Neo4j 4.1 introduces new features for security including role-based access control, schema-based security, and granular security for write operations. It also includes improvements to causal clustering, performance, and developer tools. This document reviews the history of releases from Neo4j 3.0 through 4.1 and highlights some of the main new capabilities in security, performance, and operations.
3. A Journey through Neo4j 3.X
Releases: 3.0 (Apr 2016), 3.1 (Dec 2016), 3.2 (May 2017), 3.3 (Oct 2017), 3.4 (May 2018), 3.5 (Nov 2018)
Causal Clustering
- N/A
- Causal Clustering released
- Multi-datacenter support
- Tiered replicas
- Least-connected load balancing
- ID re-use
- Multi-clustering
- Improved large Txn handling
Cypher & Performance
- User-Defined Procedures
- Increased relationship type limits
- Native Label index
- Node Keys
- Composite Indexes
- Depth query in DISTINCT function
- Compiled runtime
- Faster and less memory intensive runtime
- Native Numeric schema indexes
- Local locks for schema changes
- Datetime data types
- Spatial data types
- 70% faster Cypher reads (average)
- Native String schema index
- Full-text search
- Index-based ORDER BY
- Native index for all data types
- Improved large Txn handling
Security
- Native users and roles
- LDAP integration
- Kerberos authentication plugin
- Intra-cluster encryption
- Property blacklisting
- SNI / Hostname verification
- Cluster discovery service encryption
Developer
- Bolt (binary) Protocol w/ Java, JS, .NET, Python
- APOC v.1
- Bolt+routing
- Schema viewer within Browser
- Faster Neo4j Browser UI
- Offline bulk import performance improvements
- Neo4j Desktop
- Graph Algorithms v.1
- Go Driver
- New Graph Algorithms
Operations
- Official Debian packages
- View and manage running queries
- Execution guard for long running queries
- Detailed query metrics
- Official RPM packages
- IPv6 Support
- Dynamic config settings
- Off-heap page cache metadata
- Rolling Upgrades
- Improved online backup performance (in CC)
Deprecations
- HA
- HTTP endpoints
- File based authentication and authorization
4. A new Journey has just started: Neo4j 4.X
Releases: 4.0 (Jan 2020), 4.1 (Jun 2020)
Causal Clustering
- Improved Cluster performance
- Support for multi-database in clusters
- Embedded Causal Cluster
- Cluster leadership control and balancing
Cypher & Performance
- System Database and administration commands
- Sharding & Federation
- New index population algorithm
- Subquery improvements
- Query replanning options
- New Cypher runtime
Security
- Role-Based Access control and user management
- Schema-based security
- Granular security for Read operations
- Granular security for Write operations
- Role-Based Access Control for Database, User and Privilege Management
- PUBLIC role
Developer
- Reactive architecture with back-pressure and flow control for Java, JavaScript and .NET drivers
- New Spring Boot Starter
- SDN/RX
- New Python driver
- SDN/RX GA release
Operations
- Multi-tenancy through multi-database
- Clusterwide metadata repository (“system Database”)
- Cypher administration commands
- neo4j:// scheme
- Transaction log folders
- New memory management tooling
- Improved administration commands
Deprecations
- REST API
- Security procedures
5. Long Term, Short Term and Extended Support
• Starting with Neo4j 3.5, we introduced a multi-tier term support structure:
• STS - Short Term Support: All versions of Neo4j have a minimum support of 18 months
  • For every version Neo4j provides regular patches and fixes issues
• LTS - Long Term Support: The last minor release of a major release has a minimum support of 36 months
  • For this version Neo4j provides regular patches and fixes issues for a longer period
• ETS - Extended Term Support: Customers with Platinum Support agreement may submit issues and request patches for 36 instead of 18 months
  • Neo4j provides patches on demand
Release numbers and dates are only examples
6. 4.1 Main Features
(Enterprise-only features are shown in green on the original slide.)
Cluster
• Embedded Causal Cluster
• Cluster leadership control and balancing
• Rolling Upgrades
Kernel & Generic
• New memory management tooling
• Database router
Security
• Granular security for Write operations
• Role-Based Access Control for Database, User and Privilege Management
• PUBLIC role
Cypher
• Query replanning options
• Pipelined runtime for READ operators
• Improved SHOW commands
Other
• 4.1 drivers: Java, .NET, JS
• Python 4.X driver / GO 1.8 driver
• SDN-RX GA
• APOC in db package
7. Role-Based Access Control and Schema-Based Security
Role-Based Access Control for Neo4j 4.X (i.e. not only 4.0 & 4.1):
• Security applied to cluster, server and graph components:
  • Configuration, Users, Databases, Libraries, Procedures
  • Graphs, Nodes, Relationships, Properties
  • Property Name/Value pairs
  • Grant/Deny access to graph component(s) with property with value X
• Role-Based Access Control (RBAC) approach: combination of Permission - Entity - User
• Use of GRANT/DENY and REVOKE commands
• Privileges are associated to roles, roles are associated to users
• Rules cascade:
  • Server/Cluster > Database > Graph > Node > Property
  • Server/Cluster > Database > Graph > Relationship > Property
  • Library > Procedure
• Security rules are causally consistent
8. Schema-Based Security
GRANT ROLE name[,...] TO grantee
GRANT dbms-privilege ON DBMS TO grantee
GRANT database-privilege ON DATABASE[S] *|name TO grantee
GRANT graph-privilege ON GRAPH[S] *|name ELEMENT[S]|NODE[S]|RELATIONSHIP[S] *|name[,...] TO grantee
9. Granular Security for Write Operations
What is it
In 4.0, roles/users could only be granted an all-write privilege for a graph.
In 4.1, write operations can be identified by type and granted for graphs and graph elements.
Enterprise Edition only
What is it for
Graphs accessed by multiple users and applications, requiring more granular control over the operations they are allowed to execute.
14. Graph Privileges
Privilege keywords:
TRAVERSE, READ, MATCH, CREATE, DELETE, MERGE, SET PROPERTY, SET LABEL, REMOVE LABEL, WRITE, ALL [[GRAPH] PRIVILEGES]
Syntax elements:
{*|property-name[,...]}
*|label-name[,...]
ON GRAPH[S] *|name[,...]
ELEMENT[S] | NODE[S] | RELATIONSHIP[S] *|name[,...]
TO grantee
Examples:
GRANT MATCH {*} ON GRAPH gr1 TO role1
GRANT SET PROPERTY {*} ON GRAPH gr1 NODE * TO role1
DENY SET PROPERTY {p1} ON GRAPH gr1 NODES n3,n4 TO role1
DENY SET PROPERTY {ssn} ON GRAPH gr1 NODES * TO role1
DENY READ {ssn} ON GRAPH gr1 NODES * TO role1
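An added example, not part of the original slides and not Neo4j's implementation: a small Python model of how the five statements above combine for role1. It assumes that a matching DENY overrides any GRANT, that MATCH stands for TRAVERSE plus READ, and that each node has one label (relationships are left out); the `auditor` role and the user `anna` are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    access: str        # "GRANT" or "DENY"
    action: str        # "MATCH", "TRAVERSE", "READ" or "SET PROPERTY"
    props: frozenset   # property names covered by the rule, or {"*"}
    labels: frozenset  # node labels covered by the rule, or {"*"}
    role: str


def rule(access, action, props, labels, role):
    return Rule(access, action, frozenset(props), frozenset(labels), role)


RULES = [
    # The five statements from the slide, for role1 on graph gr1.
    rule("GRANT", "MATCH", {"*"}, {"*"}, "role1"),
    rule("GRANT", "SET PROPERTY", {"*"}, {"*"}, "role1"),
    rule("DENY", "SET PROPERTY", {"p1"}, {"n3", "n4"}, "role1"),
    rule("DENY", "SET PROPERTY", {"ssn"}, {"*"}, "role1"),
    rule("DENY", "READ", {"ssn"}, {"*"}, "role1"),
    # Hypothetical second role: a GRANT held through another role
    # does not lift a DENY.
    rule("GRANT", "READ", {"ssn"}, {"*"}, "auditor"),
]

# Constructed assignments; "anna" and "auditor" are hypothetical.
USER_ROLES = {"valerio": {"role1"}, "anna": {"role1", "auditor"}}


def expand(r):
    """Treat MATCH as TRAVERSE plus READ on the same scope."""
    if r.action != "MATCH":
        return [r]
    return [
        Rule(r.access, "TRAVERSE", frozenset({"*"}), r.labels, r.role),
        Rule(r.access, "READ", r.props, r.labels, r.role),
    ]


def matches(r, action, prop, label):
    return (
        r.action == action
        and ("*" in r.props or prop in r.props)
        and ("*" in r.labels or label in r.labels)
    )


def allowed(user, action, label, prop=None):
    """True if some role grants the operation and no role denies it."""
    roles = USER_ROLES.get(user, set())
    hits = [
        e
        for r in RULES
        if r.role in roles
        for e in expand(r)
        if matches(e, action, prop, label)
    ]
    if any(h.access == "DENY" for h in hits):
        return False
    return any(h.access == "GRANT" for h in hits)


def report(user):
    """Decisions for a fixed set of probes: (action, label, prop, allowed)."""
    probes = [
        ("SET PROPERTY", "n1", "p1"),
        ("SET PROPERTY", "n3", "p1"),
        ("SET PROPERTY", "n1", "ssn"),
        ("READ", "n1", "ssn"),
        ("READ", "n1", "name"),
        ("TRAVERSE", "n1", None),
    ]
    return [(a, l, p, allowed(user, a, l, p)) for a, l, p in probes]
```

`report("valerio")` shows which writes and reads survive the DENY statements; `anna` holds an extra GRANT on `ssn` and is still refused.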
15. Role-Based Access Control for Databases
What is it
Granular security to assign privileges to administrators and operators at database level.
Valid for:
• Database access/start/stop
• CREATE/DROP indexes and constraints
• CREATE labels, types and property keys
• Transactions management
Enterprise Edition only
What is it for
• For operators with limited power compared to full power administrators.
• For SaaS and multi-tenant environments, operators may have administrative privileges on their own databases without the option to access users’ data.
16. Database Privileges
Privileges:
ACCESS
START
STOP
CREATE INDEX[ES]
DROP INDEX[ES]
INDEX[ES] [MANAGEMENT]
CREATE CONSTRAINT[S]
DROP CONSTRAINT[S]
CONSTRAINT[S] [MANAGEMENT]
CREATE NEW [NODE] LABEL[S]
CREATE NEW [RELATIONSHIP] TYPE[S]
CREATE NEW [PROPERTY] NAME[S]
NAME [MANAGEMENT]
SHOW TRANSACTION[S] (*|user[,...])
TERMINATE TRANSACTION[S] (*|user[,...])
TRANSACTION [MANAGEMENT] (*|user[,...])
ALL [[DATABASE] PRIVILEGES]
Scope: ON DEFAULT DATABASE | DATABASE[S] (*|name[,...])
Grantee: TO grantee
17. Database Privileges
// User valerio has role1
valerio@neo4j> SHOW USER PRIVILEGES;
neo4j@neo4j> CALL apoc.util.sleep(1000000);
// User valerio can see own query, not query run by user neo4j
valerio@neo4j> CALL dbms.listQueries() YIELD queryId, username, elapsedTimeMillis, status;
// role1 granted TRANSACTION MANAGEMENT privilege
neo4j@neo4j> GRANT SHOW TRANSACTION ON DATABASE neo4j TO role1;
// User valerio can see query run by user neo4j
valerio@neo4j> CALL dbms.listQueries() YIELD queryId, username, elapsedTimeMillis, status;
18. More DBMS Privileges
What is it
Granular security for privileges assigned to
operators for administration commands.
• User management: set password, user
status
• Privilege management: assign, remove,
show privileges
• Database management: CREATE and
DROP databases
What is it for
• For operators with limited power compared
to full power administrators.
• For SaaS and multi-tenant environments,
operators may have administrative
privileges on their own databases without
the option to access users’ data.
Enterprise Edition only
20. DBMS Privileges
Privileges:
CREATE | DROP DATABASE
DATABASE MANAGEMENT
CREATE | ALTER | DROP | SHOW USER
SET PASSWORD[S]
SET USER STATUS
USER MANAGEMENT
CREATE | DROP | SHOW | ASSIGN | REMOVE ROLE
ROLE MANAGEMENT
ASSIGN | REMOVE | SHOW PRIVILEGE
PRIVILEGE MANAGEMENT
ALL [DBMS] PRIVILEGES
Scope: ON DBMS
Grantee: TO grantee
valerio@neo4j> SHOW USER PRIVILEGES;
valerio@neo4j> DROP ROLE role1;
Permission denied.
neo4j@neo4j> GRANT DROP ROLE ON DBMS TO role1;
valerio@neo4j> DROP ROLE role1;
0 rows available after 3 ms, consumed after another 0 ms
21. DBMS Privileges
valerio@neo4j> SHOW USER PRIVILEGES;
valerio@neo4j> CREATE USER john SET PASSWORD 'abc';
Permission denied.
neo4j@neo4j> GRANT CREATE USER ON DBMS TO role1;
valerio@neo4j> CREATE USER john SET PASSWORD 'abc';
0 rows available after 12 ms, consumed after another 0 ms
22. Schema-Based Security Example
CREATE ROLE Baseline_Personnel_Security_Standard;
CREATE ROLE Security_Check;
CREATE ROLE Counter_Terrorism_Check;
CREATE ROLE Developed_Vetting;
GRANT TRAVERSE ON GRAPH * ELEMENTS * TO
Baseline_Personnel_Security_Standard;
GRANT TRAVERSE ON GRAPH * ELEMENTS * TO Security_Check;
GRANT TRAVERSE ON GRAPH * ELEMENTS * TO Counter_Terrorism_Check;
GRANT TRAVERSE ON GRAPH * ELEMENTS * TO Developed_Vetting;
GRANT READ {*} ON GRAPH * NODES BPSS TO
Baseline_Personnel_Security_Standard;
GRANT READ {*} ON GRAPH * NODES SC TO Security_Check;
GRANT READ {*} ON GRAPH * NODES CTC TO Counter_Terrorism_Check;
GRANT READ {*} ON GRAPH * NODES DV TO Developed_Vetting;
23. Schema-Based Security Example
Roles: Baseline_Personnel_Security_Standard, Security_Check, Counter_Terrorism_Check, Developed_Vetting
Users: emil, jake, philip
GRANT ROLE Baseline_Personnel_Security_Standard TO jake, philip, emil;
GRANT ROLE Security_Check TO philip, emil;
GRANT ROLE Counter_Terrorism_Check TO philip, emil;
GRANT ROLE Developed_Vetting TO emil;
28. Schema-Based Security Example: TRAVERSE
GRANT MATCH {*} ON GRAPH neo4j TO me;
DENY TRAVERSE ON GRAPH neo4j RELATIONSHIP TYPE_1 TO me;
me@neo4j> MATCH (s)-[r]->(d)
RETURN s,r,d
ORDER BY s.p0, d.p0;
+-------------------------------------------------------+
| s | r | d |
+-------------------------------------------------------+
| (:A {p0: "Node A"}) | [:TYPE_2] | (:B {p0: "Node B"}) |
| (:A {p0: "Node A"}) | [:TYPE_4] | (:C {p0: "Node C"}) |
| (:B {p0: "Node B"}) | [:TYPE_3] | (:E {p0: "Node E"}) |
| (:C {p0: "Node C"}) | [:TYPE_5] | (:D {p0: "Node D"}) |
| (:D {p0: "Node D"}) | [:TYPE_6] | (:E {p0: "Node E"}) |
+-------------------------------------------------------+
me@neo4j> MATCH (s:A),(d:E), p = shortestPath( (s)-[*]->(d) ) RETURN p;
+-----------------------------------------------------------------------------------+
| p |
+-----------------------------------------------------------------------------------+
| (:A {p0: "Node A"})-[:TYPE_2]->(:B {p0: "Node B"})-[:TYPE_3]->(:E {p0: "Node E"}) |
+-----------------------------------------------------------------------------------+
29. Schema-Based Security Example: TRAVERSE
GRANT MATCH {*} ON GRAPH neo4j TO me;
DENY TRAVERSE ON GRAPH neo4j RELATIONSHIP TYPE_1 TO me;
DENY TRAVERSE ON GRAPH neo4j RELATIONSHIP TYPE_2 TO me;
me@neo4j> MATCH (s)-[r]->(d)
RETURN s,r,d
ORDER BY s.p0, d.p0;
+-------------------------------------------------------+
| s | r | d |
+-------------------------------------------------------+
| (:A {p0: "Node A"}) | [:TYPE_4] | (:C {p0: "Node C"}) |
| (:B {p0: "Node B"}) | [:TYPE_3] | (:E {p0: "Node E"}) |
| (:C {p0: "Node C"}) | [:TYPE_5] | (:D {p0: "Node D"}) |
| (:D {p0: "Node D"}) | [:TYPE_6] | (:E {p0: "Node E"}) |
+-------------------------------------------------------+
me@neo4j> MATCH (s:A),(d:E), p = shortestPath( (s)-[*]->(d) ) RETURN p;
+------------------------------------------------------------------------------------------------------------------+
| p |
+------------------------------------------------------------------------------------------------------------------+
| (:A {p0: "Node A"})-[:TYPE_4]->(:C {p0: "Node C"})-[:TYPE_5]->(:D {p0: "Node D"})-[:TYPE_6]->(:E {p0: "Node E"}) |
+------------------------------------------------------------------------------------------------------------------+
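An added example, not part of the original slides: a Python sketch that reproduces the two shortestPath results above by running a breadth-first search over only the relationships the user may traverse. The query returns a different, longer path rather than an error as more types are denied. The endpoints of TYPE_1 (A to E) are an assumption, since that relationship never appears in the slide output.

```python
from collections import deque

# Relationships visible in the slide output. TYPE_1 is denied in both
# runs and never shown, so its endpoints (A -> E) are an assumption
# made for this example.
EDGES = [
    ("A", "TYPE_1", "E"),
    ("A", "TYPE_2", "B"),
    ("A", "TYPE_4", "C"),
    ("B", "TYPE_3", "E"),
    ("C", "TYPE_5", "D"),
    ("D", "TYPE_6", "E"),
]


def visible_edges(denied_types):
    """Relationships the user can traverse once DENY TRAVERSE is applied."""
    return [e for e in EDGES if e[1] not in denied_types]


def shortest_path(src, dst, denied_types=frozenset()):
    """Breadth-first search over the visible relationships only.

    Returns the path as [node, type, node, ...], or None when the target
    cannot be reached with what the user is allowed to traverse.
    """
    adjacency = {}
    for start, rel_type, end in visible_edges(denied_types):
        adjacency.setdefault(start, []).append((rel_type, end))

    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == dst:
            return path
        for rel_type, nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [rel_type, nxt])
    return None


if __name__ == "__main__":
    for denied in (set(), {"TYPE_1"}, {"TYPE_1", "TYPE_2"}):
        print(sorted(denied), shortest_path("A", "E", denied))
```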
30. New PUBLIC Built-in Role
What is it
PUBLIC is a new built-in role that all users always have assigned.
PUBLIC can be modified, but cannot be removed.
PUBLIC cannot be revoked from users.
Default setting for PUBLIC is:
GRANT ACCESS ON DEFAULT DATABASE TO PUBLIC
What is it for
• The PUBLIC role is automatically associated with new users, hence administrators can easily set up users with a common security profile.
• Other roles do not need to set all the privileges required by a user to operate; they can build on top of the PUBLIC role.
• Administrators can set up or modify the PUBLIC role in order to modify the standard security for the DBMS and all their users.
Enterprise Edition only
31. PUBLIC Role Example (customisation)
The default PUBLIC role is:
GRANT ACCESS ON DEFAULT DATABASE TO PUBLIC;
This PUBLIC role gives users a subset of administrative privileges:
GRANT INDEX MANAGEMENT ON DATABASE neo4j TO PUBLIC;
GRANT CONSTRAINT MANAGEMENT ON DATABASE neo4j TO PUBLIC;
GRANT NAME MANAGEMENT ON DATABASE neo4j TO PUBLIC;
GRANT TRANSACTION MANAGEMENT ON DATABASE neo4j TO PUBLIC;
GRANT USER MANAGEMENT ON DBMS TO PUBLIC;
GRANT ALL GRAPH PRIVILEGES ON GRAPH neo4j TO PUBLIC;
32. Improvements in SHOW Commands
What is it
SHOW commands can now filter rows and columns:
• SHOW DATABASES
• SHOW PRIVILEGES
• SHOW ROLES
• SHOW USERS
SHOW ROLE reader PRIVILEGES
YIELD access, resource, segment, action // Filter columns
WHERE access = 'GRANTED' // Filter rows
AND action = 'match';
What is it for
Improve user experience: some SHOW commands generate a lot of output that can be difficult to read.
33. Rolling Upgrades Are Back
What is it
Clusters support instances with different versions
of Neo4j, enabling zero-down time upgrades:
• Each instance is individually upgraded, and
involves downtime of the instance alone
• The cluster works with a mix of 4.0 and 4.1
instances
• Shared resources, the system database, are
upgraded in a later step
• CALL dbms.upgradeStatus
• CALL dbms.upgrade
What is it for
To support a zero down-time upgrade of
clusters, maximizing availability.
To control the upgrade procedure in a
more sophisticated clustered environment,
i.e. with the system database and shared
information and configuration.
34. Memory Management
What is it
Memory accounting: track Java heap used by Neo4j
• Estimate memory used
• Configure thresholds:
  • Per DBMS: dbms.memory.transaction.global_max_size
  • Per Database: dbms.memory.transaction.database_max_size
  • Per Transaction: dbms.memory.transaction.max_size
• Any query that brings memory used above threshold is killed
• Show memory used in PROFILE, dbms.listTransactions(), dbms.listPools()
What is it for
• Avoid Out Of Memory errors
• Manage fairness across databases
• Manage fairness across transactions
NOTE: in 4.1 the default setting for the transaction state memory allocation is:
dbms.tx_state.memory_allocation=ON_HEAP
Although it is still possible to allocate off heap memory, this is the recommended setting for the majority of use cases.
35. Show memory used examples (1)
neo4j@neo4j> CALL dbms.listPools();
neo4j@neo4j> CALL dbms.listTransactions() yield estimatedUsedHeapMemory;
36. Show memory used examples (2)
PROFILE MATCH (julia {name: "Julia Roberts"})
RETURN julia;
37. Embedded Causal Cluster
What is it
• A way to embed a clustering version of
Neo4j as a library within an application
• New Factory code plus documentation on
how to migrate an HA cluster to a Causal
Cluster
What is it for
A more reliable, more robust solution for high
availability and scalability for applications
using Neo4j Embedded.
Enterprise Edition only
38. Cluster Leadership Control and Balancing
What is it
• Leadership Transfer Extension: extension to
raft protocol that allows servers to transfer
leadership
• Control leadership based on user priorities
• In multiple databases scenario, balance
leadership equally or based on user priorities
What is it for
• Sometimes a leader must step down (e.g.
maintenance). The leader will now avoid a
new election delay by passing leadership
before stepping down.
• Some servers might be more suitable to
become leaders than others. That preference
can now be configured.
• In clusters with several (possibly hundreds) of
databases, it is now possible to load balance
leadership load.
39. Scenario 1: Load Balancing Leadership
a. The load-balancer algorithm runs
periodically and if needed requests transfer
of leaderships.
b. When a leader steps down, leadership is
passed to any suitable member, avoiding
election
i. Load-balancer can request transfer
CORE-1: F L F
CORE-2: L F F
CORE-3: F F L
(L = leader, F = follower; one letter per database)
Leaders load-balanced across servers!
causal_clustering.leadership_balancing=equal_balancing
# do NOT define priority groups for the databases
40. Scenario 2: Preferred Leaders
group1 (CORE-1, CORE-2, CORE-3):
CORE-1: F L F
CORE-2: L F F
CORE-3: F F L
# Assign servers to server_groups
causal_clustering.server_groups= group1
# declare r1 as the priority group for all databases
causal_clustering.leadership_priority_group.dbYellow=group1
causal_clustering.leadership_priority_group.dbGreen=group1
causal_clustering.leadership_priority_group.dbPink=group1
● Over time, the leader for the database will end up being a member of group1
○ Checks run periodically
○ Leadership transfer triggered when required.
● When a Leader steps down, it passes leadership to a member of the priority group
group2 (CORE-4, CORE-5): No Leaders!
CORE-4: F F F
CORE-5: F F F
# Assign servers to server_groups
causal_clustering.server_groups= group2
41. Cypher Query Replanning Options
What is it
Query replanning can now be controlled at
query time, letting users force or skip a
replan.
Replanning is a runtime option.
What is it for
In a mixed workload, batch scripts can force replanning using Cypher EXPLAIN commands:
CYPHER replan=force EXPLAIN MATCH ...
Similarly, user queries that require low latency can use the skip option:
CYPHER replan=skip MATCH ...
42. Pipelined Runtime for Read Operators
What is it
• Implemented a number of Read operators using the
Pipelined Cypher runtime:
• NestedPlanExpression
• OptionalExpandAll
• OrderedAggregation
• PartialSort
• PartialTop
• RollUpApply
• SemiApply
• AntiSemiApply
• Skip
• Union
• ValueHashJoin
• Total of 48 operators supported on Pipelined
• 8 operators are still missing for full Read support
What is it for
• Faster Read queries
• At the workload level (single instance LDBC), 4.1
improves throughput over 4.0 by 11-34% depending
on scale factor
• Most queries are faster
• For extremely fast (microsecond scale) queries,
slotted is sometimes faster.
Enterprise Edition only
44. Better description for EXPLAIN and PROFILE
What is it
A more readable and informational plan description per query
What is it for
Makes it easier to optimize query performance
45. Before ...
A lot of information, but very
spread out and sometimes
hard to relate to original query
46. … After
Details column with
operator specific
information
Multiple rows,
no truncation
Information about
variables, no need for
Variables column
Same format as the
query string
47. Database router
What is it
Cypher queries can access any database in the same DBMS, regardless of the database selected in the session.
Transactions can span across databases (multi-read, single-write, NO multi-write allowed).
Admin commands can be executed from any session without the need to select the system database first.
Server Side Routing: queries can be directed to any cluster member, and will be redirected automatically
• E.g. Write query directed to FOLLOWER will be forwarded to LEADER
What is it for
• Seamless multi-db experience
• Simplify user experience when working with multi-databases.
• Over time, server side routing should simplify writing drivers for new languages.
48. Examples
neo4j@foo> :BEGIN
neo4j@foo# MATCH (n) RETURN n
+------------------------+
| n |
+------------------------+
| (:N1 {p0: "From foo"}) |
+------------------------+
neo4j@foo# MATCH (m) RETURN m
+------------------------+
| m |
+------------------------+
| (:N1 {p0: "From foo"}) |
+------------------------+
neo4j@foo# USE bar
MATCH (p) RETURN p
+------------------------+
| m |
+------------------------+
| (:N1 {p0: "From bar"}) |
+------------------------+
neo4j@foo# :COMMIT
neo4j@foo>
// Single session
// with db selection: ‘foo’
MATCH (n) RETURN n
------------------------
// no need to connect to ‘bar’
USE bar CALL db.indexes
------------------------
// no need to connect to ‘system’
CREATE ROLE basic
Transaction timeline across the two databases:
foo | bar
---------+--------
BEGIN | ***
MATCH | ***
MATCH | ***
--- | BEGIN + MATCH
COMMIT | COMMIT
49. Drivers 4.1
What is it
• New set of drivers that give access to the 4.1 features
• Java
• .NET
• JS
• New version of Bolt server
What is it for
• Access to the database router feature (see previous slides)
• Single instance deployments no longer advertise themselves as localhost (by default)
50. Examples of new Bolt features use cases
Use case 1: preserve connections with active long running transactions
• Idle connections might be killed by network providers (e.g. AWS)
• Neo4j 4.1 can send “empty” messages to keep the connection alive.
• Disabled by default
# Frequency of Empty message to be sent
dbms.connector.bolt.connection_keep_alive=1m
# How often to check open transactions idleness
dbms.connector.bolt.connection_keep_alive_scheduling_interval=1m
Use case 2: prevent an attacker from consuming resources on the server
• A client completes the initial handshake but does not follow up with a successful authentication attempt.
• Neo4j 4.1 introduces timeouts for connection attempts.
dbms.connector.bolt.unsupported_unauth_connection_timeout=30s
51. Python Driver 4.0
What is it
The new Python driver now offers:
• Multi-database support
• Configurable fetch size
from neo4j import GraphDatabase

# Placeholder connection details; replace with your own URI and credentials.
driver = GraphDatabase.driver("neo4j://localhost:7687", auth=("neo4j", "password"))

with driver.session(database="example_database", fetch_size=10) as session:
    result = session.run("UNWIND range(1,100) AS x RETURN x")
    # The driver will ask for 10 records at a time over the network
    for record in result:
        print(record["x"])
What is it for
• Python users can specify which database they want to query against
• Python users can tune their memory consumption by configuring how much data they want to fetch each request.
52. GO Driver 1.8
What is it
The new Go driver is a rewrite of the existing functionality of 1.7 (that was based on C)
• Pure GO
• No change in client code required
The 1.8 driver also offers multi-database access.
What is it for
• Easier driver installation
• Bridge towards 4.x functionality
53. SDN-RX GA Release
What is it
New version of Neo4j SDN. Features:
● Reactive(/Imperative) programming model
● Mapping supported by Spring Data Core
library
● Immutable entities
● New Neo4j client and reactive client
feature, template over the plain driver
● Spring Boot Autostarter for Driver and
SDN-RX
What is it for
For Java developers who use the Spring
Framework or Spring Boot and want to take
advantage of reactive development principles.
• Communication driver-database can be
adjusted according to needs of the client
(Neo4jClient / Neo4jTemplate /
Repositories).
54. OpenCypher-DSL
What is it
• A DSL for generating openCypher
compatible Cypher statements in Java
• Spinout of SDN-RX
var node = node("Movie").named("m");
Cypher.match(node).returning(node).limit(1)...
What is it for
• Programmatically build Cypher statements without string concat madness
• Reuse query components over and over
again
• Already used by Neo4j GraphQL project
55. APOC core in db package (coming 4.1.1)
What is it
• A subset of APOC (apoc-core) packaged with the main product.
• apoc-core.jar in labs sub-folder
• APOC maintains current “Neo4j Labs” terms and conditions.
What is it for
• Remove the issue of multiple downloads to take full advantage of extra functions and procedures.
• Reduce risks of using wrong versions, missing updates etc.
56. Platform Compatibility
Graph Data Science:
- Public preview release of 4.1 compatible jar by end of June
Aura:
- Intended launch simultaneously with 4.1 GA
Bloom:
- Bloom 1.3.x is intended to be compatible with Neo4j 4.1