diff --git a/modules/ROOT/pages/administration/access-control/database-administration.adoc b/modules/ROOT/pages/administration/access-control/database-administration.adoc index a93046e54..662954ab2 100644 --- a/modules/ROOT/pages/administration/access-control/database-administration.adoc +++ b/modules/ROOT/pages/administration/access-control/database-administration.adoc @@ -837,6 +837,10 @@ GRANT NAME [MANAGEMENT] |=== +[NOTE] +==== +The `SHOW PRIVILEGES` commands return the `NAME MANAGEMENT` privilege as the action `token`, when not using `AS COMMANDS`. +==== For example, to grant the role `regularUsers` the ability to create new properties on nodes or relationships on the database `neo4j`, use: diff --git a/modules/ROOT/pages/administration/access-control/manage-privileges.adoc b/modules/ROOT/pages/administration/access-control/manage-privileges.adoc index 825e7c2d2..6a1ce42aa 100644 --- a/modules/ROOT/pages/administration/access-control/manage-privileges.adoc +++ b/modules/ROOT/pages/administration/access-control/manage-privileges.adoc @@ -599,6 +599,11 @@ Lists all privileges for all roles: 6+a|Rows: 39 |=== +[NOTE] +==== +The `token` action corresponds to the `NAME MANAGEMENT` privilege. +==== + It is also possible to filter and sort the results by using `YIELD`, `ORDER BY` and `WHERE`: [source, cypher, role=noplay] @@ -688,6 +693,11 @@ In this example: 4+a|Rows: 12 |=== +[NOTE] +==== +The `token` action corresponds to the `NAME MANAGEMENT` privilege. +==== + `WHERE` can also be used without `YIELD`: [source, cypher, role=noplay] 
@@ -782,6 +792,11 @@ SHOW PRIVILEGES YIELD * RETURN role, access, collect([graph, resource, segment, 3+a|Rows: 8 |=== +[NOTE] +==== +The `token` action corresponds to the `NAME MANAGEMENT` privilege. +==== + The `RETURN` clause can also be used to order and paginate the results, which is useful when combined with `YIELD` and `WHERE`. In this example the query returns privileges for display five-per-page, and skips the first five to display the second page. diff --git a/modules/ROOT/pages/administration/access-control/privileges-writes.adoc b/modules/ROOT/pages/administration/access-control/privileges-writes.adoc index 3cda14681..aefc9ba53 100644 --- a/modules/ROOT/pages/administration/access-control/privileges-writes.adoc +++ b/modules/ROOT/pages/administration/access-control/privileges-writes.adoc @@ -380,10 +380,16 @@ GRANT ALL GRAPH PRIVILEGES ON GRAPH neo4j TO regularUsers [NOTE] ==== -Unlike the more specific `READ` and `WRITE` commands, it is not possible to restrict `ALL GRAPH PRIVILEGES` to specific +ELEMENTS, +NODES+ or +RELATIONSHIPS+. +Unlike the more specific `READ` and `WRITE` commands, it is not possible to restrict `ALL GRAPH PRIVILEGES` to specific +ELEMENTS+, +NODES+ or +RELATIONSHIPS+. If you wish to prevent a user from reading or writing to a subset of database objects, a `GRANT ALL GRAPH PRIVILEGES` can be combined with more specific `DENY` commands to target these elements. ==== +[NOTE] +==== +The `ALL GRAPH PRIVILEGES` privilege does not allow creating new labels, relationship types, or property names. +These are instead managed by the `NAME MANAGEMENT` privileges. +==== + The `ALL GRAPH PRIVILEGES` privilege can also be denied: [source, syntax, role="noheader"]
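Review bot: In the database-administration.adoc hunk (@@ -837,6 +837,10 @@), the new note's sentence ends with a trailing ", when not using `AS COMMANDS`" clause that is easy to misread, and it never says what the reader sees when `AS COMMANDS` is used. Suggest leading with the condition, for example "When `SHOW PRIVILEGES` is used without `AS COMMANDS`, the `NAME MANAGEMENT` privilege is returned with the action `token`." Anyone auditing role grants from that output needs to know which string to search for in each form.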
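Review bot: In manage-privileges.adoc (@@ -599,6 +599,11 @@), the note after the "Rows: 39" table drops the `AS COMMANDS` qualifier that the database-administration.adoc note carries, so the two pages describe the same mapping with different scope. Suggest using the same wording in both places, or linking this note to the `NAME MANAGEMENT` section so the condition is stated once.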
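Review bot: The manage-privileges.adoc hunks at @@ -688,6 +693,11 @@ and @@ -782,6 +792,11 @@ add the same note verbatim a second and third time on one page ("The `token` action corresponds to the `NAME MANAGEMENT` privilege."). Three identical copies will drift when one is edited. Suggest keeping the note after the first result table only, or turning the sentence into a shared attribute or include and referencing it from each table.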
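Review bot: In privileges-writes.adoc (@@ -380,10 +380,16 @@), the added note says these are "managed by the `NAME MANAGEMENT` privileges" but gives no cross-reference to where that privilege is documented, and it uses the plural "privileges" while the other notes in this patch use the singular. Suggest adding an xref to the `NAME MANAGEMENT` section of database-administration.adoc and aligning the singular/plural. Since it directly follows another `[NOTE]` block, consider merging the two so the limits of `ALL GRAPH PRIVILEGES` are read together. The `+ELEMENTS+,` markup fix in the same hunk looks correct.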