neo4j
diff --git a/‎modules/ROOT/content-nav.adoc‎
Lines changed: 1 addition & 0 deletions b/‎modules/ROOT/content-nav.adoc‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎modules/ROOT/images/privileges_grant_and_deny_syntax.svg‎
Lines changed: 1 addition & 9 deletions b/‎modules/ROOT/images/privileges_grant_and_deny_syntax.svg‎
Lines changed: 1 addition & 9 deletions
diff --git a/‎modules/ROOT/images/privileges_grant_and_deny_syntax_load_privileges.svg‎
Lines changed: 1 addition & 0 deletions b/‎modules/ROOT/images/privileges_grant_and_deny_syntax_load_privileges.svg‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎modules/ROOT/images/privileges_on_graph_syntax.svg‎
Lines changed: 1 addition & 9 deletions b/‎modules/ROOT/images/privileges_on_graph_syntax.svg‎
Lines changed: 1 addition & 9 deletions
diff --git a/‎modules/ROOT/pages/authentication-authorization/built-in-roles.adoc‎
Lines changed: 23 additions & 19 deletions b/‎modules/ROOT/pages/authentication-authorization/built-in-roles.adoc‎
Lines changed: 23 additions & 19 deletions
@@ -169,6 +169,7 @@
 *** xref:authentication-authorization/privileges-writes.adoc[]
 *** xref:authentication-authorization/database-administration.adoc[]
 *** xref:authentication-authorization/dbms-administration.adoc[]
+*** xref:authentication-authorization/load-privileges.adoc[]
 *** xref:authentication-authorization/limitations.adoc[]
 *** xref:authentication-authorization/privileges-immutable.adoc[]
 *** xref:authentication-authorization/manage-execute-permissions.adoc[]
 
@@ -21,9 +21,9 @@ The built-in roles have the following default privileges:
 [.compact]
 <<access-control-built-in-roles-public, `PUBLIC`>>::
 * Access to the home database.
-* Allows executing procedures with the users' own privileges.
-* Allows executing user-defined functions with the users' own privileges.
-* Allows loading data.
+* Execute procedures with the users' own privileges.
+* Execute user-defined functions with the users' own privileges.
+* Load data.
 <<access-control-built-in-roles-reader, `reader`>>::
 * Access to all databases.
 * Traverse and read on the data graph (all nodes, relationships, properties).
@@ -45,11 +45,11 @@ In other words, the `editor` role cannot add to the schema but can only make cha
 <<access-control-built-in-roles-admin, `admin`>>::
 * Access to all databases.
 * Traverse, read, and write on the data graph.
-* Allows loading data.
+* Load data.
 * Create/drop/show indexes and constraints along with any other future schema constructs.
-* Allows executing procedures using boosted privileges.
-* Allows executing admin procedures.
-* Allows executing user-defined functions using boosted privileges.
+* Execute procedures using boosted privileges.
+* Execute admin procedures.
+* Execute user-defined functions using boosted privileges.
 * View/terminate queries.
 * Manage databases, users, roles, and privileges.
 
@@ -398,15 +398,6 @@ All of the commands require that the user executing the commands has the rights
 | {check-mark}
 | {check-mark}
 
-| Load data
-|
-|
-|
-|
-| {check-mark}
-| {check-mark}
-| {check-mark}
-
 
 | Execute procedures
 |
@@ -449,7 +440,7 @@ All of the commands require that the user executing the commands has the rights
 == The `PUBLIC` role
 
 All users are granted the `PUBLIC` role, and it can not be revoked or dropped.
-By default, it gives access to the default database and allows executing all procedures and user-defined functions.
+By default, it gives access to the default database and allows loading data, executing all procedures and user-defined functions.
 
 [IMPORTANT]
 ====
@@ -472,7 +463,8 @@ SHOW ROLE PUBLIC PRIVILEGES AS COMMANDS
 |"GRANT ACCESS ON HOME DATABASE TO `PUBLIC`"
 |"GRANT EXECUTE FUNCTION * ON DBMS TO `PUBLIC`"
 |"GRANT EXECUTE PROCEDURE * ON DBMS TO `PUBLIC`"
-a|Rows: 3
+|"GRANT LOAD ON ALL DATA TO `PUBLIC`"
+a|Rows: 4
 |===
 
 
@@ -500,6 +492,11 @@ GRANT EXECUTE PROCEDURES * ON DBMS TO PUBLIC
 GRANT EXECUTE USER DEFINED FUNCTIONS * ON DBMS TO PUBLIC
 ----
 
+[source, cypher, role=noplay]
+----
+GRANT LOAD ON ALL DATA TO PUBLIC
+----
+
 The resulting `PUBLIC` role now has the same privileges as the original built-in `PUBLIC` role.
 
 
@@ -839,6 +836,7 @@ These include the rights to perform the following classes of tasks:
 ** Change configuration parameters.
 ** Manage sub-graph privileges.
 ** Manage procedure security.
+** Manage xref:authentication-authorization/load-privileges.adoc[load privileges] to control the rights to load data from external sources.
 
 These rights are conferred using privileges that can be managed through the xref:authentication-authorization/manage-privileges.adoc#access-control-graph-privileges[`GRANT`, `DENY` and `REVOKE` commands].
 
@@ -859,6 +857,7 @@ SHOW ROLE admin PRIVILEGES AS COMMANDS
 |"GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`"
 |"GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`"
 |"GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`"
+|"GRANT LOAD ON ALL DATA TO `admin`"
 |"GRANT MATCH {*} ON GRAPH * NODE * TO `admin`"
 |"GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`"
 |"GRANT NAME MANAGEMENT ON DATABASE * TO `admin`"
@@ -868,7 +867,7 @@ SHOW ROLE admin PRIVILEGES AS COMMANDS
 |"GRANT STOP ON DATABASE * TO `admin`"
 |"GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`"
 |"GRANT WRITE ON GRAPH * TO `admin`"
-a|Rows: 13
+a|Rows: 14
 |===
 
 If the built-in `admin` role has been altered or dropped and needs to be restored to its original state, see xref:configuration/password-and-user-recovery[Password and user recovery].
@@ -916,6 +915,11 @@ GRANT MATCH {*} ON GRAPH * TO admin
 GRANT WRITE ON GRAPH * TO admin
 ----
 
+[source, cypher, role=noplay]
+----
+GRANT LOAD ON ALL DATA TO admin
+----
+
 [source, cypher, role=noplay]
 ----
 GRANT ALL ON DATABASE * TO admin