Document ALTER COMPOSITE DATABASE privilege

also update to not say we can manage aliases using the database management privileges

Author: Hunterness

modules/ROOT/images/privileges_grant_and_deny_syntax_dbms_privileges.svg

@@ -26,6 +26,8 @@ CREATE ROLE databaseDropper IF NOT EXISTS;
 CREATE ROLE compositeDatabaseDropper IF NOT EXISTS;
 CREATE ROLE databaseModifier IF NOT EXISTS;
 CREATE ROLE accessModifier IF NOT EXISTS;
+CREATE ROLE languageModifier IF NOT EXISTS;
+CREATE ROLE compositeDatabaseModifier IF NOT EXISTS;
 CREATE ROLE compositeDatabaseManager IF NOT EXISTS;
 CREATE ROLE databaseManager IF NOT EXISTS;
 CREATE ROLE aliasAdder IF NOT EXISTS;
@@ -864,19 +866,19 @@ For more details about the syntax descriptions, see xref:database-administration
 GRANT [IMMUTABLE] CREATE DATABASE
   ON DBMS
   TO role[, ...]
-| Enables the specified roles to create new standard databases and aliases.
+| Enables the specified roles to create new standard databases.
 
 | [source, syntax, role=noheader]
 GRANT [IMMUTABLE] DROP DATABASE
   ON DBMS
   TO role[, ...]
-| Enables the specified roles to delete standard databases and aliases.
+| Enables the specified roles to delete standard databases.
 
 | [source, syntax, role=noheader]
 GRANT [IMMUTABLE] ALTER DATABASE
   ON DBMS
   TO role[, ...]
-| Enables the specified roles to modify standard databases and aliases.
+| Enables the specified roles to modify standard databases.
 
 | [source, syntax, role=noheader]
 GRANT [IMMUTABLE] SET DATABASE ACCESS
@@ -888,7 +890,7 @@ GRANT [IMMUTABLE] SET DATABASE ACCESS
 GRANT [IMMUTABLE] SET DATABASE DEFAULT LANGUAGE
   ON DBMS
   TO role[, ...]
-| Enables the specified roles to set the default query language on a database.
+| Enables the specified roles to set the default query language on a standard database.
 
 | [source, syntax, role=noheader]
 GRANT CREATE COMPOSITE DATABASE
@@ -902,30 +904,36 @@ GRANT DROP COMPOSITE DATABASE
   TO role[, ...]
 | Enables the specified roles to delete composite databases.
 
+| [source, syntax, role=noheader]
+GRANT ALTER COMPOSITE DATABASE
+  ON DBMS
+  TO role[, ...]
+| Enables the specified roles to modify composite databases.
+
 | [source, syntax, role=noheader]
 GRANT COMPOSITE DATABASE MANAGEMENT
   ON DBMS
   TO role[, ...]
-| Enables the specified roles to create and delete composite databases.
+| Enables the specified roles to create, delete or modify composite databases.
 
 | [source, syntax, role=noheader]
 GRANT [IMMUTABLE] DATABASE MANAGEMENT
   ON DBMS
   TO role[, ...]
-| Enables the specified roles to create, delete, and modify databases and aliases.
+| Enables the specified roles to create, delete, and modify databases.
 
 |===
 
 
-The ability to create standard databases and aliases can be granted via the `CREATE DATABASE` privilege.
+The ability to create standard databases can be granted via the `CREATE DATABASE` privilege.
 See an example:
 
 [source, cypher, role=noplay]
 ----
 GRANT CREATE DATABASE ON DBMS TO databaseAdder
 ----
 
-The resulting role has privileges that only allow creating standard databases and aliases.
+The resulting role has privileges that only allow creating standard databases.
 List all privileges for the role `databaseAdder` as commands by using the following query:
 
 [source, cypher, role=noplay]
@@ -965,15 +973,15 @@ SHOW ROLE compositeDatabaseAdder PRIVILEGES AS COMMANDS
 a|Rows: 1
 |===
 
-The ability to delete standard databases and aliases can be granted via the `DROP DATABASE` privilege.
+The ability to delete standard databases can be granted via the `DROP DATABASE` privilege.
 See an example:
 
 [source, cypher, role=noplay]
 ----
 GRANT DROP DATABASE ON DBMS TO databaseDropper
 ----
 
-The resulting role has privileges that only allow deleting standard databases and aliases.
+The resulting role has privileges that only allow deleting standard databases.
 List all privileges for the role `databaseDropper` as commands by using the following query:
 
 [source, cypher, role=noplay]
@@ -1013,15 +1021,15 @@ SHOW ROLE compositeDatabaseDropper PRIVILEGES AS COMMANDS
 a|Rows: 1
 |===
 
-The ability to modify standard databases and aliases can be granted via the `ALTER DATABASE` privilege.
+The ability to modify standard databases can be granted via the `ALTER DATABASE` privilege.
 See an example:
 
 [source, cypher, role=noplay]
 ----
 GRANT ALTER DATABASE ON DBMS TO databaseModifier
 ----
 
-The resulting role has privileges that only allow modifying standard databases and aliases.
+The resulting role has privileges that only allow modifying standard databases.
 List all privileges for the role `databaseModifier` as commands by using the following query:
 
 [source, cypher, role=noplay]
@@ -1061,6 +1069,54 @@ SHOW ROLE accessModifier PRIVILEGES AS COMMANDS
 a|Rows: 1
 |===
 
+The ability to modify the default language to standard databases can be granted via the `SET DATABASE DEFAULT LANGUAGE` privilege.
+See an example:
+
+[source, cypher, role=noplay]
+----
+GRANT SET DATABASE DEFAULT LANGUAGE ON DBMS TO languageModifier
+----
+
+The resulting role has privileges that only allow modifying default language to standard databases.
+List all privileges for the role `languageModifier` as commands by using the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE languageModifier PRIVILEGES AS COMMANDS
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SET DATABASE DEFAULT LANGUAGE ON DBMS TO `languageModifier`"
+a|Rows: 1
+|===
+
+The ability to modify composite databases can be granted via the `ALTER COMPOSITE DATABASE` privilege.
+See an example:
+
+[source, cypher, role=noplay]
+----
+GRANT ALTER COMPOSITE DATABASE ON DBMS TO compositeDatabaseModifier
+----
+
+The resulting role has privileges that only allow modifying composite databases.
+List all privileges for the role `compositeDatabaseModifier` as commands by using the following query:
+
+[source, cypher, role=noplay]
+----
+SHOW ROLE compositeDatabaseModifier PRIVILEGES AS COMMANDS
+----
+
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT ALTER COMPOSITE DATABASE ON DBMS TO `compositeDatabaseModifier`"
+a|Rows: 1
+|===
+
 The ability to create and delete composite databases can be granted via the `COMPOSITE DATABASE MANAGEMENT` privilege.
 See an example:
 
@@ -1085,15 +1141,15 @@ SHOW ROLE compositeDatabaseManager PRIVILEGES AS COMMANDS
 a|Rows: 1
 |===
 
-The ability to create, delete, and modify databases and aliases can be granted via the `DATABASE MANAGEMENT` privilege.
+The ability to create, delete, and modify databases can be granted via the `DATABASE MANAGEMENT` privilege.
 See an example:
 
 [source, cypher, role=noplay]
 ----
 GRANT DATABASE MANAGEMENT ON DBMS TO databaseManager
 ----
 
-The resulting role has all privileges to manage standard and composite databases as well as aliases.
+The resulting role has all privileges to manage standard and composite databases.
 List all privileges for the role `databaseManager` as commands by using the following query:
 
 [source, cypher, role=noplay]
@@ -1114,7 +1170,6 @@ a|Rows: 1
 
 The DBMS privileges for alias management can be assigned by using Cypher administrative commands and can be applied to both local and remote aliases.
 They can be granted, denied and revoked like other privileges.
-It is also possible to manage aliases with <<access-control-dbms-administration-database-management, database management commands>>.
 
 [NOTE]
 ====

modules/ROOT/images/privileges_hierarchy_dbms.svg

@@ -208,7 +208,7 @@ The results of the `SHOW DATABASES` command are filtered according to the `ACCES
 However, some privileges enable users to see additional databases regardless of their `ACCESS` privileges:
 
 * Users with `CREATE/DROP/ALTER DATABASE` or `SET DATABASE ACCESS` privileges can see all standard databases.
-* Users with `CREATE/DROP COMPOSITE DATABASE` or `COMPOSITE DATABASE MANAGEMENT` privileges can see all composite databases.
+* Users with `CREATE/DROP/ALTER COMPOSITE DATABASE` or `COMPOSITE DATABASE MANAGEMENT` privileges can see all composite databases.
 * Users with `DATABASE MANAGEMENT` privilege can see all databases.
 
 If a user has not been granted `ACCESS` privilege to any databases nor any of the above special cases, the command can still be executed but it will only return the `system` database, which is always visible.