List of Legacy Privilege Syntax

This page provides a complete list of privileges in TigerGraph’s Role-based Access Control system.

Legacy Privilege Syntax Limitations

  • Any privilege marked “Global only” can only be granted to a global role. It cannot be granted to a local role (See Global role vs local role).

  • Local roles are deprecated and will be dropped in a later version.

  • As of 3.10.0, when using the legacy privilege syntax, a user will receive a warning when trying to grant or revoke a privilege.

  • Legacy privilege syntax for function privileges is only supported on the global scope.

    • To add function privileges, it’s best to use the Object-Based Privileges syntax.

  • As of 4.1.0, when using certain legacy query privilege syntax, a user need to config entry GSQL.BasicConfig.Env with ALLOW_LEGACY_RBAC_SYNTAX environmental variable. However, there are also several forbidden legacy RBAC syntax usages. See details and examples in Legacy RBAC Syntax Usage.

It’s recommended to use the Object-Based Privileges syntax. See Object-Based Privilege Tables for a comparison with the legacy syntax.

Table of Privileges

Privilege Name Commands Associated Global Only

READ_SCHEMA

  • ls

  • show vertex <vName>

  • show edge <eName>

  • show graph <gName>

  • show job (<schema_changeJobName>

No

WRITE_SCHEMA

  • create schema_change job <scjName>

  • run schema_change job <scjName>

  • drop schema_change job <scjName>

  • create vertex <vName>

  • drop vertex <vName>

  • create edge <eName>

  • drop edge <eName>

  • create graph <gName>

  • create global schema_change job <gscjName>

  • run global schema_change job <gscjName>

  • drop global schema_change job <gscjName>

No

READ_LOADINGJOB

  • show job <loadingJobName>

  • show data_source <dsName>

No

EXECUTE_LOADINGJOB

  • run loading job <ljName>

  • show loading status <jobId>

  • abort loading job <ljName>

  • resume loading job <ljName>

No

WRITE_LOADINGJOB

  • create loading job <ljName>

  • drop loading job <ljName>

No

READ_QUERY

  • show query <qName>

No

CREATE_QUERY

  • create query <qName>

  • create or replace query <qName> when <qName> does not exist

No

UPDATE_QUERY

  • create or replace query <qName> when <qName> exists

No

DROP_QUERY

  • drop query <qName>

No

INSTALL_QUERY

  • install query <qName>

No

EXECUTE_QUERY

  • run query <qName>

  • interpret query <qName>

No

OWNERSHIP

  • show query <qName>

  • create or replace query <qName>

  • drop query <qName>

  • run query <qName>

  • interpret query <qName>

  • grant <queryPrivileges> on query <queryName> in <gName> to <roleName>

  • grant <queryPrivileges> on query <queryName> in <gName> to <userName>

  • revoke <queryPrivileges> on query <queryName> in <gName> from <roleName>

  • revoke <queryPrivileges> on query <queryName> in <gName> from <userName>

No

CREATE_DATA

Running queries that insert vertices or edges in the allowed scope. For details see Data CRUD privileges.

No

READ_DATA

Running queries that read vertex or edge information in the allowed scope. For details see Data CRUD privileges.

No

UPDATE_DATA

Running queries that update vertex or edge information in the allowed scope. For details see Data CRUD privileges.

No

DELETE_DATA

Running queries that delete vertices or edges in the allowed scope. For details see Data CRUD privileges.

No

WRITE_DATASOURCE

  • create data_source <dsName>

  • grant data_source <dsName>

  • revoke data_source <dsName>

  • drop data_source <dsName>

No

READ_ROLE

  • show role

  • show privilege on role <rName>

No

WRITE_ROLE

  • create role <rName>

  • grant role <rName>

  • revoke role <rName>

  • drop role <rName>

  • grant privilege <pName> on graph <gName> to <rName>

  • revoke privilege <pName> on graph <gName> from <rName>

No

READ_USER

  • show user

  • show privilege on user <uName>

  • show secret

No

WRITE_USER

  • create user <uName>

  • drop user <uName>

  • alter password

Yes

READ_PROXYGROUP

show group

No

WRITE_PROXYGROUP

  • create group <pgName> proxy <rule>

  • drop group <pgName>

Yes

READ_FILE

get <fileName> to <path-to-file>

Yes

WRITE_FILE

put <fileName> from <path-to-file>

Yes

DROP_GRAPH

drop graph <gName>

Yes

EXPORT_GRAPH

export graph <gName>

Yes

CLEAR_GRAPHSTORE

clear graph store

Yes

ACCESS_TAG

  • Operations with schema change jobs involving tags

  • Operations with loading jobs involving tags

  • Operations with queries involving tags

No

APP_ACCESS_DATA

Accessing data through TigerGraph Suite applications including GraphStudio and TigerGraph Insights.

This privilege only allows you to access the information through TigerGraph Suite applications if you already have access to the data in GSQL. It only pertains to the applications and does not have meaning in GSQL itself.

DROP_ALL

drop all

Yes