Role Management
This page explains the procedures for common role management tasks under TigerGraph's role-based access control (RBAC) model.
To see role management tasks under the Access Control List (ACL) model, see ACL Management.
Create a local role
Procedure
- To create a local role, run the CREATE ROLE command as shown below. If you do not specify a graph in the command, the current scope is used as the scope of the role:

GSQL > USE GRAPH example_graph
GSQL > CREATE ROLE role1, role2

This creates two roles named role1 and role2 on graph example_graph. By default, these two roles have no privileges:

Successfully created local roles for graph 'example_graph': [role1, role2].
Create a global role
Procedure
- To create a global role, run the CREATE ROLE command with ON GLOBAL, as shown below. Replace role1 with the name of the role you are creating:

CREATE ROLE role1 ON GLOBAL

This creates a role named role1 in the global scope. By default, this role has no privileges:

Successfully created global roles: [role1].
View privileges of a role
Users with the READ_ROLE privilege in a scope can view the RBAC privileges of the roles in that scope.
Procedure
- To view the privileges of a role, run the SHOW PRIVILEGE ON ROLE command, replacing role1, role2 with the names of the roles whose privileges you want to view:

GSQL > SHOW PRIVILEGE ON ROLE role1, role2

This shows the privileges of the roles role1 and role2:

Role: "role1"
- Graph 'tpc_graph' Privileges:
WRITE_QUERY
Role: "role2"
This role has no privilege.
To view the ACL privileges of a role, see View ACL privileges of a role.
List all existing roles
Procedure
- To list all existing roles, first ensure that you are in the correct scope. Run USE <graph_name> or USE GLOBAL to switch to your desired scope.
- Run the SHOW ROLE command:

GSQL > SHOW ROLE

This shows all the roles in your current scope:

- Builtin Roles:
observer
queryreader
querywriter
designer
admin
globaldesigner
superuser
- User Defined Roles:
- Graph 'tpc_graph' Roles:
role1
role2
Grant privileges to a role
Users with the WRITE_ROLE privilege on a scope can grant RBAC privileges to the roles in that scope.
Syntax
GRANT PRIVILEGE <privilege_name1> (, <privilege_name2>)*
[ON GRAPH <graph_name>] TO <role_name1> (, <role_name2>)*
Procedure
- To grant privileges to a role, run the GRANT PRIVILEGE command from the GSQL shell:

GSQL > GRANT PRIVILEGE WRITE_QUERY, WRITE_ROLE ON GRAPH example_graph TO role1, role2

This allows users with the roles role1 and role2 to edit and install queries, and to modify roles, on the graph example_graph. Note that WRITE_ROLE on a scope lets its holder grant and revoke any privilege on any role in that scope, including the holder's own role, so it is effectively administrative control over that scope's RBAC; grant it only to roles that are meant to administer the graph. To see a full list of privileges and the commands they allow users to run, see List of Privileges.
To grant ACL privileges to a role, see Grant ACL privileges to a role.
Revoke privileges from a role
Users with the WRITE_ROLE privilege on a scope can revoke RBAC privileges from the roles in that scope.
Syntax
REVOKE PRIVILEGE <privilege_name1> (, <privilege_name2>)*
[ON GRAPH <graph_name>] FROM <role_name1> (, <role_name2>)*
Procedure
- To revoke privileges from a role, run the REVOKE PRIVILEGE command from the GSQL shell:

GSQL > REVOKE PRIVILEGE WRITE_QUERY ON GRAPH example_graph FROM role1

This revokes the WRITE_QUERY privilege from the role role1 on graph example_graph. Run SHOW PRIVILEGE ON ROLE role1 afterwards to confirm that only the intended privileges remain.
To revoke ACL privileges from a role, see Revoke ACL privileges from a role.
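The view, grant and revoke procedures above are usually run together when auditing a graph's roles: read what each role currently holds, compare it with what it should hold, and issue the minimal set of GRANT PRIVILEGE / REVOKE PRIVILEGE statements. As an added example (not part of this page and not TigerGraph's own tooling), the Python below parses SHOW PRIVILEGE ON ROLE output in the layout shown above, flags roles that hold WRITE_ROLE on a graph, and generates the statements needed to bring roles in line with a desired least-privilege spec. The sample output, the role names, the graph name and the spec are constructed for the example; the statements are returned for review rather than executed, so they can be checked and then pasted into the GSQL shell.

```python
# Added example (not TigerGraph's own code): parse the output of
# SHOW PRIVILEGE ON ROLE, compare it with a desired least-privilege spec,
# and emit the GRANT/REVOKE PRIVILEGE statements that close the gap.
# The output layout follows the format shown on this page; the sample
# below is constructed, and the role names, graph name and spec are
# assumptions made for the example.
import re

# Constructed sample: what SHOW PRIVILEGE ON ROLE role1, role2 might print
# after role1 was granted both WRITE_QUERY and WRITE_ROLE on example_graph.
SAMPLE_SHOW_PRIVILEGE = """\
Role: "role1"
  - Graph 'example_graph' Privileges:
      WRITE_QUERY
      WRITE_ROLE
Role: "role2"
  This role has no privilege.
"""

ROLE_RE = re.compile(r'^Role:\s*"([^"]+)"')
GRAPH_RE = re.compile(r"^(?:-\s*)?Graph\s+'([^']+)'\s+Privileges:")
PRIV_RE = re.compile(r"^[A-Z][A-Z_]*$")

# Privileges whose holder can rewrite RBAC itself: WRITE_ROLE on a scope lets
# the holder grant or revoke any privilege on any role in that scope.
RBAC_ADMIN_PRIVILEGES = {"WRITE_ROLE"}


def parse_show_privilege(text):
    """Return {role: {graph: set(privilege)}} from SHOW PRIVILEGE ON ROLE output.

    A role with no privileges maps to an empty dict; the line
    'This role has no privilege.' is simply skipped.
    """
    privileges = {}
    role = graph = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line:
            continue
        if m := ROLE_RE.match(line):
            role, graph = m.group(1), None
            privileges.setdefault(role, {})
        elif m := GRAPH_RE.match(line):
            if role is None:
                raise ValueError(f"graph block before any role: {line!r}")
            graph = m.group(1)
            privileges[role].setdefault(graph, set())
        elif PRIV_RE.match(line) and role is not None and graph is not None:
            privileges[role][graph].add(line)
    return privileges


def rbac_admins(privileges):
    """Return {role: [graphs]} for roles able to change RBAC on a graph."""
    admins = {}
    for role, graphs in privileges.items():
        hits = sorted(g for g, privs in graphs.items() if privs & RBAC_ADMIN_PRIVILEGES)
        if hits:
            admins[role] = hits
    return admins


def reconcile(desired, actual, graph, allow_rbac_admin=()):
    """Return GRANT/REVOKE PRIVILEGE statements moving `actual` toward `desired`.

    desired: {role: set(privilege)} for `graph`. Roles seen in `actual` but
    missing from `desired` get an empty desired set, so stray privileges are
    revoked instead of silently kept. A spec that gives WRITE_ROLE to a role
    not listed in allow_rbac_admin is rejected, because that role could then
    grant itself every other privilege on the graph.
    """
    for role, privs in desired.items():
        escalating = privs & RBAC_ADMIN_PRIVILEGES
        if escalating and role not in allow_rbac_admin:
            raise ValueError(f"{role}: spec grants {sorted(escalating)} on {graph}")
    statements = []
    for role in sorted(set(desired) | set(actual)):
        want = set(desired.get(role, set()))
        have = set(actual.get(role, {}).get(graph, set()))
        extra, missing = sorted(have - want), sorted(want - have)
        # Revoke before granting so a role never transiently holds more than intended.
        if extra:
            statements.append(f"REVOKE PRIVILEGE {', '.join(extra)} ON GRAPH {graph} FROM {role}")
        if missing:
            statements.append(f"GRANT PRIVILEGE {', '.join(missing)} ON GRAPH {graph} TO {role}")
    return statements


if __name__ == "__main__":
    actual = parse_show_privilege(SAMPLE_SHOW_PRIVILEGE)
    print("Roles with RBAC admin rights:", rbac_admins(actual))
    desired = {"role1": {"WRITE_QUERY"}, "role2": {"READ_ROLE"}}
    for statement in reconcile(desired, actual, "example_graph"):
        print(statement)
```

The generator only emits the graph-scoped form of GRANT PRIVILEGE and REVOKE PRIVILEGE given in the syntax blocks above; this page does not show the clause for global roles, so global scope is not handled here. Parsing is deliberately lenient about indentation because the exact whitespace of the shell output is not fixed by the page.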