Neo4j Security

Cypher Workbench uses a single Neo4j user to execute all read and write commands to the Cypher Workbench Neo4j database. The username and password for the database are defined in the docker-compose.yml file.

Authentication and Authorization

The Labs distribution is configured to authenticate users against a stored User node. The User node contains the encrypted password of the user. Users will enter their username and password on the login screen. Upon successful authentication, a session token will be generated and stored in the user’s local browser storage.

The GraphQL API will check the contents of the Authorization HTTP header to check that the session token is valid. Besides the default configuration there are several different types of Authorization headers supported as described in this table:

Table 1. Authentication and Authorization Types
Type Example Notes

local Basic

Bearer {"type":"Basic", "credentials":"<base64 encoded username:password>"}

This will look for a User node in the Neo4j database where the base64 encoded plain text password is compared to the user’s stored password.

local SWToken

Bearer {"type":"SWToken", "credentials":"<session token>"}

Default. During authentication, SWToken credentials will be created and passed back to the React client.


Bearer <JWT token>

You need an auth0 tenant setup to use this type. Contact Professional Services to get instructions or assistance to set this up.


Contact Professional Services for assistance on custom authorization and authentication types.

Security Organizations

The Neo4j Labs set up comes with a single Security Organization, called Neo4j. Security Organizations are stored as SecurityOrganization nodes in the database, and their name is also used as an additional Node Label on every node created by a user. Any read and write operations use the User’s primaryOrganization to verify they can read or write to a Security Organization’s nodes.

It is possible to configure more Security Organizations and for users to switch between security organizations. For more information, please contact Professional Services.


Users are stored as User nodes in the database. Users connect to SecurityOrganization nodes via the MEMBER and OWNER relationships. These relationships determine the privilege level for certain operations - MEMBERs can create, edit, and delete models and database cards. OWNERs have the privilege to add additional users to the Security Organization.

There is also an Admin label which can be assigned to a User node. The Admin label provides access to all Security Organizations and enables all privileges. Adding the Admin label has to be done directly in the database itself using Cypher. There are also a number of Cypher statements that can be used to manage organizations and users. Additionally, there is an administrative React app that can manage organizations and users which is not provided as part of the Labs distribution. Please contact Professional Services for more details.

Model Security

Data models have a central node with the label DataModel. The information contained in a data model - node labels, relationship types, and properties are stored as a subgraph linked to this central node. User nodes are related to the DataModel nodes via these relationships:

Table 2. Model Security relationships
RelationshipType Notes


Designates the CREATOR of the model for documentation purposes.


Owners can view the model and perform model operations such as adding, editing, or deleting information. They can add or remove additional users or change their role. Additionally, they can delete the model.


Members can view the model and perform model operations such as adding, editing, or deleting information.


Viewers can view the model.

Licensing Model

The Labs distribution comes with a Labs license. This turns on the Model and Databases tool. Other license types such as Premium and Enterprise provide more tools. Please contact Professional Services for more information.