neo4j · renetapopova · Feb 28, 2024 · Feb 27, 2024
diff --git a/modules/ROOT/pages/authentication-authorization/access-control.adoc b/modules/ROOT/pages/authentication-authorization/access-control.adoc
@@ -224,10 +224,14 @@ Then you need to *deny* the two specific actions this role is not supposed to pe
 * Read any patients' social security number (`SSN`).
 * Submit medical diagnoses.
 
+As well as the ability for the `itadmin` to amend their own privileges.
+
 [source, cypher, role=systemcmd]
 ----
 DENY READ {ssn} ON GRAPH healthcare NODES Patient TO itadmin;
 DENY CREATE ON GRAPH healthcare RELATIONSHIPS DIAGNOSIS TO itadmin;
+DENY ROLE MANAGEMENT ON DBMS TO itadmin;
+DENY PRIVILEGE MANAGEMENT ON DBMS TO itadmin;
 ----
 
 The complete set of privileges available to users assigned the `itadmin` role can be viewed using the following command:
@@ -253,6 +257,8 @@ SHOW ROLE itadmin PRIVILEGES AS COMMANDS;
 | "GRANT ALL DBMS PRIVILEGES ON DBMS TO `itadmin`"                        |
 | "DENY READ {ssn} ON GRAPH `healthcare` NODE Patient TO `itadmin`"       |
 | "DENY CREATE ON GRAPH `healthcare` RELATIONSHIP DIAGNOSIS TO `itadmin`" |
+| "DENY ROLE MANAGEMENT ON DBMS TO `itadmin`"                             |
+| "DENY PRIVILEGE MANAGEMENT ON DBMS TO `itadmin`"                        |
 +-------------------------------------------------------------------------+
 ----