{"__v":0,"_id":"58767d4ed89ef20f003b6f1d","category":{"__v":0,"_id":"58767da4d89ef20f003b6f1e","project":"566c97797831040d003eb3bc","version":"566c97797831040d003eb3bf","sync":{"url":"","isSync":false},"reference":false,"createdAt":"2017-01-11T18:47:00.124Z","from_sync":false,"order":2,"slug":"connecting-to-your-database","title":"Connecting"},"parentDoc":null,"project":"566c97797831040d003eb3bc","user":"57167c775d90dc170060ef97","version":{"__v":10,"_id":"566c97797831040d003eb3bf","project":"566c97797831040d003eb3bc","createdAt":"2015-12-12T21:54:01.970Z","releaseDate":"2015-12-12T21:54:01.970Z","categories":["566c977a7831040d003eb3c0","5716338cb5af590e00a0ff1d","57163947893cbe0e002d75fc","57163f41b5af590e00a0ff35","57cd74d2873de50e00724a2f","57cd7de8baaee30e0093ecc3","57d6ada046dcc30e007dd15e","57fdc2b31646dc0e0010480a","57fdd8b86c9d141900d87bf1","58767da4d89ef20f003b6f1e"],"is_deprecated":false,"is_hidden":false,"is_beta":false,"is_stable":true,"codename":"","version_clean":"1.0.0","version":"1.0"},"updates":[],"next":{"pages":[],"description":""},"createdAt":"2017-01-11T18:45:34.109Z","link_external":false,"link_url":"","githubsync":"","sync_unique":"","hidden":false,"api":{"results":{"codes":[]},"settings":"","auth":"required","params":[],"url":""},"isReference":false,"order":1,"body":"For higher security, GrapheneDB uses a custom authentication system to manage database connections. Much like Neo4j's built-in system, authentication is handled using a username/password combination.\n\nWith GrapheneDB, a *Database User* consists of a:\n\n* Label to identify it among others\n* Username, that is automatically generated based on the assigned label.\n* Password, also automatically generated and only visible once upon creation.\n\nThis system allows you to:\n\n* [Create multiple users](#section-creating-a-database-user) and avoid sharing credentials across applications and developers\n* [Drop users](#section-dropping-a-user) whenever you think a particular password may have been compromised or is no longer necessary.\n* Create [temporary database users](#section-temporary-database-users) that expire after a certain time.\n\n[block:callout]\n{\n  \"type\": \"info\",\n  \"body\": \"All database users have read and write permissions.\",\n  \"title\": \"Note\"\n}\n[/block]\n## Creating a database user\n\nAfter creating a new database, it will not accept any incoming connections, except for [Neo4j Browser sessions](accesing-the-neo4j-browser) launched from the database management interface, for which temporary users are created. Create a database user and store its username and password to connect your application, or CLI.\n\nAdd new users using the* Create user* button in the Database users section in the Connection tab.\n\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/1d11218-no_users.png\",\n        \"no_users.png\",\n        908,\n        623,\n        \"#f8f8f8\"\n      ]\n    }\n  ]\n}\n[/block]\nA new window will be displayed:\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/2472f95-new_user_1.png\",\n        \"new_user_1.png\",\n        398,\n        466,\n        \"#f1f1f1\"\n      ]\n    }\n  ]\n}\n[/block]\n\nEnter a label to identify the user and optionally set an expiration time. If the Expiration field is set to “Doesn’t expire”, a permanent user will be created. You can read more on temporary users [here](#temporary-database-users).\n\nAfter submitting the form using the *Create user* button, the user will be created and its username and password displayed.\n\n[block:callout]\n{\n  \"type\": \"info\",\n  \"body\": \"The password is only visible once in this step, so it should be copied and safely stored at this time. If the password can no longer be retrieved or is lost, the user should be [deleted](#section-dropping-a-user) and a new one created.\",\n  \"title\": \"Note\"\n}\n[/block]\n\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/bdaa28c-new_user_2.png\",\n        \"new_user_2.png\",\n        424,\n        470,\n        \"#667e89\"\n      ]\n    }\n  ]\n}\n[/block]\nUpon confirmation, the window will be closed and the new user will be visible in the Database users section. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/67c0e87-temporary.png\",\n        \"temporary.png\",\n        423,\n        498,\n        \"#f1f1f1\"\n      ]\n    }\n  ]\n}\n[/block]\nAlthough you won’t be able to see the password again, you will find some useful information here:\n\n* Created by: the GrapheneDB user that created the user,  useful if you are using our [team collaboration feature](http://docs.graphenedb.com/docs/graphenedb-account-management#section-team-collaboration).\n* Created: The date the user was created\n* Last access: The last date the credentials were used to connect to the database\n* Expires: Expiration date in case of a temporary user\n\n\n## Retrieving username and password of a user\n\nWhen creating a database user, its username and password are automatically generated. For better security, passwords are stored encrypted and only visible once upon creation. Use View to retrieve the username for a database user\n\nBecause password are stored encrypted, it is not possible to retrieve the password at a moment other than upon creating the user. If a password is lost  the user should be [deleted](#section-dropping-a-user) and a new one created.\n\n## Dropping a user\n\nIf credentials have been accidentally leaked, the user no longer necessary or someone with access to it left your team, it is a good idea to delete the database user.\n\nYou can do so by following the *Drop* next to the database user you want to remove in the Database users section in the *Connection* tab.\n[block:callout]\n{\n  \"type\": \"danger\",\n  \"body\": \"If the user is in use and you want to delete it, it is a good idea to create a new user first, update the credentials in your app and verify that the new connection is working correctly before proceeding.\",\n  \"title\": \"Important\"\n}\n[/block]\n\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/8ee0cf6-drop_user.png\",\n        \"drop_user.png\",\n        413,\n        418,\n        \"#656564\"\n      ]\n    }\n  ]\n}\n[/block]\n## Temporary database users\n\nThere are cases where a connection is only needed temporarily, for instance:\n\n* using the Neo4j Browser or CLI to run queries \n* running short-lived scripts for reporting, migrating data or schema\n\nIn such cases temporary database users can be used. They expire automatically after a certain time, without the need to manually drop the user.\n\nYou can create a new temporary user by selecting an expiration time in the Create new user form. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/342c1ef-temporary.png\",\n        \"temporary.png\",\n        423,\n        498,\n        \"#f1f1f1\"\n      ]\n    }\n  ]\n}\n[/block]\nAfter creation, the temporary user will appear in the database user list with its expiration date and a special icon for easy recognition.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/8bcbb21-legacy.png\",\n        \"legacy.png\",\n        824,\n        311,\n        \"#fafaea\"\n      ]\n    }\n  ]\n}\n[/block]\n\n[block:callout]\n{\n  \"type\": \"info\",\n  \"body\": \"When opening the Neo4j Browser from the database management interface, a new temporary user will be created. Read [more](accessing-the-neo4j-browser).\",\n  \"title\": \"Note\"\n}\n[/block]\n\n[block:api-header]\n{\n  \"type\": \"basic\",\n  \"title\": \"Accessing the Neo4j Browser\"\n}\n[/block]\nLaunching the Neo4j Browser through the link in Overview automatically creates a new temporary set of credentials that expires 1 hour after. A user is created every time the Neo4j Browser is accessed, even if a previously generated user has not yet expired.\n\nAfter the temporary user expires, Neo4j Browser might display an authentication-related error. Should you want to continue using it, you will need to launch the Neo4j Browser again from Overview.\n\nTemporary users are visible until they expire, can be audited from the Database users section and can be optionally dropped before they have automatically expired. \n\n[block:api-header]\n{\n  \"type\": \"basic\",\n  \"title\": \"Transitioning from legacy user to new database users\"\n}\n[/block]\nThe new GrapheneDB database user authentication system will be rolled out in February 2017. All databases created after its release support only this new system. Please read more on how to manage database users [here](doc:graphenedb-database-users).\n\nHowever, previously created databases will continue supporting legacy users indefinitely. Legacy users will be also displayed in the Database users section:\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/8574c42-legacy.png\",\n        \"legacy.png\",\n        824,\n        311,\n        \"#fafaea\"\n      ]\n    }\n  ]\n}\n[/block]\n\n[block:callout]\n{\n  \"type\": \"warning\",\n  \"body\": \"The legacy user will continue working, but for security reasons the password will not be displayed. If you have lost your password, please follow the steps below.\",\n  \"title\": \"Important\"\n}\n[/block]\nTo improve the security of your database, we recommend that you to transition to the new database users system by following these steps:\n\n1. Create a new user\n2. Update your application to use the new username and password\n3. Verify that the application is connecting without issues using the new credentials\n4. Finally delete the Legacy user using the *Drop* link","excerpt":"","slug":"graphenedb-database-users","type":"basic","title":"GrapheneDB database users"}

GrapheneDB database users


For higher security, GrapheneDB uses a custom authentication system to manage database connections. Much like Neo4j's built-in system, authentication is handled using a username/password combination. With GrapheneDB, a *Database User* consists of a: * Label to identify it among others * Username, that is automatically generated based on the assigned label. * Password, also automatically generated and only visible once upon creation. This system allows you to: * [Create multiple users](#section-creating-a-database-user) and avoid sharing credentials across applications and developers * [Drop users](#section-dropping-a-user) whenever you think a particular password may have been compromised or is no longer necessary. * Create [temporary database users](#section-temporary-database-users) that expire after a certain time. [block:callout] { "type": "info", "body": "All database users have read and write permissions.", "title": "Note" } [/block] ## Creating a database user After creating a new database, it will not accept any incoming connections, except for [Neo4j Browser sessions](accesing-the-neo4j-browser) launched from the database management interface, for which temporary users are created. Create a database user and store its username and password to connect your application, or CLI. Add new users using the* Create user* button in the Database users section in the Connection tab. [block:image] { "images": [ { "image": [ "https://files.readme.io/1d11218-no_users.png", "no_users.png", 908, 623, "#f8f8f8" ] } ] } [/block] A new window will be displayed: [block:image] { "images": [ { "image": [ "https://files.readme.io/2472f95-new_user_1.png", "new_user_1.png", 398, 466, "#f1f1f1" ] } ] } [/block] Enter a label to identify the user and optionally set an expiration time. If the Expiration field is set to “Doesn’t expire”, a permanent user will be created. You can read more on temporary users [here](#temporary-database-users). After submitting the form using the *Create user* button, the user will be created and its username and password displayed. [block:callout] { "type": "info", "body": "The password is only visible once in this step, so it should be copied and safely stored at this time. If the password can no longer be retrieved or is lost, the user should be [deleted](#section-dropping-a-user) and a new one created.", "title": "Note" } [/block] [block:image] { "images": [ { "image": [ "https://files.readme.io/bdaa28c-new_user_2.png", "new_user_2.png", 424, 470, "#667e89" ] } ] } [/block] Upon confirmation, the window will be closed and the new user will be visible in the Database users section. [block:image] { "images": [ { "image": [ "https://files.readme.io/67c0e87-temporary.png", "temporary.png", 423, 498, "#f1f1f1" ] } ] } [/block] Although you won’t be able to see the password again, you will find some useful information here: * Created by: the GrapheneDB user that created the user, useful if you are using our [team collaboration feature](http://docs.graphenedb.com/docs/graphenedb-account-management#section-team-collaboration). * Created: The date the user was created * Last access: The last date the credentials were used to connect to the database * Expires: Expiration date in case of a temporary user ## Retrieving username and password of a user When creating a database user, its username and password are automatically generated. For better security, passwords are stored encrypted and only visible once upon creation. Use View to retrieve the username for a database user Because password are stored encrypted, it is not possible to retrieve the password at a moment other than upon creating the user. If a password is lost the user should be [deleted](#section-dropping-a-user) and a new one created. ## Dropping a user If credentials have been accidentally leaked, the user no longer necessary or someone with access to it left your team, it is a good idea to delete the database user. You can do so by following the *Drop* next to the database user you want to remove in the Database users section in the *Connection* tab. [block:callout] { "type": "danger", "body": "If the user is in use and you want to delete it, it is a good idea to create a new user first, update the credentials in your app and verify that the new connection is working correctly before proceeding.", "title": "Important" } [/block] [block:image] { "images": [ { "image": [ "https://files.readme.io/8ee0cf6-drop_user.png", "drop_user.png", 413, 418, "#656564" ] } ] } [/block] ## Temporary database users There are cases where a connection is only needed temporarily, for instance: * using the Neo4j Browser or CLI to run queries * running short-lived scripts for reporting, migrating data or schema In such cases temporary database users can be used. They expire automatically after a certain time, without the need to manually drop the user. You can create a new temporary user by selecting an expiration time in the Create new user form. [block:image] { "images": [ { "image": [ "https://files.readme.io/342c1ef-temporary.png", "temporary.png", 423, 498, "#f1f1f1" ] } ] } [/block] After creation, the temporary user will appear in the database user list with its expiration date and a special icon for easy recognition. [block:image] { "images": [ { "image": [ "https://files.readme.io/8bcbb21-legacy.png", "legacy.png", 824, 311, "#fafaea" ] } ] } [/block] [block:callout] { "type": "info", "body": "When opening the Neo4j Browser from the database management interface, a new temporary user will be created. Read [more](accessing-the-neo4j-browser).", "title": "Note" } [/block] [block:api-header] { "type": "basic", "title": "Accessing the Neo4j Browser" } [/block] Launching the Neo4j Browser through the link in Overview automatically creates a new temporary set of credentials that expires 1 hour after. A user is created every time the Neo4j Browser is accessed, even if a previously generated user has not yet expired. After the temporary user expires, Neo4j Browser might display an authentication-related error. Should you want to continue using it, you will need to launch the Neo4j Browser again from Overview. Temporary users are visible until they expire, can be audited from the Database users section and can be optionally dropped before they have automatically expired. [block:api-header] { "type": "basic", "title": "Transitioning from legacy user to new database users" } [/block] The new GrapheneDB database user authentication system will be rolled out in February 2017. All databases created after its release support only this new system. Please read more on how to manage database users [here](doc:graphenedb-database-users). However, previously created databases will continue supporting legacy users indefinitely. Legacy users will be also displayed in the Database users section: [block:image] { "images": [ { "image": [ "https://files.readme.io/8574c42-legacy.png", "legacy.png", 824, 311, "#fafaea" ] } ] } [/block] [block:callout] { "type": "warning", "body": "The legacy user will continue working, but for security reasons the password will not be displayed. If you have lost your password, please follow the steps below.", "title": "Important" } [/block] To improve the security of your database, we recommend that you to transition to the new database users system by following these steps: 1. Create a new user 2. Update your application to use the new username and password 3. Verify that the application is connecting without issues using the new credentials 4. Finally delete the Legacy user using the *Drop* link