modules/ROOT/pages/authentication-authorization/dbms-administration.adoc
12 additions & 4 deletions
@@ -68,9 +68,9 @@ All DBMS privileges are relevant system-wide.
68
68
Like user management, they do not belong to one specific database or graph.
69
69
For more details on the differences between graphs, databases, and the DBMS, refer to link:{neo4j-docs-base-uri}/cypher-manual/{page-version}/introduction/cypher_neo4j/[Cypher Manual -> Cypher and Neo4j].
70
70
71
-
image::privileges_grant_and_deny_syntax_dbms_privileges.svg[title="Syntax of GRANT and DENY DBMS Privileges"]
71
+
image::privileges_grant_and_deny_syntax_dbms_privileges.svg[width="800", title="Syntax of GRANT and DENY DBMS Privileges"]
The xref:authentication-authorization/built-in-roles.adoc#access-control-built-in-roles-admin[`admin` role] has a number of built-in privileges.
76
76
These include:
@@ -577,7 +577,7 @@ SHOW ROLE userModifier PRIVILEGES AS COMMANDS
577
577
a|Rows: 1
578
578
|===
579
579
580
-
A user that is granted the `ALTER USER` privilege is allowed to run the `ALTER USER` administration command with one or several of the `SET PASSWORD`, `SET PASSWORD CHANGE [NOT] REQUIRED` and `SET STATUS` parts:
580
+
A user that is granted the `ALTER USER` privilege is allowed to run the `ALTER USER` administration command with one or several of the `SET PASSWORD`, `SET PASSWORD CHANGE [NOT] REQUIRED`, `SET AUTH`, `REMOVE AUTH` and `SET STATUS` parts:
581
581
582
582
[source, cypher, role=noplay]
583
583
----
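Review bot: The list of `ALTER USER` parts in the changed sentence (new line 580) now names `SET AUTH` and `REMOVE AUTH` but still leaves out the home database parts, while the NOTE changed later in this commit says `ALTER USER` is equivalent to `SET PASSWORDS`, `SET AUTH`, `SET USER STATUS` and `SET USER HOME DATABASE` combined. Suggest adding `SET HOME DATABASE` and `REMOVE HOME DATABASE` here so the two passages agree. It would also help readers auditing roles to state explicitly that a role already holding `ALTER USER` can change which auth providers a user has, since that follows from this sentence but is easy to miss.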
@@ -615,6 +615,14 @@ A user that is granted the `SET PASSWORDS` privilege is allowed to run the `ALTE
615
615
ALTER USER jake SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED
616
616
----
617
617
618
+
A user that is granted the `SET AUTH` privilege is allowed to run the `ALTER USER` administration command with one or both of the `SET AUTH` and `REMOVE AUTH` parts:
619
+
620
+
[source, cypher, role=noplay]
621
+
----
622
+
ALTER USER jake REMOVE AUTH 'native SET AUTH 'oidc' { SET id 'jakesUniqueOktaUserId' }
623
+
----
624
+
625
+
618
626
The ability to modify the account status of users can be granted via the `SET USER STATUS` privilege.
619
627
See an example:
620
628
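Review bot: The added example on new line 622 has an unterminated string literal: `REMOVE AUTH 'native SET AUTH 'oidc'` is missing the closing quote after `native`, so the statement will not parse as written. Suggest `ALTER USER jake REMOVE AUTH 'native' SET AUTH 'oidc' { SET id 'jakesUniqueOktaUserId' }`. The introductory sentence says "one or both" of the parts, and the example only shows both combined, which is fine, but the quoting needs fixing before readers copy it.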
@@ -685,7 +693,7 @@ ALTER USER jake REMOVE HOME DATABASE
685
693
686
694
[NOTE]
687
695
====
688
-
Note that the combination of the `SET PASSWORDS`, `SET USER STATUS`, and the `SET USER HOME DATABASE` privilege actions is equivalent to the `ALTER USER` privilege action.
696
+
Note that the combination of the `SET PASSWORDS`, `SET AUTH`, `SET USER STATUS`, and the `SET USER HOME DATABASE` privilege actions is equivalent to the `ALTER USER` privilege action.
689
697
====
690
698
691
699
The ability to delete users can be granted via the `DROP USER` privilege.