diff --git a/modules/ROOT/pages/authentication-authorization/manage-privileges.adoc b/modules/ROOT/pages/authentication-authorization/manage-privileges.adoc index 824577cab..5e6851547 100644 --- a/modules/ROOT/pages/authentication-authorization/manage-privileges.adoc +++ b/modules/ROOT/pages/authentication-authorization/manage-privileges.adoc @@ -34,9 +34,16 @@ For more details about the syntax descriptions, see xref:database-administration ==== [[access-control-graph-privileges]] -== Graph privilege commands (`GRANT`, `DENY`, and `REVOKE`) +== Graph privilege commands + +Administrators can use the Cypher commands `GRANT`, `DENY`, and `REVOKE` to manage Neo4j graph administrative rights. +These commands can be used to grant or deny privileges to roles, and to revoke previously granted or denied privileges. +The privileges can be granted or denied on the entire graph or specific elements within the graph. +The privileges can also be made immutable, which means they cannot be granted, denied, or revoked unless auth is disabled. + +[[components-of-the-graph-privilege-commands]] +=== Components of the graph privilege commands -Administrators can use Cypher commands to manage Neo4j graph administrative rights. The components of the graph privilege commands are: * _the command_: @@ -87,6 +94,9 @@ See xref:authentication-authorization/privileges-writes.adoc[Write privileges] f * _role[, ...]_ ** The role or roles to associate the privilege with, comma-separated. +[[general-syntax-for-graph-privilege-commands]] +=== General syntax for graph privilege commands + .General grant +ON GRAPH+ privilege syntax [cols="<15s,<85"] |=== diff --git a/modules/ROOT/pages/authentication-authorization/privileges-reads.adoc b/modules/ROOT/pages/authentication-authorization/privileges-reads.adoc index ad5027db2..1b37465cc 100644 --- a/modules/ROOT/pages/authentication-authorization/privileges-reads.adoc +++ b/modules/ROOT/pages/authentication-authorization/privileges-reads.adoc 
@@ -17,10 +17,7 @@ There are three separate read privileges: * xref:authentication-authorization/privileges-reads.adoc#access-control-privileges-reads-read[`READ`] - enables the specified properties of the found entities to be read. * xref:authentication-authorization/privileges-reads.adoc#access-control-privileges-reads-match[`MATCH`] - combines both `TRAVERSE` and `READ`, enabling an entity to be found and its properties read. -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[]. -==== +For more details about how to read the administration commands syntax, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax] and xref:authentication-authorization/manage-privileges.adoc#components-of-the-graph-privilege-commands[Components of the graph privilege commands]. [[access-control-privileges-reads-traverse]] == The `TRAVERSE` privilege diff --git a/modules/ROOT/pages/authentication-authorization/privileges-writes.adoc b/modules/ROOT/pages/authentication-authorization/privileges-writes.adoc index 81e81aa88..2fbaa0411 100644 --- a/modules/ROOT/pages/authentication-authorization/privileges-writes.adoc +++ b/modules/ROOT/pages/authentication-authorization/privileges-writes.adoc 
@@ -25,10 +25,7 @@ There are also compound privileges that combine the above specific privileges: * <> - allows all `WRITE` operations on an entire graph. * <> - allows all `READ` and `WRITE` operations on an entire graph. -[NOTE] -==== -For more details about the syntax descriptions, see xref:database-administration/syntax.adoc[]. -==== +For more details about how to read the administration commands syntax, see xref:database-administration/syntax.adoc#administration-syntax-reading[Reading the administration commands syntax] and xref:authentication-authorization/manage-privileges.adoc#components-of-the-graph-privilege-commands[Components of the graph privilege commands]. [[access-control-privileges-writes-create]] == The `CREATE` privilege diff --git a/modules/ROOT/pages/database-administration/syntax.adoc b/modules/ROOT/pages/database-administration/syntax.adoc index ad6054aa0..2ed82dd9c 100644 --- a/modules/ROOT/pages/database-administration/syntax.adoc +++ b/modules/ROOT/pages/database-administration/syntax.adoc @@ -47,7 +47,8 @@ In this case, you will get either `+{ * }+` or `+{ name }+`. The special characters in the table above are the only ones that need to be escaped using `"` in the syntax summaries. -Here is an example that uses all the special characters. It grants the `READ` privilege: +Here is an example that uses all the special characters. +It grants the `READ` privilege: [source, syntax, role="noheader"] ---- 
@@ -62,6 +63,7 @@ GRANT READ Note that this command includes `+{+` and `+}+` in the syntax, and between them there can be a grouping of properties or the character `+*+`. It also has multiple optional parts, including the entity part of the command which is the grouping following the graph name. +For details about the graph privilege commands syntax, see xref:/authentication-authorization/manage-privileges.adoc#components-of-the-graph-privilege-commands[Components of the graph privilege commands]. However, there is no need to escape any characters when creating a constraint for a node property. This is because `(` and `)` are not special characters, and `[` and `]` indicate that the constraint name and the `IF NOT EXISTS` parts are optional, and therefore not part of the command.
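Review bot: In the new intro paragraph under `== Graph privilege commands` in manage-privileges.adoc, the sentence "The privileges can also be made immutable, which means they cannot be granted, denied, or revoked unless auth is disabled." does not say whether the restriction applies to making a privilege immutable or to changing one that already is. Because "unless auth is disabled" is the security-relevant condition, state which operations are blocked while auth is enabled and link to the page that documents immutable privileges rather than leaving it as a one-line aside. The first added sentence also speaks of "graph administrative rights" while the heading and the rest of the paragraph say "privileges"; using one term throughout would avoid implying these are different things.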
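Review bot: The replacement sentence in privileges-reads.adoc links to `database-administration/syntax.adoc#administration-syntax-reading`, but neither syntax.adoc hunk in this patch defines an `[[administration-syntax-reading]]` anchor. Confirm that the ID already exists in syntax.adoc, or add it in this change. The target `#components-of-the-graph-privilege-commands` is covered, since the manage-privileges.adoc hunk adds that anchor.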
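Review bot: The sentence added in privileges-writes.adoc is a verbatim copy of the one added in privileges-reads.adoc, so the same check on the `#administration-syntax-reading` anchor applies here. With two xrefs repeated word for word on two pages, consider moving the sentence to a shared include so a later anchor rename only has to be fixed in one place.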
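Review bot: In the second syntax.adoc hunk, the added xref starts with a slash, `xref:/authentication-authorization/manage-privileges.adoc#components-of-the-graph-privilege-commands[...]`, while every other xref in this patch uses the form `xref:authentication-authorization/manage-privileges.adoc#...` with no leading slash. Drop the slash so the link matches the others. The new sentence also sits directly between the paragraph about optional parts and the "However, there is no need to escape..." sentence, so "However" now reads as contrasting with the cross-reference; moving the xref to the end of the paragraph would keep the original contrast intact.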