Privilege to allow or forbid users to change their own password #13398

Open
marco-brandizi opened this issue Feb 10, 2024 · 1 comment

@marco-brandizi

Apparently, in Neo4j Enterprise it's not possible to prevent a user from changing their own password. DENY SET PASSWORD seems to apply only to the management of other users; a user can always change their own password, regardless of such a privilege associated with them (or with a role they have).

I have an online demo database and I'd like to tell potential users (e.g., via project wiki readers) something like: "use test/*** as credentials", without the need for them to ask for a new account just to play with a demo in read-only mode.

I managed to set up read-only powers for a 'test' user and also to grant it access to the demo DB only; however, I can't afford for anyone to be able to change this user's password.

I know that sharing credentials isn't good practice, but it would be fine in this case, and support for anonymous or password-less users seems to be missing as well.

A simple solution could be a new privilege, e.g., SET OWN PASSWORD, which could be in a GRANT or DENY statement. This would be incompatible with CHANGE REQUIRED.

Note that I don't want to disable authentication altogether, since this is an enterprise DB, where I need to control access to other databases too.
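
The setup described in the issue above, written out as Cypher administration commands, ending with the statement the issue reports cannot be blocked. This is an added example, not part of the original post or of the project's own code; the role name `demo_reader`, the database name `demo` and both passwords are assumed placeholders.

```cypher
// Added example. The names demo_reader and demo, and both passwords,
// are constructed placeholders, not values taken from the issue.

// --- Run as an administrator against the system database ---

CREATE ROLE demo_reader IF NOT EXISTS;

// Read-only access, limited to the demo database.
GRANT ACCESS ON DATABASE demo TO demo_reader;
GRANT MATCH {*} ON GRAPH demo TO demo_reader;

// The privilege the issue calls "DENY SET PASSWORD". It governs changing
// the passwords of other users through user management commands.
DENY SET PASSWORDS ON DBMS TO demo_reader;

// Shared demo account; CHANGE NOT REQUIRED so the published password
// works on first login.
CREATE USER test IF NOT EXISTS
  SET PASSWORD 'placeholder-demo-password' CHANGE NOT REQUIRED;
GRANT ROLE demo_reader TO test;

// Review what the account can actually do. Every user also holds the
// built-in PUBLIC role, so its privileges show up here as well.
SHOW USER test PRIVILEGES AS COMMANDS;

// --- Run while logged in as test ---

// Per the issue, this still succeeds despite the DENY above, which
// locks every other reader of the published credentials out of the demo.
ALTER CURRENT USER SET PASSWORD
  FROM 'placeholder-demo-password' TO 'placeholder-new-password';
```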

@ncordon
Contributor

ncordon commented Feb 12, 2024

Hey @marco-brandizi, thanks for taking the time to write up this explanation. We'll look into it and keep you posted!
