User Management
This page explains the procedures for various user management tasks under TigerGraph’s role-based access control (RBAC) model.
To see user management tasks under the Access Control List (ACL) model, see ACL Management.
Create a user
You can run the CREATE USER command to create a user.
The username cannot contain the following characters: \, ` `, (, ), [, ], :, <, >, ;, ,, @, \r, \n, \f, \t, \\, \0, \b.
It also cannot start with a dot (.) or have multiple dots in a sequence.
You can use non-ASCII characters, such as Chinese and Kanji characters.
View role assignments and login attempts
The SHOW USER command displays the role assignments, as well as the login attempts, of the current user.
If the current user has the READ_USER privilege
Procedure
From the GSQL shell, run the SHOW USER command:
GSQL > SHOW USER
- Name: testUser
- Global Roles: superuser
- LastSuccessLogin: Thu Sep 22 12:43:07 UTC 2022
- NextValidLogin: Thu Sep 22 12:43:07 UTC 2022 (1)
- FailedAttempts: 0
- ShowAlterPasswordWarning: false
(1) The next time the user is allowed to attempt login. For more information, see Configuring Login Protection.
If the user running the command has the READ_USER privilege, information on all users is displayed.
Otherwise, only the current user’s information is displayed.
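The SHOW USER fields above can be reviewed in bulk during an access audit. The following Python sketch is an added example, not part of the TigerGraph documentation: it parses captured SHOW USER output and lists accounts with failed attempts, a login delay still in effect, or the global superuser role. It assumes that multi-user output repeats the block shown above starting at each "- Name:" line and that multiple roles are comma-separated; the sample text and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample (assumption: each user's block starts with a "- Name:" line).
SAMPLE = """\
- Name: testUser
- Global Roles: superuser
- LastSuccessLogin: Thu Sep 22 12:43:07 UTC 2022
- NextValidLogin: Thu Sep 22 12:43:07 UTC 2022
- FailedAttempts: 0
- ShowAlterPasswordWarning: false
- Name: etlUser
- Global Roles: superuser
- LastSuccessLogin: Tue Sep 20 08:00:00 UTC 2022
- NextValidLogin: Thu Sep 22 13:10:00 UTC 2022
- FailedAttempts: 5
- ShowAlterPasswordWarning: true
"""

def parse_ts(text):
    """Parse the timestamp format shown in SHOW USER output (UTC)."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S UTC %Y").replace(tzinfo=timezone.utc)

def parse_show_user(output):
    """Split the output into one dict per user, keyed by field name."""
    users = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("- ") or ":" not in line:
            continue  # skip prompts, blank lines, anything that is not a field
        key, value = line[2:].split(":", 1)
        if key.strip() == "Name":
            users.append({})  # a Name field opens a new user block
        if users:
            users[-1][key.strip()] = value.strip()
    return users

def review(users, now):
    """Return (name, finding) pairs that deserve a second look."""
    findings = []
    for u in users:
        name = u.get("Name", "?")
        roles = [r.strip() for r in u.get("Global Roles", "").split(",") if r.strip()]
        if int(u.get("FailedAttempts", "0")) > 0:
            findings.append((name, "failed login attempts: " + u["FailedAttempts"]))
        if "NextValidLogin" in u and parse_ts(u["NextValidLogin"]) > now:
            findings.append((name, "login delayed until " + u["NextValidLogin"]))
        if "superuser" in roles:
            findings.append((name, "holds global superuser role"))
    return findings
```

Call review(parse_show_user(text), datetime.now(timezone.utc)) on output captured by a user with the READ_USER privilege so that all accounts are covered.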
View privileges of a user
Users with the READ_USER privilege in a scope can view the RBAC privileges of the users in that scope.
Procedure
- From the GSQL shell, run the SHOW PRIVILEGE ON USER command:
  GSQL > SHOW PRIVILEGE ON USER tigergraph
The above command will show the privileges of user tigergraph:
User: "tigergraph" - Global Privileges: READ_SCHEMA WRITE_SCHEMA READ_LOADINGJOB EXECUTE_LOADINGJOB WRITE_LOADINGJOB READ_QUERY WRITE_QUERY READ_DATA WRITE_DATA WRITE_DATASOURCE READ_ROLE WRITE_ROLE READ_USER WRITE_USER READ_PROXYGROUP WRITE_PROXYGROUP READ_FILE WRITE_FILE DROP_GRAPH EXPORT_GRAPH CLEAR_GRAPHSTORE DROP_ALL ACCESS_TAG
To view ACL privileges of a user, see View ACL privileges of a user.
Grant a role to a user/proxy group
Syntax
GRANT ROLE <role_name1> (, <role_name2>)* [ON GRAPH <graph_name>]
TO <username1> | <proxy_group_name1> (, <username2> | <proxy_group_name2>)*
Procedure
- Start the GSQL shell and make sure you are using the correct graph:
  $ gsql
  GSQL > USE GRAPH example_graph
- From the GSQL shell, run the GRANT ROLE command. You can grant multiple roles to multiple users:
  GSQL > GRANT ROLE role1, role2 ON GRAPH example_graph TO user1, user2
The above command will grant roles role1 and role2 on graph example_graph to users user1 and user2.
Revoke a role from a user
Syntax
REVOKE ROLE <roleName1> (, <roleName2>)* [ON GRAPH <graphName>]
FROM <userName1> (, <userName2>)*
Procedure
- Start the GSQL shell and make sure you are using the correct graph:
  $ gsql
  GSQL > USE GRAPH example_graph
- From the GSQL shell, run the REVOKE ROLE command. You can revoke multiple roles from multiple users at the same time:
  GSQL > REVOKE ROLE role1, role2 ON GRAPH example_graph FROM user1, user2
The above command will revoke roles role1 and role2 on graph example_graph from users user1 and user2.
Change a user’s password
Users can change their own passwords used for login without needing any privilege.
Users with the WRITE_USER privilege can change the passwords of other users.
Procedure
- From the GSQL shell, run the following command. Replace username with the user whose password you want to change:
  GSQL > ALTER PASSWORD username
- Enter the new password in the prompt that follows.
To see how to change a user’s ACL password, see Change ACL password.