# neo4j-security-skill

Programmatic security management in Neo4j — RBAC/ABAC, user lifecycle (CREATE/ALTER/DROP USER),

Install:

```bash
git clone --depth 1 https://github.com/neo4j-contrib/neo4j-skills /tmp/neo4j-security-skill && cp -r /tmp/neo4j-security-skill/neo4j-security-skill ~/.claude/skills/neo4j-security-skill
```
## When to Use
- Creating, altering, suspending, or dropping users
- Creating roles, granting/revoking role membership
- Granting/denying/revoking graph, database, or DBMS privileges
- Inspecting current privileges (`SHOW PRIVILEGES`)
- Implementing property-level access control (read/write per property)
- Setting up ABAC rules against OIDC claims
- Referencing LDAP/SSO auth provider configuration
## When NOT to Use
- **Writing Cypher queries against application data** → `neo4j-cypher-skill`
- **Cluster ops, backups, server config** → `neo4j-cli-tools-skill`
- **Driver connection setup** → `neo4j-driver-*-skill`
---
## MCP Write Gate — MANDATORY
Before executing ANY of the following, show the planned command and wait for explicit confirmation:
- `CREATE USER` / `ALTER USER` / `DROP USER`
- `CREATE ROLE` / `DROP ROLE`
- `GRANT` / `DENY` / `REVOKE` (any privilege)
- `CREATE AUTH RULE` / `DROP AUTH RULE`
Never auto-execute privilege changes. Show exact Cypher, annotate impact, get "yes".
---
## Execution Context
All security Cypher runs against the **system** database. Select it explicitly in scripts instead of relying on automatic routing:
```cypher
// Most clients route administration commands (CREATE/ALTER/SHOW USER|ROLE|PRIVILEGE ...) to system automatically
// cypher-shell: cypher-shell -d system
// Driver: open the session with database="system"
// The caller still needs the matching DBMS privilege (USER MANAGEMENT, ROLE MANAGEMENT, PRIVILEGE MANAGEMENT, ...);
// ACCESS on a user database alone is not enough
```
---
## 1. User Management
### Create user
```cypher
CREATE USER alice SET PASSWORD 'secret' CHANGE NOT REQUIRED;
// CHANGE REQUIRED (default): forces a password change on first login (use for humans)
// CHANGE NOT REQUIRED: password valid immediately (service accounts)
// SET STATUS ACTIVE (default) | SUSPENDED
// A literal password ends up in shell history and query logs; prefer the parameterised form below
```
### Parameterised password (preferred in scripts)
```cypher
CREATE USER $username SET PASSWORD $password CHANGE NOT REQUIRED;
```
### Alter user
```cypher
ALTER USER alice SET PASSWORD $newPw CHANGE NOT REQUIRED;
ALTER USER alice SET STATUS SUSPENDED; // lock account
ALTER USER alice SET STATUS ACTIVE; // unlock
ALTER USER alice SET HOME DATABASE mydb; // default db on connect
ALTER USER alice IF EXISTS SET PASSWORD $pw; // safe if missing
```
### Show users
```cypher
SHOW USERS YIELD username, roles, passwordChangeRequired, suspended, homeDatabase
WHERE suspended = false
RETURN username, roles ORDER BY username;
```
### Drop user
```cypher
DROP USER alice IF EXISTS;
```
---
## 2. Role Management
### Create / drop role
```cypher
CREATE ROLE analyst;
CREATE ROLE analyst IF NOT EXISTS;
DROP ROLE analyst IF EXISTS;
```
### Assign / remove roles
```cypher
GRANT ROLE analyst TO alice;
GRANT ROLE analyst, writer TO alice, bob; // bulk
REVOKE ROLE analyst FROM alice;
```
### Inspect roles
```cypher
SHOW ROLES WITH USERS YIELD role, member ORDER BY role; // member is null for roles nobody holds
SHOW ROLE analyst PRIVILEGES AS COMMANDS; // returns runnable GRANT commands
SHOW POPULATED ROLES YIELD role; // only roles with members
```
---
## 3. Privilege Decision Table
| Goal | Command |
|---|---|
| Allow db connection | `GRANT ACCESS ON DATABASE mydb TO analyst` |
| Read all graph data | `GRANT MATCH {*} ON GRAPH mydb ELEMENTS * TO analyst` |
| Read specific label | `GRANT MATCH {*} ON GRAPH mydb NODES Person TO analyst` |
| Read specific rel type | `GRANT MATCH {*} ON GRAPH mydb RELATIONSHIPS KNOWS TO analyst` |
| Read one property | `GRANT READ {email} ON GRAPH mydb NODES Person TO analyst` |
| Traverse but hide properties | `GRANT TRAVERSE ON GRAPH mydb NODES Person TO analyst` |
| Write (create, delete, set/remove properties and labels, merge) | `GRANT WRITE ON GRAPH mydb TO writer` |
| Create nodes only | `GRANT CREATE ON GRAPH mydb NODES Person TO writer` |
| Delete nodes only | `GRANT DELETE ON GRAPH mydb NODES Person TO writer` |
| Execute procedure (with the caller's own privileges) | `GRANT EXECUTE PROCEDURE apoc.* ON DBMS TO analyst` |
| Execute function | `GRANT EXECUTE USER DEFINED FUNCTION apoc.* ON DBMS TO analyst` |
| All database-admin privileges on one db (index/constraint/name/transaction management, not graph data) | `GRANT ALL ON DATABASE mydb TO dba` |
| Full DBMS admin | `GRANT ALL ON DBMS TO dba` |
| Manage users | `GRANT USER MANAGEMENT ON DBMS TO secadmin` |
| Manage roles | `GRANT ROLE MANAGEMENT ON DBMS TO secadmin` |
| Schema changes (indexes, constraints) | `GRANT INDEX MANAGEMENT ON DATABASE mydb TO schemaadmin` and `GRANT CONSTRAINT MANAGEMENT ON DATABASE mydb TO schemaadmin` |
| New labels, relationship types, property names | `GRANT NAME MANAGEMENT ON DATABASE mydb TO schemaadmin` |
### DENY overrides GRANT
```cypher
// Analyst can read Person but NOT the ssn property.
// DENY wins over GRANT regardless of the order the two were issued;
// for the analyst the property behaves as if absent: p.ssn is null and WHERE p.ssn = ... matches nothing
GRANT MATCH {*} ON GRAPH mydb NODES Person TO analyst;
DENY READ {ssn} ON GRAPH mydb NODES Person TO analyst;
```
### REVOKE removes a specific grant or deny
```cypher
REVOKE GRANT READ {email} ON GRAPH mydb NODES Person FROM analyst;
REVOKE DENY READ {ssn} ON GRAPH mydb NODES Person FROM analyst;
REVOKE MATCH {*} ON GRAPH mydb NODES Person FROM analyst; // removes both the GRANT and the DENY of exactly this privilege; a separate DENY READ {ssn} stays in place
```
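Audit queries that check what the GRANT/DENY/REVOKE commands in this section actually left behind, added here as an example rather than taken from the skill. They assume a database `mydb` and use the `role`, `access`, `action`, `resource`, `graph` and `segment` columns of `SHOW PRIVILEGES`; the action names are the lowercase values that command prints, so run a plain `SHOW PRIVILEGES` first if your version shows different ones.

```cypher
// Added example (not part of the skill). Assumes database mydb.
// Run against the system database as a user with SHOW PRIVILEGE / SHOW USER / SHOW ROLE rights.

// 1. Active users holding the built-in admin role
SHOW USERS YIELD username, roles, suspended
WHERE 'admin' IN roles AND suspended = false
RETURN username, roles ORDER BY username;

// 2. Every DENY in force and what it masks. A forgotten DENY is the usual
//    cause of "that property comes back null for this user".
SHOW PRIVILEGES YIELD role, access, action, resource, graph, segment
WHERE access = 'DENIED'
RETURN role, action, resource, graph, segment ORDER BY role, action;

// 3. Grants scoped to every graph/database (graph = '*'): the typical over-grant
SHOW PRIVILEGES YIELD role, access, action, resource, graph, segment
WHERE access = 'GRANTED' AND graph = '*'
RETURN role, action, resource, segment ORDER BY role;

// 4. Roles that can modify data in mydb through the blanket WRITE privilege
SHOW PRIVILEGES YIELD role, access, action, graph
WHERE access = 'GRANTED' AND action = 'write' AND graph IN ['mydb', '*']
RETURN role ORDER BY role;

// 5. Roles nobody holds: candidates for DROP ROLE (member is null when a role has no users)
SHOW ROLES WITH USERS YIELD role, member
WHERE member IS NULL
RETURN role ORDER BY role;

// 6. Baseline for drift detection: keep this output in version control and
//    diff it after every change window
SHOW PRIVILEGES AS COMMANDS;
```

Query 6 is the one to schedule: the `AS COMMANDS` form is stable text, so a diff against the last approved baseline shows exactly which grant or deny changed, which is what an incident responder needs when a privilege change was made outside the write gate.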
---
## 4. Common Role Patterns
### Read-only analyst
```cypher
CREATE ROLE analyst IF NOT EXISTS;
GRANT ACCESS ON DATABASE mydb TO analyst;
GRANT MATCH {*} ON GRAPH mydb ELEMENTS * TO analyst;
GRANT EXECUTE PROCEDURE apoc.* ON DBMS TO analyst; // runs with the caller's own privileges; apoc.* also covers apoc.load.* and apoc.export.*, so narrow the glob to the namespaces the role needs
```
### Write role (no admin)
```cypher
CREATE ROLE writer IF NOT EXISTS;
GRANT ACCESS ON DATABASE mydb TO writer;
GRANT MATCH {*} ON GRAPH mydb ELEMENTS * TO writer;
GRANT WRITE ON GRAPH mydb TO writer;
```
### Read-only on specific labels only
```cypher
CREATE ROLE limited_reader IF NOT EXISTS;
GRANT ACCESS ON DATABASE mydb TO limited_reader;
GRANT TRAVERSE ON GRAPH mydb ELEMENTS * TO limited_reader; // can traverse
GRANT MATCH {*} ON GRAPH mydb NODES Person TO limited_reader; // Person props visible
GRANT MATCH {*} ON GRAPH mydb NODES Company TO limited_reader; // Company props visible
// Other labels: traversable but properties invisible
```
### DBA role (full admin)
```cypher
CREATE ROLE dba IF NOT EXISTS;
GRANT ALL ON DBMS TO dba; // all DBMS-level privileges (user, role, privilege, database management, ...)
GRANT ALL ON DATABASE * TO dba; // all database-admin privileges on every database
// Neither includes graph data access; add ALL GRAPH PRIVILEGES ON GRAPH * only if this role must also read or write data
```
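The patterns above combined with sections 1 and 2 into one service-account lifecycle, with the verification step the write gate asks for; this is an added example, not code from the skill. It assumes a database `mydb` with existing `:Order` nodes that carry a `status` property (and a `cardNumber` property the service must not see), a role `order_status_writer`, a user `svc_orders`, and that the password arrives as the `$password` parameter.

```cypher
// Added example (not part of the skill). Assumed: database mydb with existing
// :Order nodes carrying `status` and `cardNumber` properties, role
// order_status_writer, service account svc_orders, password passed as $password.
// Run against the system database.

// 1. Least-privilege role: connect, see Order nodes, change only `status`.
//    No CREATE/DELETE, no blanket WRITE, no DBMS rights. (Setting a property
//    name that does not exist in the store yet would additionally need NAME MANAGEMENT.)
CREATE ROLE order_status_writer IF NOT EXISTS;
GRANT ACCESS ON DATABASE mydb TO order_status_writer;
GRANT MATCH {*} ON GRAPH mydb NODES Order TO order_status_writer;
GRANT SET PROPERTY {status} ON GRAPH mydb NODES Order TO order_status_writer;
// Keep payment data out of this service even though it can match Order nodes
DENY READ {cardNumber} ON GRAPH mydb NODES Order TO order_status_writer;

// 2. Service account: parameterised password, no forced first-login change
//    (no human logs in as it), pinned to its database.
CREATE USER svc_orders IF NOT EXISTS
  SET PASSWORD $password CHANGE NOT REQUIRED
  SET HOME DATABASE mydb;
GRANT ROLE order_status_writer TO svc_orders;

// 3. Verify before handing out credentials. The first result is the exact
//    GRANT/DENY list in effect for the user; paste it into the change record.
SHOW USER svc_orders PRIVILEGES AS COMMANDS;
SHOW USERS YIELD username, roles, suspended, homeDatabase
WHERE username = 'svc_orders'
RETURN username, roles, suspended, homeDatabase;

// 4. Offboarding, in this order: suspend (new logins fail, the account is
//    still visible for audit), revoke membership, then drop.
ALTER USER svc_orders SET STATUS SUSPENDED;
REVOKE ROLE order_status_writer FROM svc_orders;
DROP USER svc_orders IF EXISTS;
```

The role is deliberately built from `MATCH` plus a single `SET PROPERTY` rather than `WRITE`: a compromised service token can then flip order statuses but cannot create, delete, relabel or read `cardNumber`, and the blast radius is visible in one `SHOW USER ... PRIVILEGES AS COMMANDS` call.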
---
## 5. Property-Level Access Control (Enterprise)
Restrict read access to individual properties:
```cypher
// Grant read on all Person props, then deny sensitive ones
GRANT MATCH {*} ON GRAPH mydb NODES Person TO analyst;
DENY READ {ssn, dateOfBirth} ON GRAPH mydb NODES Person TO analyst;
```
Property-based pattern matching (sub-graph access):
```cypher
// Only see Person nodes where classification = 'publ
```
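Property-based (sub-graph) privileges worked through on an assumed `:Document` label with a `classification` property and a role `external_reader`; this is an added example, not code from the skill. It uses the `FOR (n:Label) WHERE ...` privilege syntax of recent Neo4j 5 Enterprise releases, so check it against the documentation for your version.

```cypher
// Added example (not part of the skill). Assumed: database mydb, label Document
// with a `classification` property, role external_reader, user ext_user holding
// that role. Property-based privileges are Enterprise-only.
// Run against the system database.

CREATE ROLE external_reader IF NOT EXISTS;
GRANT ACCESS ON DATABASE mydb TO external_reader;

// Allow-list: documents explicitly marked public. Both TRAVERSE (the node exists
// for the query at all) and READ (its properties are readable) carry the rule.
GRANT TRAVERSE ON GRAPH mydb FOR (d:Document) WHERE d.classification = 'public' TO external_reader;
GRANT READ {*} ON GRAPH mydb FOR (d:Document) WHERE d.classification = 'public' TO external_reader;

// Explicit DENY for everything marked otherwise. DENY wins over any broader
// GRANT someone adds later (e.g. MATCH {*} ON GRAPH mydb NODES Document).
DENY TRAVERSE ON GRAPH mydb FOR (d:Document) WHERE d.classification <> 'public' TO external_reader;

// Edge case: a Document with no classification property matches neither rule.
// No GRANT applies, so it stays invisible (the safe default), but note that the
// DENY does not catch it either: if a label-wide GRANT is ever added, unclassified
// documents become visible. The allow-list grants are the real control.

// Verify as the role holder (connect to mydb as ext_user):
//   MATCH (d:Document) RETURN d.classification, count(*);
// must return only 'public'. From the system database, confirm the rule set:
SHOW ROLE external_reader PRIVILEGES AS COMMANDS;
```

The verification query run as `ext_user` is the check that matters: the privilege commands succeed whether or not the property name is spelled the way the data uses it, and a typo in `classification` silently yields an empty allow-list rather than an error.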