From d64df86ae8a41c67fe8d798e48abf4bcf33b526e Mon Sep 17 00:00:00 2001
From: Reneta Popova
Date: Thu, 14 May 2026 17:32:31 +0200
Subject: [PATCH 1/6] Update the steps for recreating the admin role
---
 .../built-in-roles.adoc | 94 ++++++++++++-------
 .../password-and-user-recovery.adoc | 21 +++--
 2 files changed, 72 insertions(+), 43 deletions(-)
diff --git a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
index 83db4e7e2d..bd6f8f16ed 100644
--- a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
+++ b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
@@ -875,57 +875,79 @@ If the built-in `admin` role has been altered or dropped and needs to be restore [[access-control-built-in-roles-admin-recreate]] === Recreating the `admin` role -To restore the role to its original capabilities two steps are needed. -First, execute `DROP ROLE admin`. -Secondly, run these queries: +To recreate the `admin` role with its original capabilities, follow these steps: -// cannot test as it would require deleting the role the test user is logged with -[source, cypher, role=noplay test-skip] +. Using a client such as xref:cypher-shell.adoc[Cypher Shell] or the Neo4j Browser, connect to the `system` database with a user that has the rights to manage roles and privileges. ++ +[source, shell] ---- -CREATE ROLE admin +bin/cypher-shell -d system -u -p ---- - +. Run the following command to list the privileges that are currently granted to the `admin` role as commands: ++ [source, cypher, role=noplay] ---- -GRANT ALL DBMS PRIVILEGES ON DBMS TO admin ----- - -[source, cypher, role=noplay] +SHOW ROLE admin PRIVILEGES AS COMMANDS; ---- -GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin ++ +[result] ---- ++-------------------------------------------------------------+ +| command | ++-------------------------------------------------------------+ +| "GRANT ACCESS ON DATABASE * TO `admin`" | +| "GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`" | +| "GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`" | +| "GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`" | +| "GRANT LOAD ON ALL DATA TO `admin`" | +| "GRANT MATCH {*} ON GRAPH * NODE * TO `admin`" | +| "GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`" | +| "GRANT NAME MANAGEMENT ON DATABASE * TO `admin`" | +| "GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`" | +| "GRANT SHOW INDEX ON DATABASE * TO `admin`" | +| "GRANT START ON DATABASE * TO `admin`" | +| "GRANT STOP ON DATABASE * TO `admin`" | +| "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`" | +| "GRANT WRITE ON GRAPH * TO `admin`" 
| ++-------------------------------------------------------------+ -[source, cypher, role=noplay] ----- -GRANT START ON DATABASE * TO admin +14 rows +ready to start consuming query after 39 ms, results consumed after another 0 ms ---- -[source, cypher, role=noplay] +. Drop the existing `admin` role: ++ +[source, cypher] ---- -GRANT STOP ON DATABASE * TO admin +DROP ROLE admin; ---- - -[source, cypher, role=noplay] +. Create a new `admin` role: ++ +[source, cypher] ---- -GRANT MATCH {*} ON GRAPH * TO admin +CREATE ROLE admin; ---- - -[source, cypher, role=noplay] ----- -GRANT WRITE ON GRAPH * TO admin ----- - -[source, cypher, role=noplay] ----- -GRANT LOAD ON ALL DATA TO admin ----- - -[source, cypher, role=noplay] ----- -GRANT ALL ON DATABASE * TO admin +. Run the commands from step 2 to recreate the `admin` role with its original capabilities: ++ +[source, cypher, role=noplay test-skip] ---- - +GRANT ACCESS ON DATABASE * TO `admin`; +GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`; +GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`; +GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`; +GRANT LOAD ON ALL DATA TO `admin`; +GRANT MATCH {*} ON GRAPH * NODE * TO `admin`; +GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`; +GRANT NAME MANAGEMENT ON DATABASE * TO `admin`; +GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`; +GRANT SHOW INDEX ON DATABASE * TO `admin`; +GRANT START ON DATABASE * TO `admin`; +GRANT STOP ON DATABASE * TO `admin`; +GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`; +GRANT WRITE ON GRAPH * TO `admin`; +---- ++ The resulting `admin` role now has the same effective privileges as the original built-in `admin` role. -Additional information about restoring the `admin` role can be found in the xref:authentication-authorization/password-and-user-recovery.adoc[ Recover the admin role]. 
+Additional information about restoring the `admin` role can be found in the xref:authentication-authorization/password-and-user-recovery.adoc[Recover the admin role].
diff --git a/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc b/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc
index ea7433eb14..230ec17476 100644
--- a/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc
+++ b/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc
@@ -188,13 +188,20 @@ If you have specified a non-default port for your `bolt` connector, add `-a neo4
 [source, cypher]
 ----
 CREATE ROLE admin;
-GRANT ALL DBMS PRIVILEGES ON DBMS TO admin;
-GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin;
-GRANT START ON DATABASE * TO admin;
-GRANT STOP ON DATABASE * TO admin;
-GRANT MATCH {*} ON GRAPH * TO admin;
-GRANT WRITE ON GRAPH * TO admin;
-GRANT ALL ON DATABASE * TO admin;
+GRANT ACCESS ON DATABASE * TO `admin`;
+GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`;
+GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`;
+GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`;
+GRANT LOAD ON ALL DATA TO `admin`;
+GRANT MATCH {*} ON GRAPH * NODE * TO `admin`;
+GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`;
+GRANT NAME MANAGEMENT ON DATABASE * TO `admin`;
+GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`;
+GRANT SHOW INDEX ON DATABASE * TO `admin`;
+GRANT START ON DATABASE * TO `admin`;
+GRANT STOP ON DATABASE * TO `admin`;
+GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`;
+GRANT WRITE ON GRAPH * TO `admin`;
 ----
 . Grant the admin user role to an existing user.
 +
From 7e1c3c17b85f10d2653e9eb3bbbe3f080cb3d192 Mon Sep 17 00:00:00 2001
From: Reneta Popova
Date: Thu, 14 May 2026 17:33:09 +0200
Subject: [PATCH 2/6] Revert "Update the steps for recreating the admin role"
This reverts commit 3aa4da956d0223b017bc6e8dd52f2f372f70bdb9.
---
 .../built-in-roles.adoc | 94 +++++++------------
 .../password-and-user-recovery.adoc | 21 ++---
 2 files changed, 43 insertions(+), 72 deletions(-)
diff --git a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
index bd6f8f16ed..83db4e7e2d 100644
--- a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
+++ b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
@@ -875,79 +875,57 @@ If the built-in `admin` role has been altered or dropped and needs to be restore [[access-control-built-in-roles-admin-recreate]] === Recreating the `admin` role -To recreate the `admin` role with its original capabilities, follow these steps: +To restore the role to its original capabilities two steps are needed. +First, execute `DROP ROLE admin`. +Secondly, run these queries: -. Using a client such as xref:cypher-shell.adoc[Cypher Shell] or the Neo4j Browser, connect to the `system` database with a user that has the rights to manage roles and privileges. -+ -[source, shell] +// cannot test as it would require deleting the role the test user is logged with +[source, cypher, role=noplay test-skip] ---- -bin/cypher-shell -d system -u -p +CREATE ROLE admin ---- -. Run the following command to list the privileges that are currently granted to the `admin` role as commands: -+ + [source, cypher, role=noplay] ---- -SHOW ROLE admin PRIVILEGES AS COMMANDS; +GRANT ALL DBMS PRIVILEGES ON DBMS TO admin +---- + +[source, cypher, role=noplay] ---- -+ -[result] +GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin ---- -+-------------------------------------------------------------+ -| command | -+-------------------------------------------------------------+ -| "GRANT ACCESS ON DATABASE * TO `admin`" | -| "GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`" | -| "GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`" | -| "GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`" | -| "GRANT LOAD ON ALL DATA TO `admin`" | -| "GRANT MATCH {*} ON GRAPH * NODE * TO `admin`" | -| "GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`" | -| "GRANT NAME MANAGEMENT ON DATABASE * TO `admin`" | -| "GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`" | -| "GRANT SHOW INDEX ON DATABASE * TO `admin`" | -| "GRANT START ON DATABASE * TO `admin`" | -| "GRANT STOP ON DATABASE * TO `admin`" | -| "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`" | -| "GRANT WRITE ON GRAPH * TO `admin`" 
| -+-------------------------------------------------------------+ -14 rows -ready to start consuming query after 39 ms, results consumed after another 0 ms +[source, cypher, role=noplay] +---- +GRANT START ON DATABASE * TO admin ---- -. Drop the existing `admin` role: -+ -[source, cypher] +[source, cypher, role=noplay] ---- -DROP ROLE admin; +GRANT STOP ON DATABASE * TO admin ---- -. Create a new `admin` role: -+ -[source, cypher] + +[source, cypher, role=noplay] ---- -CREATE ROLE admin; +GRANT MATCH {*} ON GRAPH * TO admin ---- -. Run the commands from step 2 to recreate the `admin` role with its original capabilities: -+ -[source, cypher, role=noplay test-skip] + +[source, cypher, role=noplay] +---- +GRANT WRITE ON GRAPH * TO admin +---- + +[source, cypher, role=noplay] ---- -GRANT ACCESS ON DATABASE * TO `admin`; -GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`; -GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`; -GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`; -GRANT LOAD ON ALL DATA TO `admin`; -GRANT MATCH {*} ON GRAPH * NODE * TO `admin`; -GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`; -GRANT NAME MANAGEMENT ON DATABASE * TO `admin`; -GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`; -GRANT SHOW INDEX ON DATABASE * TO `admin`; -GRANT START ON DATABASE * TO `admin`; -GRANT STOP ON DATABASE * TO `admin`; -GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`; -GRANT WRITE ON GRAPH * TO `admin`; ----- -+ +GRANT LOAD ON ALL DATA TO admin +---- + +[source, cypher, role=noplay] +---- +GRANT ALL ON DATABASE * TO admin +---- + The resulting `admin` role now has the same effective privileges as the original built-in `admin` role. -Additional information about restoring the `admin` role can be found in the xref:authentication-authorization/password-and-user-recovery.adoc[Recover the admin role]. 
+Additional information about restoring the `admin` role can be found in the xref:authentication-authorization/password-and-user-recovery.adoc[ Recover the admin role].
diff --git a/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc b/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc
index 230ec17476..ea7433eb14 100644
--- a/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc
+++ b/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc
@@ -188,20 +188,13 @@ If you have specified a non-default port for your `bolt` connector, add `-a neo4
 [source, cypher]
 ----
 CREATE ROLE admin;
-GRANT ACCESS ON DATABASE * TO `admin`;
-GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`;
-GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`;
-GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`;
-GRANT LOAD ON ALL DATA TO `admin`;
-GRANT MATCH {*} ON GRAPH * NODE * TO `admin`;
-GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`;
-GRANT NAME MANAGEMENT ON DATABASE * TO `admin`;
-GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`;
-GRANT SHOW INDEX ON DATABASE * TO `admin`;
-GRANT START ON DATABASE * TO `admin`;
-GRANT STOP ON DATABASE * TO `admin`;
-GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`;
-GRANT WRITE ON GRAPH * TO `admin`;
+GRANT ALL DBMS PRIVILEGES ON DBMS TO admin;
+GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin;
+GRANT START ON DATABASE * TO admin;
+GRANT STOP ON DATABASE * TO admin;
+GRANT MATCH {*} ON GRAPH * TO admin;
+GRANT WRITE ON GRAPH * TO admin;
+GRANT ALL ON DATABASE * TO admin;
 ----
 . Grant the admin user role to an existing user.
 +
From 6996979d713fbbf03ba8aeb47692a0ee0146e95c Mon Sep 17 00:00:00 2001
From: Reneta Popova
Date: Thu, 14 May 2026 17:32:31 +0200
Subject: [PATCH 3/6] Update the steps for recreating the admin role
---
 .../built-in-roles.adoc | 94 ++++++++++++-------
 .../password-and-user-recovery.adoc | 21 +++--
 2 files changed, 72 insertions(+), 43 deletions(-)
diff --git a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
index 83db4e7e2d..bd6f8f16ed 100644
--- a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
+++ b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc
@@ -875,57 +875,79 @@ If the built-in `admin` role has been altered or dropped and needs to be restore [[access-control-built-in-roles-admin-recreate]] === Recreating the `admin` role -To restore the role to its original capabilities two steps are needed. -First, execute `DROP ROLE admin`. -Secondly, run these queries: +To recreate the `admin` role with its original capabilities, follow these steps: -// cannot test as it would require deleting the role the test user is logged with -[source, cypher, role=noplay test-skip] +. Using a client such as xref:cypher-shell.adoc[Cypher Shell] or the Neo4j Browser, connect to the `system` database with a user that has the rights to manage roles and privileges. ++ +[source, shell] ---- -CREATE ROLE admin +bin/cypher-shell -d system -u -p ---- - +. Run the following command to list the privileges that are currently granted to the `admin` role as commands: ++ [source, cypher, role=noplay] ---- -GRANT ALL DBMS PRIVILEGES ON DBMS TO admin ----- - -[source, cypher, role=noplay] +SHOW ROLE admin PRIVILEGES AS COMMANDS; ---- -GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin ++ +[result] ---- ++-------------------------------------------------------------+ +| command | ++-------------------------------------------------------------+ +| "GRANT ACCESS ON DATABASE * TO `admin`" | +| "GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`" | +| "GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`" | +| "GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`" | +| "GRANT LOAD ON ALL DATA TO `admin`" | +| "GRANT MATCH {*} ON GRAPH * NODE * TO `admin`" | +| "GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`" | +| "GRANT NAME MANAGEMENT ON DATABASE * TO `admin`" | +| "GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`" | +| "GRANT SHOW INDEX ON DATABASE * TO `admin`" | +| "GRANT START ON DATABASE * TO `admin`" | +| "GRANT STOP ON DATABASE * TO `admin`" | +| "GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`" | +| "GRANT WRITE ON GRAPH * TO `admin`" 
| ++-------------------------------------------------------------+ -[source, cypher, role=noplay] ----- -GRANT START ON DATABASE * TO admin +14 rows +ready to start consuming query after 39 ms, results consumed after another 0 ms ---- -[source, cypher, role=noplay] +. Drop the existing `admin` role: ++ +[source, cypher] ---- -GRANT STOP ON DATABASE * TO admin +DROP ROLE admin; ---- - -[source, cypher, role=noplay] +. Create a new `admin` role: ++ +[source, cypher] ---- -GRANT MATCH {*} ON GRAPH * TO admin +CREATE ROLE admin; ---- - -[source, cypher, role=noplay] ----- -GRANT WRITE ON GRAPH * TO admin ----- - -[source, cypher, role=noplay] ----- -GRANT LOAD ON ALL DATA TO admin ----- - -[source, cypher, role=noplay] ----- -GRANT ALL ON DATABASE * TO admin +. Run the commands from step 2 to recreate the `admin` role with its original capabilities: ++ +[source, cypher, role=noplay test-skip] ---- - +GRANT ACCESS ON DATABASE * TO `admin`; +GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`; +GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`; +GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`; +GRANT LOAD ON ALL DATA TO `admin`; +GRANT MATCH {*} ON GRAPH * NODE * TO `admin`; +GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`; +GRANT NAME MANAGEMENT ON DATABASE * TO `admin`; +GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`; +GRANT SHOW INDEX ON DATABASE * TO `admin`; +GRANT START ON DATABASE * TO `admin`; +GRANT STOP ON DATABASE * TO `admin`; +GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`; +GRANT WRITE ON GRAPH * TO `admin`; +---- ++ The resulting `admin` role now has the same effective privileges as the original built-in `admin` role. -Additional information about restoring the `admin` role can be found in the xref:authentication-authorization/password-and-user-recovery.adoc[ Recover the admin role]. 
+Additional information about restoring the `admin` role can be found in the xref:authentication-authorization/password-and-user-recovery.adoc[Recover the admin role].
diff --git a/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc b/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc
index ea7433eb14..230ec17476 100644
--- a/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc
+++ b/modules/ROOT/pages/authentication-authorization/password-and-user-recovery.adoc
@@ -188,13 +188,20 @@ If you have specified a non-default port for your `bolt` connector, add `-a neo4
 [source, cypher]
 ----
 CREATE ROLE admin;
-GRANT ALL DBMS PRIVILEGES ON DBMS TO admin;
-GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin;
-GRANT START ON DATABASE * TO admin;
-GRANT STOP ON DATABASE * TO admin;
-GRANT MATCH {*} ON GRAPH * TO admin;
-GRANT WRITE ON GRAPH * TO admin;
-GRANT ALL ON DATABASE * TO admin;
+GRANT ACCESS ON DATABASE * TO `admin`;
+GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin`;
+GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin`;
+GRANT INDEX MANAGEMENT ON DATABASE * TO `admin`;
+GRANT LOAD ON ALL DATA TO `admin`;
+GRANT MATCH {*} ON GRAPH * NODE * TO `admin`;
+GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin`;
+GRANT NAME MANAGEMENT ON DATABASE * TO `admin`;
+GRANT SHOW CONSTRAINT ON DATABASE * TO `admin`;
+GRANT SHOW INDEX ON DATABASE * TO `admin`;
+GRANT START ON DATABASE * TO `admin`;
+GRANT STOP ON DATABASE * TO `admin`;
+GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`;
+GRANT WRITE ON GRAPH * TO `admin`;
 ----
 . Grant the admin user role to an existing user.
 +
From d86c44ad6af54b663e8463f97b6bb978e065fd4c Mon Sep 17 00:00:00 2001
From: Reneta Popova
Date: Wed, 20 May 2026 12:46:41 +0100
Subject: [PATCH 4/6] add a missing comma
---
 .../ROOT/pages/authentication-authorization/built-in-roles.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc index bd6f8f16ed..7379abe428 100644 --- a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc +++ b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc @@ -877,7 +877,7 @@ If the built-in `admin` role has been altered or dropped and needs to be restore To recreate the `admin` role with its original capabilities, follow these steps: -. Using a client such as xref:cypher-shell.adoc[Cypher Shell] or the Neo4j Browser, connect to the `system` database with a user that has the rights to manage roles and privileges. +. Using a client, such as xref:cypher-shell.adoc[Cypher Shell] or the Neo4j Browser, connect to the `system` database with a user that has the rights to manage roles and privileges. + [source, shell] ---- From 18a689b64caf241297b5fc19de34e5f4da57a5ae Mon Sep 17 00:00:00 2001 From: Reneta Popova Date: Thu, 28 May 2026 13:29:41 +0200 Subject: [PATCH 5/6] update the steps for recreating the admin role --- .../built-in-roles.adoc | 79 ++++++++++++++++++- 1 file changed, 75 insertions(+), 4 deletions(-) diff --git a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc index 7379abe428..7f8be0a228 100644 --- a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc +++ b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc 
@@ -875,13 +875,18 @@ If the built-in `admin` role has been altered or dropped and needs to be restore [[access-control-built-in-roles-admin-recreate]] === Recreating the `admin` role -To recreate the `admin` role with its original capabilities, follow these steps: +You might need to recreate the `admin` role, for example, because you want to revoke the role-user mappings, or because its privileges have been modified and you want to restore it to its original capabilities. -. Using a client, such as xref:cypher-shell.adoc[Cypher Shell] or the Neo4j Browser, connect to the `system` database with a user that has the rights to manage roles and privileges. +[[access-control-built-in-roles-admin-recreate-after-drop]] +==== Recreate the `admin` role after being dropped + +This example assumes that you want to revoke all role-user mappings of the `admin` role and then recreate it with the same capabilities. + +. Using a client such as xref:cypher-shell.adoc[Cypher Shell] or the Neo4j Browser, connect as a user with rights to manage roles and privileges: + [source, shell] ---- -bin/cypher-shell -d system -u -p +bin/cypher-shell -d -u -p ---- . Run the following command to list the privileges that are currently granted to the `admin` role as commands: + 
@@ -947,7 +952,73 @@ GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin`; GRANT WRITE ON GRAPH * TO `admin`; ---- + -The resulting `admin` role now has the same effective privileges as the original built-in `admin` role. +The resulting `admin` role now has the same effective privileges as the original `admin` role. Additional information about restoring the `admin` role can be found in the xref:authentication-authorization/password-and-user-recovery.adoc[Recover the admin role]. +[[access-control-built-in-roles-admin-recreate-after-modification]] +==== Recreate the `admin` role after being modified + +This example assumes that the `admin` role still exists, but its privileges have been modified, and you want to restore it to the original capabilities of the built-in `admin` role. + +. Using a client such as xref:cypher-shell.adoc[Cypher Shell] or the Neo4j Browser, connect as a user with rights to manage roles and privileges: ++ +[source, shell] +---- +bin/cypher-shell -d -u -p +---- + +. Create a new `admin2` role: ++ +[source, cypher] +---- +CREATE ROLE admin2; +---- +. 
Run the following commands to recreate the `admin2` role with the original capabilities of the built-in `admin` role: ++ +[source, cypher, role=noplay test-skip] +---- +GRANT ACCESS ON DATABASE * TO `admin2`; +GRANT ALL DBMS PRIVILEGES ON DBMS TO `admin2`; +GRANT CONSTRAINT MANAGEMENT ON DATABASE * TO `admin2`; +GRANT INDEX MANAGEMENT ON DATABASE * TO `admin2`; +GRANT LOAD ON ALL DATA TO `admin2`; +GRANT MATCH {*} ON GRAPH * NODE * TO `admin2`; +GRANT MATCH {*} ON GRAPH * RELATIONSHIP * TO `admin2`; +GRANT NAME MANAGEMENT ON DATABASE * TO `admin2`; +GRANT SHOW CONSTRAINT ON DATABASE * TO `admin2`; +GRANT SHOW INDEX ON DATABASE * TO `admin2`; +GRANT START ON DATABASE * TO `admin2`; +GRANT STOP ON DATABASE * TO `admin2`; +GRANT TRANSACTION MANAGEMENT (*) ON DATABASE * TO `admin2`; +GRANT WRITE ON GRAPH * TO `admin2`; +---- ++ +The resulting `admin2` role now has the same effective privileges as the built-in `admin` role. + +. Assign the `admin2` role to the users that you want to have the same privileges as the original `admin` role: ++ +[source, cypher] +---- +GRANT ROLE admin2 TO , , ...; +---- ++ +[NOTE] +==== +The `GRANT ROLE` command requires the `ASSIGN ROLE` privilege. +See xref:authentication-authorization/dbms-administration/dbms-role-management-privileges.adoc#access-control-dbms-administration-role-assignment[Grant privilege to assign roles] for details on how to grant this privilege. +==== +. Drop the existing `admin` role: ++ +[source, cypher] +---- +DROP ROLE admin; +---- +. Finally, you can rename the `admin2` role to `admin`: ++ +[source, cypher, role=noplay] +---- +RENAME ROLE admin2 TO admin; +---- + +Additional information about restoring the `admin` role can be found in the xref:authentication-authorization/password-and-user-recovery.adoc[Recover the admin role]. \ No newline at end of file From 760e2e19f10a35105b48d3964d05946558649c20 Mon Sep 17 00:00:00 2001 
From: Reneta Popova Date: Thu, 28 May 2026 16:20:55 +0200 Subject: [PATCH 6/6] remove -d --- .../pages/authentication-authorization/built-in-roles.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc index 7f8be0a228..7dc5824602 100644 --- a/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc +++ b/modules/ROOT/pages/authentication-authorization/built-in-roles.adoc @@ -886,7 +886,7 @@ This example assumes that you want to revoke all role-user mappings of the `admi + [source, shell] ---- -bin/cypher-shell -d -u -p +bin/cypher-shell -u -p ---- . Run the following command to list the privileges that are currently granted to the `admin` role as commands: + @@ -965,7 +965,7 @@ This example assumes that the `admin` role still exists, but its privileges have + [source, shell] ---- -bin/cypher-shell -d -u -p +bin/cypher-shell -u -p ---- . Create a new `admin2` role: