This page explains the procedures for various role management tasks under TigerGraph’s authorization model.
To create a local role, run the CREATE ROLE command as shown below. If you choose not to specify a graph in the command, the current scope will be used as the scope of the role:
GSQL > USE GRAPH example_graph
GSQL > CREATE ROLE role1, role2
This will create two roles named role1 and role2 on graph example_graph. By default, these two roles do not have any privileges:
Successfully created local roles for graph 'example_graph': [role1, role2].
To create a global role, run the CREATE ROLE command as shown below. Replace role1 with the name of the role you are creating.
CREATE ROLE role1 ON GLOBAL
This will create a role named role1 on the global scope. By default, this role has no privileges:
Successfully created global roles: [role1].
To view the privileges of a role, run the SHOW PRIVILEGE ON ROLE command, and replace role1, role2 with the names of the roles whose privileges you want to view:
GSQL > SHOW PRIVILEGE ON ROLE role1 , role2
This will show the privileges of the role
Role: "role1"
- Graph 'tpc_graph' Privileges: WRITE_QUERY
Role: "role2"
This role has no privilege.
To list all existing roles, first ensure that you are in the correct scope. Run USE GLOBAL to switch to your desired scope.
GSQL > SHOW ROLE
This will show all the roles in your current scope:
- Builtin Roles: observer queryreader querywriter designer admin globaldesigner superuser
- User Defined Roles:
  - Graph 'tpc_graph' Roles: role1 role2
GRANT PRIVILEGE <privilege_name1> (, privilege_name2)* [ON GRAPH <graph_name>] TO <role_name1> (, <role_name2>)*
To grant privileges to a role, run the GRANT PRIVILEGE command from the GSQL shell:
GSQL > GRANT PRIVILEGE WRITE_QUERY, WRITE_ROLE ON GRAPH example_graph TO role1 , role2
This will allow users with the roles role1 and role2 to edit and install queries, as well as modify roles on the graph example_graph. To see a full list of privileges and the commands they allow users to run, see List of Privileges.
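An added example, not part of the TigerGraph documentation: a Python check that parses SHOW PRIVILEGE ON ROLE output in the shape shown above and lists every role holding WRITE_ROLE, the privilege this page says lets users modify roles on a graph. The sample output is constructed, and the whitespace layout and the choice of WRITE_ROLE as the only flagged privilege are assumptions.

```python
import re

# Privileges flagged by this audit (assumption: only WRITE_ROLE, which the
# page describes as allowing users to modify roles on the graph).
SENSITIVE = {"WRITE_ROLE"}

ROLE_RE = re.compile(r'Role:\s*"([^"]+)"')
# One graph entry: - Graph '<name>' Privileges: <PRIV> <PRIV> ...
GRAPH_RE = re.compile(r"-\s*Graph\s+'([^']+)'\s+Privileges:\s*([A-Z_,\s]*)")

# Constructed sample in the shape of the SHOW PRIVILEGE ON ROLE output above.
SAMPLE = '''Role: "role1"
  - Graph 'example_graph' Privileges:
      WRITE_QUERY
      WRITE_ROLE
Role: "role2"
  This role has no privilege.
'''

def parse_privileges(output):
    """Return {role: {graph: {privilege, ...}}}; works on flattened or multi-line text."""
    roles = {}
    matches = list(ROLE_RE.finditer(output))
    for i, m in enumerate(matches):
        # A role's section runs until the next 'Role:' header (or end of text).
        end = matches[i + 1].start() if i + 1 < len(matches) else len(output)
        grants = roles.setdefault(m.group(1), {})
        for g in GRAPH_RE.finditer(output[m.end():end]):
            privs = {p for p in re.split(r"[,\s]+", g.group(2)) if p}
            grants.setdefault(g.group(1), set()).update(privs)
    return roles

def flag_sensitive(roles, sensitive=SENSITIVE):
    """Return sorted (role, graph, privilege) triples for sensitive grants."""
    return sorted(
        (role, graph, priv)
        for role, grants in roles.items()
        for graph, privs in grants.items()
        for priv in privs & sensitive
    )

if __name__ == "__main__":
    for role, graph, priv in flag_sensitive(parse_privileges(SAMPLE)):
        print(f"review: role {role!r} holds {priv} on graph {graph!r}")
```

Feed it only the command's output, without the GSQL prompt lines, and compare the flagged roles against the accounts that are meant to administer roles on each graph.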
REVOKE PRIVILEGE <privilege_name1> (, privilege_name2)* [ON GRAPH <graph_name>] FROM <role_name1> (, <role_name2>)*
DROP ROLE <role_name> (, <role_name2>)*