apply suggestions from review

Author: renetapopova

modules/ROOT/pages/authentication-authorization/dbms-administration.adoc

@@ -79,13 +79,14 @@ The xref:authentication-authorization/built-in-roles.adoc#access-control-built-i
 
 These include:
 
-* Create, delete, and modify databases and aliases.
+* <<access-control-dbms-administration-database-management, Create, delete, and modify databases>> and  <<access-control-dbms-administration-alias-management, aliases>>.
 * Change configuration parameters.
-* Manage transactions.
-* Manage users and roles.
-* Manage sub-graph privileges.
-* Manage procedure security.
-* Load data.
+* xref:authentication-authorization/database-administration.adoc#access-control-database-administration-transaction[Manage transactions].
+* Manage <<access-control-dbms-administration-role-management, users>> and <<access-control-dbms-administration-user-management, roles>>.
+* Manage sub-graph <<access-control-dbms-administration-privilege-management, privileges>>.
+* Manage <<access-control-dbms-administration-impersonation, impersonation privileges>>.
+* Manage <<access-control-dbms-administration-execute, procedure security>>.
+* Manage <<access-control-dbms-administration-load-privileges, load data security>>.
 
 To enable a user to perform these tasks, you can grant them the `admin` role, but it is also possible to make a custom role with a subset of these privileges.
 All privileges are also assignable using Cypher commands.
@@ -148,7 +149,7 @@ To create a more powerful administrator, you can grant a different set of privil
 
 === Create a custom administrator role by copying the `admin` role
 
-You can also create a custom administrator role that can  perform almost all DBMS capabilities, excluding database management.
+You can also create a custom administrator role that can perform almost all DBMS capabilities, excluding database management.
 This is done by copying the `admin` role and denying the privileges you do not want.
 However, the role still has some limited database capabilities, such as managing transactions:
 
@@ -177,7 +178,7 @@ DENY DATABASE MANAGEMENT ON DBMS TO customAdministrator
 GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO customAdministrator
 ----
 +
-As a result, the `customAdministrator` role has privileges that include all DBMS privileges except creating, dropping, and modifying databases and aliases, as well as managing transactions.
+As a result, the `customAdministrator` role has privileges that include all DBMS privileges except creating, dropping, and modifying databases, as well as managing transactions.
 . To list all privileges for the role `customAdministrator` as commands, use the following query:
 +
 [source, cypher, role=noplay]
@@ -195,6 +196,37 @@ SHOW ROLE customAdministrator PRIVILEGES AS COMMANDS
 a|Rows: 3
 |===
 
+===
+
+CREATE ROLE newRole AS COPY OF admin and then revoke the ability to read/write/load data?
+
+[source, cypher, role=noplay]
+----
+CREATE ROLE newRole AS COPY OF admin;
+REVOKE GRANT MATCH {*} ON GRAPH * NODE * FROM newRole;
+REVOKE GRANT MATCH {*} ON GRAPH * RELATIONSHIP * FROM newRole;
+REVOKE GRANT WRITE ON GRAPH * FROM newRole;
+REVOKE GRANT LOAD ON ALL DATA FROM newRole;
+----
+
+potentially also remove the index/constraint/name management
+
+[source, cypher, role=noplay]
+----
+REVOKE GRANT CONSTRAINT MANAGEMENT ON DATABASE * FROM newRole;
+REVOKE GRANT INDEX MANAGEMENT ON DATABASE * FROM newRole;
+REVOKE GRANT NAME MANAGEMENT ON DATABASE * FROM newRole;
+REVOKE GRANT SHOW CONSTRAINT ON DATABASE * FROM newRole;
+REVOKE GRANT SHOW INDEX ON DATABASE * FROM newRole;
+----
+
+If you want to be fancy we could also change what they have access on to system only:
+
+[source, cypher, role=noplay]
+----
+REVOKE GRANT ACCESS ON DATABASE * FROM newRole;
+GRANT ACCESS ON DATABASE system TO newRole;
+----
 
 [[access-control-dbms-administration-role-management]]
 == The DBMS `ROLE MANAGEMENT` privileges
@@ -335,7 +367,7 @@ a|Rows: 1
 
 === Grant privilege to assign roles
 
-You can grant the privilege to assign roles using the `ASSIGN ROLE` privilege.
+You can grant the privilege to assign roles to users using the `ASSIGN ROLE` privilege.
 For example:
 
 [source, cypher, role=noplay]
@@ -361,7 +393,7 @@ a|Rows: 1
 
 === Grant privilege to remove roles
 
-You can grant the privilege to remove roles using the `REMOVE ROLE` privilege.
+You can grant the privilege to remove roles from users using the `REMOVE ROLE` privilege.
 For example:
 
 [source, cypher, role=noplay]
@@ -390,13 +422,13 @@ a|Rows: 1
 You can grant the privilege to show roles using the `SHOW ROLE` privilege.
 A role with this privilege is allowed to execute the `SHOW ROLES` and `SHOW POPULATED ROLES` administration commands.
 
-The following query shows an example of how to grant the `SHOW ROLE` privilege:
-
 [NOTE]
 ====
 In order to use `SHOW ROLES WITH USERS` and `SHOW POPULATED ROLES WITH USERS` administration commands, both the `SHOW ROLE` and the `SHOW USER` privileges are required.
 ====
 
+The following query shows an example of how to grant the `SHOW ROLE` privilege:
+
 [source, cypher, role=noplay]
 ----
 GRANT SHOW ROLE ON DBMS TO roleShower
@@ -635,18 +667,31 @@ SHOW ROLE passwordModifier PRIVILEGES AS COMMANDS
 a|Rows: 1
 |===
 
-The `SET PASSWORDS` privilege allows the user to run the `ALTER USER` administration command with one or both of the `SET PASSWORD` and `SET PASSWORD CHANGE [NOT] REQUIRED` parts.
+The `SET PASSWORDS` privilege allows you to run the `ALTER USER` administration command with one or both of the `SET PASSWORD` and `SET PASSWORD CHANGE [NOT] REQUIRED` parts.
 
 [source, cypher, role=noplay]
 ----
 ALTER USER jake SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED
 ----
 
-A user that is granted the `SET AUTH` privilege is allowed to run the `ALTER USER` administration command with one or both of the `SET AUTH` and `REMOVE AUTH` parts:
+=== Grant privilege to modify users' auth providers
+
+You can grant the privilege to modify users' auth providers using the `SET AUTH` privilege.
+For example:
+
+[source, cypher, role=noplay]
+----
+GRANT SET AUTH ON DBMS TO userModifier
+----
+As a result, the `userModifier` role has privileges that only allow modifying users' auth providers.
+
+The `SET AUTH` privilege allows the user to run the `ALTER USER` administration command with one or both of the `SET
+AUTH` and `REMOVE AUTH` parts.
+For example:
 
 [source, cypher, role=noplay]
 ----
-ALTER USER jake REMOVE AUTH 'native SET AUTH 'oidc-okta' { SET id 'jakesUniqueOktaUserId' }
+ALTER USER jake REMOVE AUTH 'native' SET AUTH 'oidc-okta' { SET id 'jakesUniqueOktaUserId' }
 ----
 
 === Grant privilege to modify the account status of users
@@ -675,7 +720,7 @@ SHOW ROLE statusModifier PRIVILEGES AS COMMANDS
 a|Rows: 1
 |===
 
-A user that is granted the `SET USER STATUS` privilege is allowed to run the `ALTER USER` administration command with only the `SET STATUS` part:
+The `SET USER STATUS` privilege allows the user to run the `ALTER USER` administration command with only the `SET STATUS` part:
 
 [source, cypher, role=noplay]
 ----
@@ -709,7 +754,7 @@ SHOW ROLE statusModifier PRIVILEGES AS COMMANDS
 a|Rows: 2
 |===
 
-A user that is granted the `SET USER HOME DATABASE` privilege is allowed to run the `ALTER USER` administration command with only the `SET HOME DATABASE` or `REMOVE HOME DATABASE` part:
+The `SET USER HOME DATABASE` privilege allows you to run the `ALTER USER` administration command with only the `SET HOME DATABASE` or `REMOVE HOME DATABASE` part:
 
 [source, cypher, role=noplay]
 ----

modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc

@@ -13,27 +13,14 @@ If a transaction modifies a database alias, other transactions concurrently exec
 This prevents issues such as a transaction executing against multiple target databases for the same alias.
 ====
 
-When a query is run against a database alias, it will be redirected to the target database.
-The home database for users can be set to an alias, which will be resolved to the target database on use.
-Starting with Neo4j 2025.04, a database alias can also be set as the default database.
-
-This page describes managing database aliases for standard databases.
-For aliases created as part of a xref:database-administration/composite-databases/concepts.adoc[composite database], see xref:database-administration/aliases/manage-aliases-composite-databases.adoc[].
-
 There are two kinds of database aliases - local and remote:
 
 Local database aliases::
 A local database alias can only target a database within the same DBMS.
 It can be used in all Cypher commands in place of the target database.
 Please note that the local database alias will be resolved while executing the command.
 Privileges are defined on the target database, and not the local database alias.
-+
-[NOTE]
-====
-Starting with Neo4j 2025.06, a database can be assigned a default Cypher version.
-However, local database aliases cannot be assigned a default Cypher version.
-They always get the Cypher version of their target database.
-====
+
 
 Remote database aliases::
 A remote database alias may target a database from another Neo4j DBMS.
@@ -45,7 +32,20 @@ It can be used for:
 +
 Remote database aliases require configuration to safely connect to the remote target, which is described in xref::database-administration/aliases/remote-database-alias-configuration.adoc[Connecting remote databases].
 It is not possible to impersonate a user on the remote database or to execute an administration command on the remote database via a remote database alias.
-Starting with Neo4j 2025.06, a remote database alias can be assigned a default Cypher version.
+
+[NOTE]
+====
+Starting with Neo4j 2025.06, a database or remote alias can be assigned a default Cypher version.
+However, local database aliases cannot be assigned a default Cypher version.
+They always get the Cypher version of their target database.
+====
+
+When a query is run against a database alias, it will be redirected to the target database.
+The home database for users can be set to an alias, which will be resolved to the target database on use.
+Starting with Neo4j 2025.04, a database alias can also be set as the DBMS default database.
+
+This page describes managing database aliases for standard databases.
+For aliases created as part of a xref:database-administration/composite-databases/concepts.adoc[composite database], see xref:database-administration/aliases/manage-aliases-composite-databases.adoc[].
 
 [[manage-aliases-list]]
 == List database aliases
@@ -74,7 +74,7 @@ DEFAULT LANGUAGE CYPHER 25;
 ////
 
 You can list all available database aliases using the `SHOW ALIASES FOR DATABASE` command.
-The command returns a table of all standard and composite database aliases. +
+The command returns a table of all database aliases, whether they belong to a composite database or not. +
 If you need more details, you can append the command with `YIELD *`.
 The `YIELD *` clause returns the full set of columns.
 The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges].
@@ -337,7 +337,7 @@ CREATE OR REPLACE ALIAS `northwind` FOR DATABASE `northwind-graph-2021`
 ----
 +
 This is equivalent to running ```DROP ALIAS `northwind++` IF EXISTS FOR DATABASE++``` followed by ```CREATE ALIAS `northwind++` FOR DATABASE `northwind-graph-2021++````.
-+
+
 [NOTE]
 ====
 The `IF NOT EXISTS` and `OR REPLACE` parts of these commands cannot be used together.
@@ -384,6 +384,8 @@ See xref:database-administration/aliases/remote-database-alias-configuration.ado
 
 Since remote database aliases target databases that are not in this DBMS, they do not fetch the default Cypher version from their target like the local database aliases.
 Instead, they are assigned the version given by xref:configuration/configuration-settings.adoc#config_db.query.default_language[`db.query.default_language`], which is set in the `neo4j.conf` file.
+Alternatively, you can specify the version in the `CREATE ALIAS` or `ALTER ALIAS` commands.
+See xref:database-administration/aliases/manage-aliases-standard-databases.adoc#set-default-language-for-remote-database-aliases[] and xref:database-administration/aliases/manage-aliases-standard-databases.adoc#alter-default-language-remote-database-alias[] for more information.
 
 .Query
 [source, cypher]
@@ -429,7 +431,7 @@ If `ssl_enforced` is set to true, a secure URL scheme is enforced.
 It is be validated when the command is executed.
 * `connection_timeout` (For details, see xref:configuration/configuration-settings.adoc#config_dbms.routing.driver.connection.connect_timeout[dbms.routing.driver.connection.connect_timeout].)
 * `connection_max_lifetime` (For details, see xref:configuration/configuration-settings.adoc#config_dbms.routing.driver.connection.max_lifetime[dbms.routing.driver.connection.max_lifetime].)
-* `connection_pool_acquisition_timeout` (Foror details, see xref:configuration/configuration-settings.adoc#config_dbms.routing.driver.connection_pool_acquisition_timeout[dbms.routing.driver.connection_pool_acquisition_timeout].)
+* `connection_pool_acquisition_timeout` (For details, see xref:configuration/configuration-settings.adoc#config_dbms.routing.driver.connection_pool_acquisition_timeout[dbms.routing.driver.connection_pool_acquisition_timeout].)
 * `connection_pool_idle_test` (For details, see xref:configuration/configuration-settings.adoc#config_dbms.routing.driver.connection_pool_idle_test[dbms.routing.driver.connection_pool_idle_test].)
 * `connection_pool_max_size` (For details, see xref:configuration/configuration-settings.adoc#config_dbms.routing.driver.connection.pool.max_size[dbms.routing.driver.connection.pool.max_size].)
 * `logging_level` (For details, see xref:configuration/configuration-settings.adoc#config_dbms.routing.driver.logging.level[dbms.routing.driver.logging.level].)
@@ -470,6 +472,7 @@ SHOW ALIAS `remote-with-driver-settings` FOR DATABASE YIELD *
 ----
 
 [role=label--new-2025.06]
+[[set-default-language-for-remote-database-aliases]]
 ==== Set a default Cypher version for remote database aliases
 
 You can set a default Cypher version for remote database aliases using the `DEFAULT LANGUAGE` clause of the `CREATE ALIAS` or `ALTER ALIAS` commands.
@@ -539,7 +542,8 @@ SHOW ALIAS `remote-northwind-2021` FOR DATABASE YIELD name, properties
 == Alter database aliases
 
 You can alter both local and remote database aliases using the `ALTER ALIAS` command.
-The command allows you to change the target database, properties, URL, user credentials, default language, or driver settings of the database alias.
+For all aliases, the command allows you to change the target database and properties of the database alias.
+For remote aliases, the command also allows you to change the URL, user credentials, default language, or driver settings of the database alias.
 The required privileges are described in the xref:authentication-authorization/dbms-administration.adoc#access-control-dbms-administration-alias-management[The DBMS ALIAS MANAGEMENT privileges].
 Only the clauses used will be altered.
 
@@ -561,7 +565,7 @@ SET DATABASE TARGET `northwind-graph-2021`
 ----
 
 To verify that the local database alias has a new target database, you can use the `SHOW DATABASE` command.
-
+It shows up in the `aliases` column for the target database.
 .Query
 [source, cypher]
 ----
@@ -587,25 +591,26 @@ For example:
 .Query
 [source, cypher]
 ----
-ALTER ALIAS `remote-northwind` SET DATABASE
-TARGET `northwind-graph-2020` AT "neo4j+s://other-location:7687"
+ALTER ALIAS `remote-northwind`
+SET DATABASE TARGET `northwind-graph-2020` AT "neo4j+s://other-location:7687"
 ----
 
 === Alter a remote database alias credentials and driver settings
 
-You can change the user credentials and driver settings of a remote database alias using the `USER`, `PASSWORD`, and `DRIVER` clauses of the `ALTER ALIAS` command.
+You can change the user credentials and driver settings of a remote database alias using the `USER`, `PASSWORD`, and `DRIVER` subclauses of the `SET DATABASE` clause of the `ALTER ALIAS` command.
 For example:
 
 .Query
 [source, cypher]
 ----
-ALTER ALIAS `remote-with-driver-settings` SET DATABASE
-USER bob
-PASSWORD 'new_example_secret'
-DRIVER {
-  connection_timeout: duration({ minutes: 1}),
-  logging_level: 'debug'
-}
+ALTER ALIAS `remote-with-driver-settings`
+SET DATABASE
+  USER bob
+  PASSWORD 'new_example_secret'
+  DRIVER {
+    connection_timeout: duration({ minutes: 1}),
+    logging_level: 'debug'
+  }
 ----
 
 [IMPORTANT]
@@ -626,16 +631,17 @@ DRIVER {}
 ----
 
 [role=label--new-2025.06]
+[[alter-default-language-remote-database-alias]]
 === Alter the default Cypher version of a remote database alias
 
-You can alter the default Cypher version of a remote database alias using the `DEFAULT LANGUAGE` clause of the `ALTER ALIAS` command.
+You can alter the default Cypher version of a remote database alias using the `SET DATABASE DEFAULT LANGUAGE` clause of the `ALTER ALIAS` command.
 For example:
 
 .Query
 [source, cypher]
 ----
-ALTER ALIAS `remote-with-default-language` SET DATABASE
-DEFAULT LANGUAGE CYPHER 5
+ALTER ALIAS `remote-with-default-language`
+SET DATABASE DEFAULT LANGUAGE CYPHER 5
 ----
 
 === Alter properties of local and remote database aliases
@@ -691,7 +697,7 @@ For example:
 DROP ALIAS `northwind` FOR DATABASE
 ----
 
-To verify that the local database alias has been deleted, you can use the `SHOW ALIASES FOR DATABASE` command.
+To verify that the local database alias has been deleted, you can use the `SHOW DATABASES` command.
 The deleted alias will no longer appear in the `aliases` column.
 
 .Query

modules/ROOT/pages/database-administration/index.adoc

@@ -8,7 +8,16 @@ The DBMS can manage a standalone server, or a group of servers in a cluster.
 
 A database is an administrative partition of a DBMS.
 In practical terms, it is a physical structure of files organized within a directory or folder, that has the same name of the database.
-This chapter describes how to manage local and remote standard databases, composite databases, and database aliases.
+
+This chapter describes how to manage local and remote standard databases, composite databases, and database aliases. +
+All databases are managed using the Cypher administration commands.
+For more information on the Cypher administration commands syntax, see xref:database-administration/syntax.adoc[Database management command syntax].
+
+[WARNING]
+====
+Cypher administration commands must not be used during a rolling upgrade.
+For more information, see link:{neo4j-docs-base-uri}/upgrade-migration-guide/upgrade/upgrade-4.4/causal-cluster/[Upgrade and Migration Guide -> Upgrade a cluster].
+====
 
 == Standard databases
 

modules/ROOT/pages/database-administration/standard-databases/alter-databases.adoc

@@ -8,7 +8,7 @@ You can modify standard databases using the Cypher command `ALTER DATABASE`.
 
 [.tabbed-example]
 =====
-[role=include-with-cypher-5]
+[role=include-with-cypher-5 label--before-2025.06]
 ======
 [options="header", width="100%", cols="1m,5a"]
 |===
@@ -22,7 +22,7 @@ ALTER DATABASE name [IF EXISTS]
 {
 SET ACCESS {READ ONLY \| READ WRITE} \|
 SET TOPOLOGY n PRIMAR{Y\|IES} [m SECONDAR{Y\|IES}] \|
-SET OPTION option value \|
+SET OPTION option value
 }
 [WAIT [n [SEC[OND[S]]]]\|NOWAIT]
 ----
@@ -133,7 +133,7 @@ SET ACCESS READ WRITE
 
 [role=label--new-2025.06]
 [[alter-database-default-language]]
-== Alter database default language
+== Alter database default Cypher version
 
 You can change the default Cypher version of an existing database, including the `system` database, using the `ALTER DATABASE` command with the `SET DEFAULT LANGUAGE` clause.
 For example:
@@ -168,7 +168,7 @@ For more information, see xref::clustering/databases.adoc#alter-topology[Managin
 
 [role=label--enterprise-edition label--not-on-aura]
 [[alter-database-options]]
-== `ALTER DATABASE` options
+== Alter database options
 
 The `ALTER DATABASE` command can be used to set or remove specific options for a database.