Programmatic security management in Neo4j — RBAC/ABAC, user lifecycle (CREATE/ALTER/DROP USER), role lifecycle (CREATE/GRANT ROLE/DROP ROLE), privilege grants and denies (GRANT/DENY/REVOKE on graph, database, DBMS), property-level access control, sub-graph access control, SHOW PRIVILEGES inspection, and auth provider config reference (LDAP, OIDC/SSO). Use when an agent needs to manage users, roles, or privileges programmatically via Cypher on the system database. Does NOT handle Cypher query writing — use neo4j-cypher-skill. Does NOT handle cluster ops or backups — use neo4j-cli-tools-skill. Property-level security and ABAC require Enterprise Edition.
Score: 95
Does it follow best practices? 96%
Impact: 92%
1.13x average score across 3 eval scenarios
Rating: Risky (do not use without reviewing)
Eval scenario 1: Multi-role RBAC setup with property-level restrictions
  IF NOT EXISTS guards: 100% / 100%
  ACCESS granted first: 100% / 100%
  Analyst MATCH all elements: 50% / 100%
  DENY sensitive properties: 100% / 100%
  Writer MATCH + WRITE: 87% / 100%
  Admissions TRAVERSE all: 90% / 100%
  Admissions MATCH specific labels: 80% / 100%
  System database context: 0% / 0%
  SHOW ROLE PRIVILEGES AS COMMANDS: 30% / 100%
  No hardcoded passwords: 100% / 100%
  No built-in role drops: 100% / 100%

Eval scenario 2: Privilege revocation variants and IMMUTABLE grant
  REVOKE GRANT for MATCH removal: 100% / 100%
  TRAVERSE replaces MATCH: 100% / 100%
  REVOKE DENY (not REVOKE GRANT): 100% / 100%
  IF NOT EXISTS for new role: 100% / 100%
  IMMUTABLE read privilege: 100% / 100%
  ACCESS on database: 100% / 100%
  EXECUTE PROCEDURE apoc.*: 100% / 100%
  EXECUTE BOOSTED PROCEDURE: 100% / 100%
  EXECUTE USER DEFINED FUNCTION: 25% / 100%
  SHOW ROLE PRIVILEGES AS COMMANDS: 0% / 100%
  System database context: 33% / 100%

Eval scenario 3: ABAC auth rules with OIDC claims
  CREATE OR REPLACE AUTH RULE: 37% / 100%
  abac.oidc.user_attribute for department: 100% / 100%
  Compound condition for Rule 2: 100% / 100%
  GRANT ROLE to AUTH RULE: 100% / 100%
  Prerequisite config comment: 100% / 0%
  Missing claim evaluates to NULL: 100% / 100%
  OIDC-only compatibility: 100% / 100%
  LDAP incompatibility noted: 100% / 100%
  System database context: 0% / 0%
  No native auth claim usage: 100% / 100%