Add 22ND1 and 22ND2 (#412)

https://linear.app/neo4j/issue/COPS-301/update-to-notification-cannot-deny-with-auth-rule

The trello/linear template says
> Docs for new status code should
> have a table with code, title, severity and category

But I didn't find one for other codes?

Documents error codes introduced in
neo-technology/neo4j#33422

---------

Co-authored-by: Reneta Popova <[email protected]>

Author: l-heemann

modules/ROOT/content-nav.adoc

@@ -175,6 +175,8 @@
 **** xref:errors/gql-errors/22NCD.adoc[]
 **** xref:errors/gql-errors/22NCE.adoc[]
 **** xref:errors/gql-errors/22NCF.adoc[]
+**** xref:errors/gql-errors/22ND1.adoc[]
+**** xref:errors/gql-errors/22ND2.adoc[]
 *** xref:errors/gql-errors/index.adoc#invalid-transaction-state[Invalid transaction state]
 **** xref:errors/gql-errors/25G02.adoc[]
 **** xref:errors/gql-errors/25N01.adoc[]

modules/ROOT/pages/errors/gql-errors/22ND1.adoc

@@ -0,0 +1,60 @@
+= 22ND1
+
+== Status description
+error: data exception - operation not allowed for roles that are granted to an `AUTH RULE`. Invalid input: `'{ <<query>> }'` is not allowed for roles that are granted to an `AUTH RULE`.
+
+== Explanation
+
+If an auth rule fails to evaluate, for example, because it depends on a claim that the user's auth token does not contain, Neo4j will default to not assigning that role to the user.
+
+When a role contains denied privileges, not assigning the role actually removes the denies, which means the user ends up with more privileges than they should.
+To avoid this, roles cannot have both `DENY` privileges and be granted to an auth rule.
+
+This exception is thrown when attempting to `DENY` a privilege from a role that is already used by an auth rule.
+
+[[example-scenario-22nd1]]
+== Example scenario
+
+Given that a role is used by an auth rule:
+[source, cypher]
+----
+CYPHER 25 GRANT ROLE role TO AUTH RULE authrule
+----
+
+When attempting to deny privileges from the role:
+[source, cypher]
+----
+DENY MATCH {*} ON GRAPH secret-db NODES * TO otherrole, role
+----
+
+The following error will be thrown:
+[source]
+----
+error: data exception - operation not allowed for roles that are granted to an AUTH RULE. Invalid input: 'DENY MATCH {*} ON GRAPH secret-db NODES * TO role' is not allowed for roles that are granted to an AUTH RULE.
+----
+
+[NOTE]
+====
+The error message contains a subset of the original query that caused the issue.
+Since `otherrole` is not granted to an auth rule, it is not included.
+====
+
+== Possible solutions
+
+Consider if it is possible to implement the security model without using denied privileges.
+
+For example, you can replace the generic grant from the <<example-scenario-22nd1, Example scenario>> with the following more fine-grained alternative:
+[source, cypher]
+----
+GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole
+----
+
+
+If a `DENY` is required, it must be set to a role that is directly assigned to users without using auth rules, to guarantee that it will always be applied.
+
+ifndef::backend-pdf[]
+[discrete.glossary]
+== Glossary
+
+include::partial$glossary.adoc[]
+endif::[]

modules/ROOT/pages/errors/gql-errors/22ND2.adoc

@@ -0,0 +1,60 @@
+= 22ND2
+
+== Status description
+error: data exception - operation not allowed for roles with `DENY` privileges. Invalid input: `'{ <<query>> }'` is not allowed for roles with `DENY` privileges.
+
+== Explanation
+
+If an auth rule fails to evaluate, for example, because it depends on a claim that the user's auth token does not contain, Neo4j will default to not assigning that role to the user.
+
+
+When a role contains denied privileges, not assigning the role actually removes the denies, which means the user ends up with more privileges than they should.
+To avoid this, roles cannot have both `DENY` privileges and be granted to an auth rule.
+
+This exception is thrown when attempting to grant a role to an auth rule when the role has denied privileges.
+
+[[example-scenario-22nd2]]
+== Example scenario
+
+Given that a role has denied privileges:
+[source, cypher]
+----
+DENY MATCH {*} ON GRAPH secret-db NODES * TO role
+----
+
+When attempting to assign the role to an auth rule:
+[source, cypher]
+----
+CYPHER 25 GRANT ROLE otherrole, role TO AUTH RULE authrule
+----
+
+The following error will be thrown:
+[source]
+----
+error: data exception - operation not allowed for roles with DENY privileges. Invalid input: 'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule' is not allowed for roles with `DENY` privileges.
+----
+
+[NOTE]
+====
+The error message contains a subset of the original query that caused the issue.
+Since `otherrole` does not have denied privileges, it is not included.
+====
+
+== Possible solutions
+
+Consider whether it is possible to implement the security model without using denied privileges, for example, by revoking granted privileges or reducing the scope of the grant statements.
+
+For example, you can replace the generic grant from the <<example-scenario-22nd2, Example scenario>> with the following more fine-grained alternative:
+[source, cypher]
+----
+GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole
+----
+
+If a `DENY` is required, it must be set to a role that is directly assigned to users without using auth rules, to guarantee that it will always be applied.
+
+ifndef::backend-pdf[]
+[discrete.glossary]
+== Glossary
+
+include::partial$glossary.adoc[]
+endif::[]

modules/ROOT/pages/errors/gql-errors/index.adoc

@@ -706,6 +706,14 @@ Status description:: error: data exception - node element type in use. The node
 
 Status description:: error: data exception - graph type constraint not supported. Graph type constraint definitions are not supported in the `{ <<graphTypeOperation>> }` operation.
 
+=== xref:errors/gql-errors/22ND1.adoc[22ND1]
+
+Status description:: error: data exception - operation not allowed for roles that are granted to an `AUTH RULE`. Invalid input: `'{ <<query>> }'` is not allowed for roles that are granted to an `AUTH RULE`.
+
+=== xref:errors/gql-errors/22ND2.adoc[22ND2]
+
+Status description:: error: data exception - operation not allowed for roles with `DENY` privileges. Invalid input: `'{ <<query>> }'` is not allowed for roles with `DENY` privileges.
+
 
 [[invalid-transaction-state]]
 == Invalid transaction state