
Neo4j Security Skill
Apply Neo4j RBAC, privileges, and Enterprise auth patterns with correct Cypher so your graph database users and roles match least privilege before and after go-live.
Install
```bash
npx skills add https://github.com/neo4j-contrib/neo4j-skills --skill neo4j-security-skill
```
What is this skill?
- User lifecycle: CREATE/ALTER/DROP USER, password, status, home database, SHOW USERS
- Roles: CREATE ROLE, GRANT/REVOKE ROLE, DROP ROLE, SHOW ROLES
- GRANT/DENY/REVOKE for graph, database, and DBMS privileges with SHOW PRIVILEGES including AS COMMANDS
- Enterprise: property-level READ grants/denies, sub-graph FOR (n:Label) WHERE restrictions, ABAC via CREATE AUTH RULE + O
- Auth provider reference: native, LDAP, OIDC/SSO (operational config, not app queries)
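The capability list above maps onto one concrete onboarding-to-offboarding script. The following is an added example written for this page, not code from the neo4j-security-skill repository: it creates a least-privilege role, attaches a user to it with a forced password rotation and a pinned home database, exports the effective grants for audit, and then suspends before dropping. Everything is run against the `system` database (for example `cypher-shell -d system -f onboarding.cypher`); the role, user, database, label, relationship and property names (`analyst`, `jdoe`, `sales`, `Customer`, `Order`, `PURCHASED`, `ssn`) are assumptions, and the role/privilege commands require Enterprise Edition.

```cypher
// Added example for this page, not from the neo4j-security-skill repository.
// Run against the system database. All names below are assumptions.

// 1. A role that can read Customer and Order nodes and the PURCHASED
//    relationships between them in the sales database, and nothing else.
CREATE ROLE analyst IF NOT EXISTS;
GRANT ACCESS ON DATABASE sales TO analyst;
GRANT MATCH {*} ON GRAPH sales NODES Customer, Order TO analyst;
GRANT MATCH {*} ON GRAPH sales RELATIONSHIPS PURCHASED TO analyst;

// 2. Customer.ssn must never be readable through this role. DENY takes
//    precedence over any GRANT, including the MATCH {*} above, so the
//    property simply comes back as null for analysts.
DENY READ {ssn} ON GRAPH sales NODES Customer TO analyst;

// 3. A user whose initial password must be rotated at first login and whose
//    home database is the only database the role can access.
CREATE USER jdoe IF NOT EXISTS
  SET PASSWORD 'initial-temp-password-change-me'
  CHANGE REQUIRED
  SET HOME DATABASE sales;
GRANT ROLE analyst TO jdoe;

// 4. Audit: the user's effective privilege set, in re-runnable command form,
//    suitable for diffing against a reviewed baseline in version control.
SHOW USER jdoe PRIVILEGES AS COMMANDS;

// 5. Offboarding: block login first while keeping the role assignment for
//    the access review; drop the account only once the review is closed.
ALTER USER jdoe SET STATUS SUSPENDED;
DROP USER jdoe IF EXISTS;
```

Two checks worth running after a script like this: `SHOW ROLE PUBLIC PRIVILEGES AS COMMANDS`, because every user also inherits the built-in `PUBLIC` role (by default it grants `ACCESS ON HOME DATABASE` and execute rights on all procedures and functions), and a query as `jdoe` against `sales` confirming that `ssn` is returned as null rather than as a value.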
Adoption & trust: 1 install on skills.sh; 80 GitHub stars; 2 of 3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
Journey fit
Ship → Security: this is where graph access models must be enforced (users, roles, grants, and audit-friendly SHOW output) before production traffic arrives and during hardening sprints. The security subphase covers programmatic user, role and privilege management, as distinct from everyday Cypher querying or driver session setup, which the sibling Neo4j skills cover.
Common Questions / FAQ
Is Neo4j Security Skill safe to install?
skills.sh reports 2 of 3 security scanners passed. Review the Security Audits panel on skills.sh before installing in production.
SKILL.md - Neo4j Security Skill
# neo4j-security-skill

Skill for programmatic security management in Neo4j: users, roles, privileges, and auth configuration.

**Covers:**

- **User management**: `CREATE USER`, `ALTER USER` (password, status, home database), `DROP USER`, `SHOW USERS`
- **Role management**: `CREATE ROLE`, `GRANT ROLE`, `REVOKE ROLE`, `DROP ROLE`, `SHOW ROLES`
- **Privilege grants**: GRANT/DENY/REVOKE for graph, database, and DBMS privileges
- **Property-level access control**: `GRANT READ {prop}`, `DENY READ {prop}` per label/type (Enterprise)
- **Sub-graph access control**: `FOR (n:Label) WHERE n.prop = val` pattern restrictions (Enterprise)
- **ABAC**: `CREATE AUTH RULE` with OIDC claim conditions → dynamic role assignment (Enterprise)
- **SHOW PRIVILEGES**: inspection patterns including `AS COMMANDS` for audit/export
- **Auth provider config reference**: native, LDAP, OIDC/SSO (operational config, not Cypher)

**Edition requirements:**

- User management (`CREATE`/`ALTER`/`DROP`/`SHOW USER`): Community and Enterprise
- Roles and privilege grants (RBAC), property-level, sub-graph, ABAC, LDAP, SSO: Enterprise only. Community Edition has no roles; every native user there has full access.

**Not covered:**

- Writing application Cypher queries → `neo4j-cypher-skill`
- Cluster ops, backups, neo4j-admin → `neo4j-cli-tools-skill`
- Driver connection and session management → `neo4j-driver-*-skill`

**References:**

- [privilege-reference.md](references/privilege-reference.md): full GRANT/DENY/REVOKE syntax for all privilege types

**Install:**

```bash
npx skills add https://github.com/neo4j-contrib/neo4j-skills --skill neo4j-security-skill
```

Or paste this link into your coding assistant: https://github.com/neo4j-contrib/neo4j-skills/tree/main/neo4j-security-skill

# Neo4j Privilege Reference

Full GRANT / DENY / REVOKE syntax for all privilege types. All commands execute against the **system** database.

---

## General Syntax

```
{GRANT | DENY} [IMMUTABLE] <privilege>
  ON { GRAPH[S] {* | name[,...]} | DATABASE[S] {* | name[,...]} | HOME GRAPH | HOME DATABASE | DBMS }
  [<entity>]
  TO <role>[,...]

REVOKE [IMMUTABLE] [GRANT | DENY] <privilege>
  ON { GRAPH[S] ... | DATABASE[S] ... | DBMS }
  [<entity>]
  FROM <role>[,...]
```

`IMMUTABLE`: the privilege is exempt from runtime privilege management. It cannot be granted or revoked while authentication is enabled; the DBMS has to be started with `dbms.security.auth_enabled=false` to add or remove it, so even a role that holds `PRIVILEGE MANAGEMENT` cannot undo it during normal operation. Use it for guardrails that must survive a compromised or careless privilege administrator.

---

## Graph Privileges

### Entity scope

| Entity | Meaning |
|---|---|
| `NODES Label` | Nodes with label (can list: `NODES Person, Company`) |
| `RELATIONSHIPS Type` | Relationships of type |
| `ELEMENTS Label` | Both nodes and relationships |
| `FOR (n:Label) WHERE n.prop = val` | Pattern-matched nodes (read privileges only) |
| *(omit)* | Defaults to `ELEMENTS *` |

### Read privileges

```cypher
GRANT TRAVERSE ON GRAPH mydb NODES Person TO role;            // can see the node, not its properties
GRANT READ {*} ON GRAPH mydb NODES Person TO role;            // read all properties
GRANT READ {name, email} ON GRAPH mydb NODES Person TO role;  // read specific properties
GRANT MATCH {*} ON GRAPH mydb NODES Person TO role;           // TRAVERSE + READ combined
GRANT MATCH {*} ON GRAPH mydb ELEMENTS * TO role;             // all nodes + rels
```

### Write privileges

```cypher
GRANT WRITE ON GRAPH mydb TO role;                              // all writes (shorthand)
GRANT CREATE ON GRAPH mydb NODES Person TO role;                // create Person nodes
GRANT SET PROPERTY {name} ON GRAPH mydb NODES Person TO role;
GRANT MERGE {*} ON GRAPH mydb NODES Person TO role;             // MERGE statement (takes a property list)
GRANT DELETE ON GRAPH mydb NODES Person TO role;
GRANT SET LABEL Person ON GRAPH mydb TO role;
GRANT REMOVE LABEL Person ON GRAPH mydb TO role;
GRANT CREATE ON GRAPH mydb RELATIONSHIPS KNOWS TO role;
GRANT DELETE ON GRAPH mydb RELATIONSHIPS KNOWS TO role;
```

### Property-based (sub-graph) read

```cypher
// Pattern in FOR clause must have exactly one property condition
GRANT MATCH {*} ON GRAPH mydb FOR (n:Document) WHERE n.visibility = 'public' TO reader;
DENY MATCH {*} ON GRAPH mydb FOR (n) WHERE n.classification <> 'UNCLASSIFIED' TO regularUsers;
GRANT READ { address } ON GRAPH * FOR (n:Email|Website) WHERE n.domain = 'example.com' TO reg
```
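The sub-graph and property-level reference above shows the syntax but not how the two layers compose or how to prove the restriction holds. The following is an added example for this page, not code from the neo4j-security-skill repository: it builds a reader role with an allow-list pattern grant instead of a broad grant plus a `<>` deny, layers a property-level DENY on top, and ends with a verification query to run as a user holding the role. The role, database, label and property names (`docs_reader`, `kb`, `Document`, `visibility`, `owner`, `title`) and the three sample nodes are constructed for the example; the grants require Enterprise Edition.

```cypher
// Added example for this page, not from the neo4j-security-skill repository.
// Privilege commands run against the system database; all names are assumptions.

CREATE ROLE docs_reader IF NOT EXISTS;
GRANT ACCESS ON DATABASE kb TO docs_reader;

// Allow-list rather than deny-list: only Documents whose visibility is
// exactly 'public' become readable. In Cypher a comparison against a missing
// property evaluates to null, not true, so a Document with no visibility
// property matches neither this rule nor a DENY written as
// "WHERE n.visibility <> 'public'". With the allow-list form it stays hidden;
// with GRANT MATCH {*} plus that DENY it would leak.
GRANT MATCH {*} ON GRAPH kb FOR (d:Document) WHERE d.visibility = 'public' TO docs_reader;

// Property-level layer on top of the row-level one: even readable rows must
// not expose the owner field. DENY wins over the pattern GRANT.
DENY READ {owner} ON GRAPH kb NODES Document TO docs_reader;

// Pattern-scoped privileges only exist for reads (TRAVERSE/READ/MATCH).
// Write access is governed by the ordinary write privileges, so none are
// granted here; a write attempt by this role fails with a permission error.

// Review what was just granted, in re-runnable form.
SHOW ROLE docs_reader PRIVILEGES AS COMMANDS;

// --- Verification: run on the kb database as a user that holds docs_reader,
// e.g. cypher-shell -u <user> -d kb. Constructed data, loaded by an admin:
//   (:Document {title:'Handbook', visibility:'public',   owner:'alice'})
//   (:Document {title:'Roadmap',  visibility:'internal', owner:'bob'})
//   (:Document {title:'Draft',                           owner:'carol'})
// Expected result for docs_reader: exactly one row, title 'Handbook',
// owner null. 'Roadmap' is hidden by the pattern rule; 'Draft' has no
// visibility property and is hidden too, which is the point of the allow-list.
MATCH (d:Document)
RETURN d.title AS title, d.owner AS owner
ORDER BY title;
```

Run the verification query as the admin as well: it should return all three rows with owners, which confirms the difference is caused by the role and not by the data. If the restricted user sees `Draft`, the grant was written as a deny-list somewhere else in the role set; `SHOW ROLE docs_reader PRIVILEGES AS COMMANDS` and `SHOW ROLE PUBLIC PRIVILEGES AS COMMANDS` together show the full effective set.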