Roles and Privileges
TigerGraph uses Role-based Access Control (RBAC) to manage authorization. On every graph, privileges to perform actions are assigned to roles, and roles are granted to users. Outside of the permissions granted by their roles, a user has no access to the system.

Privileges

Privilege is permission to perform an action in a given scope. When a privilege is assigned to a role, it allows users with the role to perform the specified action in the specified scope. For example, the privilege READ_SCHEMA on graph social gives a user read permission to the schema of the graph social. This allows the user to run commands such as ls and SHOW VERTEX on the graph.
To view a complete list of privileges available in TigerGraph and the commands they enable a user to run, see List of Privileges.

Global vs local privileges

The scope of a privilege can be global or local. Global privileges apply to all graphs and global objects. Local privileges only apply on the graph they belong to.
For example, a role with WRITE_QUERY on graph social can only create queries on graph social, but not on other graphs. In contrast, a role with WRITE_QUERY on the global scope can create queries on all graphs.
Local roles can only be granted local privileges, while global roles can be granted both local and global privileges.
Global-only privileges
Some privileges can only be global by nature. For example, since users are global objects, any user-related privileges are global only. To see which privileges are global-only, see List of Privileges.

Roles

A role is a collection of privileges you can assign to users to grant them permission to perform actions on specific resources.

Global vs local roles

Roles can be global or local. Local roles can only be granted local privileges, while global roles can be granted both local and global privileges.
For example, if a user creates a role manager on the graph social:
1
GSQL > CREATE ROLE manager ON GRAPH social
2
Successfully created roles: [manager].
Copied!
This role can only be granted privileges on the graph social. It cannot be granted global privileges.

Built-in roles

GSQL offers 5 built-in local roles and 2 built-in global roles. The built-in roles cannot be dropped. Below is a table of the built-in roles and their corresponding set of privileges.
Name
Global or Local
Privilege List
observer
Local
READ_SCHEMA, READ_LOADINGJOB,READ_QUERY
queryreader
Local
READ_SCHEMA, READ_LOADINGJOB,READ_QUERY, EXECUTE_LOADINGJOB, READ_DATA
querywriter
Local
READ_SCHEMA, READ_LOADINGJOB,READ_QUERY, EXECUTE_LOADINGJOB, READ_DATA, WRITE_QUERY, WRITE_DATA
designer
Local
READ_SCHEMA, READ_LOADINGJOB,READ_QUERY, EXECUTE_LOADINGJOB, READ_DATA, WRITE_QUERY, WRITE_DATA, WRITE_SCHEMA, WRITE_LOADINGJOB, ACCESS_TAG
admin
Local
READ_SCHEMA, READ_LOADINGJOB,READ_QUERY, EXECUTE_LOADINGJOB, READ_DATA, WRITE_QUERY, WRITE_DATA, WRITE_SCHEMA, WRITE_LOADINGJOB, ACCESS_TAG WRITE_ROLE, WRITE_DATASOURCE, READ_ROLE, READ_USER, READ_PROXYGROUP
globaldesigner
Global
Designer’s privileges on global + drop graph created by the same user
superuser
Global
All supported privileges

User-defined roles

Users can define roles with their own list of privileges they want to grant to the role. To learn how to create/drop user-defined roles and manage privileges for the roles, see Role Management.
Last modified 2mo ago