ABAC SHOW AUTH RULES #2827

HannesSandberg · 2026-01-27T12:28:02Z

The next part of ABAC documentation, based on top of #2728

This PR contains the documentation for the SHOW AUTH RULES command.

…d-access-control.adoc

phil198

looks nice. A couple of minor things

phil198 · 2026-01-27T15:29:55Z

modules/ROOT/pages/authentication-authorization/attribute-based-access-control.adoc

+| Type
+
+| name
+| The name of auth rule as defined in the `CREATE` or `RENAME AUTH RULE` command.


Suggested change

| The name of auth rule as defined in the `CREATE` or `RENAME AUTH RULE` command.

| The name of the auth rule as defined in the `CREATE` or `RENAME AUTH RULE` command.

phil198 · 2026-01-27T15:34:25Z

modules/ROOT/pages/authentication-authorization/attribute-based-access-control.adoc

+| STRING
+
+| enabled
+| Whether the auth rule is enabled or not. This column will have the value true when the auth rule is enabled, and false when it is not.


Suggested change

| Whether the auth rule is enabled or not. This column will have the value true when the auth rule is enabled, and false when it is not.

| Whether the auth rule is enabled or not. This column will have the value `true` when the auth rule is enabled, and `false` when it is not.

Do we normally do this for booleans?

Also, might be nice to add something like
When an auth rule is disabled it will not be evaluated and so users cannot receive its roles
even though this is somewhat stating the obvious.

phil198 · 2026-01-27T15:36:31Z

modules/ROOT/pages/authentication-authorization/attribute-based-access-control.adoc

+| BOOLEAN
+
+| roles
+| The roles which have been granted to the auth rule via one or more `GRANT ROLE … TO AUTH RULE …` commands. This column will return null if the executing user is missing or denied the `SHOW ROLES` privilege.


Suggested change

| The roles which have been granted to the auth rule via one or more `GRANT ROLE … TO AUTH RULE …` commands. This column will return null if the executing user is missing or denied the `SHOW ROLES` privilege.

| The roles which have been granted to the auth rule via one or more `GRANT ROLE … TO AUTH RULE …` commands. This column will return `null` if the executing user is missing or denied the `SHOW ROLES` privilege.

Hunterness

Comments 💬

modules/ROOT/pages/authentication-authorization/attribute-based-access-control.adoc

Hunterness · 2026-01-28T10:00:16Z

modules/ROOT/pages/authentication-authorization/attribute-based-access-control.adoc

+== Listing auth rules
+
+You can list all auth rules using the Cypher command `SHOW AUTH RULES`.
+It produces a table containing a single row per auth rule with the following columns:


might be nice to explicitly state that all columns are returned by default?

I'm not sure, to me it feels odd to explicitly state it, when we say it produces a table with the following columns.

I think we point it out in general, or have labels in the table for which are default when it's a mix

though looking at show users we don't seem to do it there 🤷

I looked at the users and the roles pages and could not find that we state it there.

modules/ROOT/pages/authentication-authorization/attribute-based-access-control.adoc

Hunterness · 2026-01-28T10:02:44Z

modules/ROOT/pages/authentication-authorization/attribute-based-access-control.adoc

 The functions, `date`, `datetime`, `localdatetime`, `localtime` and `time` are only supported when an input argument is used.
 ====

+== Listing auth rules


do we want a introduced in version label for this?

I don't think soo, since none of it is released yet (they are hiding behind a feature flag).

so the whole page should then get the label for when it's released, makes sense

...s/authentication-authorization/dbms-administration/dbms-auth-rule-management-privileges.adoc

Co-authored-by: Therese Magnusson <scout.therese@gmail.com>

neo4j-docops-agent · 2026-01-29T09:30:01Z

This PR includes documentation updates
View the updated docs at https://neo4j-docs-operations-2827.surge.sh

New pages:

Updated pages:

HannesSandberg and others added 18 commits January 19, 2026 12:58

abac page

b1fe178

fix code block

5c104ed

add link

45552f7

added that SHOW commands and alter commands are not supported yet.

ccf0801

updates to grant/revoke section in the ABAC page

aabfe55

fix heading

d1eb4e5

Update modules/ROOT/pages/authentication-authorization/attribute-base…

9b9fdc2

…d-access-control.adoc

add a temporal example

0e8a650

Play-day review suggestions

e3df800

Play-day review suggestions

136d8d6

Apply suggestions

d5aa9b9

Play-day review suggestions

f1d1e5b

Play-day review suggestions contd

18b748c

review fixes

e47b1d7

Re-add and fix stuff after the rebase

cba96c3

review fixes

ea9f03e

review fix

2cada46

SHOW AUTH RULES

3be38cf

HannesSandberg added the team-cypher-operations Cypher operations should review this label Jan 27, 2026

Hunterness self-assigned this Jan 27, 2026

phil198 reviewed Jan 27, 2026

View reviewed changes

HannesSandberg added 2 commits January 28, 2026 07:58

review fixes

03d2bc6

document OR REPLACE

5f447c8

Hunterness reviewed Jan 28, 2026

View reviewed changes

review fixes

79b2b0f

Hunterness reviewed Jan 28, 2026

View reviewed changes

...s/authentication-authorization/dbms-administration/dbms-auth-rule-management-privileges.adoc Outdated Show resolved Hide resolved

...s/authentication-authorization/dbms-administration/dbms-auth-rule-management-privileges.adoc Outdated Show resolved Hide resolved

Apply suggestions from code review

e61ee54

Co-authored-by: Therese Magnusson <scout.therese@gmail.com>

Hunterness approved these changes Jan 29, 2026

View reviewed changes

	\| The name of auth rule as defined in the `CREATE` or `RENAME AUTH RULE` command.
	\| The name of the auth rule as defined in the `CREATE` or `RENAME AUTH RULE` command.

	\| Whether the auth rule is enabled or not. This column will have the value true when the auth rule is enabled, and false when it is not.
	\| Whether the auth rule is enabled or not. This column will have the value `true` when the auth rule is enabled, and `false` when it is not.

	\| The roles which have been granted to the auth rule via one or more `GRANT ROLE … TO AUTH RULE …` commands. This column will return null if the executing user is missing or denied the `SHOW ROLES` privilege.
	\| The roles which have been granted to the auth rule via one or more `GRANT ROLE … TO AUTH RULE …` commands. This column will return `null` if the executing user is missing or denied the `SHOW ROLES` privilege.

ABAC SHOW AUTH RULES #2827

Are you sure you want to change the base?

ABAC SHOW AUTH RULES #2827

Uh oh!

Conversation

HannesSandberg commented Jan 27, 2026

Uh oh!

phil198 left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Hunterness left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

neo4j-docops-agent commented Jan 29, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants