From 210ded1606e3bf588734a2fd64151b3ce349d886 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Pryce-=C3=85klundh?= <112686610+JPryce-Aklundh@users.noreply.github.com> Date: Fri, 9 Aug 2024 09:42:17 +0200 Subject: [PATCH 1/2] add token privilege notes --- .../access-control/database-administration.adoc | 4 ++++ .../access-control/manage-privileges.adoc | 15 +++++++++++++++ .../access-control/privileges-writes.adoc | 6 ++++++ 3 files changed, 25 insertions(+) diff --git a/modules/ROOT/pages/administration/access-control/database-administration.adoc b/modules/ROOT/pages/administration/access-control/database-administration.adoc index a93046e54..662954ab2 100644 --- a/modules/ROOT/pages/administration/access-control/database-administration.adoc +++ b/modules/ROOT/pages/administration/access-control/database-administration.adoc @@ -837,6 +837,10 @@ GRANT NAME [MANAGEMENT] |=== +[NOTE] +==== +The `SHOW PRIVILEGES` commands return the `NAME MANAGEMENT` privilege as the action `token`, when not using `AS COMMANDS`. +==== For example, to grant the role `regularUsers` the ability to create new properties on nodes or relationships on the database `neo4j`, use: diff --git a/modules/ROOT/pages/administration/access-control/manage-privileges.adoc b/modules/ROOT/pages/administration/access-control/manage-privileges.adoc index 825e7c2d2..6a1ce42aa 100644 --- a/modules/ROOT/pages/administration/access-control/manage-privileges.adoc +++ b/modules/ROOT/pages/administration/access-control/manage-privileges.adoc @@ -599,6 +599,11 @@ Lists all privileges for all roles: 6+a|Rows: 39 |=== +[NOTE] +==== +The `token` action corresponds to the `NAME MANAGEMENT` privilege. +==== + It is also possible to filter and sort the results by using `YIELD`, `ORDER BY` and `WHERE`: [source, cypher, role=noplay] 
@@ -688,6 +693,11 @@ In this example: 4+a|Rows: 12 |=== +[NOTE] +==== +The `token` action corresponds to the `NAME MANAGEMENT` privilege. +==== + `WHERE` can also be used without `YIELD`: [source, cypher, role=noplay] @@ -782,6 +792,11 @@ SHOW PRIVILEGES YIELD * RETURN role, access, collect([graph, resource, segment, 3+a|Rows: 8 |=== +[NOTE] +==== +The `token` action corresponds to the `NAME MANAGEMENT` privilege. +==== + The `RETURN` clause can also be used to order and paginate the results, which is useful when combined with `YIELD` and `WHERE`. In this example the query returns privileges for display five-per-page, and skips the first five to display the second page. diff --git a/modules/ROOT/pages/administration/access-control/privileges-writes.adoc b/modules/ROOT/pages/administration/access-control/privileges-writes.adoc index 3cda14681..e70d1700d 100644 --- a/modules/ROOT/pages/administration/access-control/privileges-writes.adoc +++ b/modules/ROOT/pages/administration/access-control/privileges-writes.adoc @@ -384,6 +384,12 @@ Unlike the more specific `READ` and `WRITE` commands, it is not possible to rest If you wish to prevent a user from reading or writing to a subset of database objects, a `GRANT ALL GRAPH PRIVILEGES` can be combined with more specific `DENY` commands to target these elements. ==== +[NOTE] +==== +The `ALL GRAPH PRIVILEGES` privilege does not allow creating new labels, relationship types, or property names. +These are instead managed by the `NAME MANAGEMENT` privileges. +==== + The `ALL GRAPH PRIVILEGES` privilege can also be denied: [source, syntax, role="noheader"] From 5728761dda8472306800c50a741d91faa3e2cb1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Pryce-=C3=85klundh?= <112686610+JPryce-Aklundh@users.noreply.github.com> Date: Fri, 9 Aug 2024 09:49:54 +0200 Subject: [PATCH 2/2] fix --- .../pages/administration/access-control/privileges-writes.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/ROOT/pages/administration/access-control/privileges-writes.adoc b/modules/ROOT/pages/administration/access-control/privileges-writes.adoc index e70d1700d..aefc9ba53 100644 --- a/modules/ROOT/pages/administration/access-control/privileges-writes.adoc +++ b/modules/ROOT/pages/administration/access-control/privileges-writes.adoc @@ -380,7 +380,7 @@ GRANT ALL GRAPH PRIVILEGES ON GRAPH neo4j TO regularUsers [NOTE] ==== -Unlike the more specific `READ` and `WRITE` commands, it is not possible to restrict `ALL GRAPH PRIVILEGES` to specific +ELEMENTS, +NODES+ or +RELATIONSHIPS+. +Unlike the more specific `READ` and `WRITE` commands, it is not possible to restrict `ALL GRAPH PRIVILEGES` to specific +ELEMENTS+, +NODES+ or +RELATIONSHIPS+. If you wish to prevent a user from reading or writing to a subset of database objects, a `GRANT ALL GRAPH PRIVILEGES` can be combined with more specific `DENY` commands to target these elements. ====
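Review bot: The admonition added in database-administration.adoc (hunk at -837) reads awkwardly because of the comma before "when", and it describes the output rather than telling the reader what to expect; suggest rewording to "When `SHOW PRIVILEGES` is used without `AS COMMANDS`, the `NAME MANAGEMENT` privilege is listed with the action `token`." This hunk also adds four lines where each of the three matching hunks in manage-privileges.adoc adds five (a trailing blank line after the closing `====`), so check that a blank line separates the new block from the "For example, to grant the role `regularUsers`..." paragraph and the two pages are formatted alike.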
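Review bot: The same one-line admonition, "The `token` action corresponds to the `NAME MANAGEMENT` privilege.", is inserted verbatim three times in manage-privileges.adoc (hunks at -599, -688 and -792), so a reader working down the page meets it after every result table. Consider stating it once, after the first full listing ("Lists all privileges for all roles"), or better, where the columns of the `SHOW PRIVILEGES` output are described, and dropping the later copies. It would also help if this note carried the condition the database-administration.adoc note gives, that `token` appears only when `AS COMMANDS` is not used, so the two pages say the same thing.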
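Review bot: The admonition added in privileges-writes.adoc (hunk at -384) is the most consequential statement in the series for anyone designing roles: a writer holding `ALL GRAPH PRIVILEGES` still cannot introduce new labels, relationship types or property names without `NAME MANAGEMENT`, and, read the other way, withholding `NAME MANAGEMENT` is the lever for keeping a schema's vocabulary fixed. Suggest linking `NAME MANAGEMENT` in this note to the `GRANT NAME [MANAGEMENT]` section of database-administration.adoc that this same patch touches, so readers can find the grant syntax from here, and using the singular "privilege" in "These are instead managed by the `NAME MANAGEMENT` privileges" to match "The `ALL GRAPH PRIVILEGES` privilege" in the line above it.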
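Review bot: The one-character change in PATCH 2/2 (`+ELEMENTS,` to `+ELEMENTS+,`) correctly closes the unbalanced `+...+` passthrough on the existing line, but it should be squashed into PATCH 1/2 rather than landing as a separate commit whose subject is only "fix"; nobody reading the history can tell from that subject what was repaired. While on this line, `READ` and `WRITE` are marked with backticks but `ELEMENTS`, `NODES` and `RELATIONSHIPS` with `+...+`; if that difference is not deliberate, using backticks for all five keywords would make the sentence consistent and remove the opportunity for this kind of unbalanced-delimiter slip.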