diff --git a/modules/ROOT/pages/access-control/privileges-writes.adoc b/modules/ROOT/pages/access-control/privileges-writes.adoc index f690295a4..0dc958f3f 100644 --- a/modules/ROOT/pages/access-control/privileges-writes.adoc +++ b/modules/ROOT/pages/access-control/privileges-writes.adoc @@ -19,18 +19,18 @@ Write privileges are defined for different parts of the graph: There are also compound privileges which combine the above specific privileges: -* xref::access-control/privileges-writes.adoc#access-control-privileges-writes-merge[`MERGE`] - allows match, create and set property to permit the `MERGE` command. -* xref::access-control/privileges-writes.adoc#access-control-privileges-writes-write[`WRITE`] - allows all write operations on an entire graph. -* xref::access-control/privileges-writes.adoc#access-control-privileges-writes-all[`ALL GRAPH PRIVILEGES`] - allows all read and write operation on an entire graph. +* xref::access-control/privileges-writes.adoc#access-control-privileges-writes-merge[`MERGE`] - allows `MATCH`, `CREATE` and `SET PROPERTY` to apply the `MERGE` command. +* xref::access-control/privileges-writes.adoc#access-control-privileges-writes-write[`WRITE`] - allows all `WRITE` operations on an entire graph. +* xref::access-control/privileges-writes.adoc#access-control-privileges-writes-all[`ALL GRAPH PRIVILEGES`] - allows all `READ` and `WRITE` operations on an entire graph. [[access-control-privileges-writes-create]] == The `CREATE` privilege -The `CREATE` privilege allows a user to create new node and relationship elements in a graph. +The `CREATE` privilege allows a user to create new node and relationship elements on a graph. See the Cypher xref::clauses/create.adoc[CREATE] clause. -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- GRANT CREATE ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } 
@@ -42,16 +42,16 @@ GRANT CREATE TO role[, ...] ---- -For example, granting the ability to create elements on the graph `neo4j` to the role `regularUsers` would be achieved using: +For example, to grant the role `regularUsers` the ability to `CREATE` elements on the graph `neo4j`, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT CREATE ON GRAPH neo4j ELEMENTS * TO regularUsers ---- -The `CREATE` privilege can also be denied. +The `CREATE` privilege can also be denied: -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- DENY CREATE ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } 
@@ -63,27 +63,27 @@ DENY CREATE TO role[, ...] ---- -For example, denying the ability to create nodes with the label `foo` on all graphs to the role `regularUsers` would be achieved using: +For example, to deny the role `regularUsers` the ability to `CREATE` nodes with the label `foo` on all graphs, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY CREATE ON GRAPH * NODES foo TO regularUsers ---- [NOTE] ==== -If the user attempts to create nodes with a label that does not already exist in the database, then the user must also possess the xref::access-control/database-administration.adoc#access-control-database-administration-tokens[CREATE NEW LABEL] privilege. -The same applies to new relationships - the xref::access-control/database-administration.adoc#access-control-database-administration-tokens[CREATE NEW RELATIONSHIP TYPE] privilege is required. +If the user attempts to create nodes with a label that does not already exist on the database, then the user must also possess the xref::access-control/database-administration.adoc#access-control-database-administration-tokens[CREATE NEW LABEL] privilege. +The same applies to new relationships: the xref::access-control/database-administration.adoc#access-control-database-administration-tokens[CREATE NEW RELATIONSHIP TYPE] privilege is required. ==== [[access-control-privileges-writes-delete]] == The `DELETE` privilege -The `DELETE` privilege allows a user to delete node and relationship elements in a graph. +The `DELETE` privilege allows a user to delete node and relationship elements on a graph. See the Cypher xref::clauses/delete.adoc[DELETE] clause. -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- GRANT DELETE ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } 
@@ -95,16 +95,16 @@ GRANT DELETE TO role[, ...] ---- -For example, granting the ability to delete elements on the graph `neo4j` to the role `regularUsers` would be achieved using: +For example, to grant the role `regularUsers` the ability to `DELETE` elements on the graph `neo4j`, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT DELETE ON GRAPH neo4j ELEMENTS * TO regularUsers ---- -The `DELETE` privilege can also be denied. +The `DELETE` privilege can also be denied: -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- DENY DELETE ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } @@ -116,9 +116,9 @@ DENY DELETE TO role[, ...] ---- -For example, denying the ability to delete relationships with the relationship type `bar` on all graphs to the role `regularUsers` would be achieved using: +For example, to deny the role `regularUsers` the ability to `DELETE` relationships with the relationship type `bar` on all graphs, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY DELETE ON GRAPH * RELATIONSHIPS bar TO regularUsers ---- 
@@ -133,85 +133,85 @@ See xref:5.0@operations-manual:ROOT:authentication-authorization/access-control/ [[access-control-privileges-writes-set-label]] == The `SET LABEL` privilege -The `SET LABEL` privilege allows you to set labels on a node using the xref::clauses/set.adoc#set-set-a-label-on-a-node[SET clause]. +The `SET LABEL` privilege allows you to set labels on a node using the xref::clauses/set.adoc#set-set-a-label-on-a-node[SET clause]: -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- GRANT SET LABEL { * | label[, ...] } ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } TO role[, ...] ---- -For example, granting the ability to set any label on nodes of the graph `neo4j` to the role `regularUsers` would be achieved using: +For example, to grant the role `regularUsers` the ability to `SET` any label on nodes of the graph `neo4j`, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT SET LABEL * ON GRAPH neo4j TO regularUsers ---- [NOTE] ==== -Unlike many of the other read and write privileges, it is not possible to restrict the `SET LABEL` privilege to specific +ELEMENTS+, +NODES+, or +RELATIONSHIPS+. +Unlike many of the other `READ` and `WRITE` privileges, it is not possible to restrict the `SET LABEL` privilege to specific +ELEMENTS+, +NODES+ or +RELATIONSHIPS+. ==== -The `SET LABEL` privilege can also be denied. +The `SET LABEL` privilege can also be denied: -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- DENY SET LABEL { * | label[, ...] } ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } TO role[, ...] 
---- -For example, denying the ability to set the label `foo` on nodes of all graphs to the role `regularUsers` would be achieved using: +For example, to deny the role `regularUsers` the ability to `SET` the label `foo` on nodes of all graphs, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY SET LABEL foo ON GRAPH * TO regularUsers ---- [NOTE] ==== -If no instances of this label exist in the database, then the xref::access-control/database-administration.adoc#access-control-database-administration-tokens[CREATE NEW LABEL] privilege is also required. +If no instances of this label exist on the database, then the xref::access-control/database-administration.adoc#access-control-database-administration-tokens[CREATE NEW LABEL] privilege is also required. ==== [[access-control-privileges-writes-remove-label]] == The `REMOVE LABEL` privilege -The `REMOVE LABEL` privilege allows you to remove labels from a node using the xref::clauses/remove.adoc#remove-remove-a-label-from-a-node[REMOVE clause]. +The `REMOVE LABEL` privilege allows you to remove labels from a node by using the xref::clauses/remove.adoc#remove-remove-a-label-from-a-node[REMOVE clause]: -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- GRANT REMOVE LABEL { * | label[, ...] } ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } TO role[, ...] ---- -For example, granting the ability to remove any label from nodes of the graph `neo4j` to the role `regularUsers` would be achieved using: +For example, to grant the role `regularUsers` the ability to `REMOVE` any label from nodes of the graph `neo4j`, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT REMOVE LABEL * ON GRAPH neo4j TO regularUsers ---- [NOTE] ==== -Unlike many of the other read and write privileges, it is not possible to restrict the `REMOVE LABEL` privilege to specific +ELEMENTS+, +NODES+, or +RELATIONSHIPS+. 
+Unlike many of the other `READ` and `WRITE` privileges, it is not possible to restrict the `REMOVE LABEL` privilege to specific +ELEMENTS+, +NODES+ or +RELATIONSHIPS+. ==== -The `REMOVE LABEL` privilege can also be denied. +The `REMOVE LABEL` privilege can also be denied: -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- DENY REMOVE LABEL { * | label[, ...] } ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } TO role[, ...] ---- -For example, denying the ability to remove the label `foo` from nodes of all graphs to the role `regularUsers` would be achieved using: +For example, denying the role `regularUsers` the ability to remove the label `foo` from nodes of all graphs, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY REMOVE LABEL foo ON GRAPH * TO regularUsers ---- @@ -220,9 +220,9 @@ DENY REMOVE LABEL foo ON GRAPH * TO regularUsers [[access-control-privileges-writes-set-property]] == The `SET PROPERTY` privilege -The `SET PROPERTY` privilege allows a user to set a property on a node or relationship element in a graph using the xref::clauses/set.adoc#set-set-a-property[SET clause]. +The `SET PROPERTY` privilege allows a user to set a property on a node or relationship element in a graph by using the xref::clauses/set.adoc#set-set-a-property[SET clause]: -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- GRANT SET PROPERTY "{" { * | property[, ...] } "}" ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } 
@@ -234,16 +234,16 @@ GRANT SET PROPERTY "{" { * | property[, ...] } "}" TO role[, ...] ---- -For example, granting the ability to set any property on all elements of the graph `neo4j` to the role `regularUsers` would be achieved using: +For example, to grant the role `regularUsers` the ability to `SET` any property on all elements of the graph `neo4j`, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT SET PROPERTY {*} ON HOME GRAPH ELEMENTS * TO regularUsers ---- -The `SET PROPERTY` privilege can also be denied. +The `SET PROPERTY` privilege can also be denied: -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- DENY SET PROPERTY "{" { * | property[, ...] } "}" ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } @@ -255,16 +255,16 @@ DENY SET PROPERTY "{" { * | property[, ...] } "}" TO role[, ...] ---- -For example, denying the ability to set the property `foo` on nodes with the label `bar` on all graphs to the role `regularUsers` would be achieved using: +For example, to deny the role `regularUsers` the ability to `SET` the property `foo` on nodes with the label `bar` on all graphs, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY SET PROPERTY { foo } ON GRAPH * NODES bar TO regularUsers ---- [NOTE] ==== -If the users attempts to set a property with a property name that does not already exist in the database the user must also possess the xref::access-control/database-administration.adoc#access-control-database-administration-tokens[CREATE NEW PROPERTY NAME] privilege. +If the user attempts to set a property with a property name that does not already exist on the database, the user must also possess the xref::access-control/database-administration.adoc#access-control-database-administration-tokens[CREATE NEW PROPERTY NAME] privilege. ==== 
@@ -272,9 +272,9 @@ If the users attempts to set a property with a property name that does not alrea == The `MERGE` privilege The `MERGE` privilege is a compound privilege that combines `TRAVERSE` and `READ` (i.e. `MATCH`) with `CREATE` and `SET PROPERTY`. -This is intended to permit use of xref::clauses/merge.adoc[the MERGE command] but is applicable to all reads and writes that require these privileges. +This is intended to enable the use of xref::clauses/merge.adoc[the MERGE command], but it is also applicable to all reads and writes that require these privileges. -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- GRANT MERGE "{" { * | property[, ...] } "}" ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } 
@@ -286,19 +286,19 @@ GRANT MERGE "{" { * | property[, ...] } "}" TO role[, ...] ---- -For example, granting `MERGE` on all elements of the graph `neo4j` to the role `regularUsers` would be achieved using: +For example, to grant the role `regularUsers` the ability to `MERGE` on all elements of the graph `neo4j`, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT MERGE {*} ON GRAPH neo4j ELEMENTS * TO regularUsers ---- It is not possible to deny the `MERGE` privilege. -If it is desirable to prevent a users from creating elements and setting properties, use xref::access-control/privileges-writes.adoc#access-control-privileges-writes-create[DENY CREATE] or xref::access-control/privileges-writes.adoc#access-control-privileges-writes-set-property[DENY SET PROPERTY]. +If you wish to prevent a user from creating elements and setting properties: use xref::access-control/privileges-writes.adoc#access-control-privileges-writes-create[DENY CREATE] or xref::access-control/privileges-writes.adoc#access-control-privileges-writes-set-property[DENY SET PROPERTY]. [NOTE] ==== -If the users attempts to create nodes with a label that does not already exist in the database the user must also possess the +If the user attempts to create nodes with a label that does not already exist on the database, the user must also possess the xref::access-control/database-administration.adoc#access-control-database-administration-tokens[CREATE NEW LABEL] privilege. The same applies to new relationships and properties - the xref::access-control/database-administration.adoc#access-control-database-administration-tokens[CREATE NEW RELATIONSHIP TYPE] or 
@@ -309,40 +309,40 @@ xref::access-control/database-administration.adoc#access-control-database-admini [[access-control-privileges-writes-write]] == The `WRITE` privilege -The `WRITE` privilege allows the user to execute any write command on a graph. +The `WRITE` privilege allows the user to execute any `WRITE` command on a graph. -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- GRANT WRITE ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } TO role[, ...] ---- -For example, granting the ability to write on the graph `neo4j` to the role `regularUsers` would be achieved using: +For example, to grant the role `regularUsers` the ability to `WRITE` on the graph `neo4j`, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT WRITE ON GRAPH neo4j TO regularUsers ---- [NOTE] ==== -Unlike the more specific write commands, it is not possible to restrict `WRITE` privileges to specific +ELEMENTS+, +NODES+, or +RELATIONSHIPS+. -If it is desirable to prevent a user from writing to a subset of database objects, a `GRANT WRITE` can be combined with more specific `DENY` commands to target these elements. +Unlike the more specific `WRITE` commands, it is not possible to restrict `WRITE` privileges to specific +ELEMENTS+, +NODES+ or +RELATIONSHIPS+. +If you wish to prevent a user from writing to a subset of database objects, a `GRANT WRITE` can be combined with more specific `DENY` commands to target these elements. ==== -The `WRITE` privilege can also be denied. +The `WRITE` privilege can also be denied: -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- DENY WRITE ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } TO role[, ...] 
---- -For example, denying the ability to write on the graph `neo4j` to the role `regularUsers` would be achieved using: +For example, to deny the role `regularUsers` the ability to `WRITE` on the graph `neo4j`, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY WRITE ON GRAPH neo4j TO regularUsers ---- 
@@ -357,41 +357,40 @@ See xref:5.0@operations-manual:ROOT:authentication-authorization/access-control/ [[access-control-privileges-writes-all]] == The `ALL GRAPH PRIVILEGES` privilege -The `ALL GRAPH PRIVILEGES` privilege allows the user to execute any command on a graph. +The `ALL GRAPH PRIVILEGES` privilege allows the user to execute any command on a graph: -[source, syntax, role="noheader", indent=0] +source, syntax, role="noheader"] ---- GRANT ALL [ [ GRAPH ] PRIVILEGES ] ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } TO role[, ...] ---- -For example, granting all graph privileges on the graph `neo4j` to the role `regularUsers` would be achieved using: +For example, to grant the role `regularUsers` `ALL GRAPH PRIVILEGES` on the graph `neo4j`, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT ALL GRAPH PRIVILEGES ON GRAPH neo4j TO regularUsers ---- [NOTE] ==== -Unlike the more specific read and write commands, it is not possible to restrict `ALL GRAPH PRIVILEGES` privileges to specific +ELEMENTS+, +NODES+, or +RELATIONSHIPS+. -If it is desirable to prevent a user from reading or writing to a subset of database objects, a `GRANT ALL GRAPH PRIVILEGES` can be combined with more specific `DENY` commands to target these elements. +Unlike the more specific `READ` and `WRITE` commands, it is not possible to restrict `ALL GRAPH PRIVILEGES` to specific +ELEMENTS, +NODES+ or +RELATIONSHIPS+. +If you wish to prevent a user from reading or writing to a subset of database objects, a `GRANT ALL GRAPH PRIVILEGES` can be combined with more specific `DENY` commands to target these elements. ==== -The `ALL GRAPH PRIVILEGES` privilege can also be denied. +The `ALL GRAPH PRIVILEGES` privilege can also be denied: -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- DENY ALL [ [ GRAPH ] PRIVILEGES ] ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } } TO role[, ...] 
---- -For example, denying all graph privileges on the graph `neo4j` to the role `regularUsers` would be achieved using: +For example, to deny the role `regularUsers` all graph privileges on the graph `neo4j`, use: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY ALL GRAPH PRIVILEGES ON GRAPH neo4j TO regularUsers ---- -
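Review bot: In hunk @@ -19,18 +19,18 @@ the rewritten `MERGE` bullet, "allows `MATCH`, `CREATE` and `SET PROPERTY` to apply the `MERGE` command", reads as if those three privileges themselves apply `MERGE`; the original "to permit the `MERGE` command" said what was meant. Suggest "allows `MATCH`, `CREATE` and `SET PROPERTY`, which together permit the `MERGE` command". In the same hunk, putting "read" and "write" in backticks in the `WRITE` and `ALL GRAPH PRIVILEGES` bullets ("all `WRITE` operations", "all `READ` and `WRITE` operations") makes generic read and write operations look like Cypher keywords; keep them as plain words and reserve the keyword form for the privilege names.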
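Review bot: In hunk @@ -63,27 +63,27 @@ the change from "does not already exist in the database" to "does not already exist on the database" (and "delete node and relationship elements on a graph") replaces the natural preposition with a less idiomatic one; labels, relationship types and property names exist in a database, and the same "in" to "on" substitution recurs in the `SET LABEL`, `SET PROPERTY` and `MERGE` hunks. Suggest keeping "in the database" throughout; "on a graph" is fine for the privilege target since that mirrors the `ON GRAPH` syntax.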
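Review bot: In hunk @@ -133,85 +133,85 @@ the `REMOVE LABEL` deny example lead-in, "For example, denying the role `regularUsers` the ability to remove the label `foo` from nodes of all graphs, use:", is ungrammatical (a participle clause with no subject followed by an imperative) and is the only lead-in in this patch not converted to the "to deny the role ... , use:" form used everywhere else. Suggest "For example, to deny the role `regularUsers` the ability to `REMOVE` the label `foo` from nodes of all graphs, use:".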
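Review bot: In hunk @@ -220,9 +220,9 @@ the rewritten `SET PROPERTY` sentence keeps "on a node or relationship element in a graph" while the `CREATE` and `DELETE` hunks in this same patch change the equivalent phrase to "on a graph"; pick one wording for all four privilege introductions so the sections read consistently.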
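Review bot: In hunk @@ -234,16 +234,16 @@ the rewritten lead-in says "on all elements of the graph `neo4j`" but the unchanged example beneath it grants `ON HOME GRAPH`, not `ON GRAPH neo4j`: `GRANT SET PROPERTY {*} ON HOME GRAPH ELEMENTS * TO regularUsers`. The mismatch predates this patch, but since the sentence is being rewritten anyway, align them, either by changing the prose to "on all elements of the home graph" or the example to `ON GRAPH neo4j`. For a privilege that grants writes to every property of every element, a reader copying the example should be told exactly which graph it applies to.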
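Review bot: In hunk @@ -286,19 +286,19 @@ the colon in "If you wish to prevent a user from creating elements and setting properties: use xref::...[DENY CREATE] or ..." should be a comma, since what follows is the main clause of the conditional, not a list. The lead-in "the ability to `MERGE` on all elements of the graph `neo4j`" is also awkward because `MERGE` here is the privilege, not a verb; suggest "to grant the role `regularUsers` the `MERGE` privilege on all elements of the graph `neo4j`, use:".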
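Review bot: In hunk @@ -309,40 +309,40 @@ the rewrites "execute any `WRITE` command on a graph" and "Unlike the more specific `WRITE` commands" introduce a `WRITE` keyword that does not exist as a Cypher command; the commands the privilege covers are `CREATE`, `DELETE`, `SET` and `REMOVE`, and the "more specific write commands" in the note are those privileges. Keep lowercase "write" in both sentences so the backticked `WRITE` refers only to the privilege itself. The adjacent "If you wish to prevent a user from writing to a subset of database objects, a `GRANT WRITE` can be combined with more specific `DENY` commands" is worth keeping as is: it is the one place the page tells an administrator how to scope a broad grant down.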
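Review bot: In hunk @@ -357,41 +357,40 @@ the line `+source, syntax, role="noheader"]` has lost its opening `[`, so it is no longer an AsciiDoc block attribute list; the `GRANT ALL [ [ GRAPH ] PRIVILEGES ] ...` listing beneath it would render without its `source`/`syntax` roles and the stray text would appear in the page. Restore `[source, syntax, role="noheader"]`. In the same hunk's note, `+ELEMENTS, +NODES+ or +RELATIONSHIPS+` is missing the closing `+` on the first passthrough; it should read `+ELEMENTS+, +NODES+ or +RELATIONSHIPS+` so all three render the same way.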