User Management
This page explains the procedures for various user management tasks under TigerGraph’s role-based access control (RBAC) model.
To see user management tasks under the Access Control List (ACL) model, see ACL Management.
Create a user
You can run the CREATE USER command to create a user.
The username cannot contain a space or any of the following characters: \ ( ) [ ] : < > ; , @ \r \n \f \t \\ \0 \b
It also cannot start with a dot (.) or contain multiple dots in a sequence.
You can use non-ASCII characters, such as Chinese and Kanji characters.
View role assignments and login attempts
The SHOW USER command displays the role assignments, as well as the login attempts, of the current user.
If the current user has the READ_USER privilege
Procedure
From the GSQL shell, run the SHOW USER command:
GSQL > SHOW USER
- Name: testUser
- Global Roles: superuser
- LastSuccessLogin: Thu Sep 22 12:43:07 UTC 2022
- NextValidLogin: Thu Sep 22 12:43:07 UTC 2022 (1)
- FailedAttempts: 0
- ShowAlterPasswordWarning: false
(1) The next time the user is allowed to attempt login. For more information, see Configuring Login Protection.
If the user running the command has the READ_USER privilege, information on all users is displayed.
Otherwise, only the current user’s information is displayed.
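The following Python script is an added example, not part of the TigerGraph documentation: it parses SHOW USER output in the field layout shown above and flags accounts that merit review (global superuser role, repeated failed logins, a NextValidLogin still in the future). The sample text is constructed; the one-block-per-user layout, the comma-separated role list, the etlUser account and the max_failed threshold are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample (etlUser is made up); assumes one block per user.
SAMPLE = """\
- Name: testUser
- Global Roles: superuser
- LastSuccessLogin: Thu Sep 22 12:43:07 UTC 2022
- NextValidLogin: Thu Sep 22 12:43:07 UTC 2022
- FailedAttempts: 0
- ShowAlterPasswordWarning: false
- Name: etlUser
- Global Roles: role1
- LastSuccessLogin: Wed Sep 21 08:10:00 UTC 2022
- NextValidLogin: Thu Sep 22 13:00:00 UTC 2022
- FailedAttempts: 5
- ShowAlterPasswordWarning: false
"""
TIME_FMT = "%a %b %d %H:%M:%S UTC %Y"

def parse_show_user(text):
    """Split SHOW USER output into one dict per user, keyed by field name."""
    users = []
    for line in text.splitlines():
        key, sep, value = line.strip().lstrip("- ").partition(":")
        if not sep:
            continue  # prompt lines and blanks carry no "key: value" pair
        if key.strip() == "Name":
            users.append({})  # a Name field opens a new user block
        if users:
            users[-1][key.strip()] = value.strip()
    return users

def audit(users, now, max_failed=3):
    """Return (user, finding) pairs. Assumed: threshold, comma-separated roles."""
    findings = []
    for u in users:
        roles = {r.strip() for r in u.get("Global Roles", "").split(",")}
        if "superuser" in roles:
            findings.append((u["Name"], "holds global superuser role"))
        failed = int(u.get("FailedAttempts", "0"))
        if failed >= max_failed:
            findings.append((u["Name"], f"{failed} failed login attempts"))
        nxt = u.get("NextValidLogin")
        if nxt and datetime.strptime(nxt, TIME_FMT).replace(tzinfo=timezone.utc) > now:
            findings.append((u["Name"], f"login blocked until {nxt}"))
    return findings

if __name__ == "__main__":
    print(audit(parse_show_user(SAMPLE), datetime.now(timezone.utc)))
```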
View privileges of a user
Users with the READ_USER privilege in a scope can view the RBAC privileges of the users in that scope.
Procedure
- From the GSQL shell, run the SHOW PRIVILEGE ON USER command:
GSQL > SHOW PRIVILEGE ON USER tigergraph
The above command will show the privileges of user tigergraph:
User: "tigergraph"
- Global Privileges:
READ_SCHEMA
WRITE_SCHEMA
READ_LOADINGJOB
EXECUTE_LOADINGJOB
WRITE_LOADINGJOB
READ_QUERY
WRITE_QUERY
READ_DATA
WRITE_DATA
WRITE_DATASOURCE
READ_ROLE
WRITE_ROLE
READ_USER
WRITE_USER
READ_PROXYGROUP
WRITE_PROXYGROUP
READ_FILE
WRITE_FILE
DROP_GRAPH
EXPORT_GRAPH
CLEAR_GRAPHSTORE
DROP_ALL
ACCESS_TAG
To view ACL privileges of a user, see View ACL privileges of a user.
Grant a role to a user/proxy group
Syntax
GRANT ROLE <role_name1> (, <role_name2>)* [ON GRAPH <graph_name>]
TO <username1> | <proxy_group_name1> (, <username2> | <proxy_group_name2>)*
Procedure
- Start the GSQL shell and make sure you are using the correct graph:
$ gsql
GSQL > USE GRAPH example_graph
- From the GSQL shell, run the GRANT ROLE command. You can grant multiple roles to multiple users:
GSQL > GRANT ROLE role1, role2 ON GRAPH example_graph TO user1, user2
The above command will grant roles role1 and role2 on graph example_graph to users user1 and user2.
Revoke a role from a user
Syntax
REVOKE ROLE <roleName1> (, <roleName2>)* [ON GRAPH <graphName>]
FROM <userName1> (, <userName2>)*
Procedure
- Start the GSQL shell and make sure you are using the correct graph:
$ gsql
GSQL > USE GRAPH example_graph
- From the GSQL shell, run the REVOKE ROLE command. You can revoke multiple roles from multiple users at the same time:
GSQL > REVOKE ROLE role1, role2 ON GRAPH example_graph FROM user1, user2
The above command will revoke roles role1 and role2 on graph example_graph from users user1 and user2.
Change a user’s password
Users can change their own passwords used for login without needing any privilege.
Users with the WRITE_USER privilege can change the passwords of other users.
Procedure
- From the GSQL shell, run the following command. Replace username with the user whose password you want to change:
GSQL > ALTER PASSWORD username
- Enter the new password in the prompt that follows.
To see how to change a user’s ACL password, see Change ACL password.