This article covers how to apply permissions to SSO users when you don't have an authorisation server for your IdP.
This is especially important for the Google IdP, which we don't currently support as an authorisation server, so you must use the method in this article to apply permissions to your users.
1. Log in to your database as the SSO user you wish to configure. For this example I will be using Browser.
2. Run SHOW CURRENT USER. You will only have the PUBLIC role if no other roles have been applied. Make a note of the username that is displayed:
3. Next you will need to log in with a user that has permission to assign roles. If this is your first user, you will most likely need to use the default neo4j account. If you already have an admin, you can use that account.
4. Next we need to create that user in the database. The username needs to be surrounded by backticks, for example:
A password must be set. However, once you have an admin user defined, it is possible to disable username + password authentication for the database, which prevents the username and password from being used to log in. If this is a requirement, please raise this with the support team.
5. Now we can grant a role to the user, for example to give the admin role to my user:
For further information on roles and permissions, please see our official documentation below:
https://neo4j.com/docs/operations-manual/current/authentication-authorization/built-in-roles/
6. Next you can log in as the created user and run SHOW CURRENT USER once again. Here you can check the roles to confirm the permissions have been applied. As you can see, I now have the admin role applied:
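The whole procedure as Cypher, as an added example that is not taken from the original article. The username sso.user@example.com and the password value are constructed placeholders; use the exact username returned in step 2 and a long random password of your own.

```cypher
// Step 2, run as the SSO user: note the "user" value exactly as returned.
// With no roles applied yet, "roles" contains only PUBLIC.
SHOW CURRENT USER YIELD user, roles;

// Steps 3-4, run as a user allowed to manage users and roles
// (the default neo4j account or an existing admin).
// The backticks are needed because the name contains characters such as "@" and ".".
// The password stays a valid login credential until username + password
// authentication is disabled, so set a long random value rather than a guessable one.
CREATE USER `sso.user@example.com` IF NOT EXISTS
  SET PASSWORD 'REPLACE_WITH_LONG_RANDOM_VALUE' CHANGE NOT REQUIRED;

// Step 5: grant the role. admin is the role used in this article; the built-in
// roles documentation linked above lists narrower roles if admin is more than
// the user needs.
GRANT ROLE admin TO `sso.user@example.com`;

// Check from the admin session that the role is attached to the new user.
SHOW USERS YIELD user, roles
  WHERE user = 'sso.user@example.com';

// Step 6, run again as the SSO user: "roles" should now include admin.
SHOW CURRENT USER YIELD user, roles;
```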