RBAC Row Policy Overview
Role-Based Access Control (RBAC) row policy is used to control access to specific rows (or for vertex level access control) of data in TigerGraph based on user roles and attribute values.
User Guide
The row policy user guide has two parts:
-
RBAC: Row Policy Key Concepts - Learn the key concepts and features that make up row policy.
-
Set Up Row Policy - Learn how to setup a basic row policy using an example dataset.
Object-Based Privilege Tables
Here you can find the Object-Based privilege tables for reference.
Row Policy EBNF
Here you can find the row policy EBNF examples for reference.
Row Policy Limitations
-
Because exception statements are not supported for
INTERPRET
mode, if a query is affected by a row policy, ensure to always install it before running it. -
Currently, we only support row policy on vertices, not on edges.
-
Row policy will only regulate the read-related operations for vertices, including read, update, and delete.
-
A global vertex can only hold one global row policy and cannot apply a local row policy on a global vertex in a graph.
-
LOADACCUM
will be blocked if the vertex type to be loaded has a row policy. -
SelectVertex
should always have avSet
assignment, if there are any row policies in the graph. -
Statistics data will not be affected by row policies:
-
Blueprint function
outdegree()
-
Commands that are related to built-in functions on graph, such as:
-
select count(*)
fromvertexType
-
-
-
Upsert-related operations are not regulated by row policies:
-
GSQL Query: For both installed query and interpret query, top level and dml-level INSERT INTO statement.
-
REST API
POST /graph/{graph_name}
Upsert data to graph -
Loading job: (file loading and kafka loading) loading an existing vertex with new attribute value.
-
REST API
POST /ddl
: (for spark loading job) loading an existing vertex with new attribute value. API:built-in-endpoints.adoc#_run_a_loading_job
-