diff --git a/modules/ROOT/content-nav.adoc b/modules/ROOT/content-nav.adoc index 8cb5304c7..4972c4b94 100644 --- a/modules/ROOT/content-nav.adoc +++ b/modules/ROOT/content-nav.adoc @@ -182,8 +182,18 @@ *** xref:authentication-authorization/privileges-reads.adoc[] *** xref:authentication-authorization/property-based-access-control.adoc[] *** xref:authentication-authorization/privileges-writes.adoc[] -*** xref:authentication-authorization/database-administration.adoc[] -*** xref:authentication-authorization/dbms-administration.adoc[] +*** xref:authentication-authorization/dbms-administration/index.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-admin-role.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[] +**** xref:authentication-authorization/dbms-administration/dbms-setting-privileges.adoc[] + *** xref:authentication-authorization/load-privileges.adoc[] *** xref:authentication-authorization/limitations.adoc[] *** xref:authentication-authorization/manage-execute-permissions.adoc[] diff --git a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc index 8011f94d9..c912bba14 100644 
--- a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc +++ b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc @@ -830,7 +830,7 @@ These include the rights to perform the following classes of tasks: ** Manage link:{neo4j-docs-base-uri}/cypher-manual/5/indexes/search-performance-indexes/overview/[indexes] and link:{neo4j-docs-base-uri}/cypher-manual/5/constraints/[constraints]. ** Allow the creation of labels, relationship types, or property names. ** Manage transactions. -* Manage xref:authentication-authorization/dbms-administration.adoc[DBMS privileges] to control the rights to perform actions on the entire system: +* Manage xref:authentication-authorization/dbms-administration/index.adoc[DBMS privileges] to control the rights to perform actions on the entire system: ** Manage xref:database-administration/index.adoc[multiple databases]. ** Manage xref:authentication-authorization/manage-users.adoc[users] and xref:authentication-authorization/manage-roles.adoc[roles]. ** Change configuration parameters. diff --git a/modules/ROOT/pages/authentication-authorization/database-administration.adoc b/modules/ROOT/pages/authentication-authorization/database-administration.adoc deleted file mode 100644 index 62888c9ab..000000000 --- a/modules/ROOT/pages/authentication-authorization/database-administration.adoc +++ /dev/null 
@@ -1,985 +0,0 @@ -:description: How to use Cypher to manage Neo4j database administrative privileges. -:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated - -//// -[source, cypher, role=test-setup] ----- -CREATE ROLE regularUsers; -CREATE ROLE databaseAdminUsers; -CREATE DATABASE `remote-db`; -CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; ----- -//// - - -[[access-control-database-administration]] -= Database privileges - -Administrators can use the following Cypher commands to manage Neo4j database administrative rights. - -The components of the database privilege commands are: - -* _command_: -** `GRANT` – gives privileges to roles. -** `DENY` – denies privileges to roles. -** `REVOKE` – removes granted or denied privileges from roles. - -* _mutability_: -** `IMMUTABLE` - When used in conjunction with `GRANT` or `DENY`, specifies that a privilege cannot subsequently be removed unless auth is disabled. -Contrastingly, when `IMMUTABLE` is specified in conjunction with a `REVOKE` command, it will act as a filter and only remove matching _immutable_ privileges. -See also xref:authentication-authorization/immutable-roles-privileges.adoc[]. - -* _database-privilege_ -** `ACCESS` - allows access to a specific database or remote database alias. -** `START` - allows the specified database to be started. -** `STOP` - allows the specified database to be stopped. -** `CREATE INDEX` - allows indexes to be created on the specified database. -** `DROP INDEX` - allows indexes to be deleted on the specified database. -** `SHOW INDEX` - allows indexes to be listed on the specified database. -** `INDEX [MANAGEMENT]` - allows indexes to be created, deleted, and listed on the specified database. -** `CREATE CONSTRAINT` - allows constraints to be created on the specified database. -** `DROP CONSTRAINT` - allows constraints to be deleted on the specified database. -** `SHOW CONSTRAINT` - allows constraints to be listed on the specified database. 
-** `CONSTRAINT [MANAGEMENT]` - allows constraints to be created, deleted, and listed on the specified database. -** `CREATE NEW [NODE] LABEL` - allows new node labels to be created. -** `CREATE NEW [RELATIONSHIP] TYPE` - allows new relationship types to be created. -** `CREATE NEW [PROPERTY] NAME` - allows property names to be created, so that nodes and relationships can have properties assigned with these names. -** `NAME [MANAGEMENT]` - allows all of the name management capabilities: node labels, relationship types, and property names. -** `ALL [[DATABASE] PRIVILEGES]` - allows access, index, constraint, and name management for the specified database or remote database alias. -** `SHOW TRANSACTION` - allows listing transactions and queries for the specified users on the specified database. -** `TERMINATE TRANSACTION` - allows ending transactions and queries for the specified users on the specified database. -** `TRANSACTION [MANAGEMENT]` - allows listing and ending transactions and queries for the specified users on the specified database. - -* _name_ -** The database to associate the privilege with. -+ -[NOTE] -==== -If you delete a database and create a new one with the same name, the new one will NOT have the same privileges previously assigned to the deleted one. -==== -** The _name_ component can be `+*+`, which means all databases. -Databases created after this command execution will also be associated with these privileges. -** The `DATABASE[S] _name_` part of the command can be replaced by `HOME DATABASE`. -This refers to the home database configured for a user or, if that user does not have a home database configured, the default database. -If the user's home database changes for any reason after this command execution, the new one will be associated with these privileges. -This can be quite powerful as it allows permissions to be switched from one database to another simply by changing a user's home database. 
- -* _role[, ...]_ -** The role or roles to associate the privilege with, comma-separated. - -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[]. -==== - -.General grant +ON DATABASE+ privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT ... ON ... TO ...+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] database-privilege ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } TO role[, ...] ----- - -| Description -| Grants a privilege to one or multiple roles. - -|=== - - -.General deny +ON DATABASE+ privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +DENY ... ON ... TO ...+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -DENY [IMMUTABLE] database-privilege ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } TO role[, ...] ----- - -| Description -| Denies a privilege to one or multiple roles. - -|=== - - -.General revoke +ON DATABASE+ privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +REVOKE GRANT ... ON ... FROM ...+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -REVOKE [IMMUTABLE] GRANT database-privilege ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } FROM role[, ...] ----- - -| Description -| Revoke a granted privilege from one or multiple roles. - -|=== - - -.General revoke +ON DATABASE+ privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +REVOKE DENY ... ON ... FROM ...+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -REVOKE [IMMUTABLE] DENY database-privilege ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } FROM role[, ...] ----- - -| Description -| Revokes a denied privilege from one or multiple roles. - -|=== - - -.General revoke +ON DATABASE+ privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +REVOKE ... ON ... 
FROM ...+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -REVOKE [IMMUTABLE] database-privilege ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } FROM role[, ...] ----- - -| Description -| Revokes a granted or denied privilege from one or multiple roles. - -|=== - - -[NOTE] -==== -`DENY` does *not* erase a granted privilege. -Use `REVOKE` if you want to remove a privilege. -==== - -Common errors, such as misspellings or attempts to revoke privileges that have not been granted or denied, will lead to notifications. -Some of these notifications may be replaced with errors in a future major version of Neo4j. -See link:{neo4j-docs-base-uri}/status-codes/{page-version}/notifications/all-notifications[Status Codes for Errors & Notifications -> Server notifications] for details on notifications. - -The hierarchy between the different database privileges is shown in the image below. - -image::privileges_hierarchy_database.svg[title="Database privileges hierarchy"] - - - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT ACCESS+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] ACCESS - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -a| -Grants the specified roles the privilege to access: - -* The home database. -* Specific database(s) or remote database alias(es). -* All databases and remote database aliases. - -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT { START \| STOP }+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] { START \| STOP } - ON { HOME DATABASE \| DATABASE[S] {* \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles the privilege to start or stop the home database, specific database(s), or all databases. 
- -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT { CREATE \| DROP \| SHOW } INDEX+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] { CREATE \| DROP \| SHOW } INDEX[ES] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles the privilege to create, delete, or show indexes on the home database, specific database(s), or all databases. - -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT INDEX+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] INDEX[ES] [MANAGEMENT] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles the privilege to manage indexes on the home database, specific database(s), or all databases. - -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT { CREATE \| DROP \| SHOW } CONSTRAINT+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] { CREATE \| DROP \| SHOW } CONSTRAINT[S] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles the privilege to create, delete, or show constraints on the home database, specific database(s), or all databases. - -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT CONSTRAINT+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] CONSTRAINT[S] [MANAGEMENT] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles the privilege to manage constraints on the home database, specific database(s), or all databases. 
- -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT CREATE NEW LABEL+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] CREATE NEW [NODE] LABEL[S] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles the privilege to create new node labels in the home database, specific database(s), or all databases. - -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT CREATE NEW TYPE+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] CREATE NEW [RELATIONSHIP] TYPE[S] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles the privilege to create new relationship types in the home database, specific database(s), or all databases. - -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT CREATE NEW NAME+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] CREATE NEW [PROPERTY] NAME[S] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles the privilege to create new property names in the home database, specific database(s), or all databases. - -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT NAME+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] NAME [MANAGEMENT] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles the privilege to manage new labels, relationship types, and property names in the home database, specific database(s), or all databases. 
- -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT ALL+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] ALL [[DATABASE] PRIVILEGES] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles all privileges for the home, a specific, or all databases and remote database aliases. - -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT { SHOW \| TERMINATE } TRANSACTION+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] { SHOW \| TERMINATE } TRANSACTION[S] [( { * \| user[, ...] } )] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles the privilege to list and end the transactions and queries of all users or a particular user(s) in the home database, specific database(s), or all databases. - -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT TRANSACTION+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] TRANSACTION [MANAGEMENT] [( { * \| user[, ...] } )] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Grants the specified roles the privilege to manage the transactions and queries of all users or a particular user(s) in the home database, specific database(s), or all databases. - -|=== - - -image::privileges_grant_and_deny_syntax_database_privileges.svg[title="Syntax of GRANT and DENY Database Privileges"] - - -[[access-control-database-administration-access]] -== The database `ACCESS` privilege - -The `ACCESS` privilege enables users to connect to a database or a remote database alias. -With `ACCESS` you can run calculations, for example, `+RETURN 2 * 5 AS answer+` or call functions `RETURN timestamp() AS time`. 
- -[source, syntax, role="noheader"] ----- -GRANT [IMMUTABLE] ACCESS - ON { HOME DATABASE | DATABASE[S] { * | name[, ...] } } - TO role[, ...] ----- - -For example, to grant the role `regularUsers` the ability to access the database `neo4j`, use: - -[source, cypher, role=noplay] ----- -GRANT ACCESS ON DATABASE neo4j TO regularUsers ----- - -The `ACCESS` privilege can also be denied: - -[source, syntax, role="noheader"] ----- -DENY [IMMUTABLE] ACCESS - ON { HOME DATABASE | DATABASE[S] { * | name[, ...] } } - TO role[, ...] ----- - -For example, to deny the role `regularUsers` the ability to access to the remote database alias `remote-db`, use: - -[source, cypher, role=noplay] ----- -DENY ACCESS ON DATABASE `remote-db` TO regularUsers ----- - -The privileges granted can be seen using the `SHOW PRIVILEGES` command: - -[source, cypher, role=noplay] ----- -SHOW ROLE regularUsers PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"DENY ACCESS ON DATABASE `remote-db` TO `regularUsers`" -|"GRANT ACCESS ON DATABASE `neo4j` TO `regularUsers`" -a|Rows: 2 -|=== - - -[[access-control-database-administration-startstop]] -== The database `START`/`STOP` privileges - -The `START` privilege can be used to enable the ability to start a database: - -[source, syntax, role="noheader"] ----- -GRANT [IMMUTABLE] START - ON { HOME DATABASE | DATABASE[S] { * | name[, ...] } } - TO role[, ...] ----- - -For example, to grant the role `regularUsers` the ability to start the database `neo4j`, use: - -[source, cypher, role=noplay] ----- -GRANT START ON DATABASE neo4j TO regularUsers ----- - -The `START` privilege can also be denied: - -[source, syntax, role="noheader"] ----- -DENY [IMMUTABLE] START - ON { HOME DATABASE | DATABASE[S] { * | name[, ...] } } - TO role[, ...] 
----- - -For example, to deny the role `regularUsers` the ability to start to the database `neo4j`, use: - -[source, cypher, role=noplay] ----- -DENY START ON DATABASE system TO regularUsers ----- - -The `STOP` privilege can be used to enable the ability to stop a database: - -[source, syntax, role="noheader"] ----- -GRANT [IMMUTABLE] STOP - ON { HOME DATABASE | DATABASE[S] { * | name[, ...] } } - TO role[, ...] ----- - -For example, to grant the role `regularUsers` the ability to stop the database `neo4j`, use: - -[source, cypher, role=noplay] ----- -GRANT STOP ON DATABASE neo4j TO regularUsers ----- - -The `STOP` privilege can also be denied: - -[source, syntax, role="noheader"] ----- -DENY [IMMUTABLE] STOP - ON { HOME DATABASE | DATABASE[S] { * | name[, ...] } } - TO role[, ...] ----- - -For example, to deny the role `regularUsers` the ability to stop the database `neo4j`, use: - -[source, cypher, role=noplay] ----- -DENY STOP ON DATABASE system TO regularUsers ----- - -The privileges granted can be seen using the `SHOW PRIVILEGES` command: - -[source, cypher, role=noplay] ----- -SHOW ROLE regularUsers PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"DENY ACCESS ON DATABASE `remote-db` TO `regularUsers`" -|"DENY START ON DATABASE `system` TO `regularUsers`" -|"DENY STOP ON DATABASE `system` TO `regularUsers`" -|"GRANT ACCESS ON DATABASE `neo4j` TO `regularUsers`" -|"GRANT START ON DATABASE `neo4j` TO `regularUsers`" -|"GRANT STOP ON DATABASE `neo4j` TO `regularUsers`" -a|Rows: 6 -|=== - -[NOTE] -==== -Note that `START` and `STOP` privileges are not included in the xref:authentication-authorization/database-administration.adoc#access-control-database-administration-all[`ALL DATABASE PRIVILEGES`]. 
-==== - - -[[access-control-database-administration-index]] -== The `INDEX MANAGEMENT` privileges - -Indexes can be created, deleted, or listed with the `CREATE INDEX`, `DROP INDEX`, and `SHOW INDEXES` commands. -The privilege to do this can be granted with `GRANT CREATE INDEX`, `GRANT DROP INDEX`, and `GRANT SHOW INDEX` commands. -The privilege to do all three can be granted with `GRANT INDEX MANAGEMENT` command. - - - - -.Index management privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT { CREATE \| DROP \| SHOW } INDEX+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] { CREATE \| DROP \| SHOW } INDEX[ES] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Enables the specified roles to create, delete, or show indexes in the home database, specific database(s), or all databases. - -|=== - - - -.Index management privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT INDEX+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] INDEX[ES] [MANAGEMENT] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Enables the specified roles to manage indexes in the home database, specific database(s), or all databases. - -|=== - - -For example, to grant the role `regularUsers` the ability to create indexes on the database `neo4j`, use: - -[source, cypher, role=noplay] ----- -GRANT CREATE INDEX ON DATABASE neo4j TO regularUsers ----- - - -[[access-control-database-administration-constraints]] -== The `CONSTRAINT MANAGEMENT` privileges - -Constraints can be created, deleted, or listed with the `CREATE CONSTRAINT`, `DROP CONSTRAINT` and `SHOW CONSTRAINTS` commands. -The privilege to do this can be granted with `GRANT CREATE CONSTRAINT`, `GRANT DROP CONSTRAINT`, `GRANT SHOW CONSTRAINT` commands. -The privilege to do all three can be granted with `GRANT CONSTRAINT MANAGEMENT` command. 
- - -.Constraint management privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT { CREATE \| DROP \| SHOW } CONSTRAINT+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] { CREATE \| DROP \| SHOW } CONSTRAINT[S] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Enables the specified roles to create, delete, or show constraints on the home database, specific database(s), or all databases. - -|=== - - -.Constraint management privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT CONSTRAINT+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] CONSTRAINT[S] [MANAGEMENT] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Enable the specified roles to manage constraints on the home database, specific database(s), or all databases. - -|=== - - -For example, to grant the role `regularUsers` the ability to create constraints on the database `neo4j`, use: - -[source, cypher, role=noplay] ----- -GRANT CREATE CONSTRAINT ON DATABASE neo4j TO regularUsers ----- - - -[[access-control-database-administration-tokens]] -== The `NAME MANAGEMENT` privileges - -The right to create new labels, relationship types, and property names is different from the right to create nodes, relationships, and properties. -The latter is managed using database `WRITE` privileges, while the former is managed using specific `+GRANT/DENY CREATE NEW ...+` commands for each type. - - -.Node label management privileges syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT CREATE NEW LABEL+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] CREATE NEW [NODE] LABEL[S] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Enables the specified roles to create new node labels in the home database, specific database(s), or all databases. 
- -|=== - - -.Relationship type management privileges syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT CREATE NEW TYPE+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] CREATE NEW [RELATIONSHIP] TYPE[S] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Enables the specified roles to create new relationship types in the home database, specific database(s), or all databases. - -|=== - - -.Property name management privileges syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT CREATE NEW NAME+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] CREATE NEW [PROPERTY] NAME[S] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Enables the specified roles to create new property names in the home database, specific database(s), or all databases. - -|=== - - -.Node label, relationship type, and property name privileges management syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT NAME+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] NAME [MANAGEMENT] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Enables the specified roles to create new labels, relationship types, and property names in the home database, specific database(s), or all databases. - -|=== - -[NOTE] -==== -The `SHOW PRIVILEGES` commands return the `NAME MANAGEMENT` privilege as the action `token`, when not using `AS COMMANDS`. 
-==== - -For example, to grant the role `regularUsers` the ability to create new properties on nodes or relationships on the database `neo4j`, use: - -[source, cypher, role=noplay] ----- -GRANT CREATE NEW PROPERTY NAME ON DATABASE neo4j TO regularUsers ----- - - -[[access-control-database-administration-all]] -== Granting `ALL DATABASE PRIVILEGES` - -The right to access a database, create and drop indexes and constraints and create new labels, relationship types or property names can be achieved with a single command: - -[source, syntax, role="noheader"] ----- -GRANT [IMMUTABLE] ALL [[DATABASE] PRIVILEGES] - ON { HOME DATABASE | DATABASE[S] { * | name[, ...] } } - TO role[, ...] ----- - -[NOTE] -==== -Note that the privileges for starting and stopping all databases, and transaction management, are not included in the `ALL DATABASE PRIVILEGES` grant. -These privileges are associated with administrators while other database privileges are of use to domain and application developers. -==== - -For example, granting the abilities above on the database `neo4j` to the role `databaseAdminUsers` is done using the following query. 
- -[source, cypher, role=noplay] ----- -GRANT ALL DATABASE PRIVILEGES ON DATABASE neo4j TO databaseAdminUsers ----- - -The privileges granted can be seen using the `SHOW PRIVILEGES` command: - -[source, cypher, role=noplay] ----- -SHOW ROLE databaseAdminUsers PRIVILEGES AS COMMANDS ----- - -.Result -[options="header,footer", width="100%", cols="m"] -|=== -|command -|"GRANT ALL DATABASE PRIVILEGES ON DATABASE `neo4j` TO `databaseAdminUsers`" -a|Rows: 1 -|=== - - -[[access-control-database-administration-transaction]] -== Granting `TRANSACTION MANAGEMENT` privileges - -The right to run the commands `SHOW TRANSACTIONS`, `TERMINATE TRANSACTIONS`, and the deprecated procedures `dbms.listTransactions`, `dbms.listQueries`, `dbms.killQuery`, `dbms.killQueries`, `dbms.killTransaction` and `dbms.killTransactions` is now managed through the `SHOW TRANSACTION` and `TERMINATE TRANSACTION` privileges. - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT SHOW TRANSACTION+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] SHOW TRANSACTION[S] [( { * \| user[, ...] } )] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Enables the specified roles to list transactions and queries for user(s) or all users in the home database, specific database(s), or all databases. - -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT TERMINATE TRANSACTION+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] TERMINATE TRANSACTION[S] [( { * \| user[, ...] } )] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Enables the specified roles to end running transactions and queries for user(s) or all users in the home database, specific database(s), or all databases. 
- -|=== - - -.Database privilege syntax -[cols="<15s,<85"] -|=== - -| Command -m| +GRANT TRANSACTION+ - -| Syntax -a| -[source, syntax, role="noheader", indent=0] ----- -GRANT [IMMUTABLE] TRANSACTION [MANAGEMENT] [( { * \| user[, ...] } )] - ON { HOME DATABASE \| DATABASE[S] { * \| name[, ...] } } - TO role[, ...] ----- - -| Description -| Enables the specified roles to manage transactions and queries for user(s) or all users in the home database, specific database(s), or all databases. - -|=== - - -[NOTE] -==== -Note that the `TRANSACTION MANAGEMENT` privileges are not included in the xref:authentication-authorization/database-administration.adoc#access-control-database-administration-all[`ALL DATABASE PRIVILEGES`]. -==== - -For example, to grant the role `regularUsers` the ability to list transactions for user `jake` on the database `neo4j`, use: - -[source, cypher, role=noplay] ----- -GRANT SHOW TRANSACTION (jake) ON DATABASE neo4j TO regularUsers ----- diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-admin-role.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-admin-role.adoc new file mode 100644 index 000000000..cb6abfd1d --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-admin-role.adoc 
@@ -0,0 +1,261 @@ +:description: Details the privileges associated with the administrator role for managing the DBMS. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated += Administrator role privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; +CREATE ROLE 
procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +You can manage DBMS privileges using either the built-in `admin` role or by creating a custom role with the specific privileges you need. + +== Using the built-in `admin` role to manage DBMS privileges + +The xref:authentication-authorization/built-in-roles.adoc#access-control-built-in-roles-admin[`admin` role] role is a built-in superuser role that has all privileges on the DBMS and can perform all administrative tasks. + +This includes the following tasks and their relevant privileges: + +* Create, delete, and modify xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[databases] and xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[aliases]. +* Change configuration parameters. +* xref:authentication-authorization/database-administration.adoc#access-control-database-administration-transaction[Manage transactions]. 
+* Manage xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[users] and xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[roles]. +* Manage xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[privilege management]. +* Manage xref:authentication-authorization/privileges-reads.adoc[read] and xref:authentication-authorization/privileges-writes.adoc[write] sub-graph privileges. +* Manage xref:authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc[impersonation privileges]. +* Manage xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[procedure security]. +* Manage xref:authentication-authorization/load-privileges.adoc[load data security]. + +To enable a user to perform these tasks, you can grant them the `admin` role, but it is also possible to make a custom role with a subset of these privileges. +All privileges are also assignable using Cypher commands. + + +[[access-control-dbms-administration-custom]] +== Using a custom role to manage DBMS privileges + +You can create a custom role to manage DBMS privileges by granting the privileges you want to the role. +Alternatively, you can copy the `admin` role and revoke or deny the unwanted privileges. +The following examples show how to create a custom role with a subset of the privileges that the `admin` role using both methods. + +=== Create a custom administrator role from scratch + +Create an administrator role that can only manage users and roles by creating a new role and granting the `USER MANAGEMENT` and `ROLE MANAGEMENT` privileges. + +. Create the new role: ++ +[source, cypher, role=noplay] +---- +CREATE ROLE userAndRoleAdministrator; +---- +. Grant the privilege to manage users: ++ +[source, cypher, role=noplay] +---- +GRANT USER MANAGEMENT ON DBMS TO userAndRoleAdministrator; +---- +. 
Grant the privilege to manage roles: ++ +[source, cypher, role=noplay] +---- +GRANT ROLE MANAGEMENT ON DBMS TO userAndRoleAdministrator; +---- ++ +As a result, the `userAndRoleAdministrator` role has privileges that only allow user and role management. +. To list all privileges for the role `userAndRoleAdministrator` as commands, use the following query: ++ +[source, cypher, role=noplay] +---- +SHOW ROLE userAndRoleAdministrator PRIVILEGES AS COMMANDS; +---- ++ +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ROLE MANAGEMENT ON DBMS TO `userAndRoleAdministrator`" +|"GRANT USER MANAGEMENT ON DBMS TO `userAndRoleAdministrator`" +a|Rows: 2 +|=== + +[NOTE] +==== +This role does not allow all DBMS capabilities. +For example, the role is missing privileges for managing, creating, and dropping databases, as well as executing `admin` procedures. +To create a more powerful administrator, you can grant a different set of privileges. +==== + +=== Create a more powerful custom administrator role from scratch + +You can also create a custom administrator role with limited capabilities. +This can be done by creating a new role and granting all `DBMS` privileges, then denying the ones you do not want the role to have, and then granting additional privileges you want to include. +For example, you can create a custom administrator role `customAdministrator` that has all DBMS privileges except for creating, dropping, and modifying databases, and also has the privilege for managing transactions. + +. Create a new role: ++ +[source, cypher, role=noplay] +---- +CREATE ROLE customAdministrator; +---- +. Grant the privilege for all DBMS capabilities: ++ +[source, cypher, role=noplay] +---- +GRANT ALL DBMS PRIVILEGES ON DBMS TO customAdministrator; +---- +. Explicitly deny the privilege to manage databases: ++ +[source, cypher, role=noplay] +---- +DENY DATABASE MANAGEMENT ON DBMS TO customAdministrator; +---- +. 
Grant the transaction management privilege: ++ +[source, cypher, role=noplay] +---- +GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO customAdministrator; +---- ++ +As a result, the `customAdministrator` role has privileges that include managing transactions and all DBMS privileges except creating, dropping, and modifying databases. +. To list all privileges for the role `customAdministrator` as commands, use the following query: ++ +[source, cypher, role=noplay] +---- +SHOW ROLE customAdministrator PRIVILEGES AS COMMANDS; +---- ++ +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY DATABASE MANAGEMENT ON DBMS TO `customAdministrator`" +|"GRANT ALL DBMS PRIVILEGES ON DBMS TO `customAdministrator`" +|"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `customAdministrator`" +a|Rows: 3 +|=== + +=== Create a custom administrator role by copying the `admin` role + +You can also create a custom administrator role by copying the `admin` role and then revoking or denying the privileges you do not want. +For example, you can create a new role called `newAdministrator` that has all the privileges of the `admin` role, and then revoke the ability to read/write/load data, manage constraints, indexes, name, and remove ability to access all databases, except the `system` database. + +. Create a new role by copying the `admin` role: ++ +[source, cypher, role=noplay] +---- +CREATE ROLE newAdministrator AS COPY OF admin; +---- + +. Revoke the ability to read/write/load data: ++ +[source, cypher, role=noplay] +---- +REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM newAdministrator; +REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM newAdministrator; +REVOKE GRANT WRITE ON GRAPH * FROM newAdministrator; +REVOKE GRANT LOAD ON ALL DATA FROM newAdministrator; +---- + +. 
Revoke the ability to manage index/constraint/name: ++ +[source, cypher, role=noplay] +---- +REVOKE GRANT CONSTRAINT MANAGEMENT ON DATABASE * FROM newAdministrator; +REVOKE GRANT INDEX MANAGEMENT ON DATABASE * FROM newAdministrator; +REVOKE GRANT NAME MANAGEMENT ON DATABASE * FROM newAdministrator; +REVOKE GRANT SHOW CONSTRAINT ON DATABASE * FROM newAdministrator; +REVOKE GRANT SHOW INDEX ON DATABASE * FROM newAdministrator; +---- + +. Revoke the ability to access all databases: ++ +[source, cypher, role=noplay] +---- +REVOKE GRANT ACCESS ON DATABASE * FROM newAdministrator; +---- +. Grant the ability to access the `system` database: ++ +[source, cypher, role=noplay] +---- +GRANT ACCESS ON DATABASE system TO newAdministrator; +---- + +. To list all privileges for the role `newAdministrator` as commands, use the following query: ++ +[source, cypher, role=noplay] +---- +SHOW ROLE newAdministrator PRIVILEGES AS COMMANDS; +---- ++ +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +| "GRANT ACCESS ON DATABASE `system` TO `newAdministrator`" +| "GRANT ALL DBMS PRIVILEGES ON DBMS TO `newAdministrator`" +| "GRANT START ON DATABASE * TO `newAdministrator`" +| "GRANT STOP ON DATABASE * TO `newAdministrator`" +| "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `newAdministrator`" +a|Rows: 5 +|=== + diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc new file mode 100644 index 000000000..7d507f3da --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc 
@@ -0,0 +1,246 @@ +:description: Details the DBMS privileges for alias management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-alias-management-privileges]] += The DBMS `ALIAS MANAGEMENT` privileges +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; 
+CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for alias management can be granted, denied, or revoked like other privileges. +This applies to both local and remote aliases. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Alias management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] CREATE ALIAS +ON DBMS +TO role[, ...] +| Enables the specified roles to create new aliases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DROP ALIAS +ON DBMS +TO role[, ...] +| Enables the specified roles to delete aliases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ALTER ALIAS +ON DBMS +TO role[, ...] +| Enables the specified roles to modify aliases. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW ALIAS +ON DBMS +TO role[, ...] +| Enables the specified roles to list aliases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ALIAS MANAGEMENT +ON DBMS +TO role[, ...] +| Enables the specified roles to list, create, delete, and modify aliases. + +|=== + +== Grant privilege to create aliases + +You can grant the privilege to create aliases using the `CREATE ALIAS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT CREATE ALIAS ON DBMS TO aliasAdder; +---- + +As a result, the `aliasAdder` role has privileges that only allow creating aliases. +To list all privileges for the role `aliasAdder` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE aliasAdder PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT CREATE ALIAS ON DBMS TO `aliasAdder`" +a|Rows: 1 +|=== + +== Grant privilege to delete aliases + +You can grant the privilege to delete aliases using the `DROP ALIAS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT DROP ALIAS ON DBMS TO aliasDropper; +---- + +As a result, the `aliasDropper` role has privileges that only allow deleting aliases. +See all privileges for the role `aliasDropper` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE aliasDropper PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DROP ALIAS ON DBMS TO `aliasDropper`" +a|Rows: 1 +|=== + +== Grant privilege to modify aliases + +You can grant the privilege to modify aliases using the `ALTER ALIAS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ALTER ALIAS ON DBMS TO aliasModifier; +---- + +As a result, the `aliasModifier` role has privileges that only allow modifying aliases. 
+To list all privileges for the role `aliasModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE aliasModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALTER ALIAS ON DBMS TO `aliasModifier`" +a|Rows: 1 +|=== + + +== Grant privilege to list aliases + +You can grant the privilege to list aliases using the `SHOW ALIAS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SHOW ALIAS ON DBMS TO aliasViewer; +---- + +As a result, the `aliasViewer` role has privileges that only allow modifying aliases. +To list all privileges for the role `aliasViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE aliasViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW ALIAS ON DBMS TO `aliasViewer`" +a|Rows: 1 +|=== + +== Grant privilege to manage aliases + +You can grant the privilege to create, delete, modify, and list aliases using the `ALIAS MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ALIAS MANAGEMENT ON DBMS TO aliasManager; +---- + +As a result, the `aliasManager` role has all privileges to manage aliases. +To list all privileges for the role `aliasManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE aliasManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALIAS MANAGEMENT ON DBMS TO `aliasManager`" +a|Rows: 1 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc new file mode 100644 index 000000000..0738abbbb --- /dev/null 
+++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc 
@@ -0,0 +1,443 @@ +:description: Details the DBMS privileges for database management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-database-management-privileges]] += The DBMS `DATABASE MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT 
EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for database management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Database management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] CREATE DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to create new standard databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DROP DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to delete standard databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ALTER DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to modify standard databases. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET DATABASE ACCESS + ON DBMS + TO role[, ...] +| Enables the specified roles to modify access to standard databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET DATABASE DEFAULT LANGUAGE + ON DBMS + TO role[, ...] +| Enables the specified roles to set the default query language on a standard database. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] CREATE COMPOSITE DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to create new composite databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DROP COMPOSITE DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to delete composite databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ALTER COMPOSITE DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to modify composite databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] COMPOSITE DATABASE MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to create, delete or modify composite databases. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DATABASE MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to create, delete, and modify databases. + +|=== + +[NOTE] +==== +From Cypher 25 (Neo4j server 2025.08), the `ALTER DATABASE`, `SET DATABASE ACCESS`, `SET DATABASE DEFAULT LANGUAGE`, and `ALTER COMPOSITE DATABASE` privileges can be granted both as database privileges and as DBMS privileges. +The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. +For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. +==== + +== Grant privilege to create standard databases + +You can grant the privilege to create standard databases using the `CREATE DATABASE` privilege. 
+ +For example: + +[source, cypher, role=noplay] +---- +GRANT CREATE DATABASE ON DBMS TO databaseAdder +---- + +As a result, the `databaseAdder` role has privileges that only allow creating standard databases. +To list all privileges for the role `databaseAdder` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE databaseAdder PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT CREATE DATABASE ON DBMS TO `databaseAdder`" +a|Rows: 1 +|=== + +== Grant privilege to create composite databases + +You can grant the privilege to create composite databases using the `CREATE COMPOSITE DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT CREATE COMPOSITE DATABASE ON DBMS TO compositeDatabaseAdder +---- + +As a result, the `compositeDatabaseAdder` role has privileges that only allow creating composite databases. +To list all privileges for the role `compositeDatabaseAdder` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE compositeDatabaseAdder PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT CREATE COMPOSITE DATABASE ON DBMS TO `compositeDatabaseAdder`" +a|Rows: 1 +|=== + +== Grant privilege to delete standard databases + +You can grant the privilege to delete standard databases using the `DROP DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT DROP DATABASE ON DBMS TO databaseDropper +---- + +As a result, the `databaseDropper` role has privileges that only allow deleting standard databases. 
+To list all privileges for the role `databaseDropper` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE databaseDropper PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DROP DATABASE ON DBMS TO `databaseDropper`" +a|Rows: 1 +|=== + +== Grant privilege to delete composite databases + +You can grant the privilege to delete composite databases using the `DROP COMPOSITE DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT DROP COMPOSITE DATABASE ON DBMS TO compositeDatabaseDropper +---- + +As a result, the `compositeDatabaseDropper` role has privileges that only allow deleting composite databases. +To list all privileges for the role `compositeDatabaseDropper` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE compositeDatabaseDropper PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DROP COMPOSITE DATABASE ON DBMS TO `compositeDatabaseDropper`" +a|Rows: 1 +|=== + +== Grant privilege to modify standard databases + +You can grant the privilege to modify standard databases using the `ALTER DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ALTER DATABASE ON DBMS TO databaseModifier; +---- + +As a result, the `databaseModifier` role has privileges that only allow modifying standard databases. +To list all privileges for the role `databaseModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE databaseModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALTER DATABASE ON DBMS TO `databaseModifier`" +a|Rows: 1 +|=== + +[NOTE] +==== +From Cypher 25 (Neo4j server 2025.08), the `ALTER DATABASE` privileges can be granted both as database privileges and as DBMS privileges. 
+The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. +For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. +==== + +== Grant privilege to modify access to standard databases + +You can grant the privilege to modify access to standard databases using the `SET DATABASE ACCESS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SET DATABASE ACCESS ON DBMS TO accessModifier +---- + +As a result, the `accessModifier` role has privileges that only allow modifying access to standard databases. +To list all privileges for the role `accessModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE accessModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SET DATABASE ACCESS ON DBMS TO `accessModifier`" +a|Rows: 1 +|=== + +[NOTE] +==== +From Cypher 25 (Neo4j server 2025.08), the `SET DATABASE ACCESS` privileges can be granted both as database privileges and as DBMS privileges. +The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. +For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. +==== + +[role=label--new-2025.06] +== Grant privilege to modify the default language of standard databases + +You can grant the privilege to modify the default language of standard databases using the `SET DATABASE DEFAULT LANGUAGE` privilege. 
+ +For example: + +[source, cypher, role=noplay] +---- +GRANT SET DATABASE DEFAULT LANGUAGE ON DBMS TO languageModifier +---- + +As a result, the `languageModifier` role has privileges that only allow modifying default language to standard databases. +To list all privileges for the role `languageModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE languageModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SET DATABASE DEFAULT LANGUAGE ON DBMS TO `languageModifier`" +a|Rows: 1 +|=== + +[NOTE] +==== +From Cypher 25 (Neo4j server 2025.08), the `SET DATABASE DEFAULT LANGUAGE` privileges can be granted both as database privileges and as DBMS privileges. +The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. +For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. +==== + +[role=label--new-2025.06] +[[grant-privilege-alter-composite-database]] +== Grant privilege to modify composite databases + +You can grant the privilege to modify composite databases using the `ALTER COMPOSITE DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ALTER COMPOSITE DATABASE ON DBMS TO compositeDatabaseModifier; +---- + +As a result, the `compositeDatabaseModifier` role has privileges that only allow modifying composite databases. 
+To list all privileges for the role `compositeDatabaseModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE compositeDatabaseModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALTER COMPOSITE DATABASE ON DBMS TO `compositeDatabaseModifier`" +a|Rows: 1 +|=== + +[NOTE] +==== +From Cypher 25 (Neo4j server 2025.08), the `ALTER COMPOSITE DATABASE` privileges can be granted both as database privileges and as DBMS privileges. +The DBMS privilege version is equivalent to granting the privilege for all databases, `DATABASE *`. +For more information on the database privilege versions, see xref:authentication-authorization/database-administration.adoc#access-control-database-administration-alter-db[The alter database-related privileges]. +==== + +== Grant privilege to manage composite databases + +You can grant the privilege to create, delete, and modify composite databases using the `COMPOSITE DATABASE MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO compositeDatabaseManager; +---- + +As a result, the `compositeDatabaseManager` role has all privileges to manage composite databases. +To list all privileges for the role `compositeDatabaseManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE compositeDatabaseManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT COMPOSITE DATABASE MANAGEMENT ON DBMS TO `compositeDatabaseManager`" +a|Rows: 1 +|=== + +== Grant privilege to manage standard and composite databases + +You can grant the privilege to create, delete, and modify standard and composite databases using the `DATABASE MANAGEMENT` privilege. 
+ +For example: + +[source, cypher, role=noplay] +---- +GRANT DATABASE MANAGEMENT ON DBMS TO databaseManager; +---- + +As a result, the `databaseManager` role has all privileges to manage standard and composite databases. +To list all privileges for the role `databaseManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE databaseManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DATABASE MANAGEMENT ON DBMS TO `databaseManager`" +a|Rows: 1 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-execute-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-execute-privileges.adoc new file mode 100644 index 000000000..b4df65379 --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-execute-privileges.adoc 
@@ -0,0 +1,544 @@ +:description: Details the DBMS privileges for procedure and user-defined function execution. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-execute-privileges]] += The DBMS `EXECUTE` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF 
NOT EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for procedure and user-defined function execution can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Execute privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command +| Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] EXECUTE PROCEDURE[S] name-globbing[, ...] + ON DBMS + TO role[, ...] +| Enables the specified roles to execute the given procedures. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] EXECUTE BOOSTED PROCEDURE[S] name-globbing[, ...] + ON DBMS + TO role[, ...] +| Enables the specified roles to use elevated privileges when executing the given procedures. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] EXECUTE ADMIN[ISTRATOR] PROCEDURES + ON DBMS + TO role[, ...] +| Enables the specified roles to execute procedures annotated with `@Admin`. The procedures are executed with elevated privileges. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] EXECUTE [USER [DEFINED]] FUNCTION[S] name-globbing[, ...] + ON DBMS + TO role[, ...] +| Enables the specified roles to execute the given user-defined functions. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] name-globbing[, ...] + ON DBMS + TO role[, ...] +| Enables the specified roles to use elevated privileges when executing the given user-defined functions. +|=== + +[[access-control-execute-procedure]] +== Grant privilege to execute procedures + +You can grant the privilege to execute procedures using the `EXECUTE PROCEDURE` privilege. + +A role with this privilege is allowed to execute the procedures matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing]. + +=== Grant privilege to execute some procedures + +The following query allow the execution of procedures starting with `db.schema`: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO procedureExecutor; +---- + +Users with the role `procedureExecutor` can run any procedure in the `db.schema` namespace. +The procedures are executed using the user's own privileges. 
+ +To list all privileges for the role `procedureExecutor` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE procedureExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO `procedureExecutor`" +a|Rows: 1 +|=== + +=== Grant privilege to execute all but some procedures + +You can grant the privilege to execute all except a few procedures using `EXECUTE PROCEDURES *` and deny the unwanted procedures. +For example, the following queries allow the execution of all procedures, except those starting with `dbms.cluster`: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE * ON DBMS TO deniedProcedureExecutor; +---- + +[source, cypher, role=noplay] +---- +DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO deniedProcedureExecutor; +---- + +Users with the role `deniedProcedureExecutor` can run any procedure except those starting with `dbms.cluster`. +The procedures are executed using the user's own privileges. + +To list all privileges for the role `deniedProcedureExecutor` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedProcedureExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY EXECUTE PROCEDURE dbms.cluster* ON DBMS TO `deniedProcedureExecutor`" +|"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedProcedureExecutor`" +a|Rows: 2 +|=== + + +The `dbms.cluster.checkConnectivity`, `dbms.cluster.cordonServer`, `dbms.cluster.protocols`, `dbms.cluster.readReplicaToggle`, `dbms.cluster.routing.getRoutingTable`, `dbms.cluster.secondaryReplicationDisable`, `dbms.cluster.setAutomaticallyEnableFreeServers`, and `dbms.cluster.uncordonServer` procedures are blocked, as well as any others starting with `dbms.cluster`. 
+ + +[[access-control-execute-boosted-procedure]] +== Grant privilege to execute procedures with elevated privileges + +You can grant the privilege to execute procedures with elevated privileges using the `EXECUTE BOOSTED PROCEDURE` privilege. + +A user with this privilege will not be restricted to their other privileges when executing the procedures matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing]. +The `EXECUTE BOOSTED PROCEDURE` privilege only affects the elevation, and not the execution of the procedure. +Therefore, it is needed to grant `EXECUTE PROCEDURE` privilege for the procedures as well. +Both `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` are needed to execute a procedure with elevated privileges. + +=== Grant privilege to execute some procedures with elevated privileges + +You can grant the privilege to execute some procedures with elevated privileges using `EXECUTE BOOSTED PROCEDURE *`. + +For example, the following query allow the execution of the procedures `db.labels` and `db.relationshipTypes` with elevated privileges, and all other procedures with the user's own privileges: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE * ON DBMS TO boostedProcedureExecutor; +GRANT EXECUTE BOOSTED PROCEDURE db.labels, db.relationshipTypes ON DBMS TO boostedProcedureExecutor +---- + +Users with the role `boostedProcedureExecutor` can thus run the `db.labels` and the `db.relationshipTypes` procedures with full privileges, seeing everything in the graph and not just the labels and types that the user has `TRAVERSE` privilege on. +Without the `EXECUTE PROCEDURE`, no procedures could be executed at all. 
+ +To list all privileges for the role `boostedProcedureExecutor` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE boostedProcedureExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT EXECUTE PROCEDURE * ON DBMS TO `boostedProcedureExecutor`" +|"GRANT EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `boostedProcedureExecutor`" +|"GRANT EXECUTE BOOSTED PROCEDURE db.relationshipTypes ON DBMS TO `boostedProcedureExecutor`" +a|Rows: 3 +|=== + +[[grant-execute-procedure-deny-elevation]] +=== Combination of granting execution and denying privilege elevation + +As with grant, denying `EXECUTE BOOSTED PROCEDURE` on its own only affects the elevation and not the execution of the procedure. + +For example: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor1; +DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor1; +---- + +As a result, the `deniedBoostedProcedureExecutor1` role has privileges that allow the execution of all procedures using the user’s own privileges. +They also prevent the `db.labels` procedure from being elevated. +Still, the denied `EXECUTE BOOSTED PROCEDURE` does not block execution of `db.labels`. 
+ +To list all privileges for role `deniedBoostedProcedureExecutor1` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedBoostedProcedureExecutor1 PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor1`" +|"GRANT EXECUTE PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor1`" +a|Rows: 2 +|=== + +[[grant-privilege-elevation-deny-execution]] +=== Combination of granting privilege elevation and denying execution + +You can also grant the privilege to execute procedures with elevated privileges and deny the execution of specific procedures. + +For example: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor2; +---- + +[source, cypher, role=noplay] +---- +DENY EXECUTE PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor2; +---- + +As a result, the `deniedBoostedProcedureExecutor2` role has privileges that allow elevating the privileges for all procedures, but cannot execute any due to missing or denied `EXECUTE PROCEDURE` privileges. + +To list all privileges for the role `deniedBoostedProcedureExecutor2` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedBoostedProcedureExecutor2 PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY EXECUTE PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor2`" +|"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor2`" +a|Rows: 2 +|=== + +[[grant-deny-privilege-elevation]] +=== Combination of granting and denying privilege elevation + +You can also grant the privilege to execute procedures with elevated privileges and deny the elevation for specific procedures. 
+ +For example, the following queries allow has privileges that allow elevating the privileges for all procedures except `db.labels`. +However, no procedures can be executed due to a missing `EXECUTE PROCEDURE` privilege. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor3; +---- + +[source, cypher, role=noplay] +---- +DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor3; +---- + +As a result, the `deniedBoostedProcedureExecutor3` role has privileges that allow elevating the privileges for all procedures except `db.labels`. +However, no procedures can be executed due to missing `EXECUTE PROCEDURE` privilege. + +To list all privileges for the role `deniedBoostedProcedureExecutor3` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedBoostedProcedureExecutor3 PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO `deniedBoostedProcedureExecutor3`" +|"GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO `deniedBoostedProcedureExecutor3`" +a|Rows: 2 +|=== + +=== Control procedure output with privileges + +You can control the output of procedures based on the privileges granted or denied to a role using the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges. +For example, assume there is a procedure called `myProc`. + +This procedure gives the result `A` and `B` for a user with only the `EXECUTE PROCEDURE` privilege and `A`, `B` and `C` for a user with both the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges. + +Now, adapt the privileges from sections <> (example 1), <> (example 2), and <> (example 3) to be applied to this procedure and show what is returned. 
+ +With the privileges from example 1, granted `EXECUTE PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A` and `B`. + +With the privileges from example 2, granted `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE PROCEDURE myProc`, execution of the `myProc` procedure is not allowed. + +With the privileges from example 3, granted `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, execution of the `myProc` procedure is not allowed. + +For comparison, when granted: + +* `EXECUTE PROCEDURE myProc`: the `myProc` procedure returns the result `A` and `B`. +* `EXECUTE BOOSTED PROCEDURE myProc`: execution of the `myProc` procedure is not allowed. +* `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE myProc`: the `myProc` procedure returns the result `A`, `B`, and `C`. + + +[[access-control-admin-procedure]] +== Grant privilege to execute admin procedures + +Admin procedures (annotated with `@Admin`) are special in that they require elevated privileges to be executed at all. +This means that to execute an admin procedure you need both the <> and <> privileges for that procedure. + +For a user to be allowed to execute all admin procedures, they can either be granted the two privileges for each of the admin procedures (which would need to be updated each time a new admin procedure is added), all procedures (which would then affect all non-admin procedures as well) or the `EXECUTE ADMIN PROCEDURES` privilege. + +The `EXECUTE ADMIN PROCEDURES` privilege is equivalent to granting the <> and <> privileges on each of the admin procedures. +This also have the additional advantage that any newly added `admin` procedure is automatically included in this privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO adminProcedureExecutor; +---- + +Users with the role `adminProcedureExecutor` can run any `admin` procedure with elevated privileges. 
+As a result, the `adminProcedureExecutor` role has privileges that allow the execution of all admin procedures. +To list all privileges for the role `adminProcedureExecutor` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE adminProcedureExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO `adminProcedureExecutor`" +a|Rows: 1 +|=== + +In order to compare this with the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges, revisit the `myProc` procedure, but this time as an `admin` procedure, which will give the result `A`, `B` and `C` when allowed to execute. + +By starting with a user only granted the `EXECUTE PROCEDURE myProc` or the `EXECUTE BOOSTED PROCEDURE myProc` privilege, execution of the `myProc` procedure is not allowed. + +However, for a user granted the `EXECUTE ADMIN PROCEDURES` or both `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A`, `B` and `C`. + +Any denied `EXECUTE` privilege results in the procedure not being allowed to be executed. +In this case, it does not matter whether `EXECUTE PROCEDURE`, `EXECUTE BOOSTED PROCEDURE` or `EXECUTE ADMIN PROCEDURES` is being denied. + +[[access-control-execute-user-defined-function]] +== Grant privilege to execute user-defined functions + +//EXECUTE [USER [DEFINED]] FUNCTION[S] +You can grant the privilege to execute user-defined functions (UDFs) using the `EXECUTE USER DEFINED FUNCTION` privilege. +A role with this privilege is allowed to execute the UDFs matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing]. + +[IMPORTANT] +==== +The `EXECUTE USER DEFINED FUNCTION` privilege does not apply to built-in functions, which are always executable. 
+==== + +=== Grant privilege to execute some user-defined functions + +The following query shows an example of how to grant the `EXECUTE USER DEFINED FUNCTION` privilege: + +[source,cypher,role=noplay] +---- +GRANT EXECUTE USER DEFINED FUNCTION apoc.coll.* ON DBMS TO functionExecutor; +---- + +Or in short form: + +[source,cypher,role=noplay] +---- +GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO functionExecutor; +---- + +Users with the role `functionExecutor` can thus run any UDF in the `apoc.coll` namespace. +The functions are executed using the user's own privileges. + +As a result, the `functionExecutor` role has privileges that only allow executing UDFs in the `apoc.coll` namespace. +To list all privileges for the role `functionExecutor` as commands, use the following query: + +[source,cypher,role=noplay] +---- +SHOW ROLE functionExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO `functionExecutor`" +a|Rows: 1 +|=== + +=== Grant privilege to execute all but some user-defined functions + +To allow the execution of all but a few UDFs, you can grant `+EXECUTE USER DEFINED FUNCTIONS *+` and deny the unwanted UDFs. 
+For example, the following queries allow the execution of all UDFs except those starting with `apoc.any.prop`: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO deniedFunctionExecutor; +---- + +[source, cypher, role=noplay] +---- +DENY EXECUTE USER DEFINED FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor; +---- + +Or in short form: + +[source, cypher, role=noplay] +---- +GRANT EXECUTE FUNCTIONS * ON DBMS TO deniedFunctionExecutor; +---- + +[source, cypher, role=noplay] +---- +DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor; +---- + +As a result, the `deniedFunctionExecutor` role has privileges that only allow the execution of all UDFs except those starting with `apoc.any.prop`. +The functions are executed using the user's own privileges. +To list all privileges for the role `deniedFunctionExecutor` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedFunctionExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO `deniedFunctionExecutor`" +|"GRANT EXECUTE FUNCTION * ON DBMS TO `deniedFunctionExecutor`" +a|Rows: 2 +|=== + +The `apoc.any.property` and `apoc.any.properties` are blocked, as well as any other UDFs starting with `apoc.any.prop`. + +[[access-control-execute-boosted-user-defined-function]] +== Grant privilege to execute user-defined functions with elevated privileges + +//EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] +You can grant the privilege to execute user-defined functions (UDFs) with elevated privileges using the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege. + +A user with this privilege will not be restricted to their other privileges when executing the UDFs matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing]. 
+The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege only affects the elevation and not the execution of the function. +Therefore, it is needed to grant `EXECUTE USER DEFINED FUNCTION` privilege for the UDFs as well. +Both `EXECUTE USER DEFINED FUNCTION` and `EXECUTE BOOSTED USER DEFINED FUNCTION` are needed to execute a function with elevated privileges. + +[IMPORTANT] +==== +The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege does not apply to built-in functions, as they have no concept of elevated privileges. +==== + +=== Grant privilege to execute some user-defined functions with elevated privileges + +The following query shows an example of how to grant the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege: + +[source,cypher,role=noplay] +---- +GRANT EXECUTE USER DEFINED FUNCTION * ON DBMS TO boostedFunctionExecutor; +GRANT EXECUTE BOOSTED USER DEFINED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor; +---- + +Or in short form: + +[source,cypher,role=noplay] +---- +GRANT EXECUTE FUNCTION * ON DBMS TO boostedFunctionExecutor; +GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor; +---- + +Users with the role `boostedFunctionExecutor` can thus run `apoc.any.properties` with full privileges and see every property on the node/relationship, not just the properties that the user has `READ` privilege on. +Without the `EXECUTE USER DEFINED FUNCTION`, you cannot execute any UDFs at all. + +As a result, the `boostedFunctionExecutor` role has privileges that allow executing the UDF `apoc.any.properties` with elevated privileges, and all other UDFs with the users' own privileges. 
+To list all privileges for the role `boostedFunctionExecutor` as commands, use the following query: + +[source,cypher,role=noplay] +---- +SHOW ROLE boostedFunctionExecutor PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer",width="100%",cols="m"] +|=== +|command +|"GRANT EXECUTE FUNCTION * ON DBMS TO `boostedFunctionExecutor`" +|"GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO `boostedFunctionExecutor`" +a|Rows: 2 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc new file mode 100644 index 000000000..4b2922e85 --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-impersonate-privileges.adoc 
@@ -0,0 +1,167 @@ +:description: Details the DBMS privileges for impersonation. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-impersonate-privileges]] += The DBMS `IMPERSONATE` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; +CREATE ROLE 
procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for impersonation can be granted, denied, or revoked like other privileges. + +Impersonation is the ability of a user to assume another user's roles (and therefore privileges), with the restriction of not being able to execute updating `admin` commands as the impersonated user (i.e. they would still be able to use `SHOW` commands). + +You can use the `IMPERSONATE` privilege to allow a user to impersonate another user. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Impersonation privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] IMPERSONATE [(*)] + ON DBMS + TO role[, ...] +| Enables the specified roles to impersonate any user. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] IMPERSONATE (user[, ...]) + ON DBMS + TO role[, ...] +| Enables the specified roles to impersonate the specified users. + +|=== + +== Grant privilege to impersonate all users + +You can grant the privilege to impersonate all users using the `IMPERSONATE (*)` privilege. + +For example: + +.Query +[source, cypher, role=noplay] +---- +GRANT IMPERSONATE (*) ON DBMS TO allUserImpersonator +---- + +As a result, the `allUserImpersonator` role has privileges that allow impersonating all users. +To list all privileges for the role `allUserImpersonator` as commands, use the following query: + +.Query +[source, cypher, role=noplay] +---- +SHOW ROLE allUserImpersonator PRIVILEGES AS COMMANDS; +---- +.Result +[options="header,footer", width="100%", cols="m"] +|=== +| command +| "GRANT IMPERSONATE (*) ON DBMS TO `allUserImpersonator`" +a|Rows: 1 +|=== + +== Grant privilege to impersonate specific users + +You can also grant the privilege to impersonate specific users or a subset of users. + +For example: + +.Query +[source, cypher, role=noplay] +---- +GRANT IMPERSONATE (alice, bob) ON DBMS TO userImpersonator; +---- + +As a result, the `userImpersonator` role has privileges that allow impersonating only `alice` and `bob`. +Then, you deny the privilege to impersonate `alice`: + +.Query +[source, cypher, role=noplay] +---- +DENY IMPERSONATE (alice) ON DBMS TO userImpersonator; +---- + +As a result, the `userImpersonator` user would be able to impersonate only `bob`. 
+ +To list all privileges for the role `userImpersonator` as commands, use the following query: + +.Query +[source, cypher, role=noplay] +---- +SHOW ROLE userImpersonator PRIVILEGES AS COMMANDS; +---- +.Result +[options="header,footer", width="100%", cols="m"] +|=== +| command +| "DENY IMPERSONATE (alice) ON DBMS TO `userImpersonator`" +| "GRANT IMPERSONATE (alice) ON DBMS TO `userImpersonator`" +| "GRANT IMPERSONATE (bob) ON DBMS TO `userImpersonator`" +a|Rows: 3 +|=== diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc new file mode 100644 index 000000000..d0f12109e --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc 
@@ -0,0 +1,224 @@ +:description: Details the DBMS privileges for privilege management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-privilege-management-privileges]] += The DBMS `PRIVILEGE MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF 
NOT EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for privilege management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Privilege management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW PRIVILEGE + ON DBMS + TO role[, ...] +| Enables the specified roles to list privileges. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ASSIGN PRIVILEGE + ON DBMS + TO role[, ...] +| Enables the specified roles to assign privileges using the `GRANT` and `DENY` commands. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] REMOVE PRIVILEGE + ON DBMS + TO role[, ...] 
+| Enables the specified roles to remove privileges using the `REVOKE` command. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] PRIVILEGE MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to list, assign, and remove privileges. +|=== + +== Grant privilege to list privileges + +You can grant the `SHOW PRIVILEGE` privilege to allow a user to list privileges using the `SHOW PRIVILEGE`, `SHOW ROLE roleName PRIVILEGES`, and `SHOW USER username PRIVILEGES` administration commands. +The `SHOW USER username PRIVILEGES` command also requires the `SHOW USER` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SHOW PRIVILEGE ON DBMS TO privilegeViewer; +---- + +As a result, the `privilegeViewer` role has privileges that only allow showing privileges. +To list all privileges for the role `privilegeViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE privilegeViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW PRIVILEGE ON DBMS TO `privilegeViewer`" +a|Rows: 1 +|=== + +[NOTE] +==== +No specific privileges are required for showing the current user's privileges through the `SHOW USER _username_ PRIVILEGES` or `SHOW USER PRIVILEGES` commands. + +If a non-native auth provider like LDAP is in use, `SHOW USER PRIVILEGES` will only work with a limited capacity by making it only possible for a user to show their own privileges. +Other users' privileges cannot be listed when using a non-native auth provider. +==== + +== Grant privilege to assign privileges + +You can grant the privilege to assign privileges using the `ASSIGN PRIVILEGE` privilege. + +A user with this privilege is allowed to execute `GRANT` and `DENY` administration commands. 
+ +For example: + +[source, cypher, role=noplay] +---- +GRANT ASSIGN PRIVILEGE ON DBMS TO privilegeAssigner; +---- + +As a result, the `privilegeAssigner` role has privileges that only allow assigning privileges. +To list all privileges for the role `privilegeAssigner` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE privilegeAssigner PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ASSIGN PRIVILEGE ON DBMS TO `privilegeAssigner`" +a|Rows: 1 +|=== + +== Grant privilege to remove privileges + +You can grant the privilege to remove privileges from roles using the `REMOVE PRIVILEGE` privilege. + +A user with this privilege is allowed to execute `REVOKE` administration commands. + +For example: + +[source, cypher, role=noplay] +---- +GRANT REMOVE PRIVILEGE ON DBMS TO privilegeRemover; +---- + +As a result, the `privilegeRemover` role has privileges that only allow removing privileges. +To list all privileges for the role `privilegeRemover` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE privilegeRemover PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT REMOVE PRIVILEGE ON DBMS TO `privilegeRemover`" +a|Rows: 1 +|=== + +== Grant privilege to manage privileges + +You can grant the privilege to list, assign, and remove privileges using the `PRIVILEGE MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT PRIVILEGE MANAGEMENT ON DBMS TO privilegeManager; +---- + +As a result, the `privilegeManager` role has all privileges to manage privileges. 
+To list all privileges for the role `privilegeManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE privilegeManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT PRIVILEGE MANAGEMENT ON DBMS TO `privilegeManager`" +a|Rows: 1 +|=== diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc new file mode 100644 index 000000000..7dc60475d --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc 
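Review bot: the `ASSIGN PRIVILEGE` and `REMOVE PRIVILEGE` sections say only that the holder "is allowed to execute `GRANT` and `DENY` administration commands" and "`REVOKE` administration commands", without saying whether any restriction applies, for example whether the holder can grant privileges it does not hold itself or to roles it is itself assigned; because that decides whether these are effectively administrator-equivalent privileges, state it explicitly in the table row or the section so readers can size the grant correctly. Separately, the hidden `test-setup` block at the top creates user `jake` and some sixty roles of which only `privilegeViewer`, `privilegeAssigner`, `privilegeRemover` and `privilegeManager` appear on this page, and the identical block is pasted into every new per-topic page; trim it to the roles each page uses or move it to a shared include so the fixture cannot drift from the content. Finally, in "Grant privilege to list privileges" the privilege and the command are both written `SHOW PRIVILEGE`, so the sentence reads as if the privilege grants itself; write the command form the way the rest of the page does (for example `SHOW ... PRIVILEGES AS COMMANDS`) to keep the two apart.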
@@ -0,0 +1,316 @@ +:description: Details the DBMS privileges for role management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-role-management-privileges]] += The DBMS `ROLE MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; 
+CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for role management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Role management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] CREATE ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to create new roles. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] RENAME ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to change the name of roles. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DROP ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to delete roles. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ASSIGN ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to assign roles to users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] REMOVE ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to remove roles from users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW ROLE + ON DBMS + TO role[, ...] +| Enables the specified roles to list roles. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ROLE MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to create, delete, assign, remove, and list roles. + +|=== + +== Grant privilege to create roles + +You can grant the privilege to add roles using the `CREATE ROLE` command. + +For example: + +[source, cypher, role=noplay] +---- +GRANT CREATE ROLE ON DBMS TO roleAdder; +---- + +As a result, the `roleAdder` role has privileges that only allow adding roles. +To list all privileges for the role `roleAdder` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleAdder PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT CREATE ROLE ON DBMS TO `roleAdder`" +a|Rows: 1 +|=== + +== Grant privilege to rename roles + +You can grant the privilege to rename roles using the `RENAME ROLE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT RENAME ROLE ON DBMS TO roleNameModifier; +---- + +As a result, the `roleNameModifier` role has privileges that only allow renaming roles. 
+To list all privileges for the role `roleNameModifier`, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleNameModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT RENAME ROLE ON DBMS TO `roleNameModifier`" +a|Rows: 1 +|=== + +== Grant privilege to delete roles + +You can grant the privilege to delete roles using the `DROP ROLE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT DROP ROLE ON DBMS TO roleDropper; +---- + +As a result, the `roleDropper` role has privileges that only allow deleting roles. +To list all privileges for the role `roleDropper`, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleDropper PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DROP ROLE ON DBMS TO `roleDropper`" +a|Rows: 1 +|=== + +== Grant privilege to assign roles + +You can grant the privilege to assign roles to users using the `ASSIGN ROLE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ASSIGN ROLE ON DBMS TO roleAssigner; +---- + +As a result, the `roleAssigner` role has privileges that only allow assigning/granting roles. +To list all privileges for the role `roleAssigner` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleAssigner PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ASSIGN ROLE ON DBMS TO `roleAssigner`" +a|Rows: 1 +|=== + +== Grant privilege to remove roles + +You can grant the privilege to remove roles from users using the `REMOVE ROLE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT REMOVE ROLE ON DBMS TO roleRemover; +---- + +As a result, the `roleRemover` role has privileges that only allow removing/revoking roles. 
+To list all privileges for the role `roleRemover` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleRemover PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT REMOVE ROLE ON DBMS TO `roleRemover`" +a|Rows: 1 +|=== + +== Grant privilege to show roles + +You can grant the privilege to show roles using the `SHOW ROLE` privilege. +A role with this privilege is allowed to execute the `SHOW ROLES` and `SHOW POPULATED ROLES` administration commands. + +[NOTE] +==== +In order to use `SHOW ROLES WITH USERS` and `SHOW POPULATED ROLES WITH USERS` administration commands, both the `SHOW ROLE` and the `SHOW USER` privileges are required. +==== + +The following query shows an example of how to grant the `SHOW ROLE` privilege: + +[source, cypher, role=noplay] +---- +GRANT SHOW ROLE ON DBMS TO roleViewer; +---- + +As a result, the `roleViewer` role has privileges that only allow showing roles. +To list all privileges for the role `roleViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW ROLE ON DBMS TO `roleViewer`" +a|Rows: 1 +|=== + +== Grant privilege to manage roles + +You can grant the privilege to create, rename, delete, assign, remove, and list roles using the `ROLE MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ROLE MANAGEMENT ON DBMS TO roleManager; +---- + +As a result, the `roleManager` role has all privileges to manage roles. 
+To list all privileges for the role `roleManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE roleManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ROLE MANAGEMENT ON DBMS TO `roleManager`" +a|Rows: 1 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc new file mode 100644 index 000000000..1a6c3aea2 --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc 
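Review bot: the `ROLE MANAGEMENT` row of the syntax table says it enables roles to "create, delete, assign, remove, and list roles", while the "Grant privilege to manage roles" section says "create, rename, delete, assign, remove, and list roles"; since `RENAME ROLE` has its own row, add "rename" to the table description so the two agree on what the compound privilege covers. In "Grant privilege to create roles", "using the `CREATE ROLE` command" should read "using the `CREATE ROLE` privilege" as in every sibling section; the command is what the privilege permits, not the thing being granted. The "use the following query" sentences for `roleNameModifier` and `roleDropper` drop the "as commands" wording that the other sections use, and the file ends without a trailing newline (`\ No newline at end of file`); the same duplicated `test-setup` fixture noted on the privilege-management page is repeated here.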
@@ -0,0 +1,149 @@ +:description: Details the DBMS privileges for server management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-server-management-privileges]] += The DBMS `SERVER MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT 
EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for server management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Server management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SERVER MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to show, enable, rename, alter, reallocate, deallocate, and drop servers. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW SERVERS + ON DBMS + TO role[, ...] +| Enables the specified roles to show servers. 
+|=== + +== Grant privilege to manage servers + +You can grant the privilege to show, enable, rename, alter, reallocate, deallocate, and drop servers using the `SERVER MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SERVER MANAGEMENT ON DBMS TO serverManager; +---- + +As a result, the `serverManager` role has all privileges to manage servers. +To list all privileges for the role `serverManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE serverManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SERVER MANAGEMENT ON DBMS TO `serverManager`" +a|Rows: 1 +|=== + + +== Grant privilege to show servers + +You can grant the privilege to show servers using the `SHOW SERVERS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SHOW SERVERS ON DBMS TO serverViewer; +---- + +As a result, the `serverViewer` role has privileges that only allow showing servers. +To list all privileges for the role `serverViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE serverViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW SERVERS ON DBMS TO `serverViewer`" +a|Rows: 1 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-setting-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-setting-privileges.adoc new file mode 100644 index 000000000..a98f84545 --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-setting-privileges.adoc 
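Review bot: in the syntax table the compound `SERVER MANAGEMENT` privilege is listed before `SHOW SERVERS`, whereas every other new page lists the single-action privileges first and the `... MANAGEMENT` privilege last; swap the two rows (and the two sections that follow) so the pages read the same way and the narrower `SHOW SERVERS` grant is the one a reader meets first. There is a stray extra blank line before "== Grant privilege to show servers", the file lacks its trailing newline (`\ No newline at end of file`), and the `test-setup` block again creates all sixty-odd roles although only `serverManager` and `serverViewer` are used here.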
@@ -0,0 +1,154 @@ +:description: Details the DBMS privileges for viewing configuration settings. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-setting-privileges]] += The DBMS `SETTING` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; 
+CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +You can grant the privilege to show configuration settings using the `SHOW SETTING` privilege. +A role with this privilege is allowed to list the configuration settings matched by the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[name-globbing]. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.Setting privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command +| Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW SETTING[S] name-globbing[, ...] + ON DBMS + TO role[, ...] +| Enables the specified roles to list given configuration settings. 
+|=== + +== Grant privilege to show all settings + +You can grant the privilege to show all settings using `SHOW SETTING \*` or all settings in a namespace using `SHOW SETTING namespace.*`. +The following query shows an example of how to grant `SHOW SETTING` privilege to view all settings in the `server.bolt` namespace: + +[source, cypher, role=noplay] +---- +GRANT SHOW SETTING server.bolt.* ON DBMS TO configurationViewer; +---- + +Users with the role `configurationViewer` can then view any setting in the `server.bolt` namespace. + +As a result, the `configurationViewer` role has privileges that only allow listing settings in the `server.bolt` namespace. +To list all privileges for the role `configurationViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE configurationViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW SETTING server.bolt.* ON DBMS TO `configurationViewer`" +a|Rows: 1 +|=== + +== Grant privilege to show all but some settings + +You can grant the privilege to show all but a few settings using `SHOW SETTINGS *` and deny the unwanted settings. + +For example, the following queries allow you to view all settings, except those starting with `dbms.security`: + +[source, cypher, role=noplay] +---- +GRANT SHOW SETTINGS * ON DBMS TO deniedConfigurationViewer; +---- + +[source, cypher, role=noplay] +---- +DENY SHOW SETTING dbms.security* ON DBMS TO deniedConfigurationViewer; +---- + +As a result, the `deniedConfigurationViewer` role has privileges that allow listing all settings except those starting with `dbms.security`. 
+To list all privileges for the role `deniedConfigurationViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE deniedConfigurationViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"DENY SHOW SETTING dbms.security* ON DBMS TO `deniedConfigurationViewer`" +|"GRANT SHOW SETTING * ON DBMS TO `deniedConfigurationViewer`" +a|Rows: 2 +|=== + +As the query result shows, viewing settings starting with `dbms.security` is blocked, but the rest can still be listed. \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc new file mode 100644 index 000000000..b73bcbdc1 --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc 
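Review bot: the section "Grant privilege to show all settings" never shows the grant its heading promises; its only example is `GRANT SHOW SETTING server.bolt.* ON DBMS TO configurationViewer`, which is the namespace case, so either add the `SHOW SETTING *` example or retitle the section. The two glob forms used on the page differ in meaning and that is worth one sentence: `server.bolt.*` matches names inside the `server.bolt` namespace, while `dbms.security*` (no dot) matches any setting name beginning with that string, which is what the prose "starting with `dbms.security`" relies on. The asterisk is escaped in one span (`SHOW SETTING \*`) but not in `SHOW SETTING namespace.*` or `SHOW SETTINGS *`; check that all three render as a literal `*`. The header row of the syntax table is split over two lines unlike the other pages, and the file ends without a trailing newline.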
@@ -0,0 +1,443 @@ +:description: Details the DBMS privileges for user management. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +[[dbms-user-management-privileges]] += The DBMS `USER MANAGEMENT` privileges + +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; 
+CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +The DBMS privileges for user management can be granted, denied, or revoked like other privileges. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +.User management privileges command syntax +[options="header", width="100%", cols="3a,2"] +|=== +| Command | Description + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] CREATE USER + ON DBMS + TO role[, ...] +| Enables the specified roles to create new users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] RENAME USER + ON DBMS + TO role[, ...] +| Enables the specified roles to change the name of users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] ALTER USER + ON DBMS + TO role[, ...] +| Enables the specified roles to modify users. 
+ +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET PASSWORD[S] + ON DBMS + TO role[, ...] +| Enables the specified roles to modify users' passwords and whether those passwords must be changed upon first login. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET AUTH + ON DBMS + TO role[, ...] +| Enables the specified roles to `SET` or `REMOVE` users' xref:authentication-authorization/auth-providers.adoc[auth providers]. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET USER HOME DATABASE + ON DBMS + TO role[, ...] +| Enables the specified roles to modify users' home database. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SET USER STATUS + ON DBMS + TO role[, ...] +| Enables the specified roles to modify the account status of users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] DROP USER + ON DBMS + TO role[, ...] +| Enables the specified roles to delete users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] SHOW USER + ON DBMS + TO role[, ...] +| Enables the specified roles to list users. + +| [source, syntax, role=noheader] +GRANT [IMMUTABLE] USER MANAGEMENT + ON DBMS + TO role[, ...] +| Enables the specified roles to create, delete, modify, and list users. + +|=== + +[[grant-create-user-privilege]] +== Grant privilege to create users + +You can grant the privilege to add users using the `CREATE USER` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT CREATE USER ON DBMS TO userAdder +---- + +As a result, the `userAdder` role has privileges that only allow adding users. 
+To list all privileges for the role `userAdder` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userAdder PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT CREATE USER ON DBMS TO `userAdder`" +a|Rows: 1 +|=== + +== Grant privilege to rename users + +You can grant the privilege to rename users using the `RENAME USER` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT RENAME USER ON DBMS TO userNameModifier +---- + +As a result, the `userNameModifier` role has privileges that only allow renaming users. +To list all privileges for the role `userNameModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userNameModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT RENAME USER ON DBMS TO `userNameModifier`" +a|Rows: 1 +|=== + +== Grant privilege to modify users + +You can grant the privilege to modify users using the `ALTER USER` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT ALTER USER ON DBMS TO userModifier +---- + +As a result, the `userModifier` role has privileges that only allow modifying users. +To list all privileges for the role `userModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALTER USER ON DBMS TO `userModifier`" +a|Rows: 1 +|=== + + +The `ALTER USER` privilege allows the user to run the `ALTER USER` administration command with one or several of the `SET PASSWORD`, `SET PASSWORD CHANGE [NOT] REQUIRED`, `SET AUTH`, `REMOVE AUTH`, `SET STATUS`, `SET HOME DATABASE`, and `REMOVE HOME DATABASE` parts. 
+ +For example: + +[source, cypher, role=noplay] +---- +ALTER USER jake SET PASSWORD 'verysecret' SET STATUS SUSPENDED +---- + +[NOTE] +==== +Note that the combination of the `SET PASSWORDS`, `SET AUTH`, `SET USER STATUS`, and `SET USER HOME DATABASE` privileges is equivalent to the `ALTER USER` privilege. +==== + +== Grant privilege to modify users' passwords + +You can grant the privilege to modify users' passwords and whether those passwords must be changed upon first login using the `SET PASSWORDS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SET PASSWORDS ON DBMS TO passwordModifier +---- + +As a result, the `passwordModifier` role has privileges that only allow modifying users' passwords and whether those passwords must be changed upon first login. +To list all privileges for the role `passwordModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE passwordModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SET PASSWORD ON DBMS TO `passwordModifier`" +a|Rows: 1 +|=== + +The `SET PASSWORDS` privilege allows the user to run the `ALTER USER` administration command with one or both of the `SET PASSWORD` and `SET PASSWORD CHANGE [NOT] REQUIRED` parts. + +[source, cypher, role=noplay] +---- +ALTER USER jake SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED +---- + +== Grant privilege to modify users' auth information + +You can grant the privilege to modify users' auth information using the `SET AUTH` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SET AUTH ON DBMS TO authModifier +---- +As a result, the `authModifier` role has privileges that only allow modifying users' auth information. + +The `SET AUTH` privilege allows the user to run the `ALTER USER` administration command with one or both of the `SET +AUTH` and `REMOVE AUTH` parts. 
+ +For example: + +[source, cypher, role=noplay] +---- +ALTER USER jake REMOVE AUTH 'native' SET AUTH 'oidc-okta' { SET id 'jakesUniqueOktaUserId' } +---- + +== Grant privilege to modify the account status of users + +You can grant the privilege to modify the account status of users using the `SET USER STATUS` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SET USER STATUS ON DBMS TO statusModifier +---- + +As a result, the `statusModifier` role has privileges that only allow modifying the account status of users. +To list all privileges for the role `statusModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE statusModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SET USER STATUS ON DBMS TO `statusModifier`" +a|Rows: 1 +|=== + +The `SET USER STATUS` privilege allows the user to run the `ALTER USER` administration command with only the `SET STATUS` part: + +[source, cypher, role=noplay] +---- +ALTER USER jake SET STATUS ACTIVE +---- + +== Grant privilege to modify the home database of users + +You can grant the privilege to modify the home database of users using the `SET USER HOME DATABASE` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SET USER HOME DATABASE ON DBMS TO homeDbModifier +---- + +As a result, the `homeDbModifier` role has privileges that only allow modifying the home database of users. 
+To list all privileges for the role `homeDbModifier` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE homeDbModifier PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SET USER HOME DATABASE ON DBMS TO `homeDbModifier`" +|"GRANT SET USER STATUS ON DBMS TO `homeDbModifier`" +a|Rows: 2 +|=== + +The `SET USER HOME DATABASE` privilege allows the user to run the `ALTER USER` administration command with only the `SET HOME DATABASE` or `REMOVE HOME DATABASE` part: + +[source, cypher, role=noplay] +---- +ALTER USER jake SET HOME DATABASE otherDb +---- + +[source, cypher, role=noplay] +---- +ALTER USER jake REMOVE HOME DATABASE +---- + +[[grant-delete-user-privilege]] +== Grant privilege to delete users + +You can grant the privilege to delete users using the `DROP USER` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT DROP USER ON DBMS TO userDropper +---- + +As a result, the `userDropper` role has privileges that only allow deleting users. +To list all privileges for the role `userDropper` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userDropper PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT DROP USER ON DBMS TO `userDropper`" +a|Rows: 1 +|=== + + +== Grant privilege to show users + +You can grant the privilege to show users using the `SHOW USER` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT SHOW USER ON DBMS TO userViewer +---- + +As a result, the `userViewer` role has privileges that only allow showing users. 
+To list all privileges for the role `userViewer` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userViewer PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW USER ON DBMS TO `userViewer`" +a|Rows: 1 +|=== + +== Grant privilege to manage users + +You can grant the privilege to create, rename, modify, delete, and list users using the `USER MANAGEMENT` privilege. + +For example: + +[source, cypher, role=noplay] +---- +GRANT USER MANAGEMENT ON DBMS TO userManager +---- + +As a result, the `userManager` role has all privileges to manage users. +To list all privileges for the role `userManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE userManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW USER ON DBMS TO `userManager`" +a|Rows: 1 +|=== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/dbms-administration/index.adoc b/modules/ROOT/pages/authentication-authorization/dbms-administration/index.adoc new file mode 100644 index 000000000..51b4046aa --- /dev/null +++ b/modules/ROOT/pages/authentication-authorization/dbms-administration/index.adoc 
@@ -0,0 +1,213 @@ +:description: How to use Cypher to manage Neo4j DBMS administrative privileges. +:page-role: enterprise-edition aura-db-business-critical aura-db-dedicated +//// +[source, cypher, role=test-setup] +---- +CREATE USER jake SET PASSWORD 'abcd1234' CHANGE NOT REQUIRED; +CREATE ROLE roleAdder IF NOT EXISTS; +CREATE ROLE roleNameModifier IF NOT EXISTS; +CREATE ROLE roleDropper IF NOT EXISTS; +CREATE ROLE roleAssigner IF NOT EXISTS; +CREATE ROLE roleRemover IF NOT EXISTS; +CREATE ROLE roleViewer IF NOT EXISTS; +CREATE ROLE roleManager IF NOT EXISTS; +CREATE ROLE userAdder IF NOT EXISTS; +CREATE ROLE userNameModifier IF NOT EXISTS; +CREATE ROLE userModifier IF NOT EXISTS; +CREATE ROLE userDropper IF NOT EXISTS; +CREATE ROLE userViewer IF NOT EXISTS; +CREATE ROLE userManager IF NOT EXISTS; +CREATE ROLE userImpersonator IF NOT EXISTS; +CREATE ROLE allUserImpersonator IF NOT EXISTS; +CREATE ROLE authModifier IF NOT EXISTS; +CREATE ROLE passwordModifier IF NOT EXISTS; +CREATE ROLE statusModifier IF NOT EXISTS; +CREATE ROLE homeDbModifier IF NOT EXISTS; +CREATE ROLE databaseAdder IF NOT EXISTS; +CREATE ROLE compositeDatabaseAdder IF NOT EXISTS; +CREATE ROLE databaseDropper IF NOT EXISTS; +CREATE ROLE compositeDatabaseDropper IF NOT EXISTS; +CREATE ROLE databaseModifier IF NOT EXISTS; +CREATE ROLE accessModifier IF NOT EXISTS; +CREATE ROLE languageModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseModifier IF NOT EXISTS; +CREATE ROLE compositeDatabaseManager IF NOT EXISTS; +CREATE ROLE databaseManager IF NOT EXISTS; +CREATE ROLE aliasAdder IF NOT EXISTS; +CREATE ROLE aliasDropper IF NOT EXISTS; +CREATE ROLE aliasModifier IF NOT EXISTS; +CREATE ROLE aliasViewer IF NOT EXISTS; +CREATE ROLE aliasManager IF NOT EXISTS; +CREATE ROLE privilegeViewer IF NOT EXISTS; +CREATE ROLE privilegeAssigner IF NOT EXISTS; +CREATE ROLE privilegeRemover IF NOT EXISTS; +CREATE ROLE privilegeManager IF NOT EXISTS; +CREATE ROLE procedureExecutor IF NOT EXISTS; +CREATE ROLE 
deniedProcedureExecutor IF NOT EXISTS; +CREATE ROLE boostedProcedureExecutor IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor1 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor2 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor3 IF NOT EXISTS; +CREATE ROLE deniedBoostedProcedureExecutor4 IF NOT EXISTS; +CREATE ROLE adminProcedureExecutor IF NOT EXISTS; +CREATE ROLE functionExecutor IF NOT EXISTS; +CREATE ROLE deniedFunctionExecutor IF NOT EXISTS; +CREATE ROLE boostedFunctionExecutor IF NOT EXISTS; +CREATE ROLE globbing1 IF NOT EXISTS; +CREATE ROLE globbing2 IF NOT EXISTS; +CREATE ROLE globbing3 IF NOT EXISTS; +CREATE ROLE globbing4 IF NOT EXISTS; +CREATE ROLE globbing5 IF NOT EXISTS; +CREATE ROLE globbing6 IF NOT EXISTS; +CREATE ROLE dbmsManager IF NOT EXISTS; +CREATE ROLE configurationViewer IF NOT EXISTS; +CREATE ROLE deniedConfigurationViewer IF NOT EXISTS; +CREATE ROLE serverManager IF NOT EXISTS; +CREATE ROLE serverViewer IF NOT EXISTS; +---- +//// + +[[access-control-dbms-administration]] += DBMS privileges + +All DBMS privileges are relevant system-wide. +Like user management, they do not belong to one specific database or graph. +For more details on the differences between graphs, databases, and the DBMS, refer to link:{neo4j-docs-base-uri}/cypher-manual/current/introduction/cypher-neo4j/[Cypher Manual -> Cypher and Neo4j]. + +image::privileges-grant-and-deny-syntax-dbms-privileges.svg[width="800", title="Syntax of `GRANT` and `DENY` DBMS privileges"] + +image::privileges-hierarchy-dbms.svg[width="800", title="DBMS privileges hierarchy", role=popup] + +[NOTE] +==== +You can only grant, deny, or revoke privileges to or from existing roles. +==== + +[[access-control-dbms-administration-all]] +== Granting `ALL DBMS PRIVILEGES` + +You can grant the `ALL DBMS PRIVILEGES` privilege to a role. + +The `ALL DBMS PRIVILEGES` privilege is equivalent to granting the following privileges: + +* Create, drop, assign, remove, and show roles. 
+* Create, alter, drop, show, and impersonate users. +* Create, alter, drop, and show databases and aliases. +* Enable, alter, rename, reallocate, deallocate, drop, and show servers. +* Show, assign, and remove privileges. +* Execute all procedures with elevated privileges. +* Execute all user-defined functions with elevated privileges. +* Show all configuration settings. + +[NOTE] +==== +For more details about the syntax descriptions, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax]. +==== + +[source, syntax, role=noheader] +---- +GRANT [IMMUTABLE] ALL [[DBMS] PRIVILEGES] + ON DBMS + TO role[, ...] +---- + +For example, to grant the role `dbmsManager` all DBMS abilities, use the following query: + +[source, cypher, role=noplay] +---- +GRANT ALL DBMS PRIVILEGES ON DBMS TO dbmsManager; +---- + +To list all privileges for the role `dbmsManager` as commands, use the following query: + +[source, cypher, role=noplay] +---- +SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS; +---- + +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT ALL DBMS PRIVILEGES ON DBMS TO `dbmsManager`" +a|Rows: 1 +|=== + +[[access-control-name-globbing]] +== Name-globbing for procedures, user-defined functions, and settings + +The name-globbing for procedures, user-defined functions, and setting names is a simplified version of globbing for filename expansions. +It only allows two wildcard characters: `+*+` and `?`, which are used for multiple and single-character matches. +In this case, `+*+` means 0 or more characters, and `?` matches exactly one character. + +[NOTE] +==== +The name-globbing is subject to the link:{neo4j-docs-base-uri}/cypher-manual/current/syntax/naming/[Cypher Manual -> Naming rules and recommendations], with the exception that it may include dots, stars, and question marks without the need for escaping using backticks. 
+ +Each part of the name-globbing separated by dots may be individually quoted. +For example, `++mine.`procedureWith%`++` is allowed, but not `++mine.procedure`With%`++`. +Also, note that wildcard characters behave as wildcards even when quoted. +For example, using `++`*`++` is equivalent to using `+*+`, and thus allows executing all functions or procedures and not only the procedure or function named `+*+`. +==== + +Given the following list of procedures: + +* `mine.public.exampleProcedure` +* `mine.public.exampleProcedure1` +* `mine.public.exampleProcedure2` +* `mine.public.with#Special§Characters` +* `mine.private.exampleProcedure` +* `mine.private.exampleProcedure1` +* `mine.private.exampleProcedure2` +* `mine.private.with#Special§Characters` +* `your.exampleProcedure` + +The following examples demonstrate how name-globbing patterns can be used in controlling access to procedures. +Note that the same rules apply to user-defined functions and settings. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1; +---- + +Users with the role `globbing1` can run all the procedures. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2; +---- + +Users with the role `globbing2` can run procedures `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but no other procedures. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3; +---- + +Users with the role `globbing3` can run procedures `mine.public.exampleProcedure1`, `mine.private.exampleProcedure1`, and `mine.private.exampleProcedure2`, but no other procedures. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4; +---- + +Users with the role `globbing4` can run procedures `your.exampleProcedure`, `mine.public.exampleProcedure`, and `mine.private.exampleProcedure`, but no other procedures. 
+ +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5; +---- + +Users with the role `globbing5` can run procedures `mine.public.exampleProcedure`, `mine.public.exampleProcedure1` and `mine.public.exampleProcedure42`, but no other procedures. + +[source, cypher, role=noplay] +---- +GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6; +---- + +Users with the role `globbing6` can run procedures `mine.public.with#Special§Characters`, and `mine.private.with#Special§Characters`, but no other procedures. + +[NOTE] +==== +The name-globbing may be fully or partially quoted. +Both `+*+` and `+?+` are interpreted as wildcards in both cases. +==== \ No newline at end of file diff --git a/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc b/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc index 20b37a3a4..8703d26dd 100644 --- a/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc +++ b/modules/ROOT/pages/authentication-authorization/immutable-roles-privileges.adoc @@ -4,7 +4,7 @@ :description: This section explains how to use Cypher to manage immutable roles and privileges. -Immutable privileges are useful for restricting the actions of users who can themselves administer xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[privileges]. +Immutable privileges are useful for restricting the actions of users who can themselves administer xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[privileges]. Starting with Neo4j 5.26, Neo4j also introduces immutable roles. Immutable roles are useful for providing _system roles_, which appear as permanent parts of the DBMS. 
@@ -38,8 +38,8 @@ The following examples demonstrate how to use Cypher to manage immutable roles a === Restricting the actions of users who can manage privileges -To prevent all users (including those with `PRIVILEGE MANAGEMENT` privileges) from performing *database management*, attach an immutable privilege to the `PUBLIC` role. -The `PUBLIC` role implicitly and irrevocably applies to all users. +To prevent all users (including those with `PRIVILEGE MANAGEMENT` privileges) from performing *database management*, attach an immutable privilege to the `PUBLIC` role. +The `PUBLIC` role implicitly and irrevocably applies to all users. . Ensure that you have completed steps 1 and 2 from <>. . Run the following command to deny the `IMMUTABLE DATABASE MANAGEMENT` privilege to the `PUBLIC` role: @@ -83,7 +83,7 @@ The result shows that all users are restricted from adding or removing privilege === Creating permanent roles that cannot be changed -You can use immutable roles to create permanent built-in system roles that cannot be modified even by users who have xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[`ROLE MANAGEMENT` privileges]. +You can use immutable roles to create permanent built-in system roles that cannot be modified even by users who have xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[`ROLE MANAGEMENT` privileges]. For example, you want to create an `analyst` role that cannot be dropped, renamed, or have any of its privileges changed (even by users with the `ROLE MANAGEMENT` and `PRIVILEGE MANAGEMENT` privileges). diff --git a/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc b/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc index f21e47852..b561dc4c1 100644 --- a/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc 
+++ b/modules/ROOT/pages/authentication-authorization/manage-execute-permissions.adoc @@ -22,12 +22,12 @@ Please refer to link:{neo4j-docs-base-uri}/java-reference/{page-version}/extendi [[auth-manage-procedure-permissions]] == Manage procedure permissions -Procedure permissions can be managed using the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-execute[native execute privileges]. +Procedure permissions can be managed using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[native execute privileges]. These control whether the user is allowed to execute a procedure and which set of privileges apply during the execution. -A procedure may be run using the xref:authentication-authorization/dbms-administration.adoc#access-control-execute-procedure[`EXECUTE PROCEDURE` privilege]. +A procedure may be run using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-procedure[`EXECUTE PROCEDURE` privilege]. -This allows the user to execute procedures that match the xref:authentication-authorization/dbms-administration.adoc#access-control-name-globbing[globbed procedures]. +This allows the user to execute procedures that match the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[globbed procedures]. .Grant privilege to execute a procedure ==== 
@@ -48,7 +48,7 @@ GRANT TRAVERSE ON GRAPH * RELATIONSHIP R1 TO role When calling the `db.schema.visualization` procedure, the user will only see the `A` and `B` nodes and `R1` relationships, even though there might exist other nodes and relationships. ==== -A procedure may also be executed with elevated privileges using the xref:authentication-authorization/dbms-administration.adoc#access-control-execute-boosted-procedure[`EXECUTE BOOSTED PROCEDURE` privilege]. +A procedure may also be executed with elevated privileges using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-boosted-procedure[`EXECUTE BOOSTED PROCEDURE` privilege]. [NOTE] -- 
@@ -74,12 +74,12 @@ When calling the `db.schema.visualization` procedure, the user will see all node [[auth-manage-function-permissions]] == Manage user-defined function permissions -User-defined function permissions can be managed using the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-execute[native execute privileges]. +User-defined function permissions can be managed using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[native execute privileges]. These control if the user is both allowed to execute a user-defined function and which set of privileges apply during the execution. -A user-defined function may be executed using the xref:authentication-authorization/dbms-administration.adoc#access-control-execute-user-defined-function[`EXECUTE USER DEFINED FUNCTION` privilege]. +A user-defined function may be executed using the xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-user-defined-function[`EXECUTE USER DEFINED FUNCTION` privilege]. -This allows the user to execute user-defined functions that match the xref:authentication-authorization/dbms-administration.adoc#access-control-name-globbing[globbed user-defined function]. +This allows the user to execute user-defined functions that match the xref:authentication-authorization/dbms-administration/index.adoc#access-control-name-globbing[globbed user-defined function]. .Grant privilege to execute a user-defined function ==== 
@@ -100,7 +100,7 @@ When calling the user-defined function `MATCH (a:A) RETURN apoc.any.properties(a ==== A user-defined function may also be executed with elevated privileges using the -xref:authentication-authorization/dbms-administration.adoc#access-control-execute-boosted-user-defined-function[`EXECUTE BOOSTED USER DEFINED FUNCTION` privilege]. +xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc#access-control-execute-boosted-user-defined-function[`EXECUTE BOOSTED USER DEFINED FUNCTION` privilege]. [NOTE] -- diff --git a/modules/ROOT/pages/authentication-authorization/manage-roles.adoc b/modules/ROOT/pages/authentication-authorization/manage-roles.adoc index 2d0226f04..ebfa27327 100644 --- a/modules/ROOT/pages/authentication-authorization/manage-roles.adoc +++ b/modules/ROOT/pages/authentication-authorization/manage-roles.adoc @@ -62,7 +62,7 @@ GRANT SHOW ROLE ---- -See xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +See xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== @@ -97,14 +97,14 @@ a| GRANT SHOW ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. [source, privilege, role="noheader"] ---- GRANT SHOW USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== 
@@ -140,7 +140,7 @@ a| GRANT SHOW PRIVILEGE ---- -See xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[DBMS PRIVILEGE MANAGEMENT privileges]. +See xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[DBMS PRIVILEGE MANAGEMENT privileges]. |=== @@ -172,7 +172,7 @@ a| GRANT CREATE ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== @@ -206,7 +206,7 @@ GRANT CREATE ROLE GRANT DROP ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== @@ -237,7 +237,7 @@ a| GRANT RENAME ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== @@ -268,7 +268,7 @@ a| GRANT DROP ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== 
@@ -299,7 +299,7 @@ a| GRANT ASSIGN ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== @@ -330,7 +330,7 @@ a| GRANT REMOVE ROLE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[DBMS ROLE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[DBMS ROLE MANAGEMENT privileges]. |=== @@ -590,7 +590,7 @@ Immutable roles are those that cannot be modified in the usual way. This means they cannot be created, renamed, dropped, or have privileges granted to or revoked from them under normal operating conditions. See xref:authentication-authorization/immutable-roles-privileges.adoc[Immutable roles and privileges] for details of when and how the `IMMUTABLE` keyword may be used. -They are useful in cases where you need a permanent built-in system role that cannot be modified even by users who have xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-role-management[`ROLE MANAGEMENT` privileges] but yet can be granted to and revoked from users in the same way as an ordinary role. +They are useful in cases where you need a permanent built-in system role that cannot be modified even by users who have xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc[`ROLE MANAGEMENT` privileges] but yet can be granted to and revoked from users in the same way as an ordinary role. [[access-control-rename-roles]] 
@@ -746,7 +746,7 @@ SHOW USERS Common errors, such as attempts to grant roles to users who have already been granted those roles, will lead to notifications. Some of these notifications may be replaced with errors in a future major version of Neo4j. -See link:{neo4j-docs-base-uri}/status-codes/{page-version}/notifications/all-notifications[Status Codes -> Notification codes] for details on notifications. +See link:https://neo4j.com/docs/status-codes/current/notifications/all-notifications/[Status Codes for Errors & Notifications -> List of notification codes] for details on notifications. [[access-control-revoke-roles]] == Revoking roles from users diff --git a/modules/ROOT/pages/authentication-authorization/manage-users.adoc b/modules/ROOT/pages/authentication-authorization/manage-users.adoc index b673fccdb..3918d5dc2 100644 --- a/modules/ROOT/pages/authentication-authorization/manage-users.adoc +++ b/modules/ROOT/pages/authentication-authorization/manage-users.adoc @@ -92,7 +92,7 @@ a| GRANT SHOW USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== 
@@ -127,14 +127,14 @@ a| GRANT SHOW PRIVILEGE ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[DBMS PRIVILEGE MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-privilege-management-privileges.adoc[DBMS PRIVILEGE MANAGEMENT privileges]. [source, privilege, role="noheader"] ---- GRANT SHOW USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== @@ -185,7 +185,7 @@ a| GRANT CREATE USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc#grant-create-user-privilege[Grant privilege to create users]. |=== @@ -235,7 +235,7 @@ a| GRANT CREATE USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc#grant-create-user-privilege[Grant privilege to create users]. [source, privilege, role="noheader"] 
@@ -243,7 +243,7 @@ For more information, see xref:authentication-authorization/dbms-administration. GRANT DROP USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc#grant-delete-user-privilege[Grant privilege to delete users]. |=== @@ -272,7 +272,7 @@ a| GRANT RENAME USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== @@ -338,7 +338,7 @@ GRANT SET USER HOME DATABASE GRANT SET AUTH ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[DBMS USER MANAGEMENT privileges]. |=== @@ -394,7 +394,7 @@ a| GRANT DROP USER ---- -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[DBMS USER MANAGEMENT privileges]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc#grant-delete-user-privilege[Grant privilege to delete users]. |=== diff --git a/modules/ROOT/pages/clustering/server-syntax.adoc b/modules/ROOT/pages/clustering/server-syntax.adoc index a3f7d6eac..0f5cb553d 100644 --- a/modules/ROOT/pages/clustering/server-syntax.adoc +++ b/modules/ROOT/pages/clustering/server-syntax.adoc 
@@ -37,7 +37,7 @@ For more information see xref:clustering/servers.adoc#server-enabled-state[Enabl | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== @@ -65,7 +65,7 @@ For more information see xref:clustering/servers.adoc#_listing_servers[Listing s | Required privilege a| `GRANT SHOW SERVERS` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== @@ -90,7 +90,7 @@ For more information see xref:clustering/servers.adoc#alter-server-options[Alter | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== === Rename a server @@ -114,7 +114,7 @@ For more information see xref:clustering/servers.adoc#_renaming_a_server[Renamin | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== 
@@ -139,7 +139,7 @@ For more information see xref:clustering/servers.adoc#_dropping_a_server[Droppin | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== @@ -166,7 +166,7 @@ Note that is a cluster-level command, not a server-level command. | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== @@ -191,5 +191,5 @@ For more information see xref:clustering/servers.adoc#_deallocating_databases_fr | Required privilege a| `GRANT SERVER MANAGEMENT` -(see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-privilege-management[SERVER MANAGEMENT privileges]) +(see xref:authentication-authorization/dbms-administration/dbms-server-management-privileges.adoc[SERVER MANAGEMENT privileges]) |=== diff --git a/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc b/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc index 3be4dfc10..eab5f0114 100644 --- a/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc +++ b/modules/ROOT/pages/database-administration/aliases/manage-aliases-composite-databases.adoc 
@@ -24,7 +24,7 @@ CREATE DATABASE `perennial-flowers`; Available database aliases in composite databases can be seen using `SHOW ALIASES FOR DATABASE`. The name of the composite database a particular database alias appears in the returned `composite` column. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. .Query [source, cypher] diff --git a/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc b/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc index 33d6b7130..98d459158 100644 --- a/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc +++ b/modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc @@ -22,7 +22,7 @@ Remote database aliases require configuration to safely connect to the remote ta It is not possible to impersonate a user on the remote database or to execute an administration command on the remote database via a remote database alias. Database aliases can be created and managed using a set of Cypher administration commands executed against the `system` database. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. When connected to the DBMS over Bolt, administration commands are automatically routed to the `system` database. [NOTE] 
@@ -56,8 +56,11 @@ DRIVER { ---- //// -Available database aliases can be seen using `SHOW ALIASES FOR DATABASE`. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +You can list all available database aliases using the `SHOW ALIASES FOR DATABASE` command. +The command returns a table of all database aliases, whether they belong to a composite database or not. + +If you need more details, you can append the command with `YIELD *`. +The `YIELD *` clause returns the full set of columns. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. `SHOW ALIASES FOR DATABASE` will produce a table of database aliases with the following columns: @@ -237,7 +240,7 @@ Database aliases can be created using `CREATE ALIAS`. The command supports the creation of both local and remote database aliases. For more information on local and remote database aliases as part of a composite database, see xref::database-administration/aliases/manage-aliases-composite-databases.adoc#create-composite-database-alias[Create database aliases in composite databases]. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. [NOTE] ==== 
@@ -476,7 +479,7 @@ SHOW ALIAS `remote-northwind-2021` FOR DATABASE YIELD name, properties Database aliases can be altered using `ALTER ALIAS` to change its database target, properties, URL, user credentials, or driver settings. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. Only the clauses used will be altered. [NOTE] @@ -596,8 +599,8 @@ ALTER ALIAS `no-alias` IF EXISTS SET DATABASE TARGET `northwind-graph-2021` [[alias-management-drop-database-alias]] == Delete database aliases -Both local and remote database aliases can be deleted using the `DROP ALIAS` command. -The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges]. +You can delete both local and remote database aliases using the `DROP ALIAS` command. +The required privileges are described in the xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[The DBMS ALIAS MANAGEMENT privileges]. === Delete local database aliases diff --git a/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc b/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc index b5d9cb451..bba1b4740 100644 --- a/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc +++ b/modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc 
@@ -33,12 +33,13 @@ In the example above, _Bob_ is the administrator responsible for deciding which Meanwhile, _Alice_ is the administrator that assigns who has access to the privileges set by _Bob_. In the example, _Alice_ will assign that access to _Carol_. -See lxref:authentication-authorization/dbms-administration.adoc[DBMS privileges] for more information. +See xref:authentication-authorization/dbms-administration/index.adoc[DBMS privileges] for more information. ==== _Carol_ can use her own regular credentials to access the remote database `Db1` in DBMS after _Alice_ assigns this privilege to her user profile. This configuration will also allow _Carol_ to access `Db2` in **DBMS B**. -If the administrators decide this should not be the case, then _Bob_ must define the appropriate privileges (see xref:authentication-authorization/index.adoc[Authentication and authorization] for further information). +If the administrators decide this should not be the case, then _Bob_ must define the appropriate privileges. +See xref:authentication-authorization/index.adoc[Authentication and authorization] for further information. == Configure a remote DBMS (_Bob_) 
@@ -161,9 +162,9 @@ For example, the following command can be used to create a remote database alias CREATE ALIAS `remote-neo4j` FOR DATABASE `neo4j` AT "neo4j+s://location:7687" USER alice PASSWORD 'secretpassword' ---- -In order to do so, either lxref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-database-management[database management] -or lxref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[alias management] privileges are required. -The permission to create an alias can be granted like this: +In order to do so, either xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[database management] +or xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[alias management] privileges are required. +The permission to create an alias can be granted using the following command: [source, Cypher] ---- @@ -208,7 +209,7 @@ USE `remote-neo4j` MATCH (n) RETURN * * Connecting to a remote database alias as a home database. This needs to be set by Administrator A. -See more about lxref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-user-management[User Management]. +See more about xref:authentication-authorization/dbms-administration/dbms-user-management-privileges.adoc[User Management]. [source, Cypher] ---- diff --git a/modules/ROOT/pages/database-administration/composite-databases/delete-composite-databases.adoc b/modules/ROOT/pages/database-administration/composite-databases/delete-composite-databases.adoc index 60b50b553..3f82f25c2 100644 --- a/modules/ROOT/pages/database-administration/composite-databases/delete-composite-databases.adoc +++ b/modules/ROOT/pages/database-administration/composite-databases/delete-composite-databases.adoc 
@@ -34,7 +34,7 @@ This operation does not deletes the actual target databases of the constituent d The `CASCADE ALIASES` option is useful when you want to delete a composite database and its constituent database aliases in one step. Using `CASCADE ALIASES` requires the `DROP ALIAS` privilege. -For more information about this privilege, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[ALIAS MANAGEMENT privileges]. +For more information about this privilege, see xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[ALIAS MANAGEMENT privileges]. .Drop a composite database and its consitutent alias ==== diff --git a/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc b/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc index 7eef2427f..affb60806 100644 --- a/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc +++ b/modules/ROOT/pages/database-administration/standard-databases/delete-databases.adoc @@ -92,7 +92,7 @@ The option `DESTROY DATA` explicitly requests the default behavior of the comman [NOTE] ==== -The dumps produced by `DUMP DATA` are equivalent to those produced by xref:backup-restore/offline-backup.adoc[`neo4j-admin database dump`]. +The dumps produced by `DUMP DATA` are equivalent to those produced by xref:backup-restore/offline-backup.adoc[`neo4j-admin database dump`]. You can also restore them using the xref:backup-restore/restore-dump.adoc[`neo4j-admin database load`] command. ==== 
@@ -121,7 +121,7 @@ This command does not affect the remote database aliases targeting the database They will simply no longer resolve their targets as if they were created targeting a non-existing database. Using `CASCADE ALIASES` requires the `DROP ALIAS` privilege. -For more information about the privilege, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[ALIAS MANAGEMENT privileges]. +For more information about the privilege, see xref:authentication-authorization/dbms-administration/dbms-alias-management-privileges.adoc[ALIAS MANAGEMENT privileges]. .Drop a database and the local database alias targeting it ==== diff --git a/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc b/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc index 56caec868..94e5913f5 100644 --- a/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc +++ b/modules/ROOT/pages/database-administration/standard-databases/recreate-database.adoc @@ -33,7 +33,7 @@ Input arguments are the database name and list of the seeding and topology optio [cols="2a,4",frame="topbot",options="header"] |=== |Option -|Description +|Description |seedingServers |A list of possible seeding servers. 
@@ -65,7 +65,7 @@ To restore CDC functionality, follow the guide on how link:https://neo4j.com/doc Before recreating a database, any eventual quarantined states need to be addressed. For more information, see xref:database-administration/standard-databases/errors.adoc#quarantine[Standard databases -> Error handling]. -You need xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-database-management[the `CREATE DATABASE` and `DROP DATABASE` privileges] to run the recreate procedure. +You need xref:authentication-authorization/dbms-administration/dbms-database-management-privileges.adoc[the `CREATE DATABASE` and `DROP DATABASE` privileges] to run the recreate procedure. Additionally, in a cluster deployment, you have the option to modify <> during the recreation process. However, note that the store format, access, and enrichment cannot be altered during recreation. diff --git a/modules/ROOT/pages/procedures.adoc b/modules/ROOT/pages/procedures.adoc index 77339c30e..5302ed855 100644 --- a/modules/ROOT/pages/procedures.adoc +++ b/modules/ROOT/pages/procedures.adoc @@ -55,7 +55,7 @@ Some procedures can only be run by users with `Admin` privileges. Specifically, either the `EXECUTE ADMIN PROCEDURES` privilege or both the `EXECUTE PROCEDURES` and `EXECUTE BOOSTED PROCEDURES` privileges. These procedures are labeled with label:admin-only[]. -For more information, see xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-execute[the `EXECUTE` privileges section]. +For more information, see xref:authentication-authorization/dbms-administration/dbms-execute-privileges.adoc[the `EXECUTE` privileges]. ==== == Authentication and authorization
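Review bot: In the `@@ -746,7 +746,7 @@ SHOW USERS` hunk, replacing the attribute-based `link:{neo4j-docs-base-uri}/status-codes/{page-version}/notifications/all-notifications[...]` with the hard-coded `https://neo4j.com/docs/status-codes/current/notifications/all-notifications/` drops version pinning: a reader of a pinned 5.x manual is sent to whatever `current` resolves to, which may list notification codes that do not exist in their release. Prefer keeping `{neo4j-docs-base-uri}` together with a version attribute; if `{page-version}` was the attribute that failed to resolve, say so in the commit message so the substitution is not mistaken for a stylistic choice.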
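Review bot: The manage-users.adoc hunks are inconsistent in link depth. `@@ -185`, `@@ -235`, `@@ -243` and `@@ -394` point at specific anchors (`#grant-create-user-privilege`, `#grant-delete-user-privilege`), while `@@ -92` (`GRANT SHOW USER`), `@@ -272` (`GRANT RENAME USER`) and `@@ -338` (`GRANT SET USER HOME DATABASE` / `GRANT SET AUTH`) link only to the top of `dbms-user-management-privileges.adoc`. If the new page defines matching anchors for those privileges, link to them as well so every "For more information" lands on the relevant privilege rather than the page header; otherwise consider adding such anchors in the same change.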
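Review bot: In the `@@ -56,8 +56,11 @@ DRIVER {` hunk of manage-aliases-standard-databases.adoc, the added sentence "The command returns a table of all database aliases, whether they belong to a composite database or not." duplicates the unchanged line that follows it, "`SHOW ALIASES FOR DATABASE` will produce a table of database aliases with the following columns:". Keep one of them (the composite/non-composite remark can be folded into the existing line), reword "append the command with `YIELD *`" to "append `YIELD *` to the command", and move the privileges sentence up next to the first sentence so the `YIELD *` paragraph does not separate the command from its privilege requirement.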
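Review bot: Every retargeted xref in this patch drops an `#access-control-dbms-administration-*` anchor of the old `dbms-administration.adoc` page (first in the `@@ -299,7 +299,7 @@ a| GRANT ASSIGN ROLE` hunk, then throughout). Those anchors were stable deep-link targets that external pages and bookmarks may rely on; confirm that the docs site carries a redirect from the old page to `dbms-administration/index.adoc`, and consider keeping the old anchor ids on the new split pages so existing fragment links still resolve instead of silently landing on the page top.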
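Review bot: The `@@ -34,7 +34,7 @@ This operation does not deletes the actual target databases` hunk of delete-composite-databases.adoc leaves two typos in its context lines that could be fixed while the file is touched: "does not deletes" should be "does not delete" in the hunk's leading context line, and "consitutent" should be "constituent" in the example title `.Drop a composite database and its consitutent alias`.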
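Review bot: In the `@@ -24,7 +24,7 @@ CREATE DATABASE` hunk of manage-aliases-composite-databases.adoc, the context sentence "The name of the composite database a particular database alias appears in the returned `composite` column." is missing its verb; something like "The name of the composite database that a particular database alias belongs to appears in the returned `composite` column." reads correctly and is a one-line fix in the same file.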