List of Privileges

This page provides a complete list of privileges in TigerGraph’s Role-based Access Control system.

  • Any privilege marked “on global only” can only be granted to a global role. It cannot be granted to a local role (See Global role vs local role).

  • The command IMPORT GRAPH <gName> needs multiple privileges, .e.g WRITE_SCHEMA, WRITE_LOADING_JOB, WRITE_QUERY and so on.

  • To run the command CREATE SECRET on a graph, the user must have at least one of the access database privileges: READ_DATA, WRITE_DATA and EXECUTE_LOADINGJOB on that graph. Thus the built-in queryreader role and above can create secrets on a graph, but the observer role cannot.

Table of Privileges

Privilege Name Commands Associated Global Only

READ_SCHEMA

  • ls

  • show vertex <vName>

  • show edge <eName>

  • show graph <gName>

  • show job (<schema_changeJobName>

No

WRITE_SCHEMA

  • create schema_change job <scjName>

  • run schema_change job <scjName>

  • drop schema_change job <scjName>

  • create vertex <vName>

  • drop vertex <vName>

  • create edge <eName>

  • drop edge <eName>

  • create graph <gName>

  • create global schema_change job <gscjName>

  • run global schema_change job <gscjName>

  • drop global schema_change job <gscjName>

No

READ_LOADINGJOB

  • show job <loadingJobName>

  • show data_source <dsName>

No

EXECUTE_LOADINGJOB

  • run loading job <ljName>

  • show loading status <jobId>

  • abort loading job <ljName>

  • resume loading job <ljName>

No

WRITE_LOADINGJOB

  • create loading job <ljName>

  • drop loading job <ljName>

No

READ_QUERY

show query <qName>

No

WRITE_QUERY

  • create query <qName>

  • install query <qName>

  • drop query <qName>

No

READ_DATA

run Read_Only_Query <qName>

No

WRITE_DATA

  • run Query_With_Update <qName>

  • (including create, delete, update in its own or any sub-query)

No

WRITE_DATASOURCE

  • create data_source <dsName>

  • grant data_source <dsName>

  • revoke data_source <dsName>

  • drop data_source <dsName>

No

READ_ROLE

  • show role

  • show privilege on role <rName>

No

WRITE_ROLE

  • create role <rName>

  • grant role <rName>

  • revoke role <rName>

  • drop role <rName>

  • grant privilege <pName> on graph <gName> to <rName>

  • revoke privilege <pName> on graph <gName> from <rName>

No

READ_USER

  • show user

  • show privilege on user <uName>

  • show secret

No

WRITE_USER

  • create user <uName>

  • drop user <uName>

  • alter password

Yes

READ_PROXYGROUP

show group

No

WRITE_PROXYGROUP

  • create group <pgName> proxy <rule>

  • drop group <pgName>

Yes

READ_FILE

get <fileName> to <path-to-file>

Yes

WRITE_FILE

put <fileName> from <path-to-file>

Yes

DROP_GRAPH

drop graph <gName>

Yes

EXPORT_GRAPH

export graph <gName>

Yes

CLEAR_GRAPHSTORE

clear graph store

Yes

ACCESS_TAG

  • Operations with schema change jobs involving tags

  • Operations with loading jobs involving tags

  • Operations with queries involving tags

No

DROP_ALL

drop all

Yes