neo4j
diff --git a/‎antora.yml‎
Lines changed: 6 additions & 6 deletions b/‎antora.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎modules/ROOT/pages/authentication-authorization/limitations.adoc‎
Lines changed: 4 additions & 2 deletions b/‎modules/ROOT/pages/authentication-authorization/limitations.adoc‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc‎
Lines changed: 35 additions & 20 deletions b/‎modules/ROOT/pages/authentication-authorization/property-based-access-control.adoc‎
Lines changed: 35 additions & 20 deletions
diff --git a/‎modules/ROOT/pages/backup-restore/online-backup.adoc‎
Lines changed: 160 additions & 7 deletions b/‎modules/ROOT/pages/backup-restore/online-backup.adoc‎
Lines changed: 160 additions & 7 deletions
diff --git a/‎modules/ROOT/pages/backup-restore/restore-backup.adoc‎
Lines changed: 1 addition & 1 deletion b/‎modules/ROOT/pages/backup-restore/restore-backup.adoc‎
Lines changed: 1 addition & 1 deletion
@@ -1,14 +1,14 @@
 name: operations-manual
 title: Operations Manual
-version: '2025.03'
+version: '2025.04'
 current: true
 start_page: ROOT:index.adoc
 nav:
 - modules/ROOT/content-nav.adoc
 asciidoc:
   attributes:
-    neo4j-version: '2025.03'
-    neo4j-version-minor: '2025.03'
-    neo4j-version-exact: '2025.03.0'
-    neo4j-buildnumber: '2025.03'
-    neo4j-debian-package-version: '1:2025.03.0@'
+    neo4j-version: '2025.04'
+    neo4j-version-minor: '2025.04'
+    neo4j-version-exact: '2025.04.0'
+    neo4j-buildnumber: '2025.04'
+    neo4j-debian-package-version: '1:2025.04.0@'
@@ -390,8 +390,10 @@ So due to the additional data access required by the security checks, this opera
 
 [[property-based-access-control-limitations]]
 === Property-based access control limitations
-Extra node-level security checks are necessary when adding security rules based on property rules, and these can have a significant performance impact.
-The following example shows how the database behaves when adding security rules to roles `restricted` and `unrestricted`:
+Extra node or relationship-level security checks are necessary when adding security rules based on property rules, and these can have a significant performance impact.
+
+The following example shows how the database behaves when adding security rules for nodes to roles `restricted` and `unrestricted`. 
+The same limitations apply to relationships.
 
 [source, cypher]
 ----
 
@@ -12,9 +12,9 @@ CREATE ROLE regularUsers;
 [[property-based-access-control]]
 = Property-based access control
 
-Property-based access control grants permissions to users to read node properties based on property/value conditions.
+Property-based access control grants or denies permission to read or traverse nodes or relationships based on property/value conditions.
 Each property-based privilege can only be restricted by a single property.
-For information about read privileges and their syntax, see xref:authentication-authorization/privileges-reads.adoc[Read privileges].
+For information about and syntax for these privileges, see xref:authentication-authorization/privileges-reads.adoc[Read privileges].
 
 [IMPORTANT]
 ====
@@ -25,28 +25,32 @@ Users who can change this property can affect the granted property-based privile
 
 == Syntax
 
-To specify the property/value conditions of the read privilege, you can use the following syntax:
+To specify the property/value conditions of the privilege, you can use the following syntax:
 
 [source, syntax, role="noheader"]
 ----
 {GRANT | DENY | REVOKE [GRANT | DENY]}
 [IMMUTABLE]
-{MATCH | READ | TRAVERSE}	
+{MATCH | READ | TRAVERSE}
   ON { HOME GRAPH | GRAPH[S] { * | name[, ...] } }
     [
       ELEMENT[S] { * | label-or-rel-type[, ...] }
       | NODE[S] { * | label[, ...] }
       | RELATIONSHIP[S] { * | rel-type[, ...] }
       | FOR {
-  
-([var][:label["|" ...]] "{" property: value "}") 
-  | (var[:label["|" ...]]) 
-      WHERE [NOT] var.property { { = | <> | > | >= | < | <= } value | IS NULL | IS NOT NULL | IN { "["[value[, ...]]"]" | listParam } }
-  | (var[:label["|" ...]] 
-WHERE [NOT] var.property { { = | <> | > | >= | < | <= } value | IS NULL | IS NOT NULL | IN { "["[value[, ...]]"]" | listParam } } ) 
-}
-
- {TO | FROM} role[, ...] 
+          ([var][:label["|" ...]] "{" property: value "}")
+          | (var[:label["|" ...]])
+            WHERE [NOT] var.property { { = | <> | > | >= | < | <= } value | IS NULL | IS NOT NULL | IN { "["[value[, ...]]"]" | listParam } }
+          | (var[:label["|" ...]]
+            WHERE [NOT] var.property { { = | <> | > | >= | < | <= } value | IS NULL | IS NOT NULL | IN { "["[value[, ...]]"]" | listParam } } )
+          | ()[<]-"["[var][:type["|" ...]] "{" property: value "}" "]"-[>]()
+          | ()[<]-"["var[:type["|" ...]]"]"-[>]()
+            WHERE [NOT] var.property { { = | <> | > | >= | < | <= } value | IS NULL | IS NOT NULL | IN { "["[value[, ...]]"]" | listParam } }
+          | ()[<]-"["var[:type["|" ...]]
+            WHERE [NOT] var.property { { = | <> | > | >= | < | <= } value | IS NULL | IS NOT NULL | IN { "["[value[, ...]]"]" | listParam } } "]"-[>]()
+      }
+    ]
+ {TO | FROM} role[, ...]
 ----
 
 
@@ -57,7 +61,7 @@ See xref:authentication-authorization/limitations.adoc#property-based-access-con
 
 When having property rules, the following factors can worsen the impact on performance:
 
-* The number of properties on the nodes concerned (more properties = greater performance impact).
+* The number of properties on the nodes and relationships concerned (more properties = greater performance impact).
 * The number of property-based privileges (more property-based privileges = greater performance impact).
 * The type of the privilege: `TRAVERSE` property-based privileges have greater performance impact than `READ` property-based privileges.
 * The type of storage medium in operation. The impact of the property-based privileges on performance is considerably amplified by accessing disc storage.
@@ -81,7 +85,7 @@ GRANT privilege-name ON GRAPH graph-name FOR pattern TO role-name
 The user role does not need to have `READ` privilege for the property used by the property-based privilege.
 ====
 
-=== Grant a property-based privilege on a specific property using its value
+=== Grant a property-based privilege on a specific property using the value of another property
 
 The following example shows how to grant permission to `READ` the `address` property on `Email` or `Website` nodes with domain `exampledomain.com` to role `regularUsers`:
 
@@ -97,6 +101,12 @@ Alternatively, you can use the following syntax:
 GRANT READ { address } ON GRAPH * FOR (:Email|Website {domain: 'exampledomain.com'}) TO regularUsers
 ----
 
+The following example shows how to grant permission to `READ` the `since` property on `OWNS` relationships having `classification` equal to `UNCLASSIFIED` to role `regularUsers`:
+
+[source, syntax, role="noheader"]
+----
+GRANT READ { since } ON GRAPH * FOR ()-[o:OWNS]-() WHERE o.classification = 'UNCLASSIFIED' TO regularUsers
+----
 
 === Grant a property-based privilege using `NULL`
 
@@ -109,20 +119,22 @@ GRANT TRAVERSE ON GRAPH * FOR (n:Email) WHERE n.classification IS NULL TO regula
 
 === Deny a property-based privilege using a comparison operator
 
-The following example shows how to deny permission to `READ` and `TRAVERSE` nodes where the property `classification` is different from `UNCLASSIFIED` to role `regularUsers`:
+The following example shows how to deny permission to `READ` and `TRAVERSE` nodes and relationships where the property `classification` is different from `UNCLASSIFIED` to role `regularUsers`:
 
 [source, syntax, role="noheader"]
 ----
 DENY MATCH {*} ON GRAPH * FOR (n) WHERE n.classification <> 'UNCLASSIFIED' TO regularUsers
+DENY MATCH {*} ON GRAPH * FOR ()-[r]-() WHERE r.classification <> 'UNCLASSIFIED' TO regularUsers
 ----
 
 === Grant a property-based privilege on all properties using a property value
 
-The following example shows how to grant permission to `READ` all properties on nodes where the property `securityLevel` is higher than `3` to role `regularUsers`:
+The following example shows how to grant permission to `READ` all properties on nodes and relationships where the property `securityLevel` is higher than `3` to role `regularUsers`:
 
 [source, syntax, role="noheader"]
 ----
 GRANT READ {*} ON GRAPH * FOR (n) WHERE n.securityLevel > 3 TO regularUsers
+GRANT READ {*} ON GRAPH * FOR ()-[r]-() WHERE r.securityLevel > 3 TO regularUsers
 ----
 
 [NOTE]
@@ -132,22 +144,24 @@ The role `regularUsers` does not need to have `READ` privilege for the property
 
 === Deny a property-based privilege using a list of values
 
-The following example shows how to deny permission to `READ` all properties on nodes where the property `classification` is not included in the list of `[UNCLASSIFIED, PUBLIC]`:
+The following example shows how to deny permission to `READ` all properties on nodes and relationships where the property `classification` is not included in the list of `[UNCLASSIFIED, PUBLIC]`:
 
 [source, syntax, role="noheader"]
 ----
 DENY READ {*} ON GRAPH * FOR (n) WHERE NOT n.classification IN ['UNCLASSIFIED', 'PUBLIC'] TO regularUsers
+DENY READ {*} ON GRAPH * FOR ()-[r]-() WHERE NOT r.classification IN ['UNCLASSIFIED', 'PUBLIC'] TO regularUsers
 ----
 
 // The last two examples were added in 5.26.
 
 === Grant a property-based privilege using temporal value
 
-The following example shows how to grant permission to `READ` all properties on nodes where the property `createdAt` is later than the current date:
+The following example shows how to grant permission to `READ` all properties on nodes and relationships where the property `createdAt` is later than the current date:
 
 [source, syntax, role="noheader"]
 ----
 GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date() TO regularUsers
+GRANT READ {*} ON GRAPH * FOR ()-[r]-() WHERE r.createdAt > date() TO regularUsers
 ----
 
 [NOTE]
@@ -174,6 +188,7 @@ SHOW ROLE regularUsers PRIVILEGES AS REVOKE COMMANDS
 |===
 |command
 |"REVOKE GRANT READ {*} ON GRAPH * FOR (n) WHERE n.createdAt > date('2024-10-25') FROM `regularUsers`"
-a|Rows: 1
+|"REVOKE GRANT READ {*} ON GRAPH * FOR ()-[r]-() WHERE r.createdAt > date('2024-10-25') FROM `regularUsers`"
+a|Rows: 2
 |===
 
@@ -64,14 +64,12 @@ For more information, see xref:backup-restore/online-backup.adoc#online-backup-c
 
 [source,role=noheader]
 ----
-neo4j-admin database backup [-h] [--expand-commands] [--verbose]
+neo4j-admin database backup [-h] [--expand-commands] [--prefer-diff-as-parent] [--verbose]
                             [--compress[=true|false]] [--keep-failed[=true|false]]
-                            [--parallel-recovery[=true|false]]
-                            [--additional-config=<file>]
-                            [--include-metadata=none|all|users|roles]
-                            [--inspect-path=<path>] [--pagecache=<size>] [--temp-path=<path>]
-                            [--to-path=<path>] [--type=<type>] [--from=<host:port>[,<host:
-                            port>...]]... [<database>...]
+                            [--parallel-recovery[=true|false]] [--additional-config=<file>]
+                            [--include-metadata=none|all|users|roles] [--inspect-path=<path>]
+                            [--pagecache=<size>] [--temp-path=<path>] [--to-path=<path>]
+                            [--type=<type>] [--from=<host:port>[,<host:port>...]]... [<database>...]
 ----
 
 === Description
@@ -162,6 +160,10 @@ It is recommended to use `SHOW USERS`, `SHOW ROLES`, and `SHOW ROLE $role PRIVIL
 Note: this is an EXPERIMENTAL option. Consult Neo4j support before use.
 |false
 
+|--prefer-diff-as-parent
+|label:new[Introduced in 2025.04] When performing a differential backup, prefer the latest non-empty differential backup as the parent instead of the latest backup.
+|false
+
 |--temp-path=<path>
 |Provide a path to a temporary empty directory for storing backup files until the command is completed. The files will be deleted once the command is finished.
 |
@@ -457,3 +459,154 @@ bin/neo4j-admin database backup --to-path=azb://myStorageAccount/myContainer/myD
 ----
 ======
 =====
+
+
+[role=label--new-2025.04]
+[[diff-backup-as-parent]]
+=== Perform a differential backup using the `--prefer-diff-as-parent` option
+
+By default, a differential backup (`--type=DIFF`) uses the *most recent non-empty* backup -- whether full or differential -- in the directory as its parent. 
+
+The `--prefer-diff-as-parent` option changes this behavior and forces the backup job to use the *latest differential* backup as the parent, even if a newer full backup exists. 
+
+This approach allows you to maintain a chain of differential backups for all transactions and restore to any point in time.
+Without this option, the transactions between the last full backup and a previous differential backup cannot be backed up as individual transactions.
+
+To use the `--prefer-diff-as-parent` option, set it to `true`.
+
+The following examples cover different scenarios for using the `--prefer-diff-as-parent` option.
+
+[.tabbed-example]
+=====
+[role=include-with-Chain-with-full-and-differential-backups]
+======
+
+Let's assume that you write 10 transactions to the `neo4j` database every hour, except from 12:30 to 13:30, when you do not write any transactions.
+
+There is a backup job that takes a backup every hour and a full backup every four hours.
+An empty backup has no transactions, meaning that both the lower transaction ID and the upper transaction ID are zero.
+
+Imagine you have the following backup chain:
+
+[cols="h,e,m,h,h"]
+|===
+|Timestamp | Backup name | Backup type | Lower Transaction ID | Upper Transaction ID
+
+| 10:30
+| backup1
+| FULL
+| 1
+| 10
+
+| 11:30
+| backup2
+| DIFF
+| 11
+| 20
+
+| 12:30
+| backup3
+| DIFF
+| 21
+| 30
+
+| 13:30
+| backup4
+| DIFF
+| 0
+| 0
+
+| 14:30
+| backup5
+| FULL
+| 1
+| 40
+
+|===
+
+At 15:30, you execute the following backup command:
+
+[source,shell]
+----
+neo4j-admin database backup --from=<address:port> --to-path=<targetPath> --type=DIFF neo4j
+----
+
+The result would be:
+
+[cols="h,e,m,h,h"]
+|===
+| 15:30
+| backup6
+| DIFF
+| 41
+| 50
+|===
+
+The result means you have chosen `backup5` as the parent for your differential `backup6` since the `backup5` is the *latest non-empty* backup.
+
+However, if you execute the following command with the `--prefer-diff-as-parent` option:
+
+[source,shell]
+----
+neo4j-admin database backup --from=<address:port> --to-path=<targetPath> --type=DIFF --prefer-diff-as-parent neo4j
+----
+
+The result would be:
+
+[cols="h,e,m,h,h"]
+|===
+| 15:30
+| backup6
+| DIFF
+| 31
+| 50
+|===
+
+In this case, the `backup3` is selected as the parent since it is the *latest non-empty differential* backup.
+
+======
+[role=include-with-Chain-with-only-full-backups]
+======
+
+Let's assume that you write 10 transactions to the `neo4j` database every hour and trigger an hourly full backup.
+
+[cols="h,e,m,h,h"]
+|===
+|Timestamp | Backup name | Backup type | Lower Transaction ID | Upper Transaction ID
+
+| 10:30
+| backup1
+| FULL
+| 1
+| 10
+
+| 11:30
+| backup2
+| FULL
+| 11
+| 20
+|===
+
+In this case, there is no differential backup.
+Therefore, the `--prefer-diff-as-parent` option has no effect and the behaviour is the same as the default one.
+
+[source,shell]
+----
+neo4j-admin database backup \
+--from=<address:port> --to-path=<targetPath> \
+--type=DIFF --prefer-diff-as-parent \
+neo4j
+----
+
+The result would be (with or without the `--prefer-diff-as-parent` option):
+[cols="h,e,m,h,h"]
+|===
+| 12:30
+| backup3
+| DIFF
+| 21
+| 30
+|===
+
+======
+=====
@@ -300,7 +300,7 @@ For more information, see xref:clustering/databases.adoc#cluster-seed[Designated
 
 If you have backed up a database with the option `--include-metadata`, you can manually restore the users and roles metadata.
 
-From the _<NEO4J_HOME>_ directory, you run the Cypher script _data/databases/databasename/tools/metadata_script.cypher_, which the `neo4j-admin database restore` command outputs, using xref:cypher-shell.adoc[][Cypher Shell]:
+From the _<NEO4J_HOME>_ directory, you run the Cypher script _data/databases/databasename/tools/metadata_script.cypher_, which the `neo4j-admin database restore` command outputs, using xref:cypher-shell.adoc[]:
 
 *Using `cat` (UNIX)*
 [source, shell, role=nocopy noplay]