Roles and Privileges
TigerGraph uses Role-based Access Control (RBAC) to manage authorization. On every graph, privileges to perform actions are assigned to roles, and roles are granted to users. Outside of the permissions granted by their roles, a user has no access to the system.
Privileges
Privilege is permission to perform an action in a given scope. When a privilege is assigned to a role, it allows users with the role to perform the specified action in the specified scope. For example, the privilege READ_SCHEMA
on graph social
gives a user read permission to the schema of the graph social
. This allows the user to run commands such as ls
and SHOW VERTEX
on the graph.
To view a complete list of privileges available in TigerGraph and the commands they enable a user to run, see List of Legacy Privilege Syntax.
Global vs local privileges
The scope of a privilege can be global or local. Global privileges apply to all graphs and global objects. Local privileges only apply on the graph they belong to.
For example, a role with WRITE_QUERY
on graph social
can only create queries on graph social
, but not on other graphs. In contrast, a role with WRITE_QUERY
on the global scope can create queries on all graphs.
Local roles can only be granted local privileges, while global roles can be granted both local and global privileges.
Global-only privileges
Some privileges can only be global by nature. For example, since users are global objects, any user-related privileges are global only. To see which privileges are global-only, see List of Legacy Privilege Syntax.
Roles
A role is a collection of privileges you can assign to users to grant them permission to perform actions on specific resources.
Global vs local roles
Roles can be global or local. Local roles can only be granted local privileges, while global roles can be granted both local and global privileges.
For example, if a user creates a role manager
on the graph social
:
GSQL > CREATE ROLE manager ON GRAPH social
Successfully created roles: [manager].
This role can only be granted privileges on the graph social
. It cannot be granted global privileges.
Built-in roles
GSQL offers 5 built-in local roles and 2 built-in global roles. The built-in roles cannot be dropped. Below is a table of the built-in roles and their corresponding set of privileges.
Name | Global or Local | Privilege List |
---|---|---|
|
Local |
|
|
Local |
|
|
Local |
|
|
Local |
|
|
Local |
|
|
Global |
Designer’s privileges on global + drop graph created by the same user |
|
Global |
All supported privileges |
User-defined roles
Users can define roles with their own list of privileges they want to grant to the role. To learn how to create/drop user-defined roles and manage privileges for the roles, see Role Management.