Manage users

Users can be created and managed using a set of Cypher administration commands executed against the system database. When connected to the DBMS over bolt, administration commands are automatically routed to the system database.

User states

There are two types of user states in the system database:

ACTIVE state

(default for new users) Users can log into Neo4j and perform queries according to their privileges.

SUSPENDED state Enterprise Edition
  • Native users who authenticate and authorize against the system graph cannot log into Neo4j. If suspended while using Neo4j, they lose all assigned roles with their privileges, including the PUBLIC role, until reactivated.

  • Users who authenticate and authorize against an external ID provider (e.g., LDAP) can still log in. If suspended while using Neo4j, they retain the roles and the privileges assigned by the external provider, including the PUBLIC role. To prevent any of these, you need to use the mechanisms of their identity provider.

  • Users who authenticate and authorize against an external ID provider and have user auth providers set up cannot log into Neo4j. If suspended while using Neo4j, they lose all assigned roles and associated privileges, including the PUBLIC role, until reactivated.

User management command syntax

For more details about the syntax descriptions, see Database management command syntax.

Command

SHOW CURRENT USER

Syntax

SHOW CURRENT USER
  [YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]

Description

Lists the current user.

When using the RETURN clause, the YIELD clause is mandatory and must not be omitted.

For more information, see Showing current user.

Required privilege

None.

However, the SHOW USER METADATA privilege is required to see the values in the tags column returned by SHOW CURRENT USER YIELD *; without it, the column returns null.

SET TAGS and SHOW USER METADATA are Enterprise Edition features introduced in Neo4j 2026.06. For more information, see Creating users and Grant privilege to show user metadata.

Command

SHOW USERS

Syntax

SHOW USER[S]
  [WITH AUTH]
  [YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]

Description

Lists all users.

When using the RETURN clause, the YIELD clause is mandatory and must not be omitted.

For more information, see Showing users.

Required privilege

GRANT SHOW USER

For more information, see DBMS USER MANAGEMENT privileges.

GRANT SHOW USER METADATA

The SHOW USER METADATA privilege is additionally required to see the values in the tags column returned by SHOW USERS YIELD *; without it, the column returns null.

SET TAGS and SHOW USER METADATA are Enterprise Edition features introduced in Neo4j 2026.06. For more information, see Creating users and Grant privilege to show user metadata.

Command

SHOW USER PRIVILEGES

Syntax

SHOW USER[S] [name[, ...]] PRIVILEGE[S] [AS [REVOKE] COMMAND[S]]
  [YIELD { * | field[, ...] } [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]
  [WHERE expression]
  [RETURN field[, ...] [ORDER BY field[, ...]] [SKIP n] [LIMIT n]]

Description

Lists the privileges granted to the specified users or the current user if no user is specified.

When using the RETURN clause, the YIELD clause is mandatory and must not be omitted.

The SHOW USER name PRIVILEGES command is described in Showing privileges.

Required privilege

GRANT SHOW PRIVILEGE

For more information, see DBMS PRIVILEGE MANAGEMENT privileges.

GRANT SHOW USER

For more information, see DBMS USER MANAGEMENT privileges.

Command

CREATE USER

Syntax

CREATE USER name [IF NOT EXISTS]
  [SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password']
  [[SET PASSWORD] CHANGE [NOT] REQUIRED]
  [SET STATUS {ACTIVE | SUSPENDED}]
  [SET HOME DATABASE name]
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]...
  [SET TAG[S] tag[, ...]]

<key><value> pairs for the SET AUTH clause could include:

SET AUTH [PROVIDER] 'provider' "{"
    {
        SET ID 'id' # a unique identifier of the user in an external system
        | SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password' # only applicable to the 'native' provider
        | SET PASSWORD CHANGE [NOT] REQUIRED # only applicable to the 'native' provider
    }
"}"

Description

Creates a new user.

It is mandatory to specify a SET PASSWORD and/or at least one SET AUTH clause because users must have at least one auth provider.

For more information, see Creating users.

Required privilege

GRANT CREATE USER

For more information, see Grant privilege to create users.

GRANT SET USER METADATA

The SET USER METADATA privilege is only required when attaching tags with the SET TAG[S] clause.

SET TAGS and SET USER METADATA are Enterprise Edition features introduced in Neo4j 2026.06. For more information, see Creating users and Grant privilege to show user metadata.

Command

CREATE OR REPLACE USER

Syntax

CREATE OR REPLACE USER name
  [SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password']
  [[SET PASSWORD] CHANGE [NOT] REQUIRED]
  [SET STATUS {ACTIVE | SUSPENDED}]
  [SET HOME DATABASE name]
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]...
  [SET TAG[S] tag[, ...]]

<key><value> pairs for the SET AUTH clause could include:

SET AUTH [PROVIDER] 'provider' "{"
    {
        SET ID 'id' # a unique identifier of the user in an external system
        | SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password' # only applicable to the 'native' provider
        | SET PASSWORD CHANGE [NOT] REQUIRED # only applicable to the 'native' provider
    }
"}"

Description

Creates a new user, or if a user with the same name exists, replaces it.

It is mandatory to specify a SET PASSWORD and/or at least one SET AUTH clause because users must have at least one auth provider.

For more information, see Creating users.

Required privilege

GRANT CREATE USER

For more information, see Grant privilege to create users.

GRANT DROP USER

For more information, see Grant privilege to delete users.

GRANT SET USER METADATA

The SET USER METADATA privilege is only required when attaching tags with the SET TAG[S] clause.

SET TAGS and SET USER METADATA are Enterprise Edition features introduced in Neo4j 2026.06. For more information, see Creating users and Grant privilege to show user metadata.

Command

RENAME USER

Syntax

RENAME USER name [IF EXISTS] TO otherName

Description

Changes the name of a user.

For more information, see Renaming users.

Required privilege

GRANT RENAME USER

For more information, see DBMS USER MANAGEMENT privileges.

Command

ALTER USER

Syntax

ALTER USER name [IF EXISTS]
  [REMOVE HOME DATABASE]
  [REMOVE { AUTH [PROVIDER[S]] provider[, ...] | ALL AUTH [PROVIDER[S]] }]...
  [REMOVE { TAG[S] tag[, ...] | ALL TAG[S] }]...
  [ADD TAG[S] tag[, ...]]...
  [SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password']
  [[SET PASSWORD] CHANGE [NOT] REQUIRED]
  [SET STATUS {ACTIVE | SUSPENDED} ]
  [SET HOME DATABASE name]
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]...
  [SET TAG[S] tag[, ...]]

<key><value> pairs for the SET AUTH clause could include:

SET AUTH [PROVIDER] 'provider' "{"
    {
        SET ID 'id' # a unique identifier of the user in an external system
        | SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password' # PASSWORD clauses are only applicable to the 'native' provider
        | SET PASSWORD CHANGE [NOT] REQUIRED # PASSWORD clauses are only applicable to the 'native' provider
    }
"}"

Description

Modifies the settings for an existing user.

  • At least one SET, ADD, or REMOVE clause is required.

  • Any REMOVE clause(s) must appear first, followed by any ADD clause(s), and then any SET clause(s). For more information, see Modifying users.

SET TAG[S], ADD TAG[S], REMOVE TAG[S], REMOVE ALL TAG[S], and SET USER METADATA are Enterprise Edition features introduced in Neo4j 2026.06. For more information, see Creating users, Modifying users, Modifying multiple users' tags, and Grant privilege to show user metadata.

Required privilege

GRANT SET PASSWORD
GRANT SET USER STATUS
GRANT SET USER HOME DATABASE
GRANT SET AUTH

For more information, see DBMS USER MANAGEMENT privileges.

GRANT SET USER METADATA

Introduced in 2026.06 Enterprise Edition The SET USER METADATA privilege is only required when setting, adding, or removing tags. For more information, see Grant privilege to set user metadata.

Enterprise Edition Introduced in 2026.06

Command

ALTER USERS

Syntax

ALTER USERS name[, ...] [IF EXISTS]
  [REMOVE { TAG[S] tag[, ...] | ALL TAG[S] }]...
  [ADD TAG[S] tag[, ...]]...
  [SET TAG[S] tag[, ...]]

Description

Modifies the tags of several existing users in a single command.

  • At least one SET, ADD, or REMOVE clause is required.

  • Any REMOVE clause(s) must appear first, followed by any ADD clause(s), and then any SET clause(s).

For more information, see Modifying multiple users' tags.

Required privilege

GRANT ALTER USER

For more information, see DBMS USER MANAGEMENT privileges.

GRANT SET USER METADATA

For more information, see Grant privilege to set user metadata.

Command

ALTER CURRENT USER SET PASSWORD

Syntax

ALTER CURRENT USER SET PASSWORD FROM 'oldPassword' TO 'newPassword'

Description

Changes the current user’s password.

For more information, see Changing the current user’s password.

Required privilege

None

Command

DROP USER

Syntax

DROP USER name [IF EXISTS]

Description

Removes an existing user.

For more information, see Delete users.

Required privilege

GRANT DROP USER

For more information, see Grant privilege to delete users.

The SHOW USER[S] PRIVILEGES command is described in Showing privileges.

Showing current user

You can view the currently logged-in user using the Cypher command SHOW CURRENT USER. It produces a table with the following columns:

Column Description Type Community Edition Enterprise Edition

user

User name

STRING

roles

Roles granted to the user.

It returns null in Community edition.

LIST OF STRING

passwordChangeRequired

If true, the user must change their password at the next login. This is null if the user has native auth disabled.

BOOLEAN

suspended

If true, the user is currently suspended.

It returns null in Community edition.

BOOLEAN

home

The home database configured by the user, or null if no home database has been configured. If this database is unavailable and the user does not specify a database to use, they will not be able to log in.

It returns null in Community edition.

STRING

tags

Enterprise Edition Introduced in 2026.06 The ABAC tags attached to the user. This column is returned only by SHOW CURRENT USER YIELD *, or when you explicitly yield the tags column.

Seeing the tag values requires the SHOW USER METADATA privilege; without it, the column returns null.

It returns null in Community edition.

LIST OF STRING

SHOW CURRENT USER;
Table 1. Result
| user | roles | passwordChangeRequired | suspended | home |
| --- | --- | --- | --- | --- |
| "jake" | ["PUBLIC"] | false | false | <null> |

Rows: 1

This command is only supported for a logged-in user and returns an empty result if authorization has been disabled.

Showing users

You can list all available users using the Cypher command SHOW USERS. It produces a table containing a single row per user with the following columns:

Column Description Type Community Edition Enterprise Edition

user

User name

STRING

roles

Native roles granted to the user using the GRANT ROLE command.

The set of roles a user receives in practice may differ from those in this column, depending on the DBMS configuration and the user’s auth providers, for example if they use external (e.g. LDAP or OIDC) auth, or if native is not listed in the dbms.security.authorization_providers configuration setting.

It returns null in Community edition.

LIST OF STRING

passwordChangeRequired

If true, the user must change their password at the next login. This is null if the user has native auth disabled.

BOOLEAN

suspended

If true, the user is currently suspended.

It returns null in Community edition.

BOOLEAN

home

The home database configured for the user, otherwise null. A home database is resolved if it is pointing to a database or a database alias. Constituents, graph or property shards are not supported as a home database. If the configured home database is unavailable and the user does not specify another database, the login will fail.

It returns null in Community edition.

STRING

tags

Enterprise Edition Introduced in 2026.06 The ABAC tags attached to the user. This column is returned only by SHOW USERS YIELD *, or when you explicitly yield the tags column.

Seeing the tag values requires the SHOW USER METADATA privilege; without it, the column returns null.

It returns null in Community edition.

LIST OF STRING

When first starting a Neo4j DBMS, there is always a single default user neo4j with administrative privileges. It is possible to set the initial password using neo4j-admin dbms set-initial-password <password>, otherwise you must change the password after the first login.

Show all users

SHOW USERS;
Table 2. Result
| user | roles | passwordChangeRequired | suspended | home |
| --- | --- | --- | --- | --- |
| "neo4j" | ["admin","PUBLIC"] | false | false | <null> |
| "jake" | ["PUBLIC"] | false | false | <null> |

Rows: 2

Show user with column reorder and filtering

This example shows how to:

  • Reorder the columns using a YIELD clause.

  • Filter the results using a WHERE clause.

SHOW USER YIELD user, suspended, passwordChangeRequired, roles, home
WHERE user = 'jake';
Table 3. Result
| user | suspended | passwordChangeRequired | roles | home |
| --- | --- | --- | --- | --- |
| "jake" | false | false | ["PUBLIC"] | <null> |

Rows: 1

Show user with RETURN clause

It is possible to add a RETURN clause to further manipulate the results after filtering. In this example, the RETURN clause is used to filter out the roles column and rename the user column to adminUser.

SHOW USERS YIELD roles, user
WHERE 'admin' IN roles
RETURN user AS adminUser;
Table 4. Result
| adminUser |
| --- |
| "neo4j" |

Rows: 1

Show users with their tags

The tags column is not part of the default output of SHOW USERS. It is returned by SHOW USERS YIELD *, or when the tags column is yielded explicitly.

Assuming jake has been assigned the tags finance and auditor (tags are managed using the ALTER USER command):

SHOW USERS YIELD user, roles, tags;
Table 5. Result
| user | roles | tags |
| --- | --- | --- |
| "neo4j" | ["admin","PUBLIC"] | [] |
| "jake" | ["PUBLIC"] | ["finance","auditor"] |

Rows: 2

Seeing the values in the tags column requires the SHOW USER METADATA privilege, in addition to the SHOW USER privilege required to run SHOW USERS. Without SHOW USER METADATA, the tags column returns null for every row.

Showing user auth providers

To inspect available user auth providers, use SHOW USERS WITH AUTH. The command produces a row per user per auth provider and yields the following two columns in addition to those output by SHOW USERS:

Column Description Type Community Edition Enterprise Edition

provider

The name of the auth provider.

STRING

auth

A map containing configuration for the user. For example, dn of the user for an ldap auth provider, the unique external identifier for an oidc auth provider, or password status for a native auth provider.

MAP

Show users with auth

SHOW USERS WITH AUTH;
Table 6. Result
| user | roles | passwordChangeRequired | suspended | home | provider | auth |
| --- | --- | --- | --- | --- | --- | --- |
| "neo4j" | ["admin","PUBLIC"] | false | false | <null> | "native" | { "password": "***", "changeRequired": false } |
| "jack" | ["PUBLIC"] | false | false | <null> | "native" | { "password": "***", "changeRequired": false } |
| "jack" | ["PUBLIC"] | false | false | <null> | "oidc1" | { "id": "jacksIdForOidc1" } |

Rows: 3

Show user with auth using filtering

Show all users with the oidc auth provider.

SHOW USERS WITH AUTH
WHERE provider = 'oidc1';
Table 7. Result
| user | roles | passwordChangeRequired | suspended | home | provider | auth |
| --- | --- | --- | --- | --- | --- | --- |
| "jack" | ["PUBLIC"] | false | false | <null> | "oidc1" | { "id": "jacksIdForOidc1" } |

Rows: 1

For more information about auth providers, see User auth providers.

Creating users

You can create users using one of the following Cypher commands, depending on whether you want to create a new user or replace an existing one. In both cases, you can specify the user’s password, whether they must change it at the next login, their status, home database, and auth provider settings. The SET clauses can be applied in any order. It is mandatory to specify a SET PASSWORD and/or at least one SET AUTH clause because users must have at least one auth provider.

CREATE USER syntax

CREATE USER name [IF NOT EXISTS] (1)
  [SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password'] (2)
  [[SET PASSWORD] CHANGE [NOT] REQUIRED] (3)
  [SET STATUS {ACTIVE | SUSPENDED}] (4)
  [SET HOME DATABASE name] (5)
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]... (6)
  [SET TAG[S] tag[, ...]] (7)

CREATE OR REPLACE USER syntax

CREATE OR REPLACE USER name (1)
  [SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password'] (2)
  [[SET PASSWORD] CHANGE [NOT] REQUIRED] (3)
  [SET STATUS {ACTIVE | SUSPENDED}] (4)
  [SET HOME DATABASE name] (5)
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]... (6)
  [SET TAG[S] tag[, ...]] (7)

Where:

1 Specifies the command to create a user.
2 Specifies the password for the user. The 'password' can be either a string value or a string parameter and, by default, must be at least 8 characters long.
The PLAINTEXT and ENCRYPTED keywords are optional and can be used to specify the format of the password, i.e. whether Neo4j needs to hash it or it has already been hashed. By default, all passwords are encrypted (hashed) when stored in the Neo4j system database.
  • The optional PLAINTEXT in SET PLAINTEXT PASSWORD has the same behavior as SET PASSWORD.

  • The optional ENCRYPTED is used to recreate an existing user when the plaintext password is unknown, but the encrypted password is available in the /data/scripts/databasename/restore_metadata.cypher file of a restored database backup. See Restore users and roles metadata.
    With ENCRYPTED, the password string is expected to be in the format of <encryption-version>,<hash>,<salt>, where, for example:

    • 0 is the first version and refers to the SHA-256 cryptographic hash function with 1 iteration.

    • 1 is the second version and refers to the SHA-256 cryptographic hash function with 1024 iterations.

3 Specifies whether the user must change their password at the next login. If the optional SET PASSWORD CHANGE [NOT] REQUIRED is omitted but a password is given, the default is CHANGE REQUIRED. The SET PASSWORD prefix of the CHANGE [NOT] REQUIRED clause is only optional if it directly follows the SET PASSWORD 'password' clause and is not part of a SET AUTH clause.
4 Specifies the user’s status. If not set, the default is ACTIVE.
5 Specifies a home database for a user. A home database is resolved if it is pointing to a database or a database alias. Constituents and shards are not supported. If no home database is set, the DBMS default database is used as the home database for that user.
6 One or more SET AUTH clauses can be used to configure external auth providers, such as LDAP or OIDC, which define authentication/authorization providers for that user. SET AUTH can also be used as an alternative way to set the native (password-based) auth settings like SET PASSWORD and SET PASSWORD CHANGE REQUIRED. For further information, see the examples in this section, as well as Configure SSO at the user level using auth providers for OIDC, and Configure authentication/authorization at the user level using auth providers for LDAP.
SET AUTH [PROVIDER] 'provider' "{"
    {
        SET ID 'id' # a unique identifier of the user in an external system.
        | SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password' # only applicable to the 'native' provider.
        | SET PASSWORD CHANGE [NOT] REQUIRED # only applicable to the 'native' provider.
    }
"}"
7 Introduced in 2026.06 Enterprise Edition One or more tags can be attached to the user with the SET TAG[S] clause. The value is either a single string or a comma-separated list of strings. Tags are arbitrary labels attached to the native user object that can be evaluated in attribute-based access control (ABAC) auth rules through the abac.native.user_tags() function. ADD TAGS idempotently adds the specified tags to any existing tags, REMOVE TAGS idempotently removes the specified tags, and SET TAGS replaces any tags the user already has with the specified tags.

Usernames are case sensitive. The created user will appear on the list provided by SHOW USERS.

  • In Neo4j Community Edition there are no roles, but all users have implied administrator privileges.

  • In Neo4j Enterprise Edition all users are automatically assigned the PUBLIC role, giving them a base set of privileges.

Create user with password, status, and home database

For example, you can create the user jake in a suspended state, with the home database anotherDb, and the requirement to change the password by using the command:

CREATE USER jake
SET PASSWORD 'abcd1234' CHANGE REQUIRED
SET STATUS SUSPENDED
SET HOME DATABASE anotherDb;

The equivalent command using the auth providers syntax would be:

CREATE USER jake
SET STATUS SUSPENDED
SET HOME DATABASE anotherDb
SET AUTH 'native' {SET PASSWORD 'abcd1234' SET PASSWORD CHANGE REQUIRED};

Create user with an encrypted password

You can create the user jake in an active state, with an encrypted password (taken from the /data/scripts/databasename/restore_metadata.cypher of a restored database backup), and the requirement to not change the password by running:

CREATE USER jake
SET ENCRYPTED PASSWORD '1,6d57a5e0b3317055454e455f96c98c750c77fb371f3f0634a1b8ff2a55c5b825,190ae47c661e0668a0c8be8a21ff78a4a34cdf918cae3c407e907b73932bd16c' CHANGE NOT REQUIRED
SET STATUS ACTIVE;

The equivalent command using the auth providers syntax would be:

CREATE USER jake
SET STATUS ACTIVE
SET AUTH 'native' {
  SET ENCRYPTED PASSWORD '1,6d57a5e0b3317055454e455f96c98c750c77fb371f3f0634a1b8ff2a55c5b825,190ae47c661e0668a0c8be8a21ff78a4a34cdf918cae3c407e907b73932bd16c'
  SET PASSWORD CHANGE NOT REQUIRED
};

The SET STATUS {ACTIVE | SUSPENDED}, SET HOME DATABASE parts of the commands are only available in Neo4j Enterprise Edition. The SET AUTH clause for external providers is only available in Neo4j Enterprise Edition. However, SET AUTH 'native' can be used in Neo4j Community Edition.

The CREATE USER command is optionally idempotent, with the default behavior to throw an exception if the user already exists. Appending IF NOT EXISTS to the CREATE USER command will ensure that no exception is thrown and nothing happens should the user already exist.

Create user if not exists

CREATE USER jake IF NOT EXISTS
SET PLAINTEXT PASSWORD 'abcd1234';

The equivalent command using the auth providers syntax would be:

CREATE USER jake IF NOT EXISTS
SET AUTH 'native' {SET PLAINTEXT PASSWORD 'abcd1234'};

The CREATE OR REPLACE USER command will result in any existing user being deleted and a new one created.

Create or replace user

CREATE OR REPLACE USER jake
SET PLAINTEXT PASSWORD 'abcd1234';

This is equivalent to running DROP USER jake IF EXISTS followed by CREATE USER jake SET PASSWORD 'abcd1234'.

The equivalent command using the auth providers syntax would be:

CREATE OR REPLACE USER jake
SET AUTH 'native' {SET PLAINTEXT PASSWORD 'abcd1234'};

Create a user with tags

For example, you can create the user jake and attach the tags finance and auditor, which can then be evaluated in ABAC auth rules:

CREATE USER jake
SET PASSWORD 'abcd1234'
SET TAGS 'finance', 'auditor';

The CREATE OR REPLACE USER command does not allow the use of IF NOT EXISTS.

Renaming users

Users can be renamed with the RENAME USER command.

RENAME USER jake TO bob;

To verify the change, you can use the SHOW USERS command:

SHOW USERS;
Table 8. Result
| user | roles | passwordChangeRequired | suspended | home |
| --- | --- | --- | --- | --- |
| "bob" | ["PUBLIC"] | true | false | <null> |
| "neo4j" | ["admin","PUBLIC"] | true | false | <null> |

Rows: 2

The RENAME USER command is only available when using native authentication and authorization.

Modifying users

You can modify users with the ALTER USER command. The command allows you to change the user’s password, status, home database, auth provider settings, and tags. Within each group, the REMOVE, ADD, and SET clauses can be applied in any order. However, all REMOVE clauses must come before any ADD clause, which in turn must come before the first SET clause, and at least one SET, ADD, or REMOVE clause is required for the command. If any of the SET, ADD, or REMOVE clauses are omitted, the corresponding settings will not be changed.

ALTER USER syntax

ALTER USER name [IF EXISTS] (1)
  [REMOVE HOME DATABASE] (2)
  [REMOVE { AUTH [PROVIDER[S]] provider[, ...] | ALL AUTH [PROVIDER[S]] }]... (3)
  [REMOVE { TAG[S] tag[, ...] | ALL TAG[S] }]... (4)
  [ADD TAG[S] tag[, ...]]... (5)
  [SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password'] (6)
  [[SET PASSWORD] CHANGE [NOT] REQUIRED] (7)
  [SET STATUS {ACTIVE | SUSPENDED}] (8)
  [SET HOME DATABASE name] (9)
  [SET AUTH [PROVIDER] 'provider' "{"{SET <key> <value>}..."}"]... (10)
  [SET TAG[S] tag[, ...]] (11)

Where:

1 Specifies the command to alter a user.
2 Removes the home database for the user. As a result, the DBMS default database will be used as the home database for that user.
3 Removes one, several, or all existing auth provider(s) from a user. However, a user must always have at least one auth provider. Therefore, REMOVE ALL AUTH must be used in conjunction with at least one SET AUTH clause in order to meet this requirement.
4 Introduced in 2026.06 Enterprise Edition Removes one, several, or all existing tags from the user. Use REMOVE TAG[S] tag[, …​] to remove specific tags, or REMOVE ALL TAG[S] to remove every tag from the user. Removing a tag that the user does not have has no effect.
5 Introduced in 2026.06 Enterprise Edition Adds one or more tags to the user, keeping any existing tags. The value is either a single string or a comma-separated list of strings.
6 Specifies the password for the user. The 'password' can be either a string value or a string parameter and, by default, must be at least 8 characters long.
The PLAINTEXT and ENCRYPTED keywords are optional and can be used to specify the format of the password, i.e. whether Neo4j needs to hash it or it has already been hashed. By default, all passwords are encrypted (hashed) when stored in the Neo4j system database.
  • The optional PLAINTEXT in SET PLAINTEXT PASSWORD has the same behavior as SET PASSWORD.

  • The optional ENCRYPTED is used to recreate an existing user when the plaintext password is unknown, but the encrypted password is available in the /data/scripts/databasename/restore_metadata.cypher file when you restore a database backup. See Restore users and roles metadata.
    With ENCRYPTED, the password string is expected to be in the format of <encryption-version>,<hash>,<salt>, where, for example:

    • 0 is the first version and refers to the SHA-256 cryptographic hash function with 1 iteration.

    • 1 is the second version and refers to the SHA-256 cryptographic hash function with 1024 iterations.

7 Specifies whether the user must change their password at the next login. If the optional SET PASSWORD CHANGE [NOT] REQUIRED is omitted when adding native auth to a user (either by first removing pre-existing native auth or if the user does not have native auth to start with), the default is CHANGE REQUIRED. The SET PASSWORD prefix of the CHANGE [NOT] REQUIRED clause is only optional if it directly follows the SET PASSWORD 'password' clause and is not part of a SET AUTH clause.
8 Specifies the user’s status.
9 Specifies a home database for a user. A home database is resolved if it is pointing to a database or a database alias. If no home database is set, the DBMS default database is used as the home database for that user.
10 One or more SET AUTH clauses can be used to set auth providers, which define authentication / authorization providers for that user. This might be used to configure external auth providers like LDAP or OIDC, but can also be used as an alternative way to set the native (password-based) auth settings like SET PASSWORD and SET PASSWORD CHANGE REQUIRED. For further information, see the examples in this section, as well as Configure SSO at the user level using auth providers, and Configure authentication/authorization at the user level using auth providers.
SET AUTH [PROVIDER] 'provider' "{"
    {
        SET ID 'id' # a unique identifier of the user in an external system
        | SET [PLAINTEXT | ENCRYPTED] PASSWORD 'password' # only applicable to the 'native' provider
        | SET PASSWORD CHANGE [NOT] REQUIRED # only applicable to the 'native' provider
    }
"}"
11 Introduced in 2026.06 Enterprise Edition Sets the user’s tags, replacing any tags the user already has. To add tags without removing existing ones, use the ADD TAG[S] clause instead. Tags can be evaluated in attribute-based access control (ABAC) auth rules using the abac.native.user_tags() function.
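
The ENCRYPTED password format described above for both CREATE USER and ALTER USER can be checked before a restore script is run. The following is an added example, not part of the Neo4j documentation or tooling: it parses <encryption-version>,<hash>,<salt> values and flags users whose stored hash uses version 0 (a single iteration), so they can be given CHANGE REQUIRED after the restore. It assumes the hash and salt are hex-encoded, as in the example on this page; the function names, status labels, and sample statements are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Iteration counts for the two encryption versions listed on this page.
# The page presents them as examples, so any other version is reported as unknown.
ITERATIONS_BY_VERSION = {"0": 1, "1": 1024}
SHA256_HEX_LEN = 64  # a SHA-256 digest is 32 bytes = 64 hex characters
HEX_RE = re.compile(r"[0-9a-fA-F]+")

# One CREATE [OR REPLACE] USER or ALTER USER statement (up to its ';') that
# carries an ENCRYPTED PASSWORD, directly or inside SET AUTH 'native' { ... }.
STATEMENT_RE = re.compile(
    r"(?:CREATE\s+(?:OR\s+REPLACE\s+)?|ALTER\s+)USER\s+(`[^`]+`|\S+)[^;]*?"
    r"ENCRYPTED\s+PASSWORD\s+'([^']*)'",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class EncryptedPassword:
    version: str
    hash_hex: str
    salt_hex: str
    iterations: Optional[int]  # None when the version is not listed on the page


def parse_encrypted_password(value: str) -> EncryptedPassword:
    """Parse '<encryption-version>,<hash>,<salt>' and validate its shape."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 3:
        raise ValueError("expected <encryption-version>,<hash>,<salt>")
    version, hash_hex, salt_hex = parts
    if not (version.isascii() and version.isdigit()):
        raise ValueError("encryption version is not a number")
    if not HEX_RE.fullmatch(hash_hex) or not HEX_RE.fullmatch(salt_hex):
        raise ValueError("hash and salt must be non-empty hex strings")
    iterations = ITERATIONS_BY_VERSION.get(version)
    # Versions 0 and 1 are SHA-256, so the digest length is known.
    if iterations is not None and len(hash_hex) != SHA256_HEX_LEN:
        raise ValueError("hash is not a 64-character SHA-256 digest")
    return EncryptedPassword(version, hash_hex.lower(), salt_hex.lower(), iterations)


def audit_script(script: str) -> List[Tuple[str, str, str]]:
    """Return (user, status, detail) for every ENCRYPTED PASSWORD in a script."""
    findings = []
    for match in STATEMENT_RE.finditer(script):
        user = match.group(1).strip("`")
        try:
            pw = parse_encrypted_password(match.group(2))
        except ValueError as exc:
            findings.append((user, "malformed", str(exc)))
            continue
        if pw.iterations is None:
            findings.append((user, "unknown-version", "version " + pw.version))
        elif pw.iterations < 1024:
            findings.append((user, "weak-hash", "version 0, single iteration"))
        else:
            findings.append((user, "ok", "%d iterations" % pw.iterations))
    return findings


# Constructed sample input: the hash and salt values are placeholders,
# not real credentials, and the statements follow the syntax on this page.
SAMPLE_HASH = "ab" * 32
SAMPLE_SALT = "cd" * 32
SAMPLE_SCRIPT = "\n".join([
    f"CREATE USER alice IF NOT EXISTS SET ENCRYPTED PASSWORD '1,{SAMPLE_HASH},{SAMPLE_SALT}' CHANGE NOT REQUIRED;",
    f"CREATE USER legacy_svc SET ENCRYPTED PASSWORD '0,{SAMPLE_HASH},{SAMPLE_SALT}';",
    # Salt missing: reported as malformed instead of being sent to the server.
    f"CREATE USER carol SET AUTH 'native' {{ SET ENCRYPTED PASSWORD '1,{SAMPLE_HASH}' }};",
    # Plaintext passwords are out of scope for this check and are skipped.
    "CREATE USER dave SET PLAINTEXT PASSWORD 'abcd1234';",
])

if __name__ == "__main__":
    for finding in audit_script(SAMPLE_SCRIPT):
        print(finding)
```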

Modify a user’s password and status

For example, you can modify the user bob by setting a new password and active status, and removing the requirement to change his password by running:

ALTER USER bob
SET PASSWORD 'abcd5678' CHANGE NOT REQUIRED
SET STATUS ACTIVE;

The equivalent command using the auth providers syntax would be:

ALTER USER bob
SET AUTH 'native' {SET PASSWORD 'abcd5678' SET PASSWORD CHANGE NOT REQUIRED}
SET STATUS ACTIVE;

Modify a user to expire their current password

For example, you can modify the user bob to expire his current password so that he must change it the next time he logs in:

ALTER USER bob
SET PASSWORD CHANGE REQUIRED;

The equivalent command using the auth providers syntax would be:

ALTER USER bob
SET AUTH 'native' {SET PASSWORD CHANGE REQUIRED};

Modify a user to use an external OIDC auth provider

For example, you can modify the user bob by removing his native auth provider and adding an external OIDC auth provider:

ALTER USER bob
REMOVE AUTH 'native'
SET AUTH 'oidc-mysso1' {SET ID 'bobsUniqueMySso1Id'};

Modify a user to use multiple external OIDC auth providers

For example, you can modify the user bob by removing all of his existing auth providers and adding two external OIDC auth providers:

ALTER USER bob
REMOVE ALL AUTH
SET AUTH 'oidc-mysso1' {SET ID 'bobsUniqueMySso1Id'}
SET AUTH 'oidc-mysso2' {SET ID 'bobsUniqueMySso2Id'};

Assign a user a different home database

For example, you can modify the user bob by assigning him a different home database:

ALTER USER bob
SET HOME DATABASE anotherDbOrAlias;

Remove the home database from a user and set their status to suspended

For example, you can modify the user bob by removing his home database and setting his status to suspended:

ALTER USER bob
REMOVE HOME DATABASE
SET STATUS SUSPENDED;

Add and remove tags on a user

For example, you can modify the user bob by adding the on-call tag while removing the auditor tag:

ALTER USER bob
REMOVE TAG 'auditor'
ADD TAG 'on-call';

Any REMOVE clause(s) must come before any ADD clause(s), which must come before any SET clause(s).

Replace all of a user’s tags

SET TAGS replaces whatever tags the user currently has. For example, you can replace bob’s tags with exactly finance and auditor:

ALTER USER bob
SET TAGS 'finance', 'auditor';

To remove every tag from a user instead, use REMOVE ALL TAGS, for example ALTER USER bob REMOVE ALL TAGS.

When altering a user, it is only necessary to specify the changes required. For example, leaving out the CHANGE [NOT] REQUIRED part of the query leaves that unchanged.

The SET STATUS {ACTIVE | SUSPENDED}, SET HOME DATABASE, REMOVE HOME DATABASE, REMOVE AUTH, and the tag clauses: SET TAG[S], ADD TAG[S], REMOVE TAG[S], and REMOVE ALL TAG[S] parts of the command are only available in Neo4j Enterprise Edition, starting with Neo4j 2026.06. The SET AUTH clause for external providers is only available in Neo4j Enterprise Edition. However, SET AUTH 'native' can be used in Neo4j Community Edition.

The changes to the user will appear on the list provided by SHOW USERS. To see the tags set, use SHOW USERS YIELD * to explicitly yield the tags column. The tags column is not part of the default output of SHOW USERS.

SHOW USERS YIELD *;
Table 9. Result
| user | roles | passwordChangeRequired | suspended | home | tags |
| --- | --- | --- | --- | --- | --- |
| "bob" | ["PUBLIC"] | false | false | <null> | ["finance","auditor"] |
| "neo4j" | ["admin","PUBLIC"] | true | false | <null> | [] |

Rows: 2

Introduced in 2026.06 Seeing the values in the tags column requires the SHOW USER METADATA privilege, in addition to the SHOW USER privilege required to run SHOW USERS. Without SHOW USER METADATA, the tags column returns null for every row.

The default behavior of this command is to throw an exception if the user does not exist. Adding an optional parameter IF EXISTS to the command makes it idempotent and ensures that no exception is thrown. Nothing happens should the user not exist.

ALTER USER nonExistingUser IF EXISTS SET PASSWORD 'abcd1234';

Modifying multiple users' tags

You can modify the tags of several users in a single command with the ALTER USERS command. This is useful for applying the same tag changes across a group of users without issuing a separate ALTER USER command for each one.

ALTER USERS syntax

ALTER USERS name[, ...] [IF EXISTS] (1)
  [REMOVE { TAG[S] tag[, ...] | ALL TAG[S] }]... (2)
  [ADD TAG[S] tag[, ...]]... (3)
  [SET TAG[S] tag[, ...]] (4)

Where:

1 Specifies the command to alter one or more users, given as a comma-separated list of usernames. By default, the command throws an exception if any of the listed users do not exist. Adding the optional IF EXISTS makes the command idempotent, so no exception is thrown and the missing users are skipped.
2 Removes one, several, or all existing tags from each listed user. Use REMOVE TAG[S] tag[, …​] to remove specific tags, or REMOVE ALL TAG[S] to remove every tag.
3 Adds one or more tags to each listed user, keeping any existing tags.
4 Sets the tags of each listed user, replacing any tags they already have.

As with ALTER USER, any REMOVE clause(s) must come before any ADD clause(s), which must come before any SET clause(s), and at least one SET, ADD, or REMOVE clause is required. The tags can be evaluated in attribute-based access control (ABAC) auth rules through the abac.native.user_tags() function.

Add a tag to multiple users

For example, you can add the finance tag to both bob and alice in a single command:

ALTER USERS bob, alice
ADD TAG 'finance';

Replace the tags of multiple users

For example, you can replace whatever tags bob and alice currently have with exactly finance and auditor, skipping any of the listed users that do not exist:

ALTER USERS bob, alice IF EXISTS
SET TAGS 'finance', 'auditor';
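
The clause rules stated for ALTER USER and ALTER USERS (REMOVE before ADD before SET, at least one clause, and REMOVE ALL AUTH only together with SET AUTH) can be checked before an administration script is run. The following is an added example, not Neo4j code: a small pre-flight linter whose function name and messages are constructed for illustration, and which applies the rules exactly as this page words them.

```python
import re
from typing import List

# Quoted strings and backticked names are blanked first, so a password or tag
# that happens to contain SET/ADD/REMOVE is not mistaken for a clause keyword.
QUOTED_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|`[^`]*`")
# SET keywords inside a SET AUTH 'provider' { ... } block are not top-level clauses.
BRACES_RE = re.compile(r"\{[^{}]*\}")
CLAUSE_RE = re.compile(r"\b(REMOVE|ADD|SET)\b", re.IGNORECASE)
RANK = {"REMOVE": 0, "ADD": 1, "SET": 2}


def lint_alter_user(statement: str) -> List[str]:
    """Return the rule violations found in one ALTER USER[S] statement."""
    top = BRACES_RE.sub("{}", QUOTED_RE.sub("''", statement))
    if not re.match(r"\s*ALTER\s+USERS?\b", top, re.IGNORECASE):
        raise ValueError("not an ALTER USER or ALTER USERS statement")

    clauses = [m.group(1).upper() for m in CLAUSE_RE.finditer(top)]
    problems = []
    if not clauses:
        problems.append("at least one SET, ADD, or REMOVE clause is required")

    # REMOVE clauses first, then ADD clauses, then SET clauses.
    for previous, current in zip(clauses, clauses[1:]):
        if RANK[current] < RANK[previous]:
            problems.append(f"{current} clause appears after {previous} clause")

    # Rule as stated on this page: a user must keep at least one auth
    # provider, so REMOVE ALL AUTH needs a SET AUTH clause alongside it.
    removes_all_auth = re.search(r"\bREMOVE\s+ALL\s+AUTH\b", top, re.IGNORECASE)
    sets_auth = re.search(r"\bSET\s+AUTH\b", top, re.IGNORECASE)
    if removes_all_auth and not sets_auth:
        problems.append("REMOVE ALL AUTH is used without any SET AUTH clause")
    return problems


# Constructed sample statements, based on the examples on this page.
SAMPLE_STATEMENTS = [
    "ALTER USER bob REMOVE TAG 'auditor' ADD TAG 'on-call';",
    "ALTER USER bob ADD TAG 'on-call' REMOVE TAG 'auditor';",
    "ALTER USER bob REMOVE ALL AUTH SET AUTH 'oidc-mysso1' {SET ID 'bobsUniqueMySso1Id'};",
    "ALTER USER bob REMOVE ALL AUTH SET STATUS ACTIVE;",
    "ALTER USERS bob, alice IF EXISTS;",
    "ALTER USER bob SET PASSWORD 'REMOVE me 1234';",
]

if __name__ == "__main__":
    for stmt in SAMPLE_STATEMENTS:
        print(stmt, "->", lint_alter_user(stmt) or "ok")
```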

Changing the current user’s password

Users can change their password using ALTER CURRENT USER SET PASSWORD. The old password is required in addition to the new one, and either or both can be a string value or a string parameter. When a user executes this command it will change their password as well as set the CHANGE NOT REQUIRED flag.

ALTER CURRENT USER
SET PASSWORD FROM 'password1' TO 'password2';

This command works only for a logged-in user and cannot be run with auth disabled.

Delete users

Users can be deleted with DROP USER.

DROP USER bob;

Deleting a user does not automatically terminate associated connections, sessions, transactions, or queries.

However, when a user is deleted, it no longer appears on the list provided by SHOW USERS:

SHOW USERS;
Table 10. Result
| user | roles | passwordChangeRequired | suspended | home |
| --- | --- | --- | --- | --- |
| "neo4j" | ["admin","PUBLIC"] | true | false | <null> |

Rows: 1