diff --git a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc index 83db4e7e2..bd6f8f16e 100644 --- a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc +++ b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc 
@@ -875,57 +875,79 @@ If the built-in `admin` role has been altered or dropped and needs to be restore [[access-control-built-in-roles-admin-recreate]] === Recreating the `admin` role -To restore the role to its original capabilities two steps are needed. -First, execute `DROP ROLE admin`. -Secondly, run these queries: +To recreate the `admin` role with its original capabilities, follow these steps: -// cannot test as it would require deleting the role the test user is logged with -[source, cypher, role=noplay test-skip] +. Using a client such as xref:cypher-shell.adoc[Cypher Shell] or the Neo4j Browser, connect to the `system` database with a user that has the rights to manage roles and privileges. ++ +[source, shell] ---- -CREATE ROLE admin +bin/cypher-shell -d system -u -p ---- - +. Run the following command to list the privileges that are currently granted to the `admin` role as commands: ++ [source, cypher, role=noplay] ---- -GRANT ALL DBMS PRIVILEGES ON DBMS TO admin ----- - -[source, cypher, role=noplay] +SHOW ROLE admin PRIVILEGES AS COMMANDS; ---- -GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin ++ +[result] ---- ++-------------------------------------------------------------+ +| command | ++-------------------------------------------------------------+ +| "GRANT ACCESS ON DATABASE * TO `admin`" | +| "GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`" | +| "GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`" | +| "GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`" | +| "GRANT LOAD ON ALL DATA TO `admin`" | +| "GRANT MATCH {*} ON GRAPH * NODE * TO `admin`" | +| "GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`" | +| "GRANT NAME MANAGEMENT ON DATABASE * TO `admin`" | +| "GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`" | +| "GRANT SHOW INDEX ON DATABASE * TO `admin`" | +| "GRANT START ON DATABASE * TO `admin`" | +| "GRANT STOP ON DATABASE * TO `admin`" | +| "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`" | +| "GRANT WRITE ON GRAPH * TO `admin`" 
| ++-------------------------------------------------------------+ -[source, cypher, role=noplay] ----- -GRANT START ON DATABASE * TO admin +14 rows +ready to start consuming query after 39 ms, results consumed after another 0 ms ---- -[source, cypher, role=noplay] +. Drop the existing `admin` role: ++ +[source, cypher] ---- -GRANT STOP ON DATABASE * TO admin +DROP ROLE admin; ---- - -[source, cypher, role=noplay] +. Create a new `admin` role: ++ +[source, cypher] ---- -GRANT MATCH {*} ON GRAPH * TO admin +CREATE ROLE admin; ---- - -[source, cypher, role=noplay] ----- -GRANT WRITE ON GRAPH * TO admin ----- - -[source, cypher, role=noplay] ----- -GRANT LOAD ON ALL DATA TO admin ----- - -[source, cypher, role=noplay] ----- -GRANT ALL ON DATABASE * TO admin +. Run the commands from step 2 to recreate the `admin` role with its original capabilities: ++ +[source, cypher, role=noplay test-skip] ---- - +GRANT ACCESS ON DATABASE * TO `admin`; +GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`; +GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`; +GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`; +GRANT LOAD ON ALL DATA TO `admin`; +GRANT MATCH {*} ON GRAPH * NODE * TO `admin`; +GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`; +GRANT NAME MANAGEMENT ON DATABASE * TO `admin`; +GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`; +GRANT SHOW INDEX ON DATABASE * TO `admin`; +GRANT START ON DATABASE * TO `admin`; +GRANT STOP ON DATABASE * TO `admin`; +GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`; +GRANT WRITE ON GRAPH * TO `admin`; +---- ++ The resulting `admin` role now has the same effective privileges as the original built-in `admin` role. -Additional information about restoring the `admin` role can be found in the xref:authentication-authorization/password-and-user-recovery.adoc[ Recover the admin role]. 
+Additional information about restoring the `admin` role can be found in the xref:authentication-authorization/password-and-user-recovery.adoc[Recover the admin role]. diff --git a/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc b/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc index ea7433eb1..230ec1747 100644 --- a/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc +++ b/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc @@ -188,13 +188,20 @@ If you have specified a non-default port for your `bolt` connector, add `-a neo4 [source, cypher] ---- CREATE ROLE admin; -GRANT ALL DBMS PRIVILEGES ON DBMS TO admin; -GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin; -GRANT START ON DATABASE * TO admin; -GRANT STOP ON DATABASE * TO admin; -GRANT MATCH {*} ON GRAPH * TO admin; -GRANT WRITE ON GRAPH * TO admin; -GRANT ALL ON DATABASE * TO admin; +GRANT ACCESS ON DATABASE * TO `admin`; +GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`; +GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`; +GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`; +GRANT LOAD ON ALL DATA TO `admin`; +GRANT MATCH {*} ON GRAPH * NODE * TO `admin`; +GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`; +GRANT NAME MANAGEMENT ON DATABASE * TO `admin`; +GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`; +GRANT SHOW INDEX ON DATABASE * TO `admin`; +GRANT START ON DATABASE * TO `admin`; +GRANT STOP ON DATABASE * TO `admin`; +GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`; +GRANT WRITE ON GRAPH * TO `admin`; ---- . Grant the admin user role to an existing user. +
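Review bot: In `built-in-roles.adoc`, steps 2 and 5 of the new procedure conflict with the section's own premise that the `admin` role "has been altered or dropped". In that situation `SHOW ROLE admin PRIVILEGES AS COMMANDS;` reports the altered state rather than the 14 default grants shown in the result block, so "Run the commands from step 2" would re-create the altered role. Step 5 already hardcodes the full list, so word it as "Run the following commands" and present step 2 as a comparison of the current state against the expected defaults. For the dropped case, step 3 could use `DROP ROLE admin IF EXISTS;` so the procedure does not stop on a missing role. Separately, the `DROP ROLE admin;` block is now plain `[source, cypher]`, although the removed comment said this could not be tested because it deletes the role the test user is logged in with. Either carry `role=noplay test-skip` onto that block or state in step 1 that the connecting user's role-management rights must not come from `admin` alone.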
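Review bot: The 14-line grant list added to `password-and-user-recovery.adoc` is a verbatim copy of the list added to `built-in-roles.adoc`, and the removed lines show the two copies had already drifted: the old block here lacked `GRANT LOAD ON ALL DATA TO admin`, which the old `built-in-roles.adoc` version had. Suggest keeping the list in one shared partial that both pages include, or replacing this block with a cross-reference to the "Recreating the `admin` role" section, so that a future privilege change cannot leave the recovery procedure granting a different set. As a style point, `CREATE ROLE admin;` on the context line leaves the role name unquoted while every new `GRANT` uses backtick-quoted `admin`; pick one form for the whole block.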