Role Management

This page explains the procedures for various role management tasks under TigerGraph’s authorization model.

Create a local role

Syntax

CREATE ROLE <role_name> (, <role_name>)* [ON GRAPH <graph_name>]

Required privilege

WRITE_ROLE

Procedure

  1. To create a local role, run the CREATE ROLE command like below. If you choose not to specify a graph in the command, the current scope will be used as the scope of the role:

    GSQL > USE GRAPH example_graph
GSQL > CREATE ROLE role1, role2

This will create two roles named role1 and role2 on graph example_graph. By default, these two roles do not have any privilege:

Successfully created local roles for graph 'example_graph': [role1, role2].

Create a global role

Syntax

CREATE ROLE <role_name> (, <role_name>)* ON GLOBAL

Required privilege

WRITE_ROLE on the global scope

Procedure

  1. To create a global role, run the CREATE ROLE command like below. Replace role1 with the name of the role you are creating.

CREATE ROLE role1 ON GLOBAL

This will create a role named role1 on the global scope. By default, this role has no privileges:

Successfully created global roles: [role1].

View privileges of a role

Syntax

SHOW PRIVILEGE ON ROLE <role_name> (, <role_name2>)*

Required privilege

READ_ROLE

Procedure

  1. To view the privileges of a role, run the SHOW PRIVILEGE ON ROLE command, and replace role1, role2 with the names of the roles whose privileges you want to view:

GSQL > SHOW PRIVILEGE ON ROLE role1 , role2

This will show the privileges of the role role1 and role2:

Role: "role1"
  - Graph 'tpc_graph' Privileges:
    WRITE_QUERY

Role: "role2"
This role has no privilege.

List all existing roles

Syntax

SHOW ROLE

Required privilege

READ_ROLE

Procedure

  1. To list all existing roles, first ensure that you are in the correct scope. Run USE <graph_name> or USE GLOBAL to switch to your desired scope.

  2. Run the SHOW ROLE command:

    GSQL > SHOW ROLE

This will show all the roles in your current scope:

  - Builtin Roles:
    observer
    queryreader
    querywriter
    designer
    admin
    globaldesigner
    superuser

  - User Defined Roles:
    - Graph 'tpc_graph' Roles:
      role1
      role2

Grant privileges to a role

Syntax

GRANT PRIVILEGE <privilege_name1> (, privilege_name2)*
        [ON GRAPH <graph_name>] TO <role_name1> (, <role_name2>)*

Require privilege

WRITE_ROLE

Procedure

  1. To grant privileges to a role, run the GRANT PRIVILEGE command from the GSQL shell:

    GSQL > GRANT PRIVILEGE WRITE_QUERY, WRITE_ROLE
        ON GRAPH example_graph TO role1 , role2

This will allow users with the roles role1 and role2 to edit and install queries, as well as modify roles on the graph example_graph. To see a full list of privileges and the command they allow users to run, see List of Privileges.

Revoke privileges from a role

Syntax

REVOKE PRIVILEGE <privilege_name1> (, privilege_name2)*
        [ON GRAPH <graph_name>] FROM <role_name1> (, <role_name2>)*

Required privilege

WRITE_ROLE

Procedure

  1. To revoke privileges from a role, run the REVOKE PRIVILEGE command from the GSQL shell:

    GSQL > REVOKE PRIVILEGE WRITE_QUERY
        ON GRAPH example_graph FROM role1

This will revoke the WRITE_QUERY privilege from the role role1 on graph example_graph.

Drop a role

Syntax

DROP ROLE <role_name> (, <role_name2>)*

Required privilege

WRITE_ROLE

Procedure

  1. To drop a role, run the DROP ROLE command from the GSQL shell:

    GSQL > DROP ROLE role1 , role2

This will drop the roles role1 and role2. This will also revoke the roles from users who have been granted these roles.