This page explains the procedures for various role management tasks under TigerGraph’s role-based access control model.
To see role management tasks under the Access Control List (ACL) model, see ACL Management.
Create a local role
To create a local role, run the CREATE ROLE command as shown below. If you do not specify a graph in the command, the current scope is used as the scope of the role:
GSQL > USE GRAPH example_graph
GSQL > CREATE ROLE role1, role2
This will create two roles named role1 and role2 on graph example_graph. By default, these two roles do not have any privileges:
Successfully created local roles for graph 'example_graph': [role1, role2].
Create a global role
To create a global role, run the CREATE ROLE command as shown below. Replace role1 with the name of the role you are creating.
CREATE ROLE role1 ON GLOBAL
This will create a role named role1 on the global scope. By default, this role has no privileges:
Successfully created global roles: [role1].
View privileges of a role
Users with the READ_ROLE privilege in a scope can view the RBAC privileges on the roles in that scope.
To view the privileges of a role, run the SHOW PRIVILEGE ON ROLE command, replacing role1, role2 with the names of the roles whose privileges you want to view:
GSQL > SHOW PRIVILEGE ON ROLE role1, role2
This will show the privileges of each listed role:
Role: "role1"
  - Graph 'tpc_graph' Privileges: WRITE_QUERY
Role: "role2"
  This role has no privilege.
To view the ACL privileges of a role, see View ACL privileges of a role.
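As an added example (not part of the TigerGraph documentation), the following Python parses output in the shape shown above and reports every privilege a role holds beyond an expected allowlist, so excess grants can be spotted and revoked. The sample text is constructed, and the assumption that a global role prints a Privileges line without a Graph clause is mine.

```python
import re

# Constructed sample in the shape of the `SHOW PRIVILEGE ON ROLE` output shown
# on this page, with an extra WRITE_ROLE on role2 to give the audit a finding.
SAMPLE_OUTPUT = """\
Role: "role1"
  - Graph 'tpc_graph' Privileges: WRITE_QUERY
Role: "role2"
  - Graph 'tpc_graph' Privileges: WRITE_QUERY, WRITE_ROLE
Role: "role3"
  This role has no privilege.
"""

ROLE_RE = re.compile(r'^Role:\s*"([^"]+)"')
PRIV_RE = re.compile(r"(?:Graph\s+'([^']+)'\s+)?Privileges:\s*(.*)$")


def parse_show_privilege(text):
    """Map role name -> {graph name -> set of privileges}; a role with no
    privilege maps to {}. A Privileges line without a Graph clause (assumed
    here to be how a global role prints) is keyed "GLOBAL"."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROLE_RE.match(line)
        if m:
            current = m.group(1)
            roles.setdefault(current, {})
            continue
        m = PRIV_RE.search(line) if current else None
        if m:
            graph = m.group(1) or "GLOBAL"
            privs = {p.strip() for p in m.group(2).split(",") if p.strip()}
            roles[current].setdefault(graph, set()).update(privs)
    return roles


def audit_roles(text, expected):
    """Return sorted (role, graph, privilege) triples granted beyond `expected`,
    where `expected` maps role -> {graph -> allowed privileges}; each finding
    is a candidate for REVOKE PRIVILEGE <privilege> ON GRAPH <graph> FROM <role>."""
    findings = []
    for role, scopes in parse_show_privilege(text).items():
        for graph, privs in scopes.items():
            allowed = expected.get(role, {}).get(graph, set())
            findings.extend((role, graph, p) for p in privs - allowed)
    return sorted(findings)
```

Run it against the real SHOW PRIVILEGE ON ROLE output captured from your own GSQL session and a policy dict describing what each role is meant to hold.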
List all existing roles
To list all existing roles, first ensure that you are in the correct scope. Run USE GLOBAL or USE GRAPH <graph_name> to switch to your desired scope.
GSQL > SHOW ROLE
This will show all the roles in your current scope:
- Builtin Roles:
    observer
    queryreader
    querywriter
    designer
    admin
    globaldesigner
    superuser
- User Defined Roles:
  - Graph 'tpc_graph' Roles:
      role1
      role2
Grant privileges to a role
Users with the WRITE_ROLE privilege on a scope can grant RBAC privileges to the roles in that scope.
GRANT PRIVILEGE <privilege_name1> (, <privilege_name2>)* [ON GRAPH <graph_name>] TO <role_name1> (, <role_name2>)*
To grant privileges to a role, run the GRANT PRIVILEGE command from the GSQL shell:
GSQL > GRANT PRIVILEGE WRITE_QUERY, WRITE_ROLE ON GRAPH example_graph TO role1, role2
This will allow users with the roles role1 and role2 to edit and install queries, as well as modify roles, on the graph example_graph. To see a full list of privileges and the commands they allow users to run, see List of Privileges.
To grant ACL privileges to a role, see Grant ACL privileges to a role.
Revoke privileges from a role
Users with the WRITE_ROLE privilege on a scope can revoke RBAC privileges from the roles in that scope.
REVOKE PRIVILEGE <privilege_name1> (, <privilege_name2>)* [ON GRAPH <graph_name>] FROM <role_name1> (, <role_name2>)*
To revoke privileges from a role, run the REVOKE PRIVILEGE command from the GSQL shell:
GSQL > REVOKE PRIVILEGE WRITE_QUERY ON GRAPH example_graph FROM role1
This will revoke the WRITE_QUERY privilege from the role role1 on graph example_graph.
To revoke ACL privileges from a role, see Revoke ACL privileges from a role.