From caa0504489eb90a37ff49122541822e3b1417232 Mon Sep 17 00:00:00 2001 From: lidiazuin Date: Tue, 26 Jul 2022 13:12:24 +0200 Subject: [PATCH 1/9] merging editorial review and matching formatting --- modules/ROOT/pages/access-control/index.adoc | 78 ++++++++++++-------- 1 file changed, 48 insertions(+), 30 deletions(-) diff --git a/modules/ROOT/pages/access-control/index.adoc b/modules/ROOT/pages/access-control/index.adoc index e9d31ec42..1013197c5 100644 --- a/modules/ROOT/pages/access-control/index.adoc +++ b/modules/ROOT/pages/access-control/index.adoc @@ -5,34 +5,33 @@ [abstract] -- -This section explains how to manage Neo4j role-based access control and fine-grained security. +This chapter explains how to manage Neo4j role-based access control and fine-grained security. -- -Neo4j has a complex security model stored in the system graph, maintained in a special database called the `system` database. -All administrative commands need to be executing against the `system` database. -When connected to the DBMS over bolt, administrative commands are automatically routed to the `system` database. +Neo4j has a complex security model stored in the system graph, which is maintained on a special database called the `system` database. +All administrative commands need to be executed against the `system` database. +When connected to the DBMS over `bolt`, administrative commands are automatically routed to the `system` database. For more information on how to manage multiple databases, refer to the section on xref::databases.adoc[administering databases]. -Neo4j 3.1 introduced the concept of _role-based access control_. -It was possible to create users and assign them to roles to control whether the users could read, write and administer the database. +The concept of _role-based access control_ was introduced in Neo4j 3.1. +Since then, it has been possible to create users and assign them to roles to control whether users can read, write and administer the database. In Neo4j 4.0 this model was enhanced significantly with the addition of _privileges_, which are the underlying access-control rules by which the users rights are defined. The original built-in roles still exist with almost the exact same access rights, but they are no-longer statically defined (see xref::access-control/built-in-roles.adoc[Built-in roles]). Instead they are defined in terms of their underlying _privileges_ and they can be modified by adding an removing these access rights. -In addition, any new roles created can by assigned any combination of _privileges_ to create the specific access control desired. -A major additional capability is _sub-graph_ access control whereby read-access to the graph can be limited to specific combinations of label, relationship-type and property. +In addition, any new roles can be assigned to any combination of _privileges_ to create specific access controls. +Another new major capability is the _sub-graph_ access control, through which read access to the graph can be limited to specific combinations of labels, relationship types, and properties. [[access-control-syntax]] == Syntax summaries -Almost all administration commands have variations in the commands. -Parts of the command that are optional or can have multiple values are most common. -To show all versions of a command, a summary of the syntax will be presented. -These summaries will use some special characters to indicate such variations. +Almost all administration commands have variations. +The most common are parts of the command that are optional or that can have multiple values. -The special characters and their meaning are as follows: +See below a summary of the syntax to check all versions of a command. +These summaries use some special characters to indicate such variations. .Special characters in syntax summaries [options="header", width="100%", cols="1a,3a,3a"] @@ -40,13 +39,14 @@ The special characters and their meaning are as follows: | Character | Meaning | Example | `\|` -| Or, used to indicate alternative parts of a command. +| Or +Used to indicate alternative parts of a command. Needs to be part of a grouping. | If the syntax needs to specify either a name or `+*+`, this can be indicated with `+* \| name+`. | `+{+` and `+}+` -| Used to group parts of the command, common together with `\|`. -| To use the `or` in the syntax summary it needs to be in a group, `+{* \| name}+`. +| Used to group parts of the command. Commonly found together with `\|`. +| In order to use the `or` in the syntax summary, it needs to be in a group: `+{* \| name}+`. | `[` and `]` | Used to indicate an optional part of the command. @@ -54,40 +54,58 @@ It also groups alternatives together, when there can be either of the alternativ | If a keyword in the syntax can either be in singular or plural, we can indicate that the `S` is optional with `GRAPH[S]`. | `...` -| Repeated pattern, the command part immediately before this is repeated. +| Repeated pattern. +Related to the command part immediately before this is repeated. | A comma separated list of names would be `+name[, ...]+`. | `"` | When a special character is part of the syntax itself, we surround it with `"` to indicate this. -| To include `+{+` in the syntax use `+"{" { * \| name } "}"+`, here we get either `+{*}+` or `+{name}+`. +| To include `+{+` in the syntax use `+"{" { * \| name } "}"+`. In this case, you will get either `+{*}+` or `+{name}+`. |=== The special characters in the table above are the only ones that need to be escaped using `"` in the syntax summaries. -An example that uses all special characters is granting the `READ` privilege: +Here is an example that uses all special characters is granting the `READ` privilege: -[source, syntax, role="noheader"] +[source, cypher, role=noplay] ---- GRANT READ - "{" { * | property[, ...] } "}" - ON {HOME GRAPH | GRAPH[S] { * | name[, ...] }} - [ ELEMENT[S] { * | label-or-rel-type[, ...] } - | NODE[S] { * | label[, ...] } - | RELATIONSHIP[S] { * | rel-type[, ...] }] - TO role[, ...] +"{" { * | property[, ...] } "}" +ON {HOME GRAPH | GRAPH[S] { * | name[, ...] }} + [ ELEMENT[S] { * | label-or-rel-type[, ...] } + | NODE[S] { * | label[, ...] } + | RELATIONSHIP[S] { * | rel-type[, ...] }] +TO role[, ...] ---- -Some things to notice about this command is that it includes `+{+` and `+}+` in the syntax, and between them has a grouping of either a list of properties or the character `+*+`. +Note that this command includes `+{+` and `+}+` in the syntax, and between them there can be a grouping of properties or the character `+*+`. It also has multiple optional parts, including the entity part of the command which is the grouping following the graph name. -In difference, there is no need to escape any characters in the node property existence constraint creation command. -This is because `(` and `)` are not special characters, and the `[` and `]` indicate that the constraint name is optional, and are not part of the command. +However, there is no need to escape any characters when creating a constraint for a node property. +This is because `(` and `)` are not special characters, and `[` and `]` indicate that the constraint name is optional, and therefore not part of the command. -[source, syntax, role="noheader", indent=0] +[source, syntax, role="noheader"] ---- CREATE CONSTRAINT [constraint_name] [IF NOT EXISTS] FOR (n:LabelName) REQUIRE n.propertyName IS NOT NULL ---- +include::manage-users.adoc[leveloffset=+1] + +include::manage-roles.adoc[leveloffset=+1] + +include::manage-privileges.adoc[leveloffset=+1] + +include::built-in-roles.adoc[leveloffset=+1] + +include::privileges-read.adoc[leveloffset=+1] + +include::privileges-write.adoc[leveloffset=+1] + +include::database-administration.adoc[leveloffset=+1] + +include::dbms-administration.adoc[leveloffset=+1] + +include::limitations.adoc[leveloffset=+1] From 832a1107fb187aef6c26f7a6dafc9fded8e61292 Mon Sep 17 00:00:00 2001 From: lidiazuin Date: Tue, 26 Jul 2022 13:14:22 +0200 Subject: [PATCH 2/9] more fixes --- modules/ROOT/pages/access-control/index.adoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/ROOT/pages/access-control/index.adoc b/modules/ROOT/pages/access-control/index.adoc index 1013197c5..a06d2d308 100644 --- a/modules/ROOT/pages/access-control/index.adoc +++ b/modules/ROOT/pages/access-control/index.adoc @@ -68,15 +68,15 @@ The special characters in the table above are the only ones that need to be esca Here is an example that uses all special characters is granting the `READ` privilege: -[source, cypher, role=noplay] +[source, syntax, role="noheader"] ---- GRANT READ -"{" { * | property[, ...] } "}" -ON {HOME GRAPH | GRAPH[S] { * | name[, ...] }} - [ ELEMENT[S] { * | label-or-rel-type[, ...] } - | NODE[S] { * | label[, ...] } - | RELATIONSHIP[S] { * | rel-type[, ...] }] -TO role[, ...] + "{" { * | property[, ...] } "}" + ON {HOME GRAPH | GRAPH[S] { * | name[, ...] }} + [ ELEMENT[S] { * | label-or-rel-type[, ...] } + | NODE[S] { * | label[, ...] } + | RELATIONSHIP[S] { * | rel-type[, ...] }] + TO role[, ...] ---- Note that this command includes `+{+` and `+}+` in the syntax, and between them there can be a grouping of properties or the character `+*+`. From 8b972b5d9787d5d4295d5f85516baeb8efd555c4 Mon Sep 17 00:00:00 2001 From: lidiazuin <102308961+lidiazuin@users.noreply.github.com> Date: Wed, 27 Jul 2022 10:18:11 +0200 Subject: [PATCH 3/9] Update modules/ROOT/pages/access-control/index.adoc Co-authored-by: Martin --- modules/ROOT/pages/access-control/index.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/access-control/index.adoc b/modules/ROOT/pages/access-control/index.adoc index a06d2d308..e37cc40de 100644 --- a/modules/ROOT/pages/access-control/index.adoc +++ b/modules/ROOT/pages/access-control/index.adoc @@ -5,7 +5,7 @@ [abstract] -- -This chapter explains how to manage Neo4j role-based access control and fine-grained security. +This section explains how to manage Neo4j role-based access control and fine-grained security. -- Neo4j has a complex security model stored in the system graph, which is maintained on a special database called the `system` database. From f365602bf3cf9f33137b65fd62f1d1e265d0afec Mon Sep 17 00:00:00 2001 From: lidiazuin <102308961+lidiazuin@users.noreply.github.com> Date: Wed, 27 Jul 2022 10:45:34 +0200 Subject: [PATCH 4/9] Update modules/ROOT/pages/access-control/index.adoc Co-authored-by: Martin --- modules/ROOT/pages/access-control/index.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/access-control/index.adoc b/modules/ROOT/pages/access-control/index.adoc index e37cc40de..52b4e66b2 100644 --- a/modules/ROOT/pages/access-control/index.adoc +++ b/modules/ROOT/pages/access-control/index.adoc @@ -53,7 +53,7 @@ Needs to be part of a grouping. It also groups alternatives together, when there can be either of the alternatives or nothing. | If a keyword in the syntax can either be in singular or plural, we can indicate that the `S` is optional with `GRAPH[S]`. -| `...` +| `+...+` | Repeated pattern. Related to the command part immediately before this is repeated. | A comma separated list of names would be `+name[, ...]+`. From 7416c41dfbeddbb0b15ba8d007c3f402ebd26900 Mon Sep 17 00:00:00 2001 From: lidiazuin <102308961+lidiazuin@users.noreply.github.com> Date: Wed, 27 Jul 2022 11:00:10 +0200 Subject: [PATCH 5/9] Update modules/ROOT/pages/access-control/index.adoc Co-authored-by: Martin --- modules/ROOT/pages/access-control/index.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/ROOT/pages/access-control/index.adoc b/modules/ROOT/pages/access-control/index.adoc index 52b4e66b2..a242e1b34 100644 --- a/modules/ROOT/pages/access-control/index.adoc +++ b/modules/ROOT/pages/access-control/index.adoc @@ -54,7 +54,8 @@ It also groups alternatives together, when there can be either of the alternativ | If a keyword in the syntax can either be in singular or plural, we can indicate that the `S` is optional with `GRAPH[S]`. | `+...+` -| Repeated pattern. +| +Repeated pattern. Related to the command part immediately before this is repeated. | A comma separated list of names would be `+name[, ...]+`. From 884e1f6b96f2f9d3e636f9c95756fd54932789bf Mon Sep 17 00:00:00 2001 From: lidiazuin <102308961+lidiazuin@users.noreply.github.com> Date: Wed, 27 Jul 2022 11:00:26 +0200 Subject: [PATCH 6/9] Update modules/ROOT/pages/access-control/index.adoc Co-authored-by: Martin --- modules/ROOT/pages/access-control/index.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/ROOT/pages/access-control/index.adoc b/modules/ROOT/pages/access-control/index.adoc index a242e1b34..2529e25aa 100644 --- a/modules/ROOT/pages/access-control/index.adoc +++ b/modules/ROOT/pages/access-control/index.adoc @@ -61,7 +61,9 @@ Related to the command part immediately before this is repeated. | `"` | When a special character is part of the syntax itself, we surround it with `"` to indicate this. -| To include `+{+` in the syntax use `+"{" { * \| name } "}"+`. In this case, you will get either `+{*}+` or `+{name}+`. +| +To include `+{+` in the syntax use `+"{" { * \| name } "}"+`. +In this case, you will get either `+{ * }+` or `+{ name }+`. |=== From e4b147f67e93eae345721448a6e755ea37457194 Mon Sep 17 00:00:00 2001 From: lidiazuin <102308961+lidiazuin@users.noreply.github.com> Date: Wed, 27 Jul 2022 11:01:03 +0200 Subject: [PATCH 7/9] Update modules/ROOT/pages/access-control/index.adoc Co-authored-by: Martin --- modules/ROOT/pages/access-control/index.adoc | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/modules/ROOT/pages/access-control/index.adoc b/modules/ROOT/pages/access-control/index.adoc index 2529e25aa..99bcf4ff6 100644 --- a/modules/ROOT/pages/access-control/index.adoc +++ b/modules/ROOT/pages/access-control/index.adoc @@ -95,20 +95,3 @@ FOR (n:LabelName) REQUIRE n.propertyName IS NOT NULL ---- -include::manage-users.adoc[leveloffset=+1] - -include::manage-roles.adoc[leveloffset=+1] - -include::manage-privileges.adoc[leveloffset=+1] - -include::built-in-roles.adoc[leveloffset=+1] - -include::privileges-read.adoc[leveloffset=+1] - -include::privileges-write.adoc[leveloffset=+1] - -include::database-administration.adoc[leveloffset=+1] - -include::dbms-administration.adoc[leveloffset=+1] - -include::limitations.adoc[leveloffset=+1] From 2807cddccecb3d3c31582804ed2ba2232992372d Mon Sep 17 00:00:00 2001 From: lidiazuin <102308961+lidiazuin@users.noreply.github.com> Date: Fri, 30 Sep 2022 12:39:24 +0200 Subject: [PATCH 8/9] Update modules/ROOT/pages/access-control/index.adoc --- modules/ROOT/pages/access-control/index.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/access-control/index.adoc b/modules/ROOT/pages/access-control/index.adoc index f7a513671..63ac9a667 100644 --- a/modules/ROOT/pages/access-control/index.adoc +++ b/modules/ROOT/pages/access-control/index.adoc @@ -20,7 +20,7 @@ In Neo4j 4.0 this model was enhanced significantly with the addition of _privile The original built-in roles still exist with almost the exact same access rights, but they are no-longer statically defined (see xref::access-control/built-in-roles.adoc[Built-in roles]). Instead, they are defined in terms of their underlying _privileges_, and they can be modified by adding or removing these access rights. -In addition, any new roles can be assigned to any combination of _privileges_ to create specific access controls. +In addition, any newly created roles can be assigned to any combination of _privileges_, so that you may set specific access controls for them. Another new major capability is the _sub-graph_ access control, through which read access to the graph can be limited to specific combinations of labels, relationship types, and properties. From 8a6cca1a47be69e21131389347d7b382c632d208 Mon Sep 17 00:00:00 2001 From: lidiazuin <102308961+lidiazuin@users.noreply.github.com> Date: Fri, 30 Sep 2022 12:39:49 +0200 Subject: [PATCH 9/9] Update modules/ROOT/pages/access-control/index.adoc --- modules/ROOT/pages/access-control/index.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/access-control/index.adoc b/modules/ROOT/pages/access-control/index.adoc index 63ac9a667..fa3037b6f 100644 --- a/modules/ROOT/pages/access-control/index.adoc +++ b/modules/ROOT/pages/access-control/index.adoc @@ -39,8 +39,8 @@ These summaries use some special characters to indicate such variations. | Character | Meaning | Example | `\|` -| Or -Used to indicate alternative parts of a command. +| +Used to indicate alternative parts of a command (i.e. `or`). Needs to be part of a grouping. | If the syntax needs to specify either a name or `+*+`, this can be indicated with `+* \| name+`.