用户权限管理 #

安全特性：
├── 用户认证
├── 角色授权
├── 权限控制
├── 数据库访问控制
└── 图访问控制

CREATE USER tom SET PASSWORD 'password123'

CREATE USER tom SET PASSWORD 'password123' CHANGE REQUIRED

ALTER USER tom SET PASSWORD 'newpassword123'

ALTER USER tom SET PASSWORD 'newpassword123' CHANGE REQUIRED

ALTER USER tom SET STATUS SUSPENDED

ALTER USER tom SET STATUS ACTIVE

DROP USER tom

SHOW USERS

SHOW CURRENT USER

CREATE ROLE developer

CREATE ROLE developer AS COPY OF editor

DROP ROLE developer

SHOW ROLES

SHOW ROLE PRIVILEGES

GRANT ROLE editor TO tom

GRANT ROLE editor, publisher TO tom

REVOKE ROLE editor FROM tom

GRANT ACCESS ON DATABASE neo4j TO tom

GRANT TRAVERSE ON GRAPH neo4j TO reader
GRANT MATCH {*} ON GRAPH neo4j TO reader

GRANT CREATE {*} ON GRAPH neo4j TO editor
GRANT DELETE {*} ON GRAPH neo4j TO editor

GRANT TRAVERSE ON GRAPH neo4j NODES Person TO reader
GRANT MATCH {name} ON GRAPH neo4j NODES Person TO reader

GRANT TRAVERSE ON GRAPH neo4j RELATIONSHIPS KNOWS TO reader

REVOKE ACCESS ON DATABASE neo4j FROM tom
REVOKE MATCH {*} ON GRAPH neo4j FROM reader

SHOW USER PRIVILEGES

GRANT ACCESS ON DATABASE neo4j TO tom
GRANT ACCESS ON DATABASE * TO admin_user

GRANT CREATE DATABASE ON DBMS TO admin
GRANT DROP DATABASE ON DBMS TO admin
GRANT SHOW DATABASE ON DBMS TO admin

GRANT START DATABASE ON DATABASE neo4j TO admin
GRANT STOP DATABASE ON DATABASE neo4j TO admin

GRANT ACCESS ON GRAPH neo4j TO reader

GRANT TRAVERSE ON GRAPH neo4j NODES Person TO reader
GRANT MATCH {*} ON GRAPH neo4j NODES Person TO reader
GRANT CREATE ON GRAPH neo4j NODES Person TO editor
GRANT DELETE ON GRAPH neo4j NODES Person TO editor

GRANT TRAVERSE ON GRAPH neo4j RELATIONSHIPS KNOWS TO reader
GRANT CREATE ON GRAPH neo4j RELATIONSHIPS KNOWS TO editor
GRANT DELETE ON GRAPH neo4j RELATIONSHIPS KNOWS TO editor

GRANT MATCH {name, age} ON GRAPH neo4j NODES Person TO reader
GRANT SET PROPERTY {name, age} ON GRAPH neo4j NODES Person TO editor

CREATE USER readonly_user SET PASSWORD 'password123' CHANGE REQUIRED
GRANT ROLE reader TO readonly_user
GRANT ACCESS ON DATABASE neo4j TO readonly_user
GRANT TRAVERSE ON GRAPH neo4j TO readonly_user
GRANT MATCH {*} ON GRAPH neo4j TO readonly_user

CREATE USER editor_user SET PASSWORD 'password123' CHANGE REQUIRED
GRANT ROLE editor TO editor_user
GRANT ACCESS ON DATABASE neo4j TO editor_user
GRANT ALL ON GRAPH neo4j TO editor_user

CREATE USER admin_user SET PASSWORD 'password123' CHANGE REQUIRED
GRANT ROLE admin TO admin_user

建议：
├── 使用强密码
├── 定期更换密码
├── 首次登录强制修改
├── 禁用默认密码
└── 使用密码管理器

原则：
├── 只授予必要的权限
├── 使用角色管理权限
├── 定期审查权限
├── 及时撤销不需要的权限
└── 避免过度授权

建议：
├── 禁用默认用户neo4j或修改密码
├── 为每个用户创建独立账户
├── 禁用离职员工账户
├── 记录用户操作日志
└── 定期审计用户列表

CREATE USER app_user SET PASSWORD 'secure_password' CHANGE REQUIRED
GRANT ROLE editor TO app_user
GRANT ACCESS ON DATABASE production TO app_user
GRANT ALL ON GRAPH production TO app_user

CREATE USER analyst_user SET PASSWORD 'secure_password' CHANGE REQUIRED
GRANT ROLE reader TO analyst_user
GRANT ACCESS ON DATABASE analytics TO analyst_user
GRANT TRAVERSE ON GRAPH analytics TO analyst_user
GRANT MATCH {*} ON GRAPH analytics TO analyst_user

CREATE USER tenant_a_user SET PASSWORD 'password' CHANGE REQUIRED
GRANT ACCESS ON DATABASE tenant_a TO tenant_a_user
GRANT ALL ON GRAPH tenant_a TO tenant_a_user

CREATE USER tenant_b_user SET PASSWORD 'password' CHANGE REQUIRED
GRANT ACCESS ON DATABASE tenant_b TO tenant_b_user
GRANT ALL ON GRAPH tenant_b TO tenant_b_user