From 2c16be568223b4200b8167cf1cac755648d02e48 Mon Sep 17 00:00:00 2001 From: lidiazuin Date: Tue, 26 Jul 2022 13:00:00 +0200 Subject: [PATCH 1/3] merging editorial review and matching current formatting --- .../access-control/dbms-administration.adoc | 868 +++++++++--------- 1 file changed, 416 insertions(+), 452 deletions(-) diff --git a/modules/ROOT/pages/access-control/dbms-administration.adoc b/modules/ROOT/pages/access-control/dbms-administration.adoc index 52f56b09d..72cd5a5f0 100644 --- a/modules/ROOT/pages/access-control/dbms-administration.adoc +++ b/modules/ROOT/pages/access-control/dbms-administration.adoc @@ -27,8 +27,8 @@ These include: * Manage sub-graph privileges. * Manage procedure security. -The easiest way to enable a user to perform these tasks is to grant them the `admin` role. -All of these privileges are also assignable using Cypher commands. +To enable a user to perform these tasks, you can grant them the `admin` role, but it is also possible to make a custom role with a subset of these privileges. +All privileges are also assignable using Cypher commands. For more details, see the following sections: * xref::access-control/dbms-administration.adoc#access-control-dbms-administration-role-management[Role management] 
@@ -40,46 +40,41 @@ For more details, see the following sections: * xref::access-control/database-administration.adoc#access-control-database-administration-transaction[Transaction management] * xref::access-control/dbms-administration.adoc#access-control-dbms-administration-execute[Procedure and user defined function security] -It is possible to make a custom role with a subset of these privileges. - - [[access-control-dbms-administration-custom]] == Using a custom role to manage DBMS privileges -If it is desired to have an administrator with a subset of privileges that includes all DBMS privileges, but not all database privileges, this can be achieved in multiple ways. -One way is to copy the `admin` role and revoking or denying the unwanted privileges. +In order to have an administrator role with a subset of privileges that includes all DBMS privileges, but not all database privileges, you can copy the `admin` role and revoke or deny the unwanted privileges. A second option is to build a custom administrator from scratch by granting the wanted privileges instead. -As an example, let's create an administrator that can only manage users and roles by using the latter option. +As an example, an administrator role can be created to only manage users and roles by using the second option: -. First we create the new role: +. First, create the new role: + -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- CREATE ROLE usermanager ---- -. Then we grant the privilege to manage users: +. Then grant the privilege to manage users: + -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT USER MANAGEMENT ON DBMS TO usermanager ---- . 
And to manage roles: + -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT ROLE MANAGEMENT ON DBMS TO usermanager ---- -The resulting role has privileges that only allow user and role management: +The resulting role has privileges that only allow user and role management. +To list all privileges for the role `usermanager` as commands, run this query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE usermanager PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `usermanager`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -89,45 +84,46 @@ Lists all privileges for role `usermanager`: a|Rows: 2 |=== -However, this role doesn't allow all DBMS capabilities. -For example, the role is missing privilege management, creating and dropping databases as well as executing admin procedures. -We can make a more powerful administrator by granting a different set of privileges. -Let's create an administrator that can perform almost all DBMS capabilities, excluding database management, but also with some limited database capabilities, such as managing transactions: +Note that this role doesn't allow all DBMS capabilities. +For example, the role is missing privileges for management, creation and drop of databases as well as execution of `admin` procedures. +To create a more powerful administrator, you can grant a different set of privileges. -. Again, we start by creating a new role: +In the following example, a new administrator role is created to perform almost all DBMS capabilities, excluding database management. +However, the role still has some limited database capabilities, such as managing transactions: + +. Again, start by creating a new role: + -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- CREATE ROLE customAdministrator ---- -. Then we grant the privilege for all DBMS capabilities: +. Then grant the privilege for all DBMS capabilities: + -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT ALL DBMS PRIVILEGES ON DBMS TO customAdministrator ---- . And explicitly deny the privilege to manage databases and aliases: + -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY DATABASE MANAGEMENT ON DBMS TO customAdministrator ---- -. Thereafter we grant the transaction management privilege: +. 
Next, grant the transaction management privilege: + -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO customAdministrator ---- -The resulting role has privileges that allow all DBMS privileges except creating, dropping, and modifying databases and aliases, as well as managing transactions: +The resulting role has privileges that include all DBMS privileges except creating, dropping, and modifying databases and aliases, as well as managing transactions. +Use the following query to list all privileges for the role `customAdministrator` as commands: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE customAdministrator PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `customAdministrator`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -150,67 +146,66 @@ They can be granted, denied and revoked like other privileges. |=== | Command | Description -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT CREATE ROLE ON DBMS TO role[, ...] -| Enable the specified roles to create new roles. +| Enables the specified roles to create new roles. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT RENAME ROLE ON DBMS TO role[, ...] -| Enable the specified roles to change the name of roles. +| Enables the specified roles to change the name of roles. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT DROP ROLE ON DBMS TO role[, ...] -| Enable the specified roles to delete roles. +| Enables the specified roles to delete roles. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT ASSIGN ROLE ON DBMS TO role[, ...] -| Enable the specified roles to assign roles to users. +| Enables the specified roles to assign roles to users. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT REMOVE ROLE ON DBMS TO role[, ...] -| Enable the specified roles to remove roles from users. +| Enables the specified roles to remove roles from users. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT SHOW ROLE ON DBMS TO role[, ...] -| Enable the specified roles to list roles. +| Enables the specified roles to list roles. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT ROLE MANAGEMENT ON DBMS TO role[, ...] -| Enable the specified roles to create, delete, assign, remove, and list roles. +| Enables the specified roles to create, delete, assign, remove, and list roles. |=== The ability to add roles can be granted via the `CREATE ROLE` privilege. 
-The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT CREATE ROLE ON DBMS TO roleAdder ---- -The resulting role has privileges that only allow adding roles: +The resulting role has privileges that only allow adding roles. +List all privileges for the role `roleAdder` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE roleAdder PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `roleAdder`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -220,22 +215,21 @@ a|Rows: 1 |=== The ability to rename roles can be granted via the `RENAME ROLE` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT RENAME ROLE ON DBMS TO roleNameModifier ---- -The resulting role has privileges that only allow renaming roles: +The resulting role has privileges that only allow renaming roles. +List all privileges for the role `roleNameModifier` using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE roleNameModifier PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `roleNameModifier`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -245,22 +239,21 @@ a|Rows: 1 |=== The ability to delete roles can be granted via the `DROP ROLE` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT DROP ROLE ON DBMS TO roleDropper ---- -The resulting role has privileges that only allow deleting roles: +The resulting role has privileges that only allow deleting roles. +List all privileges for the role `roleDropper` by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE roleDropper PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `roleDropper`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -270,22 +263,21 @@ a|Rows: 1 |=== The ability to assign roles to users can be granted via the `ASSIGN ROLE` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT ASSIGN ROLE ON DBMS TO roleAssigner ---- -The resulting role has privileges that only allow assigning/granting roles: +The resulting role has privileges that only allow assigning/granting roles. +List all privileges for the role `roleAssigner` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE roleAssigner PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `roleAssigner`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -295,22 +287,21 @@ a|Rows: 1 |=== The ability to remove roles from users can be granted via the `REMOVE ROLE` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT REMOVE ROLE ON DBMS TO roleRemover ---- -The resulting role has privileges that only allow removing/revoking roles: +The resulting role has privileges that only allow removing/revoking roles. +List all privileges for the role `roleRemover` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE roleRemover PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `roleRemover`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -321,23 +312,23 @@ a|Rows: 1 The ability to show roles can be granted via the `SHOW ROLE` privilege. A user with this privilege is allowed to execute the `SHOW ROLES` and `SHOW POPULATED ROLES` administration commands. -For the `SHOW ROLES WITH USERS` and `SHOW POPULATED ROLES WITH USERS` administration commands, both this privilege and the `SHOW USER` privilege are required. -The following query shows an example of how to grant the `SHOW ROLE` privilege: -[source, cypher, role=noplay, indent=0] +In order to use `SHOW ROLES WITH USERS` and `SHOW POPULATED ROLES WITH USERS` administration commands, both this and the `SHOW USER` privileges are required. +See an example of how to grant the `SHOW ROLE` privilege: + +[source, cypher, role=noplay] ---- GRANT SHOW ROLE ON DBMS TO roleShower ---- -The resulting role has privileges that only allow showing roles: +The resulting role has privileges that only allow showing roles. +List all privileges for the role `roleShower` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE roleShower PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `roleShower`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -347,22 +338,21 @@ a|Rows: 1 |=== The privileges to create, rename, delete, assign, remove, and list roles can be granted via the `ROLE MANAGEMENT` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT ROLE MANAGEMENT ON DBMS TO roleManager ---- -The resulting role has all privileges to manage roles: +The resulting role has all privileges to manage roles. +List all privileges for the role `roleManager` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE roleManager PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `roleManager`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -375,7 +365,7 @@ a|Rows: 1 [[access-control-dbms-administration-user-management]] == The DBMS `USER MANAGEMENT` privileges -The DBMS privileges for user management are assignable using Cypher administrative commands. +The DBMS privileges for user management can be assigned using Cypher administrative commands. They can be granted, denied and revoked like other privileges. .User management privileges command syntax 
@@ -383,79 +373,78 @@ They can be granted, denied and revoked like other privileges. |=== | Command | Description -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT CREATE USER ON DBMS TO role[, ...] -| Enable the specified roles to create new users. +| Enables the specified roles to create new users. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT RENAME USER ON DBMS TO role[, ...] -| Enable the specified roles to change the name of users. +| Enables the specified roles to change the name of users. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT ALTER USER ON DBMS TO role[, ...] -| Enable the specified roles to modify users. +| Enables the specified roles to modify users. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT SET PASSWORD[S] ON DBMS TO role[, ...] -| Enable the specified roles to modify users' passwords and whether those passwords must be changed upon first login. +| Enables the specified roles to modify users' passwords and whether those passwords must be changed upon first login. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT SET USER HOME DATABASE ON DBMS TO role[, ...] -| Enable the specified roles to modify users' home database. +| Enables the specified roles to modify users' home database. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT SET USER STATUS ON DBMS TO role[, ...] -| Enable the specified roles to modify the account status of users. +| Enables the specified roles to modify the account status of users. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT DROP USER ON DBMS TO role[, ...] -| Enable the specified roles to delete users. +| Enables the specified roles to delete users. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT SHOW USER ON DBMS TO role[, ...] 
-| Enable the specified roles to list users. +| Enables the specified roles to list users. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT USER MANAGEMENT ON DBMS TO role[, ...] -| Enable the specified roles to create, delete, modify, and list users. +| Enables the specified roles to create, delete, modify, and list users. |=== The ability to add users can be granted via the `CREATE USER` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT CREATE USER ON DBMS TO userAdder ---- -The resulting role has privileges that only allow adding users: +The resulting role has privileges that only allow adding users. +List all privileges for the role `userAdder` as commands by using this query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE userAdder PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `userAdder`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -467,14 +456,14 @@ a|Rows: 1 The ability to rename users can be granted via the `RENAME USER` privilege. The following query shows an example of this: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT RENAME USER ON DBMS TO userNameModifier ---- The resulting role has privileges that only allow renaming users: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE userNameModifier PRIVILEGES AS COMMANDS ---- 
@@ -490,22 +479,21 @@ a|Rows: 1 |=== The ability to modify users can be granted via the `ALTER USER` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT ALTER USER ON DBMS TO userModifier ---- -The resulting role has privileges that only allow modifying users: +The resulting role has privileges that only allow modifying users. +List all privileges for the role `userModifier` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE userModifier PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `userModifier`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -514,30 +502,29 @@ Lists all privileges for role `userModifier`: a|Rows: 1 |=== -A user that is granted `ALTER USER` is allowed to run the `ALTER USER` administration command with one or several of the `SET PASSWORD`, `SET PASSWORD CHANGE [NOT] REQUIRED` and `SET STATUS` parts: +A user that is granted the `ALTER USER` privilege is allowed to run the `ALTER USER` administration command with one or several of the `SET PASSWORD`, `SET PASSWORD CHANGE [NOT] REQUIRED` and `SET STATUS` parts: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- ALTER USER jake SET PASSWORD 'secret' SET STATUS SUSPENDED ---- The ability to modify users' passwords and whether those passwords must be changed upon first login can be granted via the `SET PASSWORDS` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT SET PASSWORDS ON DBMS TO passwordModifier ---- -The resulting role has privileges that only allow modifying users' passwords and whether those passwords must be changed upon first login: +The resulting role has privileges that only allow modifying users' passwords and whether those passwords must be changed upon first login. +List all privileges for the role `passwordModifier` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE passwordModifier PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `passwordModifier`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -546,30 +533,29 @@ Lists all privileges for role `passwordModifier`: a|Rows: 1 |=== -A user that is granted `SET PASSWORDS` is allowed to run the `ALTER USER` administration command with one or both of the `SET PASSWORD` and `SET PASSWORD CHANGE [NOT] REQUIRED` parts: +A user that is granted the `SET PASSWORDS` privilege is allowed to run the `ALTER USER` administration command with one or both of the `SET PASSWORD` and `SET PASSWORD CHANGE [NOT] REQUIRED` parts: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- ALTER USER jake SET PASSWORD 'abc123' CHANGE NOT REQUIRED ---- The ability to modify the account status of users can be granted via the `SET USER STATUS` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT SET USER STATUS ON DBMS TO statusModifier ---- -The resulting role has privileges that only allow modifying the account status of users: +The resulting role has privileges that only allow modifying the account status of users. +List all privileges for the role `statusModifier` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE statusModifier PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `statusModifier`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -578,30 +564,29 @@ Lists all privileges for role `statusModifier`: a|Rows: 1 |=== -A user that is granted `SET USER STATUS` is allowed to run the `ALTER USER` administration command with only the `SET STATUS` part: +A user that is granted the `SET USER STATUS` privilege is allowed to run the `ALTER USER` administration command with only the `SET STATUS` part: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- ALTER USER jake SET STATUS ACTIVE ---- -The ability to modify the home database of users can be granted via the `SET USER HOME DATABASE` privilege. -The following query shows an example of this: +In order to be able to modify the home database of users, grant the `SET USER HOME DATABASE` privilege. +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT SET USER HOME DATABASE ON DBMS TO statusModifier ---- -The resulting role has privileges that only allow modifying the home database of users: +The resulting role has privileges that only allow modifying the home database of users. +List all privileges for the role `statusModifier` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE statusModifier PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `statusModifier`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -611,14 +596,14 @@ Lists all privileges for role `statusModifier`: a|Rows: 2 |=== -A user that is granted `SET USER HOME DATABASE` is allowed to run the `ALTER USER` administration command with only the `SET HOME DATABASE` or `REMOVE HOME DATABASE` part: +A user that is granted the `SET USER HOME DATABASE` privilege is allowed to run the `ALTER USER` administration command with only the `SET HOME DATABASE` or `REMOVE HOME DATABASE` part: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- ALTER USER jake SET HOME DATABASE otherDb ---- -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- ALTER USER jake REMOVE HOME DATABASE ---- @@ -629,22 +614,21 @@ Note that the combination of the `SET PASSWORDS`, `SET USER STATUS`, and the `SE ==== The ability to delete users can be granted via the `DROP USER` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT DROP USER ON DBMS TO userDropper ---- -The resulting role has privileges that only allow deleting users: +The resulting role has privileges that only allow deleting users. +List all privileges for the role `userDropper` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE userDropper PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `userDropper`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -654,22 +638,21 @@ a|Rows: 1 |=== The ability to show users can be granted via the `SHOW USER` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT SHOW USER ON DBMS TO userShower ---- -The resulting role has privileges that only allow showing users: +The resulting role has privileges that only allow showing users. +List all privileges for the role `userShower` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE userShower PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `userShower`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -679,27 +662,36 @@ a|Rows: 1 |=== The privileges to create, rename, modify, delete, and list users can be granted via the `USER MANAGEMENT` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT USER MANAGEMENT ON DBMS TO userManager ---- -The resulting role has all privileges to manage users: +The resulting role has all privileges to manage users. +List all privileges for the role `userManager` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE userManager PRIVILEGES AS COMMANDS ---- +.Result +[options="header,footer", width="100%", cols="m"] +|=== +|command +|"GRANT SHOW USER ON DBMS TO `userManager`" +a|Rows: 1 +|=== [[access-control-dbms-administration-impersonation]] == The DBMS `IMPERSONATE` privileges -The DBMS privileges for impersonation are assignable using Cypher administrative commands. +The DBMS privileges for impersonation can be assigned through Cypher administrative commands. They can be granted, denied, and revoked like other privileges. -Impersonation is the capability of a user to assume another user's roles (and therefore privileges), with the restriction of not being able to execute updating admin commands as the impersonated user (i.e. they would still be able to use `SHOW` commands). + +Impersonation is the ability of a user to assume another user's roles (and therefore privileges), with the restriction of not being able to execute updating `admin` commands as the impersonated user (i.e. they would still be able to use `SHOW` commands). The ability to impersonate users can be granted via the `IMPERSONATE` privilege. 
@@ -708,24 +700,25 @@ The ability to impersonate users can be granted via the `IMPERSONATE` privilege. |=== | Command | Description -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT IMPERSONATE [(*)] ON DBMS TO role[, ...] -| Enable the specified roles to impersonate any user. +| Enables the specified roles to impersonate any user. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT IMPERSONATE (user[, ...]) ON DBMS TO role[, ...] -| Enable the specified roles to impersonate the specified users. +| Enables the specified roles to impersonate the specified users. |=== -The following query shows an example of this (where `userImpersonator` must be an existing role): +The following query shows an example of this. +Note that `userImpersonator` must be an existing role in order to make this query work: .Query -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT IMPERSONATE (*) ON DBMS TO userImpersonator ---- @@ -733,7 +726,7 @@ GRANT IMPERSONATE (*) ON DBMS TO userImpersonator The resulting role has privileges that allow impersonating all users: .Query -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE userImpersonator PRIVILEGES AS COMMANDS ---- 
@@ -747,18 +740,18 @@ a|Rows: 1 |=== It is also possible to deny and revoke that privilege. -The following example shows how the `userImpersonator` user would be able to impersonate all users, except for `alice`: +See an example which shows of how the `userImpersonator` user would be able to impersonate all users, except `alice`: .Query -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY IMPERSONATE (alice) ON DBMS TO userImpersonator ---- -To grant (or revoke) the permissions to impersonate a specific user or a subset of users, you can do so by listing them in the command: +To grant (or revoke) the permissions to impersonate a specific user or a subset of users, you can first list them with this query: .Query -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT IMPERSONATE (alice, bob) ON DBMS TO userImpersonator ---- 
@@ -767,63 +760,62 @@ GRANT IMPERSONATE (alice, bob) ON DBMS TO userImpersonator [[access-control-dbms-administration-database-management]] == The DBMS `DATABASE MANAGEMENT` privileges -The DBMS privileges for database management are assignable using Cypher administrative commands. They can be granted, denied and revoked like other privileges. +The DBMS privileges for database management can be assigned by using Cypher administrative commands. They can be granted, denied and revoked like other privileges. .Database management privileges command syntax [options="header", width="100%", cols="3a,2"] |=== | Command | Description -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT CREATE DATABASE ON DBMS TO role[, ...] -| Enable the specified roles to create new databases and aliases. +| Enables the specified roles to create new databases and aliases. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT DROP DATABASE ON DBMS TO role[, ...] -| Enable the specified roles to delete databases and aliases. +| Enables the specified roles to delete databases and aliases. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT ALTER DATABASE ON DBMS TO role[, ...] -| Enable the specified roles to modify databases and aliases. +| Enables the specified roles to modify databases and aliases. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT SET DATABASE ACCESS ON DBMS TO role[, ...] -| Enable the specified roles to modify access of databases. +| Enables the specified roles to modify access of databases. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT DATABASE MANAGEMENT ON DBMS TO role[, ...] -| Enable the specified roles to create, delete, and modify databases and aliases. +| Enables the specified roles to create, delete, and modify databases and aliases. 
|=== The ability to create databases and aliases can be granted via the `CREATE DATABASE` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT CREATE DATABASE ON DBMS TO databaseAdder ---- -The resulting role has privileges that only allow creating databases and aliases: +The resulting role has privileges that only allow creating databases and aliases. +List all privileges for the role `databaseAdder` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE databaseAdder PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `databaseAdder`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -833,22 +825,21 @@ a|Rows: 1 |=== The ability to delete databases and aliases can be granted via the `DROP DATABASE` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT DROP DATABASE ON DBMS TO databaseDropper ---- -The resulting role has privileges that only allow deleting databases and aliases: +The resulting role has privileges that only allow deleting databases and aliases. +List all privileges for the role `databaseDropper` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE databaseDropper PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `databaseDropper`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -858,22 +849,21 @@ a|Rows: 1 |=== The ability to modify databases and aliases can be granted via the `ALTER DATABASE` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT ALTER DATABASE ON DBMS TO databaseModifier ---- -The resulting role has privileges that only allow modifying databases and aliases: +The resulting role has privileges that only allow modifying databases and aliases. +List all privileges for the role `databaseModifier` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE databaseModifier PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `databaseModifier`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -883,22 +873,21 @@ a|Rows: 1 |=== The ability to modify access of databases can be granted via the `SET DATABASE ACCESS` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT SET DATABASE ACCESS ON DBMS TO accessModifier ---- -The resulting role has privileges that only allow modifying access of databases: +The resulting role has privileges that only allow modifying access of databases. +List all privileges for the role `accessModifier` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE accessModifier PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `accessModifier`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -908,22 +897,21 @@ a|Rows: 1 |=== The privileges to create, delete, and modify databases and aliases can be granted via the `DATABASE MANAGEMENT` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT DATABASE MANAGEMENT ON DBMS TO databaseManager ---- -The resulting role has all privileges to manage databases and aliases: +The resulting role has all privileges to manage databases and aliases. +List all privileges for the role `databaseManager` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE databaseManager PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `databaseManager`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -935,64 +923,63 @@ a|Rows: 1 [[access-control-dbms-administration-alias-management]] == The DBMS `ALIAS MANAGEMENT` privileges -The DBMS privileges for alias management are assignable using Cypher administrative commands and apply to both local and remote aliases. +The DBMS privileges for alias management can be assigned by using Cypher administrative commands and can be applied to both local and remote aliases. They can be granted, denied and revoked like other privileges. -It is also possible to manage aliases with the xref::access-control/dbms-administration.adoc#access-control-dbms-administration-database-management[database management commands]. +It is also possible to manage aliases with xref::access-control/dbms-administration.adoc#access-control-dbms-administration-database-management[database management commands]. .Alias management privileges command syntax [options="header", width="100%", cols="3a,2"] |=== | Command | Description -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT CREATE ALIAS ON DBMS TO role[, ...] -| Enable the specified roles to create new aliases. +| Enables the specified roles to create new aliases. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT DROP ALIAS ON DBMS TO role[, ...] -| Enable the specified roles to delete aliases. +| Enables the specified roles to delete aliases. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT ALTER ALIAS ON DBMS TO role[, ...] -| Enable the specified roles to modify aliases. +| Enables the specified roles to modify aliases. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT SHOW ALIAS ON DBMS TO role[, ...] -| Enable the specified roles to list aliases. +| Enables the specified roles to list aliases. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT ALIAS MANAGEMENT ON DBMS TO role[, ...] 
-| Enable the specified roles to list, create, delete, and modify aliases. +| Enables the specified roles to list, create, delete, and modify aliases. |=== The ability to create aliases can be granted via the `CREATE ALIAS` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT CREATE ALIAS ON DBMS TO aliasAdder ---- -The resulting role has privileges that only allow creating aliases: +The resulting role has privileges that only allow creating aliases. +List all privileges for the role `aliasAdder` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE aliasAdder PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `aliasAdder`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -1002,22 +989,21 @@ a|Rows: 1 |=== The ability to delete aliases can be granted via the `DROP ALIAS` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT DROP ALIAS ON DBMS TO aliasDropper ---- -The resulting role has privileges that only allow deleting aliases: +The resulting role has privileges that only allow deleting aliases. +See all privileges for the role `aliasDropper` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE aliasDropper PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `aliasDropper`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -1027,22 +1013,21 @@ a|Rows: 1 |=== The ability to modify aliases can be granted via the `ALTER ALIAS` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT ALTER ALIAS ON DBMS TO aliasModifier ---- -The resulting role has privileges that only allow modifying aliases: +The resulting role has privileges that only allow modifying aliases. +List all privileges for the role `aliasModifier` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE aliasModifier PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `aliasModifier`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -1052,22 +1037,21 @@ a|Rows: 1 |=== The ability to list aliases can be granted via the `SHOW ALIAS` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT SHOW ALIAS ON DBMS TO aliasLister ---- -The resulting role has privileges that only allow modifying aliases: +The resulting role has privileges that only allow modifying aliases. +List all privileges for the role `aliasLister` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE aliasLister PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `aliasLister`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -1077,22 +1061,21 @@ a|Rows: 1 |=== The privileges to list, create, delete, and modify aliases can be granted via the `ALIAS MANAGEMENT` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT ALIAS MANAGEMENT ON DBMS TO aliasManager ---- -The resulting role has all privileges to manage aliases: +The resulting role has all privileges to manage aliases. +List all privileges for the role `aliasManager` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE aliasManager PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `aliasManager`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -1104,7 +1087,7 @@ a|Rows: 1 [[access-control-dbms-administration-privilege-management]] == The DBMS `PRIVILEGE MANAGEMENT` privileges -The DBMS privileges for privilege management are assignable using Cypher administrative commands. +The DBMS privileges for privilege management can be assigned by using Cypher administrative commands. They can be granted, denied and revoked like other privileges. .Privilege management privileges command syntax 
@@ -1112,50 +1095,49 @@ They can be granted, denied and revoked like other privileges. |=== | Command | Description -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT SHOW PRIVILEGE ON DBMS TO role[, ...] -| Enable the specified roles to list privileges. +| Enables the specified roles to list privileges. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT ASSIGN PRIVILEGE ON DBMS TO role[, ...] -| Enable the specified roles to assign privileges using the `GRANT` and `DENY` commands. +| Enables the specified roles to assign privileges using the `GRANT` and `DENY` commands. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT REMOVE PRIVILEGE ON DBMS TO role[, ...] -| Enable the specified roles to remove privileges using the `REVOKE` command. +| Enables the specified roles to remove privileges using the `REVOKE` command. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT PRIVILEGE MANAGEMENT ON DBMS TO role[, ...] -| Enable the specified roles to list, assign, and remove privileges. +| Enables the specified roles to list, assign, and remove privileges. |=== The ability to list privileges can be granted via the `SHOW PRIVILEGE` privilege. A user with this privilege is allowed to execute the `SHOW PRIVILEGES` and `SHOW ROLE roleName PRIVILEGES` administration commands. -For the `SHOW USER username PRIVILEGES` administration command, both this privilege and the `SHOW USER` privilege are required. +To execute the `SHOW USER username PRIVILEGES` administration command, both this privilege and the `SHOW USER` privilege are required. 
The following query shows an example of how to grant the `SHOW PRIVILEGE` privilege: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT SHOW PRIVILEGE ON DBMS TO privilegeShower ---- -The resulting role has privileges that only allow showing privileges: +The resulting role has privileges that only allow showing privileges. +List all privileges for the role `privilegeShower` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE privilegeShower PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `privilegeShower`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -1166,30 +1148,29 @@ a|Rows: 1 [NOTE] ==== -Note that no specific privileges are required for showing the current user's privileges using either `SHOW USER _username_ PRIVILEGES`, or `SHOW USER PRIVILEGES`. +Note that no specific privileges are required for showing the current user's privileges through the `SHOW USER _username_ PRIVILEGES` or `SHOW USER PRIVILEGES` commands. -Please note that if a non-native auth provider like LDAP is in use, `SHOW USER PRIVILEGES` will only work in a limited capacity; It is only possible for a user to show their own privileges. +In addition, note that if a non-native auth provider like LDAP is in use, `SHOW USER PRIVILEGES` will only work with a limited capacity by making it only possible for a user to show their own privileges. Other users' privileges cannot be listed when using a non-native auth provider. ==== The ability to assign privileges to roles can be granted via the `ASSIGN PRIVILEGE` privilege. -A user with this privilege is allowed to execute GRANT and DENY administration commands. -The following query shows an example of how to grant this privilege: +A user with this privilege is allowed to execute `GRANT` and `DENY` administration commands. +See an example of how to grant this privilege: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT ASSIGN PRIVILEGE ON DBMS TO privilegeAssigner ---- -The resulting role has privileges that only allow assigning privileges: +The resulting role has privileges that only allow assigning privileges. +List all privileges for the role `privilegeAssigner` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE privilegeAssigner PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `privilegeAssigner`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -1199,23 +1180,22 @@ a|Rows: 1 |=== The ability to remove privileges from roles can be granted via the `REMOVE PRIVILEGE` privilege. -A user with this privilege is allowed to execute REVOKE administration commands. -The following query shows an example of how to grant this privilege: +A user with this privilege is allowed to execute `REVOKE` administration commands. +See an example of how to grant this privilege: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT REMOVE PRIVILEGE ON DBMS TO privilegeRemover ---- -The resulting role has privileges that only allow removing privileges: +The resulting role has privileges that only allow removing privileges. +List all privileges for the role `privilegeRemover` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE privilegeRemover PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `privilegeRemover`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -1225,22 +1205,21 @@ a|Rows: 1 |=== The privileges to list, assign, and remove privileges can be granted via the `PRIVILEGE MANAGEMENT` privilege. -The following query shows an example of this: +See an example: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT PRIVILEGE MANAGEMENT ON DBMS TO privilegeManager ---- -The resulting role has all privileges to manage privileges: +The resulting role has all privileges to manage privileges. +List all privileges for the role `privilegeManager` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE privilegeManager PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `privilegeManager`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -1253,7 +1232,7 @@ a|Rows: 1 [[access-control-dbms-administration-execute]] == The DBMS `EXECUTE` privileges -The DBMS privileges for procedure and user defined function execution are assignable using Cypher administrative commands. +The DBMS privileges for procedure and user defined function execution can be assigned by using Cypher administrative commands. They can be granted, denied and revoked like other privileges. .Execute privileges command syntax 
@@ -1262,39 +1241,39 @@ They can be granted, denied and revoked like other privileges. | Command | Description -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT EXECUTE PROCEDURE[S] name-globbing[, ...] ON DBMS TO role[, ...] -| Enable the specified roles to execute the given procedures. +| Enables the specified roles to execute the given procedures. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT EXECUTE BOOSTED PROCEDURE[S] name-globbing[, ...] ON DBMS TO role[, ...] -| Enable the specified roles to execute the given procedures with elevated privileges. +| Enables the specified roles to execute the given procedures with elevated privileges. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT EXECUTE ADMIN[ISTRATOR] PROCEDURES ON DBMS TO role[, ...] -| Enable the specified roles to execute procedures annotated with `@Admin`. The procedures are executed with elevated privileges. +| Enables the specified roles to execute procedures annotated with `@Admin`. The procedures are executed with elevated privileges. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT EXECUTE [USER [DEFINED]] FUNCTION[S] name-globbing[, ...] ON DBMS TO role[, ...] -| Enable the specified roles to execute the given user defined functions. +| Enables the specified roles to execute the given user defined functions. -| [source, cypher, role=noplay, indent=0] +| [source, cypher, role=noplay] GRANT EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] name-globbing[, ...] ON DBMS TO role[, ...] -| Enable the specified roles to execute the given user defined functions with elevated privileges. +| Enables the specified roles to execute the given user defined functions with elevated privileges. 
|=== The `EXECUTE BOOSTED` privileges replace the `dbms.security.procedures.default_allowed` and `dbms.security.procedures.roles` configuration parameters for procedures and user defined functions. -The configuration parameters are still honoured as a set of temporary privileges. +The configuration parameters are still honored as a set of temporary privileges. These cannot be revoked, but will be updated on each restart with the current configuration values. @@ -1305,22 +1284,22 @@ The ability to execute a procedure can be granted via the `EXECUTE PROCEDURE` pr A user with this privilege is allowed to execute the procedures matched by the xref::access-control/dbms-administration.adoc#access-control-name-globbing[name-globbing]. The following query shows an example of how to grant this privilege: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE PROCEDURE db.schema.* ON DBMS TO procedureExecutor ---- -Users with the role 'procedureExecutor' can then run any procedure in the `db.schema` namespace. +Users with the role `procedureExecutor` can then run any procedure in the `db.schema` namespace. The procedure is run using the user's own privileges. -The resulting role has privileges that only allow executing procedures in the `db.schema` namespace: -[source, cypher, role=noplay, indent=0] +The resulting role has privileges that only allow executing procedures in the `db.schema` namespace. +List all privileges for the role `procedureExecutor` as commands by using the following query: + +[source, cypher, role=noplay] ---- SHOW ROLE procedureExecutor PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `procedureExecutor`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -1329,28 +1308,27 @@ Lists all privileges for role `procedureExecutor`: a|Rows: 1 |=== -If we want to allow executing all but a few procedures, we can grant `+EXECUTE PROCEDURES *+` and deny the unwanted procedures. -For example, the following queries allow for executing all procedures, except those starting with `dbms.killTransaction`: +In order to allow the execution of all but only a few procedures, you can grant `EXECUTE PROCEDURES *` and deny the unwanted procedures. +For example, the following queries allow the execution of all procedures, except those starting with `dbms.killTransaction`: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE PROCEDURE * ON DBMS TO deniedProcedureExecutor ---- -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY EXECUTE PROCEDURE dbms.killTransaction* ON DBMS TO deniedProcedureExecutor ---- -The resulting role has privileges that only allow executing all procedures except those starting with `dbms.killTransaction`: +The resulting role has privileges that only allow executing all procedures except those starting with `dbms.killTransaction`. +List all privileges for the role `deniedProcedureExecutor` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE deniedProcedureExecutor PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `deniedProcedureExecutor`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -1360,7 +1338,7 @@ Lists all privileges for role `deniedProcedureExecutor`: a|Rows: 2 |=== -The `dbms.killTransaction` and `dbms.killTransactions` are blocked, as well as any other procedures starting with `dbms.killTransaction`. +Both `dbms.killTransaction` and `dbms.killTransactions` are blocked here, as well as any other procedures starting with `dbms.killTransaction`. [[access-control-execute-boosted-procedure]] 
@@ -1368,26 +1346,27 @@ The `dbms.killTransaction` and `dbms.killTransactions` are blocked, as well as a The ability to execute a procedure with elevated privileges can be granted via the `EXECUTE BOOSTED PROCEDURE` privilege. A user with this privilege is allowed to execute the procedures matched by the xref::access-control/dbms-administration.adoc#access-control-name-globbing[name-globbing] without the execution being restricted to their other privileges. + There is no need to grant an individual `EXECUTE PROCEDURE` privilege for the procedures either, as granting the `EXECUTE BOOSTED PROCEDURE` includes an implicit `EXECUTE PROCEDURE` grant for them. A denied `EXECUTE PROCEDURE` still denies executing the procedure. The following query shows an example of how to grant this privilege: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE BOOSTED PROCEDURE db.labels, db.relationshipTypes ON DBMS TO boostedProcedureExecutor ---- -Users with the role `boostedProcedureExecutor` can then run `db.labels` and `db.relationshipTypes` with full privileges, seeing everything in the graph not just the labels and types that the user has `TRAVERSE` privilege on. +Users with the role `boostedProcedureExecutor` can thus run `db.labels` and `db.relationshipTypes` with full privileges. +Now they can see everything on the graph and not just the labels and types that the user has `TRAVERSE` privilege on. -The resulting role has privileges that only allow executing procedures `db.labels` and `db.relationshipTypes`, but with elevated execution: +The resulting role has privileges that only allow executing procedures `db.labels` and `db.relationshipTypes`, but with elevated execution. 
+List all privileges for the role `boostedProcedureExecutor` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE boostedProcedureExecutor PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `boostedProcedureExecutor`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -1397,34 +1376,35 @@ Lists all privileges for role `boostedProcedureExecutor`: a|Rows: 2 |=== -Granting `EXECUTE BOOSTED PROCEDURE` on its own allows the procedure to be both executed (because of the implicit `EXECUTE PROCEDURE` grant) and given elevated privileges during the execution. -A denied `EXECUTE BOOSTED PROCEDURE` on its own behaves slightly differently, and only denies the elevation and not the execution of the procedure. -However, a role with only a granted `EXECUTE BOOSTED PROCEDURE` and a denied `EXECUTE BOOSTED PROCEDURE` will deny the execution as well. +Granting the `EXECUTE BOOSTED PROCEDURE` privilege on its own allows the procedure to be both executed (due to the implicit `EXECUTE PROCEDURE` grant) and proceed with elevated privileges. +A denied `EXECUTE BOOSTED PROCEDURE` on its own behaves slightly differently: it only denies the elevation and not the execution of the procedure. +However, a role with both a granted `EXECUTE BOOSTED PROCEDURE` and a denied `EXECUTE BOOSTED PROCEDURE` will deny the execution as well. This is explained through the following examples: .Grant `EXECUTE PROCEDURE` and deny `EXECUTE BOOSTED PROCEDURE` [example] ==== -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor1 ---- -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor1 ---- -The resulting role has privileges that allow executing all procedures using the user's own privileges, as well as blocking `db.labels` from being elevated. -The deny `EXECUTE BOOSTED PROCEDURE` does not block execution of `db.labels`. +The resulting role has privileges that allow the execution of all procedures using the user's own privileges. +It also prevents `db.labels` from being elevated. +Still, the denied `EXECUTE BOOSTED PROCEDURE` does not block execution of `db.labels`. 
-[source, cypher, role=noplay, indent=0] +To list all privileges for role `deniedBoostedProcedureExecutor1` as commands, use the following query: + +[source, cypher, role=noplay] ---- SHOW ROLE deniedBoostedProcedureExecutor1 PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `deniedBoostedProcedureExecutor1`: - .Result [options="header,footer", width="100%", cols="m"] |=== @@ -1438,25 +1418,24 @@ a|Rows: 2 .Grant `EXECUTE BOOSTED PROCEDURE` and deny `EXECUTE PROCEDURE` [example] ==== -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor2 ---- -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY EXECUTE PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor2 ---- -The resulting role has privileges that allow executing all procedures with elevated privileges except `db.labels` which is not allowed to execute at all: +The resulting role has privileges that allow executing all procedures with elevated privileges except `db.labels`, which is not allowed to be executed at all. +List all privileges for the role `deniedBoostedProcedureExecutor2` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE deniedBoostedProcedureExecutor2 PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `deniedBoostedProcedureExecutor2`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -1470,25 +1449,24 @@ a|Rows: 2 .Grant `EXECUTE BOOSTED PROCEDURE` and deny `EXECUTE BOOSTED PROCEDURE` [example] ==== -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor3 ---- -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor3 ---- -The resulting role has privileges that allow executing all procedures with elevated privileges except `db.labels` which is not allowed to execute at all: +The resulting role has privileges that allow executing all procedures with elevated privileges except `db.labels`, which is not allowed to be executed at all. +List all privileges for the role `deniedBoostedProcedureExecutor3` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE deniedBoostedProcedureExecutor3 PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `deniedBoostedProcedureExecutor3`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -1502,24 +1480,25 @@ a|Rows: 2 .Grant `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` and deny `EXECUTE BOOSTED PROCEDURE` [example] ==== -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor4 ---- -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor4 ---- -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor4 ---- -The resulting role has privileges that allow executing all procedures with elevated privileges except `db.labels` which is only allowed to execute using the user's own privileges: +The resulting role has privileges that allow executing all procedures with elevated privileges except `db.labels`, which is only allowed to execute using the user's own privileges. +List all privileges for the role `deniedBoostedProcedureExecutor4` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE deniedBoostedProcedureExecutor4 PRIVILEGES AS COMMANDS ---- 
@@ -1535,14 +1514,14 @@ a|Rows: 3 |=== ==== -.How would the privileges from Examples 1 to 4 affect the output of a procedure? +.How would the privileges from examples 1 to 4 affect the output of a procedure? [example] ==== -Let's assume there exists a procedure called `myProc`. +Assume there is a procedure called `myProc`. -This procedure gives the result `A` and `B` for a user with `EXECUTE PROCEDURE` privilege and `A`, `B`, and `C` for a user with `EXECUTE BOOSTED PROCEDURE` privilege. +This procedure gives the result `A` and `B` for a user with `EXECUTE PROCEDURE` privilege and `A`, `B` and `C` for a user with `EXECUTE BOOSTED PROCEDURE` privilege. -Now, let's adapt the privileges in examples 1 to 4 to apply to this procedure and show what is returned. +Now, adapt the privileges from examples 1 to 4 to be applied to this procedure and show what is returned. With the privileges from example 1, granted `EXECUTE PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A` and `B`. With the privileges from example 2, granted `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE PROCEDURE myProc`, execution of the `myProc` procedure is not allowed. @@ -1551,7 +1530,7 @@ With the privileges from example 3, granted `EXECUTE BOOSTED PROCEDURE *` and de With the privileges from example 4, granted `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A` and `B`. -For comparison, when only granted `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A`, `B`, and `C`, without needing to be granted the `EXECUTE PROCEDURE myProc` privilege. +For comparison, when only `EXECUTE BOOSTED PROCEDURE myProc` is granted, the `myProc` procedure returns the result `A`, `B` and `C`, without the need for granting of the `EXECUTE PROCEDURE myProc` privilege. ==== 
@@ -1559,26 +1538,25 @@ For comparison, when only granted `EXECUTE BOOSTED PROCEDURE myProc`, the `myPro === The `EXECUTE ADMIN PROCEDURE` privilege The ability to execute admin procedures (annotated with `@Admin`) can be granted via the `EXECUTE ADMIN PROCEDURES` privilege. -This privilege is equivalent with granting the xref::access-control/dbms-administration.adoc#access-control-execute-boosted-procedure[`EXECUTE BOOSTED PROCEDURE` privilege] on each of the admin procedures. -Any new admin procedures that gets added are automatically included in this privilege. +This privilege is equivalent to granting the xref::access-control/dbms-administration.adoc#access-control-execute-boosted-procedure[`EXECUTE BOOSTED PROCEDURE` privilege] on each of the admin procedures. +Any newly added `admin` procedure is automatically included in this privilege. The following query shows an example of how to grant this privilege: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE ADMIN PROCEDURES ON DBMS TO adminProcedureExecutor ---- -Users with the role `adminProcedureExecutor` can then run any admin procedure with elevated privileges. +Users with the role `adminProcedureExecutor` can then run any `admin` procedure with elevated privileges. -The resulting role has privileges that allow executing all admin procedures: +The resulting role has privileges that allow executing all admin procedures. +List all privileges for the role `adminProcedureExecutor` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE adminProcedureExecutor PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `adminProcedureExecutor`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -1587,15 +1565,14 @@ Lists all privileges for role `adminProcedureExecutor`: a|Rows: 1 |=== -To compare this with the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges, let's revisit the `myProc` procedure. -This time as an admin procedure, which gives the result `A`, `B`, and `C` when allowed to execute. +In order to compare this with the `EXECUTE PROCEDURE` and `EXECUTE BOOSTED PROCEDURE` privileges, revisit the `myProc` procedure, but this time as an `admin` procedure, which will give the result `A`, `B` and `C` when allowed to execute. -Let's start with a user only granted the `EXECUTE PROCEDURE myProc` privilege, execution of the `myProc` procedure is not allowed. +By starting with a user only granted with the `EXECUTE PROCEDURE myProc` privilege, execution of the `myProc` procedure is not allowed. -However, for a user granted `EXECUTE BOOSTED PROCEDURE myProc` or `EXECUTE ADMIN PROCEDURES`, the `myProc` procedure returns the result `A`, `B`, and `C`. +However, for a user granted with the `EXECUTE BOOSTED PROCEDURE myProc` or `EXECUTE ADMIN PROCEDURES` privileges, the `myProc` procedure returns the result `A`, `B` and `C`. -Any denied execute privilege results in the procedure not being allowed to execute. -It does not matter whether `EXECUTE PROCEDURE`, `EXECUTE BOOSTED PROCEDURE` or `EXECUTE ADMIN PROCEDURES` is denied. +Any denied `EXECUTE` privilege results in the procedure not being allowed to be executed. +In this case, it does not matter whether `EXECUTE PROCEDURE`, `EXECUTE BOOSTED PROCEDURE` or `EXECUTE ADMIN PROCEDURES` is being denied. [[access-control-execute-user-defined-function]] 
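Review bot: "a user only granted with the `EXECUTE PROCEDURE myProc` privilege" and "a user granted with the ... privileges" in the `@@ -1587` hunk are ungrammatical; drop "with" ("a user granted only the `EXECUTE PROCEDURE myProc` privilege"). The same hunk changes "not being allowed to execute" to "not being allowed to be executed", which is wordier than the original; "the procedure cannot be executed" is clearer. The `admin` code-font problem from the previous hunk recurs here in "but this time as an `admin` procedure".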
@@ -1614,30 +1591,29 @@ The `EXECUTE USER DEFINED FUNCTION` privilege does not apply to built-in functio ====== The following query shows an example of how to grant this privilege: -[source,cypher,role=noplay, indent=0] +[source,cypher,role=noplay] ---- GRANT EXECUTE USER DEFINED FUNCTION apoc.coll.* ON DBMS TO functionExecutor ---- Or in short form: -[source,cypher,role=noplay, indent=0] +[source,cypher,role=noplay] ---- GRANT EXECUTE FUNCTION apoc.coll.* ON DBMS TO functionExecutor ---- -Users with the role `functionExecutor` can then run any UDF in the `apoc.coll` namespace. -The function is run using the user's own privileges. +Users with the role `functionExecutor` can thus run any UDF in the `apoc.coll` namespace. +The function here is run using the user's own privileges. -The resulting role has privileges that only allow executing UDFs in the `apoc.coll` namespace: +The resulting role has privileges that only allow executing UDFs in the `apoc.coll` namespace. +List all privileges for the role `functionExecutor` as commands by using the following query: -[source,cypher,role=noplay, indent=0] +[source,cypher,role=noplay] ---- SHOW ROLE functionExecutor PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `functionExecutor`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
@@ -1647,43 +1623,42 @@ a|Rows: 1 |=== ====== -If you want to allow executing all but a few UDFs, you can grant `+EXECUTE USER DEFINED FUNCTIONS *+` and deny the unwanted functions. +To allow the execution of all but a few UDFs, you can grant `+EXECUTE USER DEFINED FUNCTIONS *+` and deny the unwanted functions. .Execute user defined functions ====== -The following queries allow for executing all UDFs except those starting with `apoc.any.prop`: +The following queries allow the execution of all UDFs except those starting with `apoc.any.prop`: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO deniedFunctionExecutor ---- -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY EXECUTE USER DEFINED FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor ---- Or in short form: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE FUNCTIONS * ON DBMS TO deniedFunctionExecutor ---- -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- DENY EXECUTE FUNCTION apoc.any.prop* ON DBMS TO deniedFunctionExecutor ---- -The resulting role has privileges that only allow executing all procedures except those starting with `apoc.any.prop`: +The resulting role has privileges that only allow the execution of all procedures except those starting with `apoc.any.prop`. +List all privileges for the role `deniedFunctionExecutor` as commands by using the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE deniedFunctionExecutor PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `deniedFunctionExecutor`: - .Result [options="header,footer", width="100%", cols="m"] |=== 
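Review bot: the rewritten sentence "only allow the execution of all procedures except those starting with `apoc.any.prop`" in the `@@ -1647` hunk describes a role that only holds `EXECUTE USER DEFINED FUNCTIONS` privileges, so it should say "functions" (or "UDFs"), not "procedures"; since the line is being rewritten anyway, this is the place to fix it.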
@@ -1693,7 +1668,7 @@ Lists all privileges for role `deniedFunctionExecutor`: a|Rows: 2 |=== -The `apoc.any.property` and `apoc.any.properties` is blocked, as well as any other procedures starting with `apoc.any.prop`. +The `apoc.any.property` and `apoc.any.properties` are blocked, as well as any other procedures starting with `apoc.any.prop`. ====== [[access-control-execute-boosted-user-defined-function]] 
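Review bot: same terminology problem in the `@@ -1693` hunk: "as well as any other procedures starting with `apoc.any.prop`" sits in the user defined function section and the denied privilege is `EXECUTE USER DEFINED FUNCTION`, so "functions" is meant. The verb-agreement fix ("are blocked") is correct.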
@@ -1702,46 +1677,46 @@ The `apoc.any.property` and `apoc.any.properties` is blocked, as well as any oth //EXECUTE BOOSTED [USER [DEFINED]] FUNCTION[S] The ability to execute a user defined function (UDF) with elevated privileges can be granted via the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege. A user with this privilege is allowed to execute the UDFs matched by the xref::access-control/dbms-administration.adoc#access-control-name-globbing[name-globbing] without the execution being restricted to their other privileges. -There is no need to grant an individual `EXECUTE USER DEFINED FUNCTION` privilege for the functions either, as granting the `EXECUTE BOOSTED USER DEFINED FUNCTION` includes an implicit `EXECUTE USER DEFINED FUNCTION` grant for them. -A denied `EXECUTE USER DEFINED FUNCTION` still denies executing the function. + +There is no need to grant an individual `EXECUTE USER DEFINED FUNCTION` privilege for the functions, as granting `EXECUTE BOOSTED USER DEFINED FUNCTION` includes an implicit `EXECUTE USER DEFINED FUNCTION` grant. +However, a denied `EXECUTE USER DEFINED FUNCTION` still prevents the function to be executed. [IMPORTANT] ==== The `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege does not apply to built-in functions, as they have no concept of elevated privileges. ==== -Granting `EXECUTE BOOSTED USER DEFINED FUNCTION` on its own allows the UDF to be both executed (because of the implicit `EXECUTE USER DEFINED FUNCTION` grant) and given elevated privileges during the execution. -A denied `EXECUTE BOOSTED USER DEFINED FUNCTION` on its own behaves slightly differently, and only denies the elevation and not the execution of the UDF. -However, a role with only a granted `EXECUTE BOOSTED USER DEFINED FUNCTION` and a denied `EXECUTE BOOSTED USER DEFINED FUNCTION` denies the execution as well. 
+Granting `EXECUTE BOOSTED USER DEFINED FUNCTION` on its own allows the UDF to be both executed (because of the implicit `EXECUTE USER DEFINED FUNCTION` grant) and gives it elevated privileges during the execution. +A denied `EXECUTE BOOSTED USER DEFINED FUNCTION` on its own behaves slightly differently: it only denies the elevation and not the execution of the UDF. +However, a role with only a granted `EXECUTE BOOSTED USER DEFINED FUNCTION` and a denied `EXECUTE BOOSTED USER DEFINED FUNCTION` prevents the execution to be performed as well. This is the same behavior as for the xref::access-control/dbms-administration.adoc#access-control-execute-boosted-procedure[`EXECUTE BOOSTED PROCEDURE` privilege]. .Execute boosted user defined function ====== The following query shows an example of how to grant the `EXECUTE BOOSTED USER DEFINED FUNCTION` privilege: -[source,cypher,role=noplay, indent=0] +[source,cypher,role=noplay] ---- GRANT EXECUTE BOOSTED USER DEFINED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor ---- Or in short form: -[source,cypher,role=noplay, indent=0] +[source,cypher,role=noplay] ---- GRANT EXECUTE BOOSTED FUNCTION apoc.any.properties ON DBMS TO boostedFunctionExecutor ---- -Users with the role `boostedFunctionExecutor` can then run `apoc.any.properties` with full privileges, seeing every property on the node/relationship not just the properties that the user has `READ` privilege on. +Users with the role `boostedFunctionExecutor` can thus run `apoc.any.properties` with full privileges and see every property on the node/relationship, not just the properties that the user has `READ` privilege on. -The resulting role has privileges that only allow executing the UDF `apoc.any.properties`, but with elevated execution: +The resulting role has privileges that only allow executing of the UDF `apoc.any.properties`, but with elevated execution. 
+List all privileges for the role `boostedFunctionExecutor` as commands by using the following query: -[source,cypher,role=noplay, indent=0] +[source,cypher,role=noplay] ---- SHOW ROLE boostedFunctionExecutor PRIVILEGES AS COMMANDS ---- -Lists all privileges for role `boostedFunctionExecutor`: - .Result [options="header,footer",width="100%",cols="m"] |=== 
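Review bot: the `@@ -1702` hunk breaks the "both ... and" parallelism: "allows the UDF to be both executed (...) and gives it elevated privileges" no longer parses, whereas the original "to be both executed ... and given elevated privileges" was correct and should be kept. Two other rewrites in this hunk are ungrammatical: "prevents the function to be executed" and "prevents the execution to be performed" should be "prevents the function from being executed" and "prevents execution as well", and "only allow executing of the UDF" should be "only allow executing the UDF".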
@@ -1754,20 +1729,21 @@ a|Rows: 1 [[access-control-name-globbing]] === Procedure and user-defined function name-globbing -The name-globbing for procedure and user defined function names is a simplified version of globbing for filename expansions, only allowing two wildcard characters; `+*+` and `?`. -They are used for multiple and single character matches, where `+*+` means 0 or more characters and `?` matches exactly one character. +The name-globbing for procedure and user defined function names is a simplified version of globbing for filename expansions. +It only allows two wildcard characters: `+*+` and `?`, which are used for multiple and single character matches. +In this case, `+*+` means 0 or more characters and `?` matches exactly one character. [NOTE] ==== -The name-globbing is subject to the xref::syntax/naming.adoc[standard Cypher restrictions on valid identifiers], +The name-globbing is subject to the xref::access-control/dbms-administration.adoc#access-control-name-globbing[name-globbing], with the exception that it may include dots, stars, and question marks without the need for escaping using backticks. + Each part of the name-globbing separated by dots may be individually escaped, for example, `++mine.`procedureWith%`++` but not `++mine.procedure`With%`++`. -Also good to keep in mind is that the wildcard characters behave as wildcards even when escaped. +It is also good to keep in mind that wildcard characters behave as wildcards even when escaped. As an example, using `++`*`++` is equivalent to using `+*+`, and thus allows executing all functions or procedures and not only the procedure or function named `+*+`. ==== -The examples below only use procedures but the same rules apply to user defined function names. -For the examples below, assume we have the following procedures: +The examples below only use procedures, but the same rules apply to user defined function names: * `mine.public.exampleProcedure` * `mine.public.exampleProcedure1` 
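Review bot: the `@@ -1754` hunk replaces the link to `xref::syntax/naming.adoc[standard Cypher restrictions on valid identifiers]` with an xref to `access-control-name-globbing`, which is the section this NOTE sits in, so the note now links to itself and loses the reference to the identifier rules; PATCH 2/3 in this series reverts it, so squash that fix into this commit rather than landing the self-link. The same hunk also deletes "For the examples below, assume we have the following procedures:" and attaches the bullet list directly to "the same rules apply to user defined function names:", so the list of procedure names now reads as a list of function names; keep an introductory sentence such as "Assume the following procedures exist:". Minor: the heading uses "user-defined" while the body uses "user defined".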
@@ -1779,51 +1755,52 @@ For the examples below, assume we have the following procedures: * `mine.private.with#Special§Characters` * `your.exampleProcedure` -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1 ---- -Users with the role `globbing1` can then run procedures all the procedures. +Users with the role `globbing1` can thus run all the procedures. -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2 ---- -Users with the role `globbing2` can then run procedures `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but none of the others. +Users with the role `globbing2` can thus run procedures `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but none of the others. -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3 ---- -Users with the role `globbing3` can then run procedures `mine.public.exampleProcedure1`, `mine.private.exampleProcedure1` and `mine.private.exampleProcedure2`, but none of the others. +Users with the role `globbing3` can thus run procedures `mine.public.exampleProcedure1`, `mine.private.exampleProcedure1` and `mine.private.exampleProcedure2`, but none of the others. -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4 ---- -Users with the role `globbing4` can then run procedures `your.exampleProcedure`, `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but none of the others. +Users with the role `globbing4` can thus run procedures `your.exampleProcedure`, `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but none of the others. 
-[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5 ---- -Users with the role `globbing5` can then run procedures `mine.public.exampleProcedure`, `mine.public.exampleProcedure1` and `mine.public.exampleProcedure42`, but none of the others. +Users with the role `globbing5` can thus run procedures `mine.public.exampleProcedure`, `mine.public.exampleProcedure1` and `mine.public.exampleProcedure42`, but none of the others. -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6 ---- -Users with the role `globbing6` can then run procedures `mine.public.with#Special§Characters` and `mine.private.with#Special§Characters`, but none of the others. +Users with the role `globbing6` can thus run procedures `mine.public.with#Special§Characters` and `mine.private.with#Special§Characters`, but none of the others. [NOTE] ==== -The name-globbing may be fully or partially escaped, and both the `+*+` and `+?+` are interpreted as wildcards either way. +The name-globbing may be fully or partially escaped. +Both `+*+` and `+?+` are interpreted as wildcards either way. ==== 
@@ -1832,42 +1809,30 @@ The name-globbing may be fully or partially escaped, and both the `+*+` and `+?+ The right to perform the following privileges can be achieved with a single command: -* create roles -* drop roles -* assign roles -* remove roles -* show roles -* create users -* alter users -* drop users -* show users -* impersonate users -* create databases -* alter databases -* drop databases -* show privileges -* assign privileges -* remove privileges -* execute all procedures with elevated privileges -* execute all user defined functions with elevated privileges - -[source, cypher, role=noplay, indent=0] +* Create, drop, assign, remove and show roles +* Create, alter, drop, show and impersonate users +* Create, alter and drop databases +* Show, assign and remove privileges +* Execute all procedures with elevated privileges +* Execute all user defined functions with elevated privileges + +[source, cypher, role=noplay] ---- GRANT ALL [[DBMS] PRIVILEGES] ON DBMS TO role[, ...] ---- -For example, granting the abilities above to the role `dbmsManager` is done using the following query. +For example, to grant the role `dbmsManager` the abilities above, use the following query: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- GRANT ALL DBMS PRIVILEGES ON DBMS TO dbmsManager ---- The privileges granted can be seen using the `SHOW PRIVILEGES` command: -[source, cypher, role=noplay, indent=0] +[source, cypher, role=noplay] ---- SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS ---- @@ -1879,4 +1844,3 @@ SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS |"GRANT ALL DBMS PRIVILEGES ON DBMS TO `dbmsManager`" a|Rows: 1 |=== - From 1093d1f01b0c45fc5e0939063d0a779d61d6691e Mon Sep 17 00:00:00 2001 From: lidiazuin Date: Tue, 26 Jul 2022 13:04:29 +0200 Subject: [PATCH 2/3] fixing some remaining conflicts --- modules/ROOT/pages/access-control/dbms-administration.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/modules/ROOT/pages/access-control/dbms-administration.adoc b/modules/ROOT/pages/access-control/dbms-administration.adoc index 72cd5a5f0..912a16cf5 100644 --- a/modules/ROOT/pages/access-control/dbms-administration.adoc +++ b/modules/ROOT/pages/access-control/dbms-administration.adoc @@ -760,7 +760,8 @@ GRANT IMPERSONATE (alice, bob) ON DBMS TO userImpersonator [[access-control-dbms-administration-database-management]] == The DBMS `DATABASE MANAGEMENT` privileges -The DBMS privileges for database management can be assigned by using Cypher administrative commands. They can be granted, denied and revoked like other privileges. +The DBMS privileges for database management can be assigned by using Cypher administrative commands. +They can be granted, denied and revoked like other privileges. .Database management privileges command syntax [options="header", width="100%", cols="3a,2"] @@ -1735,7 +1736,7 @@ In this case, `+*+` means 0 or more characters and `?` matches exactly one chara [NOTE] ==== -The name-globbing is subject to the xref::access-control/dbms-administration.adoc#access-control-name-globbing[name-globbing], +The name-globbing is subject to the xref::syntax/naming.adoc[standard Cypher restrictions on valid identifiers], with the exception that it may include dots, stars, and question marks without the need for escaping using backticks. Each part of the name-globbing separated by dots may be individually escaped, for example, `++mine.`procedureWith%`++` but not `++mine.procedure`With%`++`. From 698fa501dbe0020b9f07553d8218354b930c7ec2 Mon Sep 17 00:00:00 2001 From: lidiazuin Date: Wed, 27 Jul 2022 10:06:57 +0200 Subject: [PATCH 3/3] making changes after comments --- .../access-control/dbms-administration.adoc | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) 
diff --git a/modules/ROOT/pages/access-control/dbms-administration.adoc b/modules/ROOT/pages/access-control/dbms-administration.adoc index 912a16cf5..ac5c2eb7b 100644 --- a/modules/ROOT/pages/access-control/dbms-administration.adoc +++ b/modules/ROOT/pages/access-control/dbms-administration.adoc @@ -84,7 +84,7 @@ SHOW ROLE usermanager PRIVILEGES AS COMMANDS a|Rows: 2 |=== -Note that this role doesn't allow all DBMS capabilities. +Note that this role does not allow all DBMS capabilities. For example, the role is missing privileges for management, creation and drop of databases as well as execution of `admin` procedures. To create a more powerful administrator, you can grant a different set of privileges. @@ -313,7 +313,7 @@ a|Rows: 1 The ability to show roles can be granted via the `SHOW ROLE` privilege. A user with this privilege is allowed to execute the `SHOW ROLES` and `SHOW POPULATED ROLES` administration commands. -In order to use `SHOW ROLES WITH USERS` and `SHOW POPULATED ROLES WITH USERS` administration commands, both this and the `SHOW USER` privileges are required. +In order to use `SHOW ROLES WITH USERS` and `SHOW POPULATED ROLES WITH USERS` administration commands, both the `SHOW ROLE` and the `SHOW USER` privileges are required. See an example of how to grant the `SHOW ROLE` privilege: [source, cypher, role=noplay] @@ -1339,7 +1339,7 @@ SHOW ROLE deniedProcedureExecutor PRIVILEGES AS COMMANDS a|Rows: 2 |=== -Both `dbms.killTransaction` and `dbms.killTransactions` are blocked here, as well as any other procedures starting with `dbms.killTransaction`. +Both the `dbms.killTransaction` and the `dbms.killTransactions` procedures are blocked here, as well as any other procedures starting with `dbms.killTransaction`. [[access-control-execute-boosted-procedure]] 
@@ -1357,10 +1357,10 @@ The following query shows an example of how to grant this privilege: GRANT EXECUTE BOOSTED PROCEDURE db.labels, db.relationshipTypes ON DBMS TO boostedProcedureExecutor ---- -Users with the role `boostedProcedureExecutor` can thus run `db.labels` and `db.relationshipTypes` with full privileges. +Users with the role `boostedProcedureExecutor` can thus run the `db.labels` and the `db.relationshipTypes` procedures with full privileges. Now they can see everything on the graph and not just the labels and types that the user has `TRAVERSE` privilege on. -The resulting role has privileges that only allow executing procedures `db.labels` and `db.relationshipTypes`, but with elevated execution. +The resulting role has privileges that only allow executing the `db.labels` and the `db.relationshipTypes` procedures, but with elevated execution. List all privileges for the role `boostedProcedureExecutor` as commands by using the following query: [source, cypher, role=noplay] @@ -1396,7 +1396,7 @@ DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecut ---- The resulting role has privileges that allow the execution of all procedures using the user's own privileges. -It also prevents `db.labels` from being elevated. +It also prevents the `db.labels` procedure from being elevated. Still, the denied `EXECUTE BOOSTED PROCEDURE` does not block execution of `db.labels`. To list all privileges for role `deniedBoostedProcedureExecutor1` as commands, use the following query: 
@@ -1496,7 +1496,7 @@ GRANT EXECUTE BOOSTED PROCEDURE * ON DBMS TO deniedBoostedProcedureExecutor4 DENY EXECUTE BOOSTED PROCEDURE db.labels ON DBMS TO deniedBoostedProcedureExecutor4 ---- -The resulting role has privileges that allow executing all procedures with elevated privileges except `db.labels`, which is only allowed to execute using the user's own privileges. +The resulting role has privileges that allow executing all procedures with elevated privileges except the `db.labels` procedure, which is only allowed to execute using the user's own privileges. List all privileges for the role `deniedBoostedProcedureExecutor4` as commands by using the following query: [source, cypher, role=noplay] @@ -1531,7 +1531,7 @@ With the privileges from example 3, granted `EXECUTE BOOSTED PROCEDURE *` and de With the privileges from example 4, granted `EXECUTE PROCEDURE myProc` and `EXECUTE BOOSTED PROCEDURE *` and denied `EXECUTE BOOSTED PROCEDURE myProc`, the `myProc` procedure returns the result `A` and `B`. -For comparison, when only `EXECUTE BOOSTED PROCEDURE myProc` is granted, the `myProc` procedure returns the result `A`, `B` and `C`, without the need for granting of the `EXECUTE PROCEDURE myProc` privilege. +For comparison, when only `EXECUTE BOOSTED PROCEDURE myProc` is granted, the `myProc` procedure returns the result `A`, `B`, and `C`; without the need for granting of the `EXECUTE PROCEDURE myProc` privilege. ==== 
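Review bot: the semicolon in the `@@ -1531` hunk ("returns the result `A`, `B`, and `C`; without the need for granting of ...") splits a single clause and should be a comma; the trailing "without the need for granting of the ... privilege" is also ungrammatical ("without needing the ... privilege"). This line was already rewritten in PATCH 1/3 of the same series, which removed the serial comma this hunk restores, so the two edits should be squashed into one.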
@@ -1810,12 +1810,12 @@ Both `+*+` and `+?+` are interpreted as wildcards either way. The right to perform the following privileges can be achieved with a single command: -* Create, drop, assign, remove and show roles -* Create, alter, drop, show and impersonate users -* Create, alter and drop databases -* Show, assign and remove privileges -* Execute all procedures with elevated privileges -* Execute all user defined functions with elevated privileges +* Create, drop, assign, remove, and show roles. +* Create, alter, drop, show, and impersonate users. +* Create, alter, and drop databases. +* Show, assign, and remove privileges. +* Execute all procedures with elevated privileges. +* Execute all user defined functions with elevated privileges. [source, cypher, role=noplay] ----
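Review bot: the `@@ -1810` hunk re-edits the bullet list that PATCH 1/3 of this series just consolidated (adding serial commas and terminal periods); squash the two into one commit so the intermediate form does not land. The unchanged lead-in "The right to perform the following privileges can be achieved with a single command" is still odd, since privileges are granted rather than performed; "The following privileges can be granted with a single command:" reads better.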