant-deny-privilege-elevation]]
+=== Combination of granting and denying privilege elevation
+
+You can also grant the privilege to execute procedures with elevated privileges and deny the elevation for specific procedures.
+
+For example, the following queries allow has privileges that allow elevating the privileges for all procedures except `db.labels`.
+However, no procedures can be executed due to a missing `EXECUTE PROCEDURE` privilege.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor3;
+----
+
+[source, cypher, role=noplay]
+----
+DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor3;
+----
+
+As a result, the `deniedBoostedProcedureExecutor3` role has privileges that allow elevating the privileges for all procedures except `db.labels`.
+However, no procedures can be executed due to missing `EXECUTE PROCEDURE` privilege.
+
+To list all privileges for the role `deniedBoostedProcedureExecutor3` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE deniedBoostedProcedureExecutor3 PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor3`"
+|"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor3`"
+a|Rows: 2
+|===
+
+=== Control procedure output with privileges
+
+You can control the output of procedures based on the privileges granted or denied to a role using the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges.
+For example, assume there is a procedure called `myProc`.
+
+This procedure gives the result `A` and `B` for a user with only the `EXECUTE PROCEDURE` privilege and `A`, `B` and `C` for a user with both the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges.
+
+Now, adapt the privileges from sections <> (example 1), <> (example 2), and <> (example 3) to be applied to this procedure and show what is returned.
+
+With the privileges from example 1, granted `EXECUTE PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A` and `B`.
+
+With the privileges from example 2, granted `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE PROCEDURE myProc`, execution of the `myProc` procedure is not allowed.
+
+With the privileges from example 3, granted `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, execution of the `myProc` procedure is not allowed.
+
+For comparison, when granted:
+
+* `EXECUTE PROCEDURE myProc`: the `myProc` procedure returns the result `A` and `B`.
+* `EXECUTE BOOSTED PROCEDURE myProc`: execution of the `myProc` procedure is not allowed.
+* `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE myProc`: the `myProc` procedure returns the result `A`, `B`, and `C`.
+
+
+[[access-control-admin-procedure]]
+== Grant privilege to execute admin procedures
+
+Admin procedures (annotated with `@Admin`) are special in that they require elevated privileges to be executed at all.
+This means that to execute an admin procedure you need both the <> and <> privileges for that procedure.
+
+For a user to be allowed to execute all admin procedures, they can either be granted the two privileges for each of the admin procedures (which would need to be updated each time a new admin procedure is added), all procedures (which would then affect all non-admin procedures as well) or the `EXECUTE ADMIN PROCEDURES` privilege.
+
+The `EXECUTE ADMIN PROCEDURES` privilege is equivalent to granting the <> and <> privileges on each of the admin procedures.
+This also have the additional advantage that any newly added `admin` procedure is automatically included in this privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO adminProcedureExecutor;
+----
+
+Users with the role `adminProcedureExecutor` can run any `admin` procedure with elevated privileges.
+As a result, the `adminProcedureExecutor` role has privileges that allow the execution of all admin procedures.
+To list all privileges for the role `adminProcedureExecutor` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE adminProcedureExecutor PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO `adminProcedureExecutor`"
+a|Rows: 1
+|===
+
+In order to compare this with the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges, revisit the `myProc` procedure, but this time as an `admin` procedure, which will give the result `A`, `B` and `C` when allowed to execute.
+
+By starting with a user only granted the `EXECUTE PROCEDURE myProc` or the `EXECUTE BOOSTED PROCEDURE myProc` privilege, execution of the `myProc` procedure is not allowed.
+
+However, for a user granted the `EXECUTE ADMIN PROCEDURES` or both `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A`, `B` and `C`.
+
+Any denied `EXECUTE` privilege results in the procedure not being allowed to be executed.
+In this case, it does not matter whether `EXECUTE PROCEDURE`, `EXECUTE BOOSTED PROCEDURE` or `EXECUTE ADMIN PROCEDURES` is being denied.
+
+[[access-control-execute-user-defined-function]]
+== Grant privilege to execute user-defined functions
+
+//EXECUTE [USER [DEFINED]] FUNCTION[S]
+You can grant the privilege to execute user-defined functions (UDFs) using the `EXECUTE USER DEFINED FUNCTION` privilege.
+A role with this privilege is allowed to execute the UDFs matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing].
+
+[IMPORTANT]
+====
+The `EXECUTE USER DEFINED FUNCTION` privilege does not apply to built-in functions, which are always executable.
+====
+
+=== Grant privilege to execute some user-defined functions
+
+The following query shows an example of how to grant the `EXECUTE USER DEFINED FUNCTION` privilege:
+
+[source,cypher,role=noplay]
+----
+GRANT EXECUTE USER DEFINED FUNCTION apoc.coll.* ON DBMS TO functionExecutor;
+----
+
+Or in short form:
+
+[source,cypher,role=noplay]
+----
+GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO functionExecutor;
+----
+
+Users with the role `functionExecutor` can thus run any UDF in the `apoc.coll` namespace.
+The functions are executed using the user's own privileges.
+
+As a result, the `functionExecutor` role has privileges that only allow executing UDFs in the `apoc.coll` namespace.
+To list all privileges for the role `functionExecutor` as commands, use the following query:
+
+[source,cypher,role=noplay]
+----
+SHOW ROLE functionExecutor PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO `functionExecutor`"
+a|Rows: 1
+|===
+
+=== Grant privilege to execute all but some user-defined functions
+
+To allow the execution of all but a few UDFs, you can grant `+EXECUTE USER DEFINED FUNCTIONS *+` and deny the unwanted UDFs.
+For example, the following queries allow the execution of all UDFs except those starting with `apoc.any.prop`:
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO deniedFunctionExecutor;
+----
+
+[source, cypher, role=noplay]
+----
+DENY EXECUTE USER DEFINED FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor;
+----
+
+Or in short form:
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE FUNCTIONS * ON DBMS TO deniedFunctionExecutor;
+----
+
+[source, cypher, role=noplay]
+----
+DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor;
+----
+
+As a result, the `deniedFunctionExecutor` role has privileges that only allow the execution of all UDFs except those starting with `apoc.any.prop`.
+The functions are executed using the user's own privileges.
+To list all privileges for the role `deniedFunctionExecutor` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE deniedFunctionExecutor PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO `deniedFunctionExecutor`"
+|"GRANT EXECUTE FUNCTION * ON DBMS TO `deniedFunctionExecutor`"
+a|Rows: 2
+|===
+
+The `apoc.any.property` and `apoc.any.properties` are blocked, as well as any other UDFs starting with `apoc.any.prop`.
+
+[[access-control-execute-boosted-user-defined-function]]
+== Grant privilege to execute user-defined functions with elevated privileges
+
+//EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S]
+You can grant the privilege to execute user-defined functions (UDFs) with elevated privileges using the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege.
+
+A user with this privilege will not be restricted to their other privileges when executing the UDFs matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing].
+The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege only affects the elevation and not the execution of the function.
+Therefore, it is needed to grant `EXECUTE USER DEFINED FUNCTION` privilege for the UDFs as well.
+Both `EXECUTE USER DEFINED FUNCTION` and `EXECUTE BOOSTED USER DEFINED FUNCTION` are needed to execute a function with elevated privileges.
+
+[IMPORTANT]
+====
+The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege does not apply to built-in functions, as they have no concept of elevated privileges.
+====
+
+=== Grant privilege to execute some user-defined functions with elevated privileges
+
+The following query shows an example of how to grant the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege:
+
+[source,cypher,role=noplay]
+----
+GRANT EXECUTE USER DEFINED FUNCTION * ON DBMS TO boostedFunctionExecutor;
+GRANT EXECUTE BOOSTED USER DEFINED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor;
+----
+
+Or in short form:
+
+[source,cypher,role=noplay]
+----
+GRANT EXECUTE FUNCTION * ON DBMS TO boostedFunctionExecutor;
+GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor;
+----
+
+Users with the role `boostedFunctionExecutor` can thus run `apoc.any.properties` with full privileges and see every property on the node/relationship, not just the properties that the user has `READ` privilege on.
+Without the `EXECUTE USER DEFINED FUNCTION`, you cannot execute any UDFs at all.
+
+As a result, the `boostedFunctionExecutor` role has privileges that allow executing the UDF `apoc.any.properties` with elevated privileges, and all other UDFs with the users' own privileges.
+To list all privileges for the role `boostedFunctionExecutor` as commands, use the following query:
+
+[source,cypher,role=noplay]
+----
+SHOW ROLE boostedFunctionExecutor PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer",width="100%",cols="m"]
+|===
+|command
+|"GRANT EXECUTE FUNCTION * ON DBMS TO `boostedFunctionExecutor`"
+|"GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO `boostedFunctionExecutor`"
+a|Rows: 2
+|===
\ No newline at end of file
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc
new file mode 100644
index 000000000..4b2922e85
--- /dev/null
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc
@@ -0,0 +1,167 @@ +:description: Details the DBMS privileges for impersonation. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-impersonate-privileges]] += The DBMS `IMPERSONATE` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; +CREATE ROLE 
procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for impersonation can be granted, denied, or revoked like other privileges. + +Impersonation is the ability of a user to assume another user's roles (and therefore privileges), with the restriction of not being able to execute updating `admin` commands as the impersonated user (i.e. they would still be able to use `SHOW` commands). + +You can use the `IMPERSONATE` privilege to allow a user to impersonate another user. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Impersonation privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] IMPERSONATE [(*)] + ON DBMS + TO role[, ...] +| Enables the specified roles to impersonate any user. 
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] IMPERSONATE (user[, ...])
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to impersonate the specified users.
+
+|===
+
+== Grant privilege to impersonate all users
+
+You can grant the privilege to impersonate all users using the `IMPERSONATE (*)` privilege.
+
+For example:
+
+.Query
+[source, cypher, role=noplay]
+----
+GRANT IMPERSONATE (*) ON DBMS TO allUserImpersonator
+----
+
+As a result, the `allUserImpersonator` role has privileges that allow impersonating all users.
+To list all privileges for the role `allUserImpersonator` as commands, use the following query:
+
+.Query
+[source, cypher, role=noplay]
+----
+SHOW ROLE allUserImpersonator PRIVILEGES AS COMMANDS;
+----
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+| command
+| "GRANT IMPERSONATE (*) ON DBMS TO `allUserImpersonator`"
+a|Rows: 1
+|===
+
+== Grant privilege to impersonate specific users
+
+You can also grant the privilege to impersonate specific users or a subset of users.
+
+For example:
+
+.Query
+[source, cypher, role=noplay]
+----
+GRANT IMPERSONATE (alice, bob) ON DBMS TO userImpersonator;
+----
+
+As a result, the `userImpersonator` role has privileges that allow impersonating only `alice` and `bob`.
+Then, you deny the privilege to impersonate `alice`:
+
+.Query
+[source, cypher, role=noplay]
+----
+DENY IMPERSONATE (alice) ON DBMS TO userImpersonator;
+----
+
+As a result, the `userImpersonator` user would be able to impersonate only `bob`.
+
+To list all privileges for the role `userImpersonator` as commands, use the following query:
+
+.Query
+[source, cypher, role=noplay]
+----
+SHOW ROLE userImpersonator PRIVILEGES AS COMMANDS;
+----
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+| command
+| "DENY IMPERSONATE (alice) ON DBMS TO `userImpersonator`"
+| "GRANT IMPERSONATE (alice) ON DBMS TO `userImpersonator`"
+| "GRANT IMPERSONATE (bob) ON DBMS TO `userImpersonator`"
+a|Rows: 3
+|===
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc
new file mode 100644
index 000000000..d0f12109e
--- /dev/null
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc
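Review bot: The closing sentence of the "Grant privilege to impersonate specific users" section calls `userImpersonator` a user, but everywhere else in this file it is the role the privilege is granted to; keeping the monospace on the names, the sentence should read `As a result, a user with the userImpersonator role would be able to impersonate only bob.` The first example, `GRANT IMPERSONATE (*) ON DBMS TO allUserImpersonator`, is the only Cypher statement in the file without a terminating semicolon, unlike every other example. The `IMPERSONATE (*)` section would also benefit from one sentence making explicit that "any user" includes users holding `admin` or other high-privilege roles, so the grant should be handled with the same care as those roles (minus the updating admin commands the introduction already excludes); I infer this from the introduction's definition of impersonation rather than from a statement on the page, so confirm before adding. The hunk contains the whole file, so nothing continues outside it.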
@@ -0,0 +1,224 @@ +:description: Details the DBMS privileges for privilege management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-privilege-management-privileges]] += The DBMS `PRIVILEGE MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF 
NOT EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for privilege management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Privilege management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW PRIVILEGE + ON DBMS + TO role[, ...] +| Enables the specified roles to list privileges. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ASSIGN PRIVILEGE + ON DBMS + TO role[, ...] +| Enables the specified roles to assign privileges using the `GRANT` and `DENY` commands. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] REMOVE PRIVILEGE + ON DBMS + TO role[, ...] 
+| Enables the specified roles to remove privileges using the `REVOKE` command.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] PRIVILEGE MANAGEMENT
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to list, assign, and remove privileges.
+|===
+
+== Grant privilege to list privileges
+
+You can grant the `SHOW PRIVILEGE` privilege to allow a user to list privileges using the `SHOW PRIVILEGE`, `SHOW ROLE roleName PRIVILEGES`, and `SHOW USER username PRIVILEGES` administration commands.
+The `SHOW USER username PRIVILEGES` command also requires the `SHOW USER` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT SHOW PRIVILEGE ON DBMS TO privilegeViewer;
+----
+
+As a result, the `privilegeViewer` role has privileges that only allow showing privileges.
+To list all privileges for the role `privilegeViewer` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE privilegeViewer PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SHOW PRIVILEGE ON DBMS TO `privilegeViewer`"
+a|Rows: 1
+|===
+
+[NOTE]
+====
+No specific privileges are required for showing the current user's privileges through the `SHOW USER _username_ PRIVILEGES` or `SHOW USER PRIVILEGES` commands.
+
+If a non-native auth provider like LDAP is in use, `SHOW USER PRIVILEGES` will only work with a limited capacity by making it only possible for a user to show their own privileges.
+Other users' privileges cannot be listed when using a non-native auth provider.
+====
+
+== Grant privilege to assign privileges
+
+You can grant the privilege to assign privileges using the `ASSIGN PRIVILEGE` privilege.
+
+A user with this privilege is allowed to execute `GRANT` and `DENY` administration commands.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT ASSIGN PRIVILEGE ON DBMS TO privilegeAssigner;
+----
+
+As a result, the `privilegeAssigner` role has privileges that only allow assigning privileges.
+To list all privileges for the role `privilegeAssigner` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE privilegeAssigner PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT ASSIGN PRIVILEGE ON DBMS TO `privilegeAssigner`"
+a|Rows: 1
+|===
+
+== Grant privilege to remove privileges
+
+You can grant the privilege to remove privileges from roles using the `REMOVE PRIVILEGE` privilege.
+
+A user with this privilege is allowed to execute `REVOKE` administration commands.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT REMOVE PRIVILEGE ON DBMS TO privilegeRemover;
+----
+
+As a result, the `privilegeRemover` role has privileges that only allow removing privileges.
+To list all privileges for the role `privilegeRemover` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE privilegeRemover PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT REMOVE PRIVILEGE ON DBMS TO `privilegeRemover`"
+a|Rows: 1
+|===
+
+== Grant privilege to manage privileges
+
+You can grant the privilege to list, assign, and remove privileges using the `PRIVILEGE MANAGEMENT` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT PRIVILEGE MANAGEMENT ON DBMS TO privilegeManager;
+----
+
+As a result, the `privilegeManager` role has all privileges to manage privileges.
+To list all privileges for the role `privilegeManager` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE privilegeManager PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT PRIVILEGE MANAGEMENT ON DBMS TO `privilegeManager`"
+a|Rows: 1
+|===
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc
new file mode 100644
index 000000000..7dc60475d
--- /dev/null
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc
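Review bot: The "Grant privilege to assign privileges" section says a holder of `ASSIGN PRIVILEGE` can run `GRANT` and `DENY` but says nothing about scope, which is exactly what someone delegating privilege administration needs: if, as the text implies, any privilege may be granted to any role (including the holder's own roles), `ASSIGN PRIVILEGE` alone is effectively as powerful as full DBMS administration and should be granted with that in mind. One sentence after `A user with this privilege is allowed to execute GRANT and DENY administration commands.` would settle it, for example `This includes granting privileges to the user's own roles, so it should only be given to trusted administrators.`; confirm the actual behavior before adding it. The note under "Grant privilege to list privileges" writes `SHOW USER _username_ PRIVILEGES` with an italic placeholder while the section's first paragraph writes `SHOW USER username PRIVILEGES`; one form should be used throughout. The same note's phrase "will only work with a limited capacity by making it only possible for a user to show their own privileges" reads awkwardly and could simply say that each user can then list only their own privileges. The hunk contains the whole file.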
@@ -0,0 +1,316 @@ +:description: Details the DBMS privileges for role management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-role-management-privileges]] += The DBMS `ROLE MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; 
+CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for role management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Role management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] CREATE ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to create new roles. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] RENAME ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to change the name of roles. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DROP ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to delete roles. 
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] ASSIGN ROLE
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to assign roles to users.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] REMOVE ROLE
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to remove roles from users.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] SHOW ROLE
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to list roles.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] ROLE MANAGEMENT
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to create, delete, assign, remove, and list roles.
+
+|===
+
+== Grant privilege to create roles
+
+You can grant the privilege to add roles using the `CREATE ROLE` command.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT CREATE ROLE ON DBMS TO roleAdder;
+----
+
+As a result, the `roleAdder` role has privileges that only allow adding roles.
+To list all privileges for the role `roleAdder` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE roleAdder PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT CREATE ROLE ON DBMS TO `roleAdder`"
+a|Rows: 1
+|===
+
+== Grant privilege to rename roles
+
+You can grant the privilege to rename roles using the `RENAME ROLE` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT RENAME ROLE ON DBMS TO roleNameModifier;
+----
+
+As a result, the `roleNameModifier` role has privileges that only allow renaming roles.
+To list all privileges for the role `roleNameModifier`, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE roleNameModifier PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT RENAME ROLE ON DBMS TO `roleNameModifier`"
+a|Rows: 1
+|===
+
+== Grant privilege to delete roles
+
+You can grant the privilege to delete roles using the `DROP ROLE` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT DROP ROLE ON DBMS TO roleDropper;
+----
+
+As a result, the `roleDropper` role has privileges that only allow deleting roles.
+To list all privileges for the role `roleDropper`, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE roleDropper PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT DROP ROLE ON DBMS TO `roleDropper`"
+a|Rows: 1
+|===
+
+== Grant privilege to assign roles
+
+You can grant the privilege to assign roles to users using the `ASSIGN ROLE` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT ASSIGN ROLE ON DBMS TO roleAssigner;
+----
+
+As a result, the `roleAssigner` role has privileges that only allow assigning/granting roles.
+To list all privileges for the role `roleAssigner` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE roleAssigner PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT ASSIGN ROLE ON DBMS TO `roleAssigner`"
+a|Rows: 1
+|===
+
+== Grant privilege to remove roles
+
+You can grant the privilege to remove roles from users using the `REMOVE ROLE` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT REMOVE ROLE ON DBMS TO roleRemover;
+----
+
+As a result, the `roleRemover` role has privileges that only allow removing/revoking roles.
+To list all privileges for the role `roleRemover` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE roleRemover PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT REMOVE ROLE ON DBMS TO `roleRemover`"
+a|Rows: 1
+|===
+
+== Grant privilege to show roles
+
+You can grant the privilege to show roles using the `SHOW ROLE` privilege.
+A role with this privilege is allowed to execute the `SHOW ROLES` and `SHOW POPULATED ROLES` administration commands.
+
+[NOTE]
+====
+In order to use `SHOW ROLES WITH USERS` and `SHOW POPULATED ROLES WITH USERS` administration commands, both the `SHOW ROLE` and the `SHOW USER` privileges are required.
+====
+
+The following query shows an example of how to grant the `SHOW ROLE` privilege:
+
+[source, cypher, role=noplay]
+----
+GRANT SHOW ROLE ON DBMS TO roleViewer;
+----
+
+As a result, the `roleViewer` role has privileges that only allow showing roles.
+To list all privileges for the role `roleViewer` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE roleViewer PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SHOW ROLE ON DBMS TO `roleViewer`"
+a|Rows: 1
+|===
+
+== Grant privilege to manage roles
+
+You can grant the privilege to create, rename, delete, assign, remove, and list roles using the `ROLE MANAGEMENT` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT ROLE MANAGEMENT ON DBMS TO roleManager;
+----
+
+As a result, the `roleManager` role has all privileges to manage roles.
+To list all privileges for the role `roleManager` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE roleManager PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT ROLE MANAGEMENT ON DBMS TO `roleManager`"
+a|Rows: 1
+|===
\ No newline at end of file
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc
new file mode 100644
index 000000000..1a6c3aea2
--- /dev/null
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc
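Review bot: The first sentence under "Grant privilege to create roles" reads "using the `CREATE ROLE` command", while every sibling section says "using the `…` privilege" and the example grants a privilege rather than running the command; it should read `You can grant the privilege to add roles using the CREATE ROLE privilege.` with `CREATE ROLE` kept in monospace. The syntax table's description of `ROLE MANAGEMENT` ("create, delete, assign, remove, and list roles") omits rename, although the table has a `RENAME ROLE` row and the final section describes `ROLE MANAGEMENT` as covering "create, rename, delete, assign, remove, and list roles"; the table cell should match the section. The "To list all privileges for the role …" sentences for `roleNameModifier` and `roleDropper` drop the "as commands" phrase the other sections use. From a delegation standpoint, the `ASSIGN ROLE` section could also state whether the privilege allows assigning `admin` and other high-privilege roles, since the text as written does not exclude them; I am noting a gap in the page, not asserting product behavior. The hunk contains the whole file.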
@@ -0,0 +1,149 @@ +:description: Details the DBMS privileges for server management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-server-management-privileges]] += The DBMS `SERVER MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT 
EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for server management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Server management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SERVER MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to show, enable, rename, alter, reallocate, deallocate, and drop servers. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW SERVERS + ON DBMS + TO role[, ...] +| Enables the specified roles to show servers. 
+|===
+
+== Grant privilege to manage servers
+
+You can grant the privilege to show, enable, rename, alter, reallocate, deallocate, and drop servers using the `SERVER MANAGEMENT` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT SERVER MANAGEMENT ON DBMS TO serverManager;
+----
+
+As a result, the `serverManager` role has all privileges to manage servers.
+To list all privileges for the role `serverManager` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE serverManager PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SERVER MANAGEMENT ON DBMS TO `serverManager`"
+a|Rows: 1
+|===
+
+
+== Grant privilege to show servers
+
+You can grant the privilege to show servers using the `SHOW SERVERS` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT SHOW SERVERS ON DBMS TO serverViewer;
+----
+
+As a result, the `serverViewer` role has privileges that only allow showing servers.
+To list all privileges for the role `serverViewer` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE serverViewer PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SHOW SERVERS ON DBMS TO `serverViewer`"
+a|Rows: 1
+|===
\ No newline at end of file
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-setting-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-setting-privileges.adoc
new file mode 100644
index 000000000..a98f84545
--- /dev/null
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-setting-privileges.adoc
@@ -0,0 +1,154 @@
+:description: Details the DBMS privileges for viewing configuration settings.
+:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated
+[[dbms-setting-privileges]]
+= The DBMS `SETTING` privileges
+
+////
+[source, cypher, role=test-setup]
+----
+CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED;
+CREATE ROLE roleAdder IF NOT EXISTS;
+CREATE ROLE roleNameModifier IF NOT EXISTS;
+CREATE ROLE roleDropper IF NOT EXISTS;
+CREATE ROLE roleAssigner IF NOT EXISTS;
+CREATE ROLE roleRemover IF NOT EXISTS;
+CREATE ROLE roleViewer IF NOT EXISTS;
+CREATE ROLE roleManager IF NOT EXISTS;
+CREATE ROLE userAdder IF NOT EXISTS;
+CREATE ROLE userNameModifier IF NOT EXISTS;
+CREATE ROLE userModifier IF NOT EXISTS;
+CREATE ROLE userDropper IF NOT EXISTS;
+CREATE ROLE userViewer IF NOT EXISTS;
+CREATE ROLE userManager IF NOT EXISTS;
+CREATE ROLE userImpersonator IF NOT EXISTS;
+CREATE ROLE allUserImpersonator IF NOT EXISTS;
+CREATE ROLE authModifier IF NOT EXISTS;
+CREATE ROLE passwordModifier IF NOT EXISTS;
+CREATE ROLE statusModifier IF NOT EXISTS;
+CREATE ROLE homeDbModifier IF NOT EXISTS;
+CREATE ROLE databaseAdder IF NOT EXISTS;
+CREATE ROLE compositeDatabaseAdder IF NOT EXISTS;
+CREATE ROLE databaseDropper IF NOT EXISTS;
+CREATE ROLE compositeDatabaseDropper IF NOT EXISTS;
+CREATE ROLE databaseModifier IF NOT EXISTS;
+CREATE ROLE accessModifier IF NOT EXISTS;
+CREATE ROLE languageModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseManager IF NOT EXISTS;
+CREATE ROLE databaseManager IF NOT EXISTS;
+CREATE ROLE aliasAdder IF NOT EXISTS;
+CREATE ROLE aliasDropper IF NOT EXISTS;
+CREATE ROLE aliasModifier IF NOT EXISTS;
+CREATE ROLE aliasViewer IF NOT EXISTS;
+CREATE ROLE aliasManager IF NOT EXISTS;
+CREATE ROLE privilegeViewer IF NOT EXISTS;
+CREATE ROLE privilegeAssigner IF NOT EXISTS;
+CREATE ROLE privilegeRemover IF NOT EXISTS;
+CREATE ROLE privilegeManager IF NOT EXISTS;
+CREATE ROLE procedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE boostedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS;
+CREATE ROLE adminProcedureExecutor IF NOT EXISTS;
+CREATE ROLE functionExecutor IF NOT EXISTS;
+CREATE ROLE deniedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE boostedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE globbing1 IF NOT EXISTS;
+CREATE ROLE globbing2 IF NOT EXISTS;
+CREATE ROLE globbing3 IF NOT EXISTS;
+CREATE ROLE globbing4 IF NOT EXISTS;
+CREATE ROLE globbing5 IF NOT EXISTS;
+CREATE ROLE globbing6 IF NOT EXISTS;
+CREATE ROLE dbmsManager IF NOT EXISTS;
+CREATE ROLE configurationViewer IF NOT EXISTS;
+CREATE ROLE deniedConfigurationViewer IF NOT EXISTS;
+CREATE ROLE serverManager IF NOT EXISTS;
+CREATE ROLE serverViewer IF NOT EXISTS;
+----
+////
+
+You can grant the privilege to show configuration settings using the `SHOW SETTING` privilege.
+A role with this privilege is allowed to list the configuration settings matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing].
+
+[NOTE]
+====
+For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax].
+====
+
+.Setting privileges command syntax
+[options="header", width="100%", cols="3a,2"]
+|===
+| Command
+| Description
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] SHOW SETTING[S] name-globbing[, ...]
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to list given configuration settings.
+|===
+
+== Grant privilege to show all settings
+
+You can grant the privilege to show all settings using `SHOW SETTING \*` or all settings in a namespace using `SHOW SETTING namespace.*`.
+The following query shows an example of how to grant `SHOW SETTING` privilege to view all settings in the `server.bolt` namespace:
+
+[source, cypher, role=noplay]
+----
+GRANT SHOW SETTING server.bolt.* ON DBMS TO configurationViewer;
+----
+
+Users with the role `configurationViewer` can then view any setting in the `server.bolt` namespace.
+
+As a result, the `configurationViewer` role has privileges that only allow listing settings in the `server.bolt` namespace.
+To list all privileges for the role `configurationViewer` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE configurationViewer PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SHOW SETTING server.bolt.* ON DBMS TO `configurationViewer`"
+a|Rows: 1
+|===
+
+== Grant privilege to show all but some settings
+
+You can grant the privilege to show all but a few settings using `SHOW SETTINGS *` and deny the unwanted settings.
+
+For example, the following queries allow you to view all settings, except those starting with `dbms.security`:
+
+[source, cypher, role=noplay]
+----
+GRANT SHOW SETTINGS * ON DBMS TO deniedConfigurationViewer;
+----
+
+[source, cypher, role=noplay]
+----
+DENY SHOW SETTING dbms.security* ON DBMS TO deniedConfigurationViewer;
+----
+
+As a result, the `deniedConfigurationViewer` role has privileges that allow listing all settings except those starting with `dbms.security`.
+To list all privileges for the role `deniedConfigurationViewer` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE deniedConfigurationViewer PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"DENY SHOW SETTING dbms.security* ON DBMS TO `deniedConfigurationViewer`"
+|"GRANT SHOW SETTING * ON DBMS TO `deniedConfigurationViewer`"
+a|Rows: 2
+|===
+
+As the query result shows, viewing settings starting with `dbms.security` is blocked, but the rest can still be listed.
\ No newline at end of file
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc
new file mode 100644
index 000000000..b73bcbdc1
--- /dev/null
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc
@@ -0,0 +1,443 @@
+:description: Details the DBMS privileges for user management.
+:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated
+[[dbms-user-management-privileges]]
+= The DBMS `USER MANAGEMENT` privileges
+
+////
+[source, cypher, role=test-setup]
+----
+CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED;
+CREATE ROLE roleAdder IF NOT EXISTS;
+CREATE ROLE roleNameModifier IF NOT EXISTS;
+CREATE ROLE roleDropper IF NOT EXISTS;
+CREATE ROLE roleAssigner IF NOT EXISTS;
+CREATE ROLE roleRemover IF NOT EXISTS;
+CREATE ROLE roleViewer IF NOT EXISTS;
+CREATE ROLE roleManager IF NOT EXISTS;
+CREATE ROLE userAdder IF NOT EXISTS;
+CREATE ROLE userNameModifier IF NOT EXISTS;
+CREATE ROLE userModifier IF NOT EXISTS;
+CREATE ROLE userDropper IF NOT EXISTS;
+CREATE ROLE userViewer IF NOT EXISTS;
+CREATE ROLE userManager IF NOT EXISTS;
+CREATE ROLE userImpersonator IF NOT EXISTS;
+CREATE ROLE allUserImpersonator IF NOT EXISTS;
+CREATE ROLE authModifier IF NOT EXISTS;
+CREATE ROLE passwordModifier IF NOT EXISTS;
+CREATE ROLE statusModifier IF NOT EXISTS;
+CREATE ROLE homeDbModifier IF NOT EXISTS;
+CREATE ROLE databaseAdder IF NOT EXISTS;
+CREATE ROLE compositeDatabaseAdder IF NOT EXISTS;
+CREATE ROLE databaseDropper IF NOT EXISTS;
+CREATE ROLE compositeDatabaseDropper IF NOT EXISTS;
+CREATE ROLE databaseModifier IF NOT EXISTS;
+CREATE ROLE accessModifier IF NOT EXISTS;
+CREATE ROLE languageModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseManager IF NOT EXISTS;
+CREATE ROLE databaseManager IF NOT EXISTS;
+CREATE ROLE aliasAdder IF NOT EXISTS;
+CREATE ROLE aliasDropper IF NOT EXISTS;
+CREATE ROLE aliasModifier IF NOT EXISTS;
+CREATE ROLE aliasViewer IF NOT EXISTS;
+CREATE ROLE aliasManager IF NOT EXISTS;
+CREATE ROLE privilegeViewer IF NOT EXISTS;
+CREATE ROLE privilegeAssigner IF NOT EXISTS;
+CREATE ROLE privilegeRemover IF NOT EXISTS;
+CREATE ROLE privilegeManager IF NOT EXISTS;
+CREATE ROLE procedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE boostedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS;
+CREATE ROLE adminProcedureExecutor IF NOT EXISTS;
+CREATE ROLE functionExecutor IF NOT EXISTS;
+CREATE ROLE deniedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE boostedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE globbing1 IF NOT EXISTS;
+CREATE ROLE globbing2 IF NOT EXISTS;
+CREATE ROLE globbing3 IF NOT EXISTS;
+CREATE ROLE globbing4 IF NOT EXISTS;
+CREATE ROLE globbing5 IF NOT EXISTS;
+CREATE ROLE globbing6 IF NOT EXISTS;
+CREATE ROLE dbmsManager IF NOT EXISTS;
+CREATE ROLE configurationViewer IF NOT EXISTS;
+CREATE ROLE deniedConfigurationViewer IF NOT EXISTS;
+CREATE ROLE serverManager IF NOT EXISTS;
+CREATE ROLE serverViewer IF NOT EXISTS;
+----
+////
+
+The DBMS privileges for user management can be granted, denied, or revoked like other privileges.
+
+[NOTE]
+====
+For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax].
+====
+
+.User management privileges command syntax
+[options="header", width="100%", cols="3a,2"]
+|===
+| Command | Description
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] CREATE USER
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to create new users.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] RENAME USER
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to change the name of users.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] ALTER USER
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to modify users.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] SET PASSWORD[S]
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to modify users' passwords and whether those passwords must be changed upon first login.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] SET AUTH
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to `SET` or `REMOVE` users' xref:authentication-authorization/auth-providers.adoc[auth providers].
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] SET USER HOME DATABASE
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to modify users' home database.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] SET USER STATUS
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to modify the account status of users.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] DROP USER
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to delete users.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] SHOW USER
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to list users.
+
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] USER MANAGEMENT
+ ON DBMS
+ TO role[, ...]
+| Enables the specified roles to create, delete, modify, and list users.
+
+|===
+
+[[grant-create-user-privilege]]
+== Grant privilege to create users
+
+You can grant the privilege to add users using the `CREATE USER` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT CREATE USER ON DBMS TO userAdder
+----
+
+As a result, the `userAdder` role has privileges that only allow adding users.
+To list all privileges for the role `userAdder` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE userAdder PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT CREATE USER ON DBMS TO `userAdder`"
+a|Rows: 1
+|===
+
+== Grant privilege to rename users
+
+You can grant the privilege to rename users using the `RENAME USER` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT RENAME USER ON DBMS TO userNameModifier
+----
+
+As a result, the `userNameModifier` role has privileges that only allow renaming users.
+To list all privileges for the role `userNameModifier` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE userNameModifier PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT RENAME USER ON DBMS TO `userNameModifier`"
+a|Rows: 1
+|===
+
+== Grant privilege to modify users
+
+You can grant the privilege to modify users using the `ALTER USER` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT ALTER USER ON DBMS TO userModifier
+----
+
+As a result, the `userModifier` role has privileges that only allow modifying users.
+To list all privileges for the role `userModifier` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE userModifier PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT ALTER USER ON DBMS TO `userModifier`"
+a|Rows: 1
+|===
+
+
+The `ALTER USER` privilege allows the user to run the `ALTER USER` administration command with one or several of the `SET PASSWORD`, `SET PASSWORD CHANGE [NOT] REQUIRED`, `SET AUTH`, `REMOVE AUTH`, `SET STATUS`, `SET HOME DATABASE`, and `REMOVE HOME DATABASE` parts.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+ALTER USER jake SET PASSWORD 'verysecret' SET STATUS SUSPENDED
+----
+
+[NOTE]
+====
+Note that the combination of the `SET PASSWORDS`, `SET AUTH`, `SET USER STATUS`, and `SET USER HOME DATABASE` privileges is equivalent to the `ALTER USER` privilege.
+====
+
+== Grant privilege to modify users' passwords
+
+You can grant the privilege to modify users' passwords and whether those passwords must be changed upon first login using the `SET PASSWORDS` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT SET PASSWORDS ON DBMS TO passwordModifier
+----
+
+As a result, the `passwordModifier` role has privileges that only allow modifying users' passwords and whether those passwords must be changed upon first login.
+To list all privileges for the role `passwordModifier` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE passwordModifier PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SET PASSWORD ON DBMS TO `passwordModifier`"
+a|Rows: 1
+|===
+
+The `SET PASSWORDS` privilege allows the user to run the `ALTER USER` administration command with one or both of the `SET PASSWORD` and `SET PASSWORD CHANGE [NOT] REQUIRED` parts.
+
+[source, cypher, role=noplay]
+----
+ALTER USER jake SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED
+----
+
+== Grant privilege to modify users' auth information
+
+You can grant the privilege to modify users' auth information using the `SET AUTH` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT SET AUTH ON DBMS TO authModifier
+----
+As a result, the `authModifier` role has privileges that only allow modifying users' auth information.
+
+The `SET AUTH` privilege allows the user to run the `ALTER USER` administration command with one or both of the `SET
+AUTH` and `REMOVE AUTH` parts.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+ALTER USER jake REMOVE AUTH 'native' SET AUTH 'oidc-okta' { SET id 'jakesUniqueOktaUserId' }
+----
+
+== Grant privilege to modify the account status of users
+
+You can grant the privilege to modify the account status of users using the `SET USER STATUS` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT SET USER STATUS ON DBMS TO statusModifier
+----
+
+As a result, the `statusModifier` role has privileges that only allow modifying the account status of users.
+To list all privileges for the role `statusModifier` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE statusModifier PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SET USER STATUS ON DBMS TO `statusModifier`"
+a|Rows: 1
+|===
+
+The `SET USER STATUS` privilege allows the user to run the `ALTER USER` administration command with only the `SET STATUS` part:
+
+[source, cypher, role=noplay]
+----
+ALTER USER jake SET STATUS ACTIVE
+----
+
+== Grant privilege to modify the home database of users
+
+You can grant the privilege to modify the home database of users using the `SET USER HOME DATABASE` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT SET USER HOME DATABASE ON DBMS TO homeDbModifier
+----
+
+As a result, the `homeDbModifier` role has privileges that only allow modifying the home database of users.
+To list all privileges for the role `homeDbModifier` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE homeDbModifier PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SET USER HOME DATABASE ON DBMS TO `homeDbModifier`"
+|"GRANT SET USER STATUS ON DBMS TO `homeDbModifier`"
+a|Rows: 2
+|===
+
+The `SET USER HOME DATABASE` privilege allows the user to run the `ALTER USER` administration command with only the `SET HOME DATABASE` or `REMOVE HOME DATABASE` part:
+
+[source, cypher, role=noplay]
+----
+ALTER USER jake SET HOME DATABASE otherDb
+----
+
+[source, cypher, role=noplay]
+----
+ALTER USER jake REMOVE HOME DATABASE
+----
+
+[[grant-delete-user-privilege]]
+== Grant privilege to delete users
+
+You can grant the privilege to delete users using the `DROP USER` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT DROP USER ON DBMS TO userDropper
+----
+
+As a result, the `userDropper` role has privileges that only allow deleting users.
+To list all privileges for the role `userDropper` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE userDropper PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT DROP USER ON DBMS TO `userDropper`"
+a|Rows: 1
+|===
+
+
+== Grant privilege to show users
+
+You can grant the privilege to show users using the `SHOW USER` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT SHOW USER ON DBMS TO userViewer
+----
+
+As a result, the `userViewer` role has privileges that only allow showing users.
+To list all privileges for the role `userViewer` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE userViewer PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SHOW USER ON DBMS TO `userViewer`"
+a|Rows: 1
+|===
+
+== Grant privilege to manage users
+
+You can grant the privilege to create, rename, modify, delete, and list users using the `USER MANAGEMENT` privilege.
+
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT USER MANAGEMENT ON DBMS TO userManager
+----
+
+As a result, the `userManager` role has all privileges to manage users.
+To list all privileges for the role `userManager` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE userManager PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SHOW USER ON DBMS TO `userManager`"
+a|Rows: 1
+|===
\ No newline at end of file
diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/index.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/index.adoc
new file mode 100644
index 000000000..a2755c8f2
--- /dev/null
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/index.adoc
@@ -0,0 +1,214 @@
+:description: How to use Cypher to manage Neo4j DBMS administrative privileges.
+:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated
+:imagesdir: modules/ROOT/images
+////
+[source, cypher, role=test-setup]
+----
+CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED;
+CREATE ROLE roleAdder IF NOT EXISTS;
+CREATE ROLE roleNameModifier IF NOT EXISTS;
+CREATE ROLE roleDropper IF NOT EXISTS;
+CREATE ROLE roleAssigner IF NOT EXISTS;
+CREATE ROLE roleRemover IF NOT EXISTS;
+CREATE ROLE roleViewer IF NOT EXISTS;
+CREATE ROLE roleManager IF NOT EXISTS;
+CREATE ROLE userAdder IF NOT EXISTS;
+CREATE ROLE userNameModifier IF NOT EXISTS;
+CREATE ROLE userModifier IF NOT EXISTS;
+CREATE ROLE userDropper IF NOT EXISTS;
+CREATE ROLE userViewer IF NOT EXISTS;
+CREATE ROLE userManager IF NOT EXISTS;
+CREATE ROLE userImpersonator IF NOT EXISTS;
+CREATE ROLE allUserImpersonator IF NOT EXISTS;
+CREATE ROLE authModifier IF NOT EXISTS;
+CREATE ROLE passwordModifier IF NOT EXISTS;
+CREATE ROLE statusModifier IF NOT EXISTS;
+CREATE ROLE homeDbModifier IF NOT EXISTS;
+CREATE ROLE databaseAdder IF NOT EXISTS;
+CREATE ROLE compositeDatabaseAdder IF NOT EXISTS;
+CREATE ROLE databaseDropper IF NOT EXISTS;
+CREATE ROLE compositeDatabaseDropper IF NOT EXISTS;
+CREATE ROLE databaseModifier IF NOT EXISTS;
+CREATE ROLE accessModifier IF NOT EXISTS;
+CREATE ROLE languageModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseManager IF NOT EXISTS;
+CREATE ROLE databaseManager IF NOT EXISTS;
+CREATE ROLE aliasAdder IF NOT EXISTS;
+CREATE ROLE aliasDropper IF NOT EXISTS;
+CREATE ROLE aliasModifier IF NOT EXISTS;
+CREATE ROLE aliasViewer IF NOT EXISTS;
+CREATE ROLE aliasManager IF NOT EXISTS;
+CREATE ROLE privilegeViewer IF NOT EXISTS;
+CREATE ROLE privilegeAssigner IF NOT EXISTS;
+CREATE ROLE privilegeRemover IF NOT EXISTS;
+CREATE ROLE privilegeManager IF NOT EXISTS;
+CREATE ROLE procedureExecutor IF 
NOT EXISTS;
+CREATE ROLE deniedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE boostedProcedureExecutor IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS;
+CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS;
+CREATE ROLE adminProcedureExecutor IF NOT EXISTS;
+CREATE ROLE functionExecutor IF NOT EXISTS;
+CREATE ROLE deniedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE boostedFunctionExecutor IF NOT EXISTS;
+CREATE ROLE globbing1 IF NOT EXISTS;
+CREATE ROLE globbing2 IF NOT EXISTS;
+CREATE ROLE globbing3 IF NOT EXISTS;
+CREATE ROLE globbing4 IF NOT EXISTS;
+CREATE ROLE globbing5 IF NOT EXISTS;
+CREATE ROLE globbing6 IF NOT EXISTS;
+CREATE ROLE dbmsManager IF NOT EXISTS;
+CREATE ROLE configurationViewer IF NOT EXISTS;
+CREATE ROLE deniedConfigurationViewer IF NOT EXISTS;
+CREATE ROLE serverManager IF NOT EXISTS;
+CREATE ROLE serverViewer IF NOT EXISTS;
+----
+////
+
+[[access-control-dbms-administration]]
+= DBMS privileges
+
+All DBMS privileges are relevant system-wide.
+Like user management, they do not belong to one specific database or graph.
+For more details on the differences between graphs, databases, and the DBMS, refer to link:{neo4j-docs-base-uri}/cypher-manual/current/introduction/cypher-neo4j/[Cypher Manual -> Cypher and Neo4j].
+
+image::privileges-grant-and-deny-syntax-dbms-privileges.svg[width="800", title="Syntax of `GRANT` and `DENY` DBMS privileges"]
+
+image::privileges-hierarchy-dbms.svg[width="800", title="DBMS privileges hierarchy", role=popup]
+
+[NOTE]
+====
+You can only grant, deny, or revoke privileges to or from existing roles.
+====
+
+[[access-control-dbms-administration-all]]
+== Granting `ALL DBMS PRIVILEGES`
+
+You can grant the `ALL DBMS PRIVILEGES` privilege to a role.
+
+The `ALL DBMS PRIVILEGES` privilege is equivalent to granting the following privileges:
+
+* Create, drop, assign, remove, and show roles.
+* Create, alter, drop, show, and impersonate users.
+* Create, alter, drop, and show databases and aliases.
+* Enable, alter, rename, reallocate, deallocate, drop, and show servers.
+* Show, assign, and remove privileges.
+* Execute all procedures with elevated privileges.
+* Execute all user-defined functions with elevated privileges.
+* Show all configuration settings.
+
+[NOTE]
+====
+For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax].
+====
+
+[source, syntax, role=noheader]
+----
+GRANT [IMMUTABLE] ALL [[DBMS] PRIVILEGES]
+ ON DBMS
+ TO role[, ...]
+----
+
+For example, to grant the role `dbmsManager` all DBMS abilities, use the following query:
+
+[source, cypher, role=noplay]
+----
+GRANT ALL DBMS PRIVILEGES ON DBMS TO dbmsManager;
+----
+
+To list all privileges for the role `dbmsManager` as commands, use the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS;
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT ALL DBMS PRIVILEGES ON DBMS TO `dbmsManager`"
+a|Rows: 1
+|===
+
+[[access-control-name-globbing]]
+== Name-globbing for procedures, user-defined functions, and settings
+
+The name-globbing for procedures, user-defined functions, and setting names is a simplified version of globbing for filename expansions.
+It only allows two wildcard characters: `+*+` and `?`, which are used for multiple and single-character matches.
+In this case, `+*+` means 0 or more characters, and `?` matches exactly one character.
+
+[NOTE]
+====
+The name-globbing is subject to the link:{neo4j-docs-base-uri}/cypher-manual/current/syntax/naming/[Cypher Manual -> Naming rules and recommendations], with the exception that it may include dots, stars, and question marks without the need for escaping using backticks.
+
+Each part of the name-globbing separated by dots may be individually quoted.
+For example, `++mine.`procedureWith%`++` is allowed, but not `++mine.procedure`With%`++`.
+Also, note that wildcard characters behave as wildcards even when quoted.
+For example, using `++`*`++` is equivalent to using `+*+`, and thus allows executing all functions or procedures and not only the procedure or function named `+*+`.
+====
+
+Given the following list of procedures:
+
+* `mine.public.exampleProcedure`
+* `mine.public.exampleProcedure1`
+* `mine.public.exampleProcedure2`
+* `mine.public.with#Special§Characters`
+* `mine.private.exampleProcedure`
+* `mine.private.exampleProcedure1`
+* `mine.private.exampleProcedure2`
+* `mine.private.with#Special§Characters`
+* `your.exampleProcedure`
+
+The following examples demonstrate how name-globbing patterns can be used in controlling access to procedures.
+Note that the same rules apply to user-defined functions and settings.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1;
+----
+
+Users with the role `globbing1` can run all the procedures.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2;
+----
+
+Users with the role `globbing2` can run procedures `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but no other procedures.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3;
+----
+
+Users with the role `globbing3` can run procedures `mine.public.exampleProcedure1`, `mine.private.exampleProcedure1`, and `mine.private.exampleProcedure2`, but no other procedures.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4;
+----
+
+Users with the role `globbing4` can run procedures `your.exampleProcedure`, `mine.public.exampleProcedure`, and `mine.private.exampleProcedure`, but no other procedures.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5;
+----
+
+Users with the role `globbing5` can run procedures `mine.public.exampleProcedure`, `mine.public.exampleProcedure1` and `mine.public.exampleProcedure42`, but no other procedures.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6;
+----
+
+Users with the role `globbing6` can run procedures `mine.public.with#Special§Characters`, and `mine.private.with#Special§Characters`, but no other procedures.
+
+[NOTE]
+====
+The name-globbing may be fully or partially quoted.
+Both `+*+` and `+?+` are interpreted as wildcards in both cases.
+====
\ No newline at end of file
diff --git a/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc b/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc
index 20b37a3a4..8503091df 100644
--- a/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc
+++ b/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc
@@ -4,7 +4,7 @@ :description: This section explains how to use Cypher to manage immutable roles and privileges. -Immutable privileges are useful for restricting the actions of users who can themselves administer xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[privileges]. +Immutable privileges are useful for restricting the actions of users who can themselves administer xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[privileges]. Starting with Neo4j 5.26, Neo4j also introduces immutable roles. Immutable roles are useful for providing _system roles_, which appear as permanent parts of the DBMS. @@ -38,8 +38,8 @@ The following examples demonstrate how to use Cypher to manage immutable roles a === Restricting the actions of users who can manage privileges -To prevent all users (including those with `PRIVILEGE MANAGEMENT` privileges) from performing *database management*, attach an immutable privilege to the `PUBLIC` role. -The `PUBLIC` role implicitly and irrevocably applies to all users. +To prevent all users (including those with `PRIVILEGE MANAGEMENT` privileges) from performing *database management*, attach an immutable privilege to the `PUBLIC` role. +The `PUBLIC` role implicitly and irrevocably applies to all users. . Ensure that you have completed steps 1 and 2 from <>. . Run the following command to deny the `IMMUTABLE DATABASE MANAGEMENT` privilege to the `PUBLIC` role: 
@@ -83,7 +83,7 @@ The result shows that all users are restricted from adding or removing privilege === Creating permanent roles that cannot be changed -You can use immutable roles to create permanent built-in system roles that cannot be modified even by users who have xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[`ROLE MANAGEMENT` privileges]. +You can use immutable roles to create permanent built-in system roles that cannot be modified even by users who have xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[`ROLE MANAGEMENT` privileges]. For example, you want to create an `analyst` role that cannot be dropped, renamed, or have any of its privileges changed (even by users with the `ROLE MANAGEMENT` and `PRIVILEGE MANAGEMENT` privileges). diff --git a/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc b/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc index f21e47852..b561dc4c1 100644 --- a/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc +++ b/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc 
@@ -22,12 +22,12 @@ Please refer to link:{neo4j-docs-base-uri}/java-reference/{page-version}/extendi
 [[auth-manage-procedure-permissions]]
 == Manage procedure permissions
-Procedure permissions can be managed using the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-execute[native execute privileges].
+Procedure permissions can be managed using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[native execute privileges].
 These control whether the user is allowed to execute a procedure and which set of privileges apply during the execution.
-A procedure may be run using the xref:authentication-authorization/dbms-administration.adoc#access-control-execute-procedure[`EXECUTE PROCEDURE` privilege].
+A procedure may be run using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-procedure[`EXECUTE PROCEDURE` privilege].
-This allows the user to execute procedures that match the xref:authentication-authorization/dbms-administration.adoc#access-control-name-globbing[globbed procedures].
+This allows the user to execute procedures that match the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[globbed procedures].
 .Grant privilege to execute a procedure
 ====
@@ -48,7 +48,7 @@ GRANT TRAVERSE ON GRAPH * RELATIONSHIP R1 TO role
 When calling the `db.schema.visualization` procedure, the user will only see the `A` and `B` nodes and `R1` relationships, even though there might exist other nodes and relationships.
 ====
-A procedure may also be executed with elevated privileges using the xref:authentication-authorization/dbms-administration.adoc#access-control-execute-boosted-procedure[`EXECUTE BOOSTED PROCEDURE` privilege].
+A procedure may also be executed with elevated privileges using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-boosted-procedure[`EXECUTE BOOSTED PROCEDURE` privilege].
 [NOTE]
 --
@@ -74,12 +74,12 @@ When calling the `db.schema.visualization` procedure, the user will see all node
 [[auth-manage-function-permissions]]
 == Manage user-defined function permissions
-User-defined function permissions can be managed using the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-execute[native execute privileges].
+User-defined function permissions can be managed using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[native execute privileges].
 These control if the user is both allowed to execute a user-defined function and which set of privileges apply during the execution.
-A user-defined function may be executed using the xref:authentication-authorization/dbms-administration.adoc#access-control-execute-user-defined-function[`EXECUTE USER DEFINED FUNCTION` privilege].
+A user-defined function may be executed using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-user-defined-function[`EXECUTE USER DEFINED FUNCTION` privilege].
-This allows the user to execute user-defined functions that match the xref:authentication-authorization/dbms-administration.adoc#access-control-name-globbing[globbed user-defined function].
+This allows the user to execute user-defined functions that match the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[globbed user-defined function].
 .Grant privilege to execute a user-defined function
 ====
@@ -100,7 +100,7 @@ When calling the user-defined function `MATCH (a:A) RETURN apoc.any.properties(a
 ====
 A user-defined function may also be executed with elevated privileges using the
-xref:authentication-authorization/dbms-administration.adoc#access-control-execute-boosted-user-defined-function[`EXECUTE BOOSTED USER DEFINED FUNCTION` privilege].
+xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-boosted-user-defined-function[`EXECUTE BOOSTED USER DEFINED FUNCTION` privilege].
 [NOTE]
 --
diff --git a/modules/ROOT/pages/authentication-authorization/manage-roles.adoc b/modules/ROOT/pages/authentication-authorization/manage-roles.adoc
index 2d0226f04..ebfa27327 100644
--- a/modules/ROOT/pages/authentication-authorization/manage-roles.adoc
+++ b/modules/ROOT/pages/authentication-authorization/manage-roles.adoc
@@ -62,7 +62,7 @@ GRANT SHOW ROLE
 ----
-See xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges].
+See xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges].
 |===
@@ -97,14 +97,14 @@ a|
 GRANT SHOW ROLE
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges].
 [source, privilege, role="noheader"]
 ----
 GRANT SHOW USER
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges].
 |===
@@ -140,7 +140,7 @@ a|
 GRANT SHOW PRIVILEGE
 ----
-See xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[DBMS PRIVILEGE MANAGEMENT privileges].
+See xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[DBMS PRIVILEGE MANAGEMENT privileges].
 |===
@@ -172,7 +172,7 @@ a|
 GRANT CREATE ROLE
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges].
 |===
@@ -206,7 +206,7 @@ GRANT CREATE ROLE
 GRANT DROP ROLE
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges].
 |===
@@ -237,7 +237,7 @@ a|
 GRANT RENAME ROLE
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges].
 |===
@@ -268,7 +268,7 @@ a|
 GRANT DROP ROLE
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges].
 |===
@@ -299,7 +299,7 @@ a|
 GRANT ASSIGN ROLE
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges].
 |===
@@ -330,7 +330,7 @@ a|
 GRANT REMOVE ROLE
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges].
 |===
@@ -590,7 +590,7 @@ Immutable roles are those that cannot be modified in the usual way.
 This means they cannot be created, renamed, dropped, or have privileges granted to or revoked from them under normal operating conditions. See xref:authentication-authorization/immutable-roles-privileges.adoc[Immutable roles and privileges] for details of when and how the `IMMUTABLE` keyword may be used.
-They are useful in cases where you need a permanent built-in system role that cannot be modified even by users who have xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[`ROLE MANAGEMENT` privileges] but yet can be granted to and revoked from users in the same way as an ordinary role.
+They are useful in cases where you need a permanent built-in system role that cannot be modified even by users who have xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[`ROLE MANAGEMENT` privileges] but yet can be granted to and revoked from users in the same way as an ordinary role.
 [[access-control-rename-roles]]
@@ -746,7 +746,7 @@ SHOW USERS
 Common errors, such as attempts to grant roles to users who have already been granted those roles, will lead to notifications. Some of these notifications may be replaced with errors in a future major version of Neo4j.
-See link:{neo4j-docs-base-uri}/status-codes/{page-version}/notifications/all-notifications[Status Codes -> Notification codes] for details on notifications.
+See link:https://neo4j.com/docs/status-codes/current/notifications/all-notifications/[Status Codes for Errors & Notifications -> List of notification codes] for details on notifications.
 [[access-control-revoke-roles]]
 == Revoking roles from users
diff --git a/modules/ROOT/pages/authentication-authorization/manage-users.adoc b/modules/ROOT/pages/authentication-authorization/manage-users.adoc
index b673fccdb..3918d5dc2 100644
--- a/modules/ROOT/pages/authentication-authorization/manage-users.adoc
+++ b/modules/ROOT/pages/authentication-authorization/manage-users.adoc
@@ -92,7 +92,7 @@ a|
 GRANT SHOW USER
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges].
 |===
@@ -127,14 +127,14 @@ a|
 GRANT SHOW PRIVILEGE
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[DBMS PRIVILEGE MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[DBMS PRIVILEGE MANAGEMENT privileges].
 [source, privilege, role="noheader"]
 ----
 GRANT SHOW USER
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges].
 |===
@@ -185,7 +185,7 @@ a|
 GRANT CREATE USER
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc#grant-create-user-privilege[Grant privilege to create users].
 |===
@@ -235,7 +235,7 @@ a|
 GRANT CREATE USER
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc#grant-create-user-privilege[Grant privilege to create users].
 [source, privilege, role="noheader"]
@@ -243,7 +243,7 @@ For more information, see xref:authentication-authorization/dbms-administration.
 GRANT DROP USER
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc#grant-delete-user-privilege[Grant privilege to delete users].
 |===
@@ -272,7 +272,7 @@ a|
 GRANT RENAME USER
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges].
 |===
@@ -338,7 +338,7 @@ GRANT SET USER HOME DATABASE
 GRANT SET AUTH
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges].
 |===
@@ -394,7 +394,7 @@ a|
 GRANT DROP USER
 ----
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc#grant-delete-user-privilege[Grant privilege to delete users].
 |===
diff --git a/modules/ROOT/pages/clustering/server-syntax.adoc b/modules/ROOT/pages/clustering/server-syntax.adoc
index a3f7d6eac..0f5cb553d 100644
--- a/modules/ROOT/pages/clustering/server-syntax.adoc
+++ b/modules/ROOT/pages/clustering/server-syntax.adoc
@@ -37,7 +37,7 @@ For more information see xref:clustering/servers.adoc#server-enabled-state[Enabl
 | Required privilege
 a| `GRANT SERVER MANAGEMENT`
-(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges])
+(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges])
 |===
@@ -65,7 +65,7 @@ For more information see xref:clustering/servers.adoc#_listing_servers[Listing s
 | Required privilege
 a| `GRANT SHOW SERVERS`
-(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges])
+(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges])
 |===
@@ -90,7 +90,7 @@ For more information see xref:clustering/servers.adoc#alter-server-options[Alter
 | Required privilege
 a| `GRANT SERVER MANAGEMENT`
-(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges])
+(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges])
 |===
 === Rename a server
@@ -114,7 +114,7 @@ For more information see xref:clustering/servers.adoc#_renaming_a_server[Renamin
 | Required privilege
 a| `GRANT SERVER MANAGEMENT`
-(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges])
+(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges])
 |===
@@ -139,7 +139,7 @@ For more information see xref:clustering/servers.adoc#_dropping_a_server[Droppin
 | Required privilege
 a| `GRANT SERVER MANAGEMENT`
-(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges])
+(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges])
 |===
@@ -166,7 +166,7 @@ Note that is a cluster-level command, not a server-level command.
 | Required privilege
 a| `GRANT SERVER MANAGEMENT`
-(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges])
+(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges])
 |===
@@ -191,5 +191,5 @@ For more information see xref:clustering/servers.adoc#_deallocating_databases_fr
 | Required privilege
 a| `GRANT SERVER MANAGEMENT`
-(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges])
+(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges])
 |===
diff --git a/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc b/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc
index 3be4dfc10..eab5f0114 100644
--- a/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc
+++ b/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc
@@ -24,7 +24,7 @@ CREATE DATABASE `perennial-flowers`;
 Available database aliases in composite databases can be seen using `SHOW ALIASES FOR DATABASE`. The name of the composite database a particular database alias appears in the returned `composite` column.
-The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges].
+The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges].
 .Query
 [source, cypher]
diff --git a/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc b/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc
index 33d6b7130..2fa29fb1b 100644
--- a/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc
+++ b/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc
@@ -22,7 +22,7 @@ Remote database aliases require configuration to safely connect to the remote ta
 It is not possible to impersonate a user on the remote database or to execute an administration command on the remote database via a remote database alias. Database aliases can be created and managed using a set of Cypher administration commands executed against the `system` database.
-The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges].
+The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges].
 When connected to the DBMS over Bolt, administration commands are automatically routed to the `system` database.
 [NOTE]
@@ -56,8 +56,11 @@ DRIVER {
 ----
 ////
-Available database aliases can be seen using `SHOW ALIASES FOR DATABASE`.
-The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges].
+You can list all available database aliases using the `SHOW ALIASES FOR DATABASE` command.
+The command returns a table of all database aliases, whether they belong to a composite database or not.
+
+If you need more details, you can append the command with `YIELD *`.
+The `YIELD *` clause returns the full set of columns.
+The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges].
 `SHOW ALIASES FOR DATABASE` will produce a table of database aliases with the following columns:
@@ -237,7 +240,7 @@ Database aliases can be created using `CREATE ALIAS`.
 The command supports the creation of both local and remote database aliases. For more information on local and remote database aliases as part of a composite database, see xref::database-administration/aliases/manage-aliases-composite-databases.adoc#create-composite-database-alias[Create database aliases in composite databases].
-The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges].
+The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges].
 [NOTE]
 ====
@@ -474,9 +477,10 @@ SHOW ALIAS `remote-northwind-2021` FOR DATABASE YIELD name, properties
 [[alias-management-alter-database-alias]]
 == Alter database aliases
-
-Database aliases can be altered using `ALTER ALIAS` to change its database target, properties, URL, user credentials, or driver settings.
-The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges].
+You can alter both local and remote database aliases using the `ALTER ALIAS` command.
+For all aliases, the command allows you to change the target database and properties of the database alias.
+For remote aliases, the command also allows you to change the URL, user credentials, or driver settings of the database alias.
+The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges].
 Only the clauses used will be altered.
 [NOTE]
@@ -596,8 +600,8 @@ ALTER ALIAS `no-alias` IF EXISTS SET DATABASE TARGET `northwind-graph-2021`
 [[alias-management-drop-database-alias]]
 == Delete database aliases
-Both local and remote database aliases can be deleted using the `DROP ALIAS` command.
-The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges].
+You can delete both local and remote database aliases using the `DROP ALIAS` command.
+The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges].
 === Delete local database aliases
diff --git a/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc b/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
index b5d9cb451..bba1b4740 100644
--- a/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
+++ b/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
@@ -33,12 +33,13 @@ In the example above, _Bob_ is the administrator responsible for deciding which
 Meanwhile, _Alice_ is the administrator that assigns who has access to the privileges set by _Bob_. In the example, _Alice_ will assign that access to _Carol_.
-See lxref:authentication-authorization/dbms-administration.adoc[DBMS privileges] for more information.
+See xref:authentication-authorization/dbms-administration/index.adoc[DBMS privileges] for more information.
 ====
 _Carol_ can use her own regular credentials to access the remote database `Db1` in DBMS after _Alice_ assigns this privilege to her user profile. This configuration will also allow _Carol_ to access `Db2` in **DBMS B**.
-If the administrators decide this should not be the case, then _Bob_ must define the appropriate privileges (see xref:authentication-authorization/index.adoc[Authentication and authorization] for further information).
+If the administrators decide this should not be the case, then _Bob_ must define the appropriate privileges.
+See xref:authentication-authorization/index.adoc[Authentication and authorization] for further information.
 == Configure a remote DBMS (_Bob_)
@@ -161,9 +162,9 @@ For example, the following command can be used to create a remote database alias
 CREATE ALIAS `remote-neo4j` FOR DATABASE `neo4j` AT "neo4j+s://location:7687" USER alice PASSWORD 'secretpassword'
 ----
-In order to do so, either lxref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-database-management[database management]
-or lxref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[alias management] privileges are required.
-The permission to create an alias can be granted like this:
+In order to do so, either xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[database management]
+or xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[alias management] privileges are required.
+The permission to create an alias can be granted using the following command:
 [source, Cypher]
 ----
@@ -208,7 +209,7 @@ USE `remote-neo4j` MATCH (n) RETURN *
 * Connecting to a remote database alias as a home database. This needs to be set by Administrator A.
-See more about lxref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[User Management].
+See more about xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[User Management].
 [source, Cypher]
 ----
diff --git a/modules/ROOT/pages/database-administration/composite-databases/delete-composite-databases.adoc b/modules/ROOT/pages/database-administration/composite-databases/delete-composite-databases.adoc
index 60b50b553..3f82f25c2 100644
--- a/modules/ROOT/pages/database-administration/composite-databases/delete-composite-databases.adoc
+++ b/modules/ROOT/pages/database-administration/composite-databases/delete-composite-databases.adoc
@@ -34,7 +34,7 @@ This operation does not deletes the actual target databases of the constituent d
 The `CASCADE ALIASES` option is useful when you want to delete a composite database and its constituent database aliases in one step. Using `CASCADE ALIASES` requires the `DROP ALIAS` privilege.
-For more information about this privilege, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[ALIAS MANAGEMENT privileges].
+For more information about this privilege, see xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[ALIAS MANAGEMENT privileges].
 .Drop a composite database and its consitutent alias
 ====
diff --git a/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc b/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc
index 7eef2427f..affb60806 100644
--- a/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc
+++ b/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc
@@ -92,7 +92,7 @@ The option `DESTROY DATA` explicitly requests the default behavior of the comman
 [NOTE]
 ====
-The dumps produced by `DUMP DATA` are equivalent to those produced by xref:backup-restore/offline-backup.adoc[`neo4j-admin database dump`].
+The dumps produced by `DUMP DATA` are equivalent to those produced by xref:backup-restore/offline-backup.adoc[`neo4j-admin database dump`].
 You can also restore them using the xref:backup-restore/restore-dump.adoc[`neo4j-admin database load`] command.
 ====
@@ -121,7 +121,7 @@ This command does not affect the remote database aliases targeting the database
 They will simply no longer resolve their targets as if they were created targeting a non-existing database. Using `CASCADE ALIASES` requires the `DROP ALIAS` privilege.
-For more information about the privilege, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[ALIAS MANAGEMENT privileges].
+For more information about the privilege, see xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[ALIAS MANAGEMENT privileges].
 .Drop a database and the local database alias targeting it
 ====
diff --git a/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc b/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc
index 56caec868..94e5913f5 100644
--- a/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc
+++ b/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc
@@ -33,7 +33,7 @@ Input arguments are the database name and list of the seeding and topology optio
 [cols="2a,4",frame="topbot",options="header"]
 |===
 |Option
-|Description
+|Description
 |seedingServers |A list of possible seeding servers.
@@ -65,7 +65,7 @@ To restore CDC functionality, follow the guide on how link:https://neo4j.com/doc
 Before recreating a database, any eventual quarantined states need to be addressed. For more information, see xref:database-administration/standard-databases/errors.adoc#quarantine[Standard databases -> Error handling].
-You need xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-database-management[the `CREATE DATABASE` and `DROP DATABASE` privileges] to run the recreate procedure.
+You need xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[the `CREATE DATABASE` and `DROP DATABASE` privileges] to run the recreate procedure.
 Additionally, in a cluster deployment, you have the option to modify <> during the recreation process. However, note that the store format, access, and enrichment cannot be altered during recreation.
diff --git a/modules/ROOT/pages/procedures.adoc b/modules/ROOT/pages/procedures.adoc
index 77339c30e..5302ed855 100644
--- a/modules/ROOT/pages/procedures.adoc
+++ b/modules/ROOT/pages/procedures.adoc
@@ -55,7 +55,7 @@ Some procedures can only be run by users with `Admin` privileges.
 Specifically, either the `EXECUTE ADMIN PROCEDURES` privilege or both the `EXECUTE PROCEDURES` and `EXECUTE BOOSTED PROCEDURES` privileges. These procedures are labeled with label:admin-only[].
-For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-execute[the `EXECUTE` privileges section].
+For more information, see xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[the `EXECUTE` privileges].
 ====
 == Authentication and authorization