# User Management

To see user management tasks under the Access Control List (ACL) model, see ACL Management.

## Create a user

You can run the `CREATE USER` command to create a user.

The username cannot contain the following characters: `\` ,` ` `(` , `)`, `[`, `]`, `:`, `<`, `>`, `;`, `,`, `@`, `\r`, `\n`, `\f`, `\t`, `\\`, `\0`, `\b`. It also cannot start with a dot `.` or have multiple dots in a sequence.

You can use non-ascii characters, such as Chinese and Kanji characters.

### Syntax

``CREATE USER``

### Required privilege

`WRITE_USER`

### Procedure

1. From the GSQL shell, run the `CREATE USER` command:

``GSQL > CREATE USER``
2. Enter the user information in the prompts that follow:

Example: Create user
``````User Name : frank@email.com
The user "frank" is created.``````

## View roles assignments and login attempts

The `SHOW USER` command displays the role assignments, as well as the login attempts, of the current user. If the current user hsa the `READ_USER` privilege

### Syntax

``SHOW USER``

### Required privilege

`READ_USER` for displaying roles of other users

### Procedure

From the GSQL shell, run the `SHOW USER` command:

``````GSQL > SHOW USER
- Name: testUser
- Global Roles: superuser
- LastSuccessLogin: Thu Sep 22 12:43:07 UTC 2022
- NextValidLogin: Thu Sep 22 12:43:07 UTC 2022 (1)
- FailedAttempts: 0

If the user running the command has the `READ_USER` privilege, information on all users is displayed. Otherwise, only the current user’s information is displayed.

## View privileges of a user

Users with the `READ_USER` privilege in a scope can view the RBAC privileges of the users in that scope.

### Syntax

``SHOW PRIVILEGE ON USER <username> (, <username>)*``

### Required privilege

`READ_USER`

### Procedure

1. From the GSQL shell, run the `SHOW PRIVILEGE ON USER` command :

``GSQL > SHOW PRIVILEGE ON USER tigergraph``

The above command will show the privileges of user `tigergraph`:

``````User: "tigergraph"
- Global Privileges:
WRITE_SCHEMA
WRITE_QUERY
WRITE_DATA
WRITE_DATASOURCE
WRITE_ROLE
WRITE_USER
WRITE_PROXYGROUP
WRITE_FILE
DROP_GRAPH
EXPORT_GRAPH
CLEAR_GRAPHSTORE
DROP_ALL
ACCESS_TAG``````

## Grant a role to a user/proxy group

### Syntax

``````GRANT ROLE <role_name1> (, role_name2)* [ON GRAPH <graph_name>]

### Required privilege

`WRITE_ROLE`

### Procedure

1. Start the GSQL shell and make sure you are using the correct graph

``````$gsql GSQL > USE GRAPH example_graph`````` 2. From the GSQL shell, run the `GRANT ROLE` command. You can grant multiple roles to multiple users: ``GSQL > GRANT ROLE role1 , role2 ON GRAPH example_graph TO user1, user2`` The above command will grant roles `role1` and `role2` on graph `example_graph` to users `user1` and `user2`. ## Revoke a role from a user ### Syntax ``````REVOKE ROLE <roleName1> (, <roleName2)* [ON GRAPH <graphName>] FROM <userName1> (, <userName2>)*`````` ### Required privilege `WRITE_ROLE` ### Procedure 1. Start the GSQL shell and make sure you are using the correct graph ``````$ gsql
GSQL > USE GRAPH example_graph``````
2. From the GSQL shell, run the `REVOKE_ROLE` command. You can revoke multiple roles from multiple users at the same time:

``````GSQL > REVOKE ROLE role1, role2 ON GRAPH example_graph
FROM user1, user2``````

The above command will revoke roles `role1` and `role2` on graph `example_graph` from users `user1` and `user2`.

Users can change their own passwords used for login without needing any privilege. Users with the `WRITE_USER` privilege can change the passwords of other users.

### Syntax

``ALTER PASSWORD <username>``

### Required privilege

`WRITE_USER` for changing the password of a user other than the current user

### Procedure

1. From the GSQL shell, run the following command. Replace `username` with the user whose password you want to change

``GSQL > ALTER PASSWORD username``
2. Enter the new password in the prompt that follows.

 To see how to change a user’s ACL password, see Change ACL password

## Drop a user

### Syntax

``DROP USER <user1> (,<user2>)*``

### Required privilege

`WRITE_USER`

### Procedure

1. From the GSQL shell, run the `DROP USER` command. You can drop multiple users in the same command.

``GSQL > DROP USER user1, user2``
2. GSQL will confirm that the users you entered have been dropped