Role Management
This page explains the procedures for various role management tasks under TigerGraph's authorization model.

Create a local role

Syntax
    CREATE ROLE <role_name> (, <role_name>)* [ON GRAPH <graph_name>]
Required privilege
WRITE_ROLE
Procedure
  1. To create a local role, run the CREATE ROLE command as shown below. If you do not specify a graph in the command, the current scope is used as the scope of the role:
        GSQL > USE GRAPH example_graph
        GSQL > CREATE ROLE role1, role2
This creates two roles named role1 and role2 on graph example_graph. By default, these two roles have no privileges:
    Successfully created local roles for graph 'example_graph': [role1, role2].

Create a global role

Syntax

    CREATE ROLE <role_name> (, <role_name>)* ON GLOBAL

Required privilege

WRITE_ROLE on the global scope

Procedure

  1. To create a global role, run the CREATE ROLE command as shown below. Replace role1 with the name of the role you are creating.
        CREATE ROLE role1 ON GLOBAL
This creates a role named role1 on the global scope. By default, this role has no privileges:
    Successfully created global roles: [role1].

View privileges of a role

Syntax
    SHOW PRIVILEGE ON ROLE <role_name> (, <role_name2>)*
Required privilege
READ_ROLE
Procedure
  1. To view the privileges of a role, run the SHOW PRIVILEGE ON ROLE command, replacing role1, role2 with the names of the roles whose privileges you want to view:
        GSQL > SHOW PRIVILEGE ON ROLE role1 , role2
This shows the privileges of the roles role1 and role2:
    Role: "role1"
    - Graph 'tpc_graph' Privileges:
    WRITE_QUERY

    Role: "role2"
    This role has no privilege.

List all existing roles

Syntax
    SHOW ROLE
Required privilege
READ_ROLE
Procedure
  1. To list all existing roles, first ensure that you are in the correct scope. Run USE GRAPH <graph_name> or USE GLOBAL to switch to your desired scope.
  2. Run the SHOW ROLE command:
        GSQL > SHOW ROLE
This shows all the roles in your current scope:
    - Builtin Roles:
    observer
    queryreader
    querywriter
    designer
    admin
    globaldesigner
    superuser

    - User Defined Roles:
    - Graph 'tpc_graph' Roles:
    role1
    role2

Grant privileges to a role

Syntax
    GRANT PRIVILEGE <privilege_name1> (, <privilege_name2>)*
    [ON GRAPH <graph_name>] TO <role_name1> (, <role_name2>)*
Required privilege
WRITE_ROLE
Procedure
  1. To grant privileges to a role, run the GRANT PRIVILEGE command from the GSQL shell:
        GSQL > GRANT PRIVILEGE WRITE_QUERY, WRITE_ROLE
        ON GRAPH example_graph TO role1 , role2
This allows users with the roles role1 and role2 to edit and install queries, as well as modify roles on the graph example_graph. For a full list of privileges and the commands they allow users to run, see List of Privileges.
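
As an added example (not part of the TigerGraph documentation), the following Python script parses SHOW PRIVILEGE ON ROLE output in the format shown earlier on this page and flags roles that hold WRITE_ROLE, the privilege this page lists as required to create roles, grant and revoke privileges, and drop roles, along with roles that have no privileges. The sample text is constructed, role3 is a hypothetical role, and treating each line under a scope header as one or more comma-separated privilege names is an assumption.

```python
import re

# The page lists WRITE_ROLE as the privilege required for CREATE ROLE,
# GRANT PRIVILEGE, REVOKE PRIVILEGE and DROP ROLE.
ROLE_ADMIN_PRIVS = {"WRITE_ROLE"}
ROLE_RE = re.compile(r'^Role:\s*"([^"]+)"')
SCOPE_RE = re.compile(r"^-\s*(.+?) Privileges:$")  # e.g. - Graph 'g' Privileges:

# Constructed sample following the page's output format; role3 is hypothetical.
SAMPLE = """Role: "role1"
- Graph 'example_graph' Privileges:
WRITE_QUERY
WRITE_ROLE

Role: "role2"
This role has no privilege.

Role: "role3"
- Graph 'example_graph' Privileges:
WRITE_QUERY
"""

def parse_show_privilege(text):
    """Return {role: {scope_label: set(privileges)}}."""
    roles, role, scope = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ROLE_RE.match(line)
        if m:  # a new role block starts; reset the current scope
            role, scope = m.group(1), None
            roles[role] = {}
        elif not line or role is None or line == "This role has no privilege.":
            continue
        elif SCOPE_RE.match(line):
            scope = SCOPE_RE.match(line).group(1)
            roles[role][scope] = set()
        elif scope is not None:
            # Assumption: one privilege per line, or a comma-separated list.
            roles[role][scope].update(p.strip() for p in line.split(",") if p.strip())
    return roles

def review(roles):
    """Return sorted (role, scope, issue) findings for a least-privilege review."""
    findings = []
    for role, scopes in roles.items():
        if not any(scopes.values()):
            findings.append((role, None, "no privileges"))
        for scope, privs in scopes.items():
            for priv in sorted(privs & ROLE_ADMIN_PRIVS):
                findings.append((role, scope, "holds " + priv))
    return sorted(findings, key=lambda f: (f[0], f[1] or ""))

if __name__ == "__main__":
    for finding in review(parse_show_privilege(SAMPLE)):
        print(finding)
```
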

Revoke privileges from a role

Syntax
    REVOKE PRIVILEGE <privilege_name1> (, <privilege_name2>)*
    [ON GRAPH <graph_name>] FROM <role_name1> (, <role_name2>)*
Required privilege
WRITE_ROLE
Procedure
  1. To revoke privileges from a role, run the REVOKE PRIVILEGE command from the GSQL shell:
        GSQL > REVOKE PRIVILEGE WRITE_QUERY
        ON GRAPH example_graph FROM role1
This will revoke the WRITE_QUERY privilege from the role role1 on graph example_graph.

Drop a role

Syntax
    DROP ROLE <role_name> (, <role_name2>)*
Required privilege
WRITE_ROLE
Procedure
  1. To drop a role, run the DROP ROLE command from the GSQL shell:
        GSQL > DROP ROLE role1 , role2
This drops the roles role1 and role2 and also revokes them from any users who have been granted these roles.