What is the best practice for storing users that are going to do a bit of data entry? I think these users will change frequently, so I thought maybe storing users in the database (is this even secure?). But you also have this one user, neo4j, that you get by default.
I'm assuming you're using Enterprise Edition?
If so, you can either use existing roles or create custom roles with the privileges you want, then create new users and grant the roles you want them to have:
No, still having the normal one, still working with the movies db.
But where are these users stored in Neo4j, and do nodes / relationships then have attributes related to these 'external users', so e.g. you can see who added an entity?
This LDAP could be nice; I guess this is not in Community Edition?
By "still having the normal one" do you mean you are using Community Edition?
You won't be able to create new users with Community Edition, so RBAC features will not be available to you. Such data would be stored in the system db, and would work seamlessly to do what you wanted.
LDAP integration is also Enterprise Edition only, sorry.
So Enterprise has a second database, system, and users are stored in there, and if such a user creates a node in the regular database this is recorded as an extra hidden(?) property on the node, so it is linked to the user(?) node in the system db?
And running queries is transparent on both these databases?
Yes for some of that, no for other parts.
The system db holds metadata for the dbms related to authentication and authorization. At a minimum this includes users, roles, and privileges, aspects that fulfill our Role-Based Access Control (RBAC) implementation.
All this is covered in our Authentication and Authorization section of our docs:
Roles can be granted and denied various privileges across multiple databases or specific to databases, for a variety of both read and write capabilities.
So Roles aggregate various (grant and deny) privileges.
A User can be assigned multiple Roles, which defines what they can and cannot do across the dbms and within each database.
You can create multiple Users with different login information, and assign them different roles.
All this administration on the system db is not done via regular Cypher queries and graph element manipulation, but through specific administrative commands that can only be run on the system db.
Neo4j uses all of this at runtime to ensure the privileges of these Roles assigned to these Users are enforced transparently during queries and activities performed by Users.
That said... Neo4j does not currently include audit metadata for graph elements. If a user creates, deletes or manipulates nodes, relationships or properties in the graph, there is no metadata that marks their edits or their involvement with such changes.
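As a concrete illustration of the role/user/privilege model described in the answer above (and of the "create custom roles, then create users and grant the roles" suggestion earlier in the thread), here is an added example; it is not code from the original thread or from Neo4j's docs. It assumes Enterprise Edition 4.3 or later, a database named `movies`, a role named `dataEntry` and a user named `alice`, all of which are placeholders. Every statement is an administrative command and has to be run against the `system` database (`:use system` in Browser, or `cypher-shell -d system`), not the data database.

```cypher
// Added example (not from the original thread). Run against the `system`
// database on Enterprise Edition 4.3+. Role, user, database and password
// values are assumptions; replace them before use.

// 1. A role for data entry on `movies`: read everything, create and
//    update, but never delete.
CREATE ROLE dataEntry;
GRANT ACCESS ON DATABASE movies TO dataEntry;
GRANT MATCH {*} ON GRAPH movies TO dataEntry;
GRANT CREATE ON GRAPH movies NODES * TO dataEntry;
GRANT CREATE ON GRAPH movies RELATIONSHIPS * TO dataEntry;
GRANT SET PROPERTY {*} ON GRAPH movies TO dataEntry;
// A DENY always wins over a GRANT, so deletes stay blocked even if a
// broader privilege such as WRITE is granted to this role later.
DENY DELETE ON GRAPH movies ELEMENTS * TO dataEntry;

// 2. Users are identified by name only. Force a password change at first
//    login rather than handing out a long-lived shared secret.
CREATE USER alice SET PASSWORD 'change-me-on-first-login' CHANGE REQUIRED;
GRANT ROLE dataEntry TO alice;

// 3. Verify what was actually granted, as re-runnable commands.
SHOW USERS;
SHOW ROLE dataEntry PRIVILEGES AS COMMANDS;

// 4. Offboarding a user who no longer does data entry: take the role
//    away, or remove the account entirely.
REVOKE ROLE dataEntry FROM alice;
DROP USER alice;
```

Keep the built-in `neo4j` user for administration only; data-entry staff should log in as their own named user so that role changes and removals affect exactly one person. `SHOW ROLE ... PRIVILEGES AS COMMANDS` is the quickest way to check that the DENY is in place before giving anyone the credentials.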
Ok, so assume these users in the system db have an id
- and I can store this in e.g. created?
created: "2025-01-21T23:00:00.000Z",
createBy: 123123,
modified: "2025-01-21T23:00:00.000Z"
- what if I want to make a modified relationship from a node in the data db to the user in the system db. Is that possible?
In the system db, users do not have ids, just names.
It would be entirely up to you how to annotate your graph data with other graph elements for this kind of auditing, though you could also look for some kind of auditing plugin to do this for you.
Neo4j does also offer a Change Data Capture (CDC) capability here which can do some of that work, though it is again an Enterprise Edition product:
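The answer above leaves the "who created this" annotation to the application, and notes that system-db users have names rather than ids. The following is an added example of doing that annotation yourself; it is not code from the thread, from Neo4j's docs, or from any plugin. It assumes the application passes the login name it connected with as a `$user` parameter (Cypher has no function that returns the current user, so the client has to supply it), a `$title` parameter, and an `AppUser` label inside the data database; all of these are placeholders.

```cypher
// Added example (not from the original thread): application-side audit
// annotation on the `movies` graph. Parameter names, labels and property
// names are assumptions. In cypher-shell, set the parameters first:
//   :param user => 'alice'
//   :param title => 'Heat'

// Create with audit properties. createdBy stores the system-db user
// *name*, since that is the only identifier those users have.
CREATE (m:Movie {title: $title, released: 1995,
                 created: datetime(), createdBy: $user,
                 modified: datetime(), modifiedBy: $user})
RETURN m;

// Update: leave created/createdBy alone, refresh modified/modifiedBy.
MATCH (m:Movie {title: $title})
SET m.released = 1996,
    m.modified = datetime(),
    m.modifiedBy = $user
RETURN m;

// A relationship cannot point at a node in another database, so a
// "modified by" relationship has to target a node in this database.
// Mirror the user name into an AppUser node and link to it; MERGE keeps
// a single node per user name.
MATCH (m:Movie {title: $title})
MERGE (u:AppUser {name: $user})
MERGE (m)-[:LAST_MODIFIED_BY]->(u)
RETURN m.title, u.name;

// Query the trail: everything alice last modified, newest first.
MATCH (u:AppUser {name: 'alice'})<-[:LAST_MODIFIED_BY]-(m)
RETURN labels(m) AS kind, m.title AS title, m.modified AS modified
ORDER BY modified DESC;
```

One caveat a practitioner should keep in mind: these properties and relationships are written by the same session that holds the data-entry privileges, so any user who can `SET PROPERTY` on a node can also rewrite its `createdBy`. This gives you a convenient record of who touched what, not a tamper-resistant one; when the trail has to be trustworthy, the server-side options mentioned above (an auditing plugin, or CDC on Enterprise Edition) are the right tools.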
I just noticed this; should I be able to add LDAP auth to CE with such plugins?
No, I don't believe so.
From the Install section of the readme:
Copy the output jar file into the plugins folder of Neo4j Enterprise Edition 4.0 or later:
Most Auth features beyond the basics require Enterprise Edition.