This article describes how to recreate users and roles in Neo4j Aura. This is a recommended step after cloning a database into a new Aura instance, because the security metadata (users, roles, privileges and role assignments) is not copied by cloning.
To do so, follow this step-by-step approach to recreate the users and roles:
Note:
- Make sure you are signed in to the source database (the one you cloned from), because all of the Cypher queries below are run against it.
- Ensure you are using the system database; switch to it with the :use system command.
- The output of each query below is a set of Cypher statements that can be replayed on the cloned Neo4j Aura instance.
Export Users:
The first step is to export the scripts for user creation. The generated statements set every user's password to 'newpassword' and require a change on first login (CHANGE REQUIRED). Because that interim password is shared by all users and appears in the exported CSV, treat the export as sensitive, tell users the interim password through a separate channel, and consider substituting a different value per user before running the statements. The built-in neo4j user is excluded because it already exists on the clone. Note also that SHOW USERS reports a suspended column which the generated statement does not carry over; reapply it on the clone where it was set (ALTER USER name SET STATUS SUSPENDED).
SHOW USERS YIELD user WHERE user <> 'neo4j' RETURN 'CREATE USER ' + user + ' SET PASSWORD \'newpassword\' CHANGE REQUIRED;' AS output;
Each row of the result is one complete CREATE USER statement. You can export the output as CSV using `Export CSV`. Copy the statements from the CSV and execute them on the cloned Aura instance. You can verify that the users were created using the command below:
SHOW USERS;
Export Roles:
The next step is to create the roles. This query generates the Cypher to create every role that does not already exist on the clone. PUBLIC is a built-in role that always exists and cannot be created, so it is filtered out.
SHOW ROLES YIELD role WHERE role <> 'PUBLIC' RETURN 'CREATE ROLE ' + role + ' IF NOT EXISTS;' AS output;
Each row is one CREATE ROLE statement; copy and run them on the cloned instance. You can verify the created roles using the command below:
SHOW ROLES;
Assign Privileges:
Privileges control access to graph elements using a combined allowlist/denylist mechanism. A user can access a resource if one of their roles has a GRANT (allowlist) for it and none of their roles has a DENY (denylist) for it.
SHOW PRIVILEGES AS COMMANDS;
This returns the privileges as the GRANT and DENY commands that produced them. Execute these commands on the cloned Aura instance. Replay the DENY commands as well as the GRANTs: leaving them out would make the clone more permissive than the source. The output also includes the privileges of the built-in roles such as admin and PUBLIC; those roles already exist on the clone with their default privileges. Make sure every statement ends with a semicolon (;) if you see syntax errors.
Generate User Role Mapping Cypher:
When the users were created in the first step, each of them automatically received the PUBLIC role, which provides access to the default database and allows execution of all procedures and user-defined functions. The query below therefore excludes the PUBLIC role, and also roles that have no users assigned. The GRANT ROLE syntax is GRANT ROLE name TO user (there is no USER keyword), and each generated statement ends with a semicolon so it can be pasted directly.
SHOW ROLES WITH USERS YIELD member, role WHERE role <> 'PUBLIC' AND member IS NOT NULL RETURN 'GRANT ROLE ' + role + ' TO ' + member + ';' AS output;
Each row is one GRANT ROLE statement. Copy and execute these on the cloned instance to recreate the user-to-role mappings.
You can verify the mapping using the command below:
SHOW ROLES WITH USERS;
Please make sure you export the output of all of the above Cypher queries and run every generated statement, so the clone ends up with the same users, roles, privileges and mappings as the source. Afterwards, compare the results of SHOW USERS, SHOW ROLES WITH USERS and SHOW PRIVILEGES AS COMMANDS on both instances; any difference is a gap in the replay. If you run into an error, please open a support ticket with us.
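The four steps above can be assembled offline from the exported rows instead of being hand-copied from CSV. The following is an added example, not part of the original article or of Neo4j's own tooling: it takes rows shaped like the results of SHOW USERS, SHOW ROLES WITH USERS and SHOW PRIVILEGES AS COMMANDS (constructed sample data below, not real output) and emits the replay script in dependency order (users, roles, privileges, role grants). It goes beyond the queries above in three ways a practitioner wants: names that are not plain identifiers are backtick-quoted, each user gets a random interim password instead of the shared 'newpassword', and suspended users stay suspended on the clone. All function names are this example's own.

```python
import re
import secrets
import string

# Constructed sample rows standing in for SHOW USERS (user, suspended),
# SHOW ROLES WITH USERS (role, member) and SHOW PRIVILEGES AS COMMANDS
# on the source instance. They are not output from a real database.
SHOW_USERS = [
    {"user": "neo4j", "suspended": False},
    {"user": "alice", "suspended": False},
    {"user": "bob.smith", "suspended": True},   # name needs backticks
]
SHOW_ROLES_WITH_USERS = [
    {"role": "PUBLIC", "member": "neo4j"},
    {"role": "PUBLIC", "member": "alice"},
    {"role": "PUBLIC", "member": "bob.smith"},
    {"role": "admin", "member": "neo4j"},
    {"role": "reader", "member": "alice"},
    {"role": "finance analyst", "member": "bob.smith"},
    {"role": "unused_role", "member": None},    # role with no members
]
SHOW_PRIVILEGES_AS_COMMANDS = [
    "GRANT ACCESS ON DATABASE neo4j TO `finance analyst`",
    "GRANT MATCH {*} ON GRAPH neo4j NODES Account TO `finance analyst`",
    "DENY READ {ssn} ON GRAPH neo4j NODES Account TO `finance analyst`",
]

_PLAIN_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_name(name: str) -> str:
    """Backtick-quote a user or role name unless it is a plain identifier.
    Unquoted 'bob.smith' or 'finance analyst' would not parse in Cypher."""
    if _PLAIN_NAME.match(name):
        return name
    return "`" + name.replace("`", "``") + "`"


def random_password(length: int = 20) -> str:
    """Per-user interim password; letters and digits only, so no Cypher escaping is needed."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def user_statements(rows, password_for=random_password):
    """CREATE USER statements for every user except the pre-existing neo4j account.
    Returns the statements and a {user: password} map to hand over out of band."""
    statements, credentials = [], {}
    for row in rows:
        if row["user"] == "neo4j":
            continue
        password = password_for()
        credentials[row["user"]] = password
        stmt = (f"CREATE USER {quote_name(row['user'])} IF NOT EXISTS "
                f"SET PASSWORD '{password}' CHANGE REQUIRED")
        if row.get("suspended"):
            stmt += " SET STATUS SUSPENDED"   # keep locked accounts locked on the clone
        statements.append(stmt + ";")
    return statements, credentials


def role_statements(rows):
    """CREATE ROLE ... IF NOT EXISTS per distinct role; PUBLIC is reserved and always present."""
    roles = sorted({r["role"] for r in rows if r["role"] != "PUBLIC"})
    return [f"CREATE ROLE {quote_name(role)} IF NOT EXISTS;" for role in roles]


def privilege_statements(commands):
    """Replay GRANT and DENY lines alike; dropping the DENYs would make the clone more permissive."""
    return [cmd.rstrip().rstrip(";") + ";" for cmd in commands]


def grant_statements(rows):
    """GRANT ROLE role TO user for each real membership (PUBLIC is implicit, empty roles skipped)."""
    return [f"GRANT ROLE {quote_name(r['role'])} TO {quote_name(r['member'])};"
            for r in rows if r["role"] != "PUBLIC" and r["member"] is not None]


def build_replay_script(users, roles_with_users, privilege_commands, password_for=random_password):
    """Statements in dependency order: users, roles, privileges on roles, then role grants."""
    user_stmts, credentials = user_statements(users, password_for)
    script = (user_stmts + role_statements(roles_with_users)
              + privilege_statements(privilege_commands) + grant_statements(roles_with_users))
    return script, credentials


if __name__ == "__main__":
    script, creds = build_replay_script(SHOW_USERS, SHOW_ROLES_WITH_USERS, SHOW_PRIVILEGES_AS_COMMANDS)
    print("\n".join(script))   # run these against the clone's system database
    print("\n-- interim passwords: deliver out of band, never alongside the script --")
    for user, password in creds.items():
        print(f"{user}: {password}")
```

Run the generated statements against the system database of the cloned instance, then do the SHOW comparisons described above. The password map is returned separately from the script on purpose: the script may be shared with whoever operates the clone, while each interim password goes only to its user.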