The default user neo4j doesn't have admin role

The default user, one (admin) that I created, won't have admin role.

What can be wrong?

It seems to be a basic question, but couldn't find any answer in the doc.

I need admin to run dynamically created cypher commands.
For example:

// Create GlobalSearchFT index
CALL db.schema.nodeTypeProperties() YIELD nodeType, propertyName
WITH DISTINCT split(nodeType, ':')[1] AS label
WHERE label IS NOT NULL
WITH collect(label) AS labels

// Step 2: Generate and execute the index command
CALL apoc.cypher.run(
  'CREATE FULLTEXT INDEX GlobalSearchFT IF NOT EXISTS ' +
  'FOR (n:' + apoc.text.join(labels, '|') + ') ' +
  'ON EACH [n.searchText]' +
  'OPTIONS { indexConfig: { `fulltext.analyzer`: "standard" } }',
  {}
)
YIELD value
RETURN value;

and the error message:

Neo.ClientError.Security.Forbidden
Schema operation 'create_index' on database 'neo4j' is not allowed for user 'neo4j' with FULL overridden by READ.

Hi, are you on Community?

Roles and privilege management are only available in the Enterprise edition and Aura (with different tiers allowing different levels of granularity).

For the Community edition, all users are basically an admin and the roles column in SHOW USERS is set to null to indicate that there aren't really any separate roles available in Community.

Have you tried running your query and had it fail on lack of privileges? If so I'd think that might be an issue but the lack of reported roles (if on Community) isn't as such.

Hope that helped,
Therese

To add on to this with what we have in the documentation, https://neo4j.com/docs/operations-manual/current/authentication-authorization/manage-users/#access-control-list-users

Both the roles, suspended and home columns have "It returns null in Community edition." in their descriptions and are marked as not available/useful in the community column.
They are just returned with null to always have the same column set, regardless of edition.

Hi Therese,
Thanks for your reply.
Yes indeed, I am using the Community version. As you mentioned, user neo4j should have admin, so it may be a bug?

Let's look into your exception and see what it tells us then (didn't look too closely before :see_no_evil_monkey:)

Neo.ClientError.Security.Forbidden
Schema operation 'create_index' on database 'neo4j' is not allowed for user 'neo4j' with FULL overridden by READ.

This is one of the confusing exceptions that comes from running procedures and how the procedure mode affects things.

So the "with FULL" part indicates that you have full access and no privilege restrictions (which makes sense for Community). However, it is then overridden ("overridden by READ") with the privilege level of the procedure mode (READ/WRITE/...) when you run a procedure.

And since the READ level of privileges doesn't allow writes, even less so schema writes, the query fails.

So you are trying to do schema writes in a read-only procedure, that is the cause of your problem. You would likely need a procedure with SCHEMA mode to create indexes inside of a procedure.

Now I'm not familiar enough with the apoc procedures to know if there is anything that would fit your use case, I believe there is a WRITE version of apoc.cypher.run (maybe named apoc.cypher.doRun but not sure) but I don't think it would be enough to be able to run create index but feel free to try (likely to get the same error but with overridden by WRITE).

So to summarise, not a bug but expected behaviour from running a schema write command in a read-only procedure :(

Update: Checked with my colleague that has more knowledge of apoc and she found the apoc.cypher.runSchema procedure (documentation) which is probably the one you want.
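The resolution reached in this thread, as an added example that is not code from any of the posters: first list the mode each apoc.cypher procedure runs in, then send the same index statement through apoc.cypher.runSchema. It assumes APOC is installed with that procedure available, and it goes slightly beyond the question's query by reading raw label names from the nodeLabels column (every label, not only the first of each node type) and backtick-quoting them before concatenation.

```cypher
// 1. See which mode each candidate procedure runs in (Neo4j 4.3+).
//    The mode caps what the inner statement may do ("overridden by READ"),
//    regardless of the privileges of the calling user.
SHOW PROCEDURES YIELD name, mode
WHERE name STARTS WITH 'apoc.cypher.'
RETURN name, mode
ORDER BY name;

// 2. Collect the label names. nodeLabels holds the unquoted names, so each
//    one is backtick-quoted (with embedded backticks doubled) before it is
//    concatenated into the statement text.
CALL db.schema.nodeTypeProperties() YIELD nodeLabels
UNWIND nodeLabels AS label
WITH DISTINCT label
WITH collect('`' + replace(label, '`', '``') + '`') AS labels
// Empty database: skip the call instead of sending "FOR (n:)".
WHERE size(labels) > 0

// 3. Same index definition as in the question, executed through the
//    SCHEMA-mode procedure so the schema write is permitted.
CALL apoc.cypher.runSchema(
  'CREATE FULLTEXT INDEX GlobalSearchFT IF NOT EXISTS ' +
  'FOR (n:' + apoc.text.join(labels, '|') + ') ' +
  'ON EACH [n.searchText] ' +
  'OPTIONS { indexConfig: { `fulltext.analyzer`: "standard" } }',
  {}
)
YIELD value
RETURN value;
```

If the first statement does not list apoc.cypher.runSchema with mode SCHEMA, the procedure is not loaded or not allowed by the server configuration, and the second statement will fail before reaching the index creation.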