Add token privilege notes (#1015)

JPryce-Aklundh · web-flow · commit 3519a08e9da6 · 2024-08-12T10:21:15.000+02:00
diff --git a/modules/ROOT/pages/administration/access-control/database-administration.adoc b/modules/ROOT/pages/administration/access-control/database-administration.adoc
@@ -837,6 +837,10 @@ GRANT NAME [MANAGEMENT]
 
 |===
 
+[NOTE]
+====
+The `SHOW PRIVILEGES` commands return the `NAME MANAGEMENT` privilege as the action `token`, when not using `AS COMMANDS`.
+====
 
 For example, to grant the role `regularUsers` the ability to create new properties on nodes or relationships on the database `neo4j`, use:
 
diff --git a/modules/ROOT/pages/administration/access-control/manage-privileges.adoc b/modules/ROOT/pages/administration/access-control/manage-privileges.adoc
@@ -599,6 +599,11 @@ Lists all privileges for all roles:
 6+a|Rows: 39
 |===
 
+[NOTE]
+====
+The `token` action corresponds to the `NAME MANAGEMENT` privilege.
+====
+
 It is also possible to filter and sort the results by using `YIELD`, `ORDER BY` and `WHERE`:
 
 [source, cypher, role=noplay]
@@ -688,6 +693,11 @@ In this example:
 4+a|Rows: 12
 |===
 
+[NOTE]
+====
+The `token` action corresponds to the `NAME MANAGEMENT` privilege.
+====
+
 `WHERE` can also be used without `YIELD`:
 
 [source, cypher, role=noplay]
@@ -782,6 +792,11 @@ SHOW PRIVILEGES YIELD * RETURN role, access, collect([graph, resource, segment,
 3+a|Rows: 8
 |===
 
+[NOTE]
+====
+The `token` action corresponds to the `NAME MANAGEMENT` privilege.
+====
+
 The `RETURN` clause can also be used to order and paginate the results, which is useful when combined with `YIELD` and `WHERE`.
 In this example the query returns privileges for display five-per-page, and skips the first five to display the second page.
 
diff --git a/modules/ROOT/pages/administration/access-control/privileges-writes.adoc b/modules/ROOT/pages/administration/access-control/privileges-writes.adoc
@@ -380,10 +380,16 @@ GRANT ALL GRAPH PRIVILEGES ON GRAPH neo4j TO regularUsers
 
 [NOTE]
 ====
-Unlike the more specific `READ` and `WRITE` commands, it is not possible to restrict `ALL GRAPH PRIVILEGES` to specific +ELEMENTS, +NODES+ or +RELATIONSHIPS+.
+Unlike the more specific `READ` and `WRITE` commands, it is not possible to restrict `ALL GRAPH PRIVILEGES` to specific +ELEMENTS+, +NODES+ or +RELATIONSHIPS+.
 If you wish to prevent a user from reading or writing to a subset of database objects, a `GRANT ALL GRAPH PRIVILEGES` can be combined with more specific `DENY` commands to target these elements.
 ====
 
+[NOTE]
+====
+The `ALL GRAPH PRIVILEGES` privilege does not allow creating new labels, relationship types, or property names.
+These are instead managed by the `NAME MANAGEMENT` privileges.
+====
+
 The `ALL GRAPH PRIVILEGES` privilege can also be denied:
 
 [source, syntax, role="noheader"]
