If a number of colleagues require access to your AuraDB Instance, you do not have to give each of them access via the Aura console (which carries full admin privileges). As an Aura Enterprise tier customer you can instead use Role-Based Access Control (RBAC): define the required privileges as roles, then assign those roles to users on the AuraDB Instance.
Role-Based Access Control (RBAC) is available in Neo4j Aura Enterprise only.
Neo4j provides a number of built-in roles, which are:
- PUBLIC - Every user has this role. By default it allows access to the home AuraDB Instance and lets the user run all procedures and user-defined functions.
- reader - Can read data from all AuraDB Instances.
- editor - Can read and update all AuraDB Instances, but not expand the schema with new labels, relationship types or property names.
- publisher - Can read and edit, as well as add new labels, relationship types and property names.
- architect - Has all the capabilities of the publisher as well as the ability to manage indexes and constraints.
- admin - Can perform architect actions as well as manage AuraDB Instances, users, roles and privileges.
Full details of the privileges defined in each role, and much more, can be found in the Neo4j Operations Manual.
All users are assigned the PUBLIC role, which by default grants no rights or capabilities regarding the data, not even read privileges. A user may have more than one assigned role, and the union of those roles determines which action(s) the user may perform on the data.
Access control using built-in roles
In order to make use of the built-in roles, you first need to create AuraDB Instance users, to whom you will then assign the roles.
Remember, Neo4j stores user and role information in the system database.
To create users, ensure you are using the system database. In Neo4j Browser you switch databases with the :use command followed by the database name, so run :use system first.
Now we can issue the Cypher statements to create the user accounts:
CREATE USER `charlie` SET PASSWORD $secret1 CHANGE NOT REQUIRED;
CREATE USER `alice` SET PASSWORD $secret2 CHANGE NOT REQUIRED;
CREATE USER `daniel` SET PASSWORD $secret3 CHANGE NOT REQUIRED;
CREATE USER `bob` SET PASSWORD $secret4 CHANGE NOT REQUIRED;
CREATE USER `tina` SET PASSWORD $secret5 CHANGE NOT REQUIRED;
With user accounts created for AuraDB Instance access, we can now assign the built-in roles to the users in order to set the required permissions:
GRANT ROLE reader TO charlie;
GRANT ROLE editor TO alice;
GRANT ROLE editor TO daniel;
GRANT ROLE editor TO bob;
GRANT ROLE admin TO tina;
To view the complete set of privileges available to users assigned a role, use the following command:
SHOW ROLE admin PRIVILEGES AS COMMANDS;
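Once the roles are granted, it is worth checking what each user can effectively do, since a user's privileges are the union of PUBLIC and every role granted to them. The following is an added example, not code from the original page: it uses the user names created above (charlie, alice, tina) and only Cypher administration commands that exist in Neo4j 4.3 and later; the user `erin` and her password parameter are constructed for the example. Run it against the system database (:use system in Neo4j Browser).

```cypher
// Added example (not from the original page): verify what the newly created
// users can actually do after the GRANT ROLE statements above.

// 1. List all users with their assigned roles, whether a password change is
//    pending, and whether the account is suspended.
SHOW USERS;

// 2. Audit who holds the editor role (i.e. who can write data).
SHOW USERS YIELD user, roles WHERE 'editor' IN roles;

// 3. Show one user's effective privileges as re-runnable GRANT/DENY commands.
//    This combines PUBLIC with every role granted to the user.
SHOW USER charlie PRIVILEGES AS COMMANDS;

// 4. Compare with tina, who holds the admin role.
SHOW USER tina PRIVILEGES AS COMMANDS;

// 5. The same information from the role side: every role and who holds it.
SHOW ROLES WITH USERS;

// 6. For accounts created with an initial secret handed to the person out of
//    band, CHANGE REQUIRED forces a new password on first login (this is also
//    the default when the clause is omitted). The user erin is constructed here.
CREATE USER erin SET PASSWORD $secret6 CHANGE REQUIRED;
GRANT ROLE reader TO erin;
SHOW USER erin PRIVILEGES AS COMMANDS;
```

The SHOW USER ... PRIVILEGES AS COMMANDS output is the quickest way to confirm that a user has not accidentally accumulated more than one role; the page's note that privileges are a union means an extra editor or admin grant silently widens what a "reader" can do.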
If you don’t wish to use the built-in roles, it is possible to create custom roles and assign specific privileges to those roles.
When creating new custom roles, it is good practice to revoke any built-in roles currently assigned to the users, for example:
REVOKE ROLE admin FROM tina;
It is possible to create new custom roles based on the built-in roles by using the following command:
CREATE ROLE itadmin AS COPY OF admin;
Alternatively, to create a brand new role, run the following:
CREATE ROLE role_name;
You can then add or remove permissions from your new custom role by using the following commands:
// To allow the role_name to find all nodes
ON GRAPH graph_name
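As a worked illustration of the custom-role approach, here is an added example that is not part of the original page. It builds a least-privilege role for an analyst who may find Customer and Order nodes, read only non-sensitive Customer properties and never read a sensitive one, then grants it to charlie in place of the built-in reader role. Assumptions: the Aura database is the default `neo4j`; the labels Customer and Order, the relationship type PLACED and the properties name, city and ssn are constructed for the example. Run it against the system database (:use system first).

```cypher
// Added example (not from the original page): a custom least-privilege role.
CREATE ROLE analyst;

// Allow the role to access the database at all. On Aura the PUBLIC role already
// grants this by default, but stating it keeps the role self-describing.
GRANT ACCESS ON DATABASE neo4j TO analyst;

// TRAVERSE lets the role find nodes and relationships without reading any
// of their properties (this is the "find all nodes" style of privilege).
GRANT TRAVERSE ON GRAPH neo4j NODES Customer, Order TO analyst;
GRANT TRAVERSE ON GRAPH neo4j RELATIONSHIPS PLACED TO analyst;

// READ with an explicit property list limits which properties are visible.
GRANT READ {name, city} ON GRAPH neo4j NODES Customer TO analyst;

// MATCH is TRAVERSE plus READ; here every property of Order is readable.
GRANT MATCH {*} ON GRAPH neo4j NODES Order TO analyst;

// DENY takes precedence over any GRANT, so even if a broader role is granted to
// the same user later, the sensitive property stays hidden through this role.
DENY READ {ssn} ON GRAPH neo4j NODES Customer TO analyst;

// Move charlie from the built-in reader role to the custom role, following the
// page's advice to revoke built-in roles when switching to custom ones.
REVOKE ROLE reader FROM charlie;
GRANT ROLE analyst TO charlie;

// Check the result: first the role's privileges, then the user's effective set.
SHOW ROLE analyst PRIVILEGES AS COMMANDS;
SHOW USER charlie PRIVILEGES AS COMMANDS;
```

The DENY is the part worth copying: GRANT statements only add capabilities, so a role that must never expose a property needs an explicit DENY rather than simply omitting it from the READ list, otherwise a later GRANT MATCH {*} on the same label from another role would reveal it.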