User Management
This page explains the procedures for various user management tasks under TigerGraph’s role-based access control (RBAC) model.
To see user management tasks under the Access Control List (ACL) model, see Access Control Lists (ACLs).
Username Rules for v3.9.3 and above
v3.9.3 expanded the set of characters that can be used in a username compared with previous versions.
A username is treated as a STRING in GSQL, regardless of the syntax structure, format, or characters used.
Usernames may contain any Unicode characters except the following:
- May not contain these characters: \r, \n, \0, \b, \t, \a, \v.
- May not contain any SPACE.
In the GSQL client, backquotes ( ` ) must be used as delimiters to enclose any username that is not a valid email and does not follow the pattern [a-zA-Z_][a-zA-Z0-9]*.
Delimiters are not stored internally.
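A pre-flight check for provisioning scripts that applies the v3.9.3 rules above before a name reaches the GSQL client. This is an added example, not TigerGraph code; the email pattern, the rejection of empty names and the refusal of names containing a backquote are assumptions, since the page defines none of them.

```python
import re

# Characters the page lists as forbidden in v3.9.3 usernames, plus SPACE (U+0020).
FORBIDDEN = {"\r", "\n", "\0", "\b", "\t", "\a", "\v", " "}
# Pattern quoted on the page: names matching it need no backquotes.
BARE_NAME = re.compile(r"[a-zA-Z_][a-zA-Z0-9]*")
# Assumption: the page does not define "valid email"; this is a simple stand-in.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def check_username(name):
    """Return (ok, reasons) for the v3.9.3 character rules."""
    reasons = []
    if not name:
        reasons.append("empty name")  # assumption: page does not cover this case
    for c in sorted({c for c in name if c in FORBIDDEN}):
        reasons.append(f"forbidden character {c!r}")
    return (not reasons, reasons)


def needs_backquotes(name):
    """True when the GSQL client requires backquote delimiters around the name."""
    return not (BARE_NAME.fullmatch(name) or EMAIL.fullmatch(name))


def gsql_form(name):
    """Return the name as it should be typed in the GSQL client."""
    ok, reasons = check_username(name)
    if not ok:
        raise ValueError("; ".join(reasons))
    if not needs_backquotes(name):
        return name
    if "`" in name:
        # Assumption: the page describes no escape for a backquote inside a
        # delimited name, so refuse rather than guess.
        raise ValueError("name contains a backquote; quoting is ambiguous")
    return f"`{name}`"


if __name__ == "__main__":
    # Names from the page's examples plus constructed edge cases.
    for n in ["user1", "a@b.com", ':"/.,@#$%^*()_+=-', "user_1", "bob smith"]:
        try:
            print(repr(n), "->", gsql_form(n))
        except ValueError as e:
            print(repr(n), "rejected:", e)
```

Because the quoted pattern allows an underscore only as the first character, a name such as user_1 falls outside it and is delimited.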
Username Rules for v3.9.2 and below
For v3.9.2 and below, follow these guidelines when creating a username.
Usernames must match the regex pattern [a-zA-Z_][a-zA-Z0-9]*, or be an email.
You may also use non-ASCII characters, such as Chinese and Kanji characters.
Additionally, usernames may not contain the following characters:
- \ ( ) [ ] : < > ; , @ \r \n \f \t \\ \0 \b
- A username may not start with a dot (.) or have multiple dots (… or a.b..c…) in a sequence.
Backquotes ( ` ) must be used as a delimiter to enclose usernames which do not follow the pattern [a-zA-Z_][a-zA-Z0-9]*. Delimiters are not stored internally.
Procedure
- From the GSQL shell, run the CREATE USER command:
    GSQL > CREATE USER
- Enter the user information in the prompts that follow:
    Example 1: Create user
    User Name : user1
    New Password : ************
    Re-enter Password : ************
    The user "user1" is created.

    Example 2: Create user with email
    User Name : a@b.com
    New Password : ************
    Re-enter Password : ************
    The user "a@b.com" is created.

    Example 3: Create user with special characters (Only v3.9.3)
    User Name : `:"/.,@#$%^*()_+=-`
    New Password : ************
    Re-enter Password : ************
    The user ":"/.,@#$%^*()_+=-" is created.
View role assignments and login attempts
The SHOW USER command displays the role assignments, as well as the login attempts, of the current user.
If the current user has the READ_USER privilege
Procedure
From the GSQL shell, run the SHOW USER command:
GSQL > SHOW USER
- Name: testUser
- Global Roles: superuser
- LastSuccessLogin: Thu Sep 22 12:43:07 UTC 2022
- NextValidLogin: Thu Sep 22 12:43:07 UTC 2022 (1)
- FailedAttempts: 0
- ShowAlterPasswordWarning: false
(1) The next time the user is allowed to attempt login. For more information, see Configuring Login Protection.
If the user running the command has the READ_USER privilege, information on all users is displayed.
Otherwise, only the current user’s information is displayed.
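A periodic account review can be run over captured SHOW USER output in the format shown above. This is an added example, not TigerGraph code; the second user block, the repetition of blocks per user, comma-separated roles and the failure threshold are assumptions.

```python
from datetime import datetime

# First block is the page's sample; the second block is constructed for the example.
SAMPLE_OUTPUT = """\
- Name: testUser
- Global Roles: superuser
- LastSuccessLogin: Thu Sep 22 12:43:07 UTC 2022
- NextValidLogin: Thu Sep 22 12:43:07 UTC 2022
- FailedAttempts: 0
- ShowAlterPasswordWarning: false
- Name: analyst1
- Global Roles: role1
- LastSuccessLogin: Wed Sep 21 09:10:00 UTC 2022
- NextValidLogin: Thu Sep 22 12:50:07 UTC 2022
- FailedAttempts: 5
- ShowAlterPasswordWarning: false
"""


def parse_show_user(text):
    """Split SHOW USER output into one dict per user (a block starts at '- Name:')."""
    users, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("- ") or ":" not in line:
            continue
        key, value = (part.strip() for part in line[2:].split(":", 1))
        if key == "Name":
            cur = {}
            users.append(cur)
        if cur is not None:
            cur[key] = value
    return users


def parse_ts(value):
    """Parse timestamps in the page's format, e.g. 'Thu Sep 22 12:43:07 UTC 2022'."""
    return datetime.strptime(value, "%a %b %d %H:%M:%S UTC %Y")


def review(users, now, max_failed=3):
    """Return (user, finding) pairs: repeated failures, delayed login, superuser."""
    findings = []
    for u in users:
        name = u.get("Name", "?")
        if int(u.get("FailedAttempts", 0)) >= max_failed:
            findings.append((name, "failed-logins"))
        if "NextValidLogin" in u and parse_ts(u["NextValidLogin"]) > now:
            findings.append((name, "login-delayed"))
        if "superuser" in [r.strip() for r in u.get("Global Roles", "").split(",")]:
            findings.append((name, "superuser"))
    return findings
```

Calling review(parse_show_user(SAMPLE_OUTPUT), datetime(2022, 9, 22, 12, 45, 0)) flags testUser as a superuser account and analyst1 for repeated failures and a pending login delay.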
View privileges of a user
Users with the READ_USER privilege in a scope can view the RBAC privileges of the users in that scope.
Procedure
- From the GSQL shell, run the SHOW PRIVILEGE ON USER command:
    GSQL > SHOW PRIVILEGE ON USER tigergraph
The above command will show the privileges of user tigergraph:
User: "tigergraph"
- Global Privileges:
READ_SCHEMA
WRITE_SCHEMA
READ_LOADINGJOB
EXECUTE_LOADINGJOB
WRITE_LOADINGJOB
READ_QUERY
WRITE_QUERY
READ_DATA
WRITE_DATA
WRITE_DATASOURCE
READ_ROLE
WRITE_ROLE
READ_USER
WRITE_USER
READ_PROXYGROUP
WRITE_PROXYGROUP
READ_FILE
WRITE_FILE
DROP_GRAPH
EXPORT_GRAPH
CLEAR_GRAPHSTORE
DROP_ALL
ACCESS_TAG
To view ACL privileges of a user, see View ACL privileges of a user.
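For a least-privilege review, the SHOW PRIVILEGE ON USER output can be compared against a reviewed baseline per account. This is an added example, not TigerGraph code; the user loader1, its output and its baseline are constructed, and treating any "- ...:" line as a scope header is an assumption, since the page shows only the "Global Privileges" section.

```python
import re

# Constructed output in the format shown on the page.
SAMPLE_PRIVILEGES = """\
User: "loader1"
- Global Privileges:
READ_SCHEMA
READ_LOADINGJOB
EXECUTE_LOADINGJOB
WRITE_USER
DROP_ALL
"""

# Constructed baseline: what the account was approved to hold.
BASELINE = {
    "loader1": {
        "Global Privileges": {"READ_SCHEMA", "READ_LOADINGJOB", "EXECUTE_LOADINGJOB"},
    },
}


def parse_privileges(text):
    """Return {user: {scope: set(privileges)}} from SHOW PRIVILEGE ON USER output."""
    result, user, scope = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r'User:\s*"(.*)"', line)
        if m:
            user, scope = m.group(1), None
            result[user] = {}
        elif user is not None and line.startswith("- ") and line.endswith(":"):
            scope = line[2:-1].strip()
            result[user][scope] = set()
        elif scope is not None and re.fullmatch(r"[A-Z_]+", line):
            result[user][scope].add(line)
    return result


def excess_privileges(granted, baseline):
    """Privileges each user holds beyond the baseline, keyed by (user, scope)."""
    findings = {}
    for user, scopes in granted.items():
        for scope, privs in scopes.items():
            extra = privs - baseline.get(user, {}).get(scope, set())
            if extra:
                findings[(user, scope)] = sorted(extra)
    return findings
```

An account missing from the baseline has every privilege reported, so newly created users surface in the review by default.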
Grant a role to a user/proxy group
Syntax
GRANT ROLE <role_name1> (, <role_name2>)* [ON GRAPH <graph_name>]
TO <username1>|<proxy_group_name1> (, <username2> | <proxy_group_name2>)*
Procedure
- Start the GSQL shell and make sure you are using the correct graph:
    $ gsql
    GSQL > USE GRAPH example_graph
- From the GSQL shell, run the GRANT ROLE command. You can grant multiple roles to multiple users:
    GSQL > GRANT ROLE role1 , role2 ON GRAPH example_graph TO user1, user2
The above command will grant roles role1 and role2 on graph example_graph to users user1 and user2.
Revoke a role from a user
Syntax
REVOKE ROLE <roleName1> (, <roleName2>)* [ON GRAPH <graphName>]
FROM <userName1> (, <userName2>)*
Procedure
- Start the GSQL shell and make sure you are using the correct graph:
    $ gsql
    GSQL > USE GRAPH example_graph
- From the GSQL shell, run the REVOKE ROLE command. You can revoke multiple roles from multiple users at the same time:
    GSQL > REVOKE ROLE role1, role2 ON GRAPH example_graph FROM user1, user2
The above command will revoke roles role1 and role2 on graph example_graph from users user1 and user2.
Change a user’s password
Users can change their own passwords used for login without needing any privilege.
Users with the WRITE_USER privilege can change the passwords of other users.
Procedure
- From the GSQL shell, run the following command. Replace username with the user whose password you want to change:
    GSQL > ALTER PASSWORD username
- Enter the new password in the prompt that follows.
To see how to change a user’s ACL password, see Change ACL password.