Legacy RBAC Privileges

This page lists the privileges in TigerGraph’s Legacy Role-Based Access Control system. In version 3.10, Object-Based Privileges were introduced to eventually replace the original (legacy) RBAC system. See Object-Based Privilege Tables for a comparison with the legacy syntax.

The legacy system of privileges is deprecated. Users should move to the new object-based privileges.

Legacy Privilege Limitations

As of 4.1, support for legacy RBAC privileges is disabled by default. To enable support, set GSQL.BasicConfig.Env with the ALLOW_LEGACY_RBAC_SYNTAX environmental variable. Even so, some legacy RBAC privileges are no longer supported. See details and examples in Legacy RBAC Syntax Usage.
Any privilege marked “Global only” can only be granted to a global role. It cannot be granted to a local role (See Global role vs local role).
Local roles are deprecated and will be dropped in a later version.
As of 3.10.0, when using the legacy privilege syntax, a user will receive a warning when trying to grant or revoke a privilege.
Legacy privilege syntax for function privileges is only supported on the global scope.
- To add function privileges, it’s best to use the Object-Based Privileges syntax.

Table of Legacy RBAC Privileges

Privilege Name Commands Associated Global Only

Privilege Name	Commands Associated	Global Only
`READ_SCHEMA`	`ls` `show vertex <vName>` `show edge <eName>` `show graph <gName>` `show job (<schema_changeJobName>`	No
`WRITE_SCHEMA`	`create schema_change job <scjName>` `run schema_change job <scjName>` `drop schema_change job <scjName>` `create vertex <vName>` `drop vertex <vName>` `create edge <eName>` `drop edge <eName>` `create graph <gName>` `create global schema_change job <gscjName>` `run global schema_change job <gscjName>` `drop global schema_change job <gscjName>`	No
`READ_LOADINGJOB`	`show job <loadingJobName>` `show data_source <dsName>`	No
`EXECUTE_LOADINGJOB`	`run loading job <ljName>` `show loading status <jobId>` `abort loading job <ljName>` `resume loading job <ljName>`	No
`WRITE_LOADINGJOB`	`create loading job <ljName>` `drop loading job <ljName>`	No
`READ_QUERY`	`show query <qName>`	No
`CREATE_QUERY`	`create query <qName>` `create or replace query <qName>` when `<qName>` does not exist	No
`UPDATE_QUERY`	`create or replace query <qName>` when `<qName>` exists	No
`DROP_QUERY`	`drop query <qName>`	No
`INSTALL_QUERY`	`install query <qName>`	No
`EXECUTE_QUERY`	`run query <qName>` `interpret query <qName>`	No
`OWNERSHIP`	`show query <qName>` `create or replace query <qName>` `drop query <qName>` `run query <qName>` `interpret query <qName>` `grant <queryPrivileges> on query <queryName> in <gName> to <roleName>` `grant <queryPrivileges> on query <queryName> in <gName> to <userName>` `revoke <queryPrivileges> on query <queryName> in <gName> from <roleName>` `revoke <queryPrivileges> on query <queryName> in <gName> from <userName>`	No
`CREATE_DATA`	Running queries that insert vertices or edges in the allowed scope. For details see Data CRUD privileges.	No
`READ_DATA`	Running queries that read vertex or edge information in the allowed scope. For details see Data CRUD privileges.	No
`UPDATE_DATA`	Running queries that update vertex or edge information in the allowed scope. For details see Data CRUD privileges.	No
`DELETE_DATA`	Running queries that delete vertices or edges in the allowed scope. For details see Data CRUD privileges.	No
`WRITE_DATASOURCE`	`create data_source <dsName>` `grant data_source <dsName>` `revoke data_source <dsName>` `drop data_source <dsName>`	No
`READ_ROLE`	`show role` `show privilege on role <rName>`	No
`WRITE_ROLE`	`create role <rName>` `grant role <rName>` `revoke role <rName>` `drop role <rName>` `grant privilege <pName> on graph <gName> to <rName>` `revoke privilege <pName> on graph <gName> from <rName>`	No
`READ_USER`	`show user` `show privilege on user <uName>` `show secret`	No
`WRITE_USER`	`create user <uName>` `drop user <uName>` `alter password`	Yes
`READ_PROXYGROUP`	`show group`	No
`WRITE_PROXYGROUP`	`create group <pgName> proxy <rule>` `drop group <pgName>`	Yes
`READ_FILE`	`get <fileName> to <path-to-file>`	Yes
`WRITE_FILE`	`put <fileName> from <path-to-file>`	Yes
`DROP_GRAPH`	`drop graph <gName>`	Yes
`EXPORT_GRAPH`	`export graph <gName>`	Yes
`CLEAR_GRAPHSTORE`	`clear graph store`	Yes
`ACCESS_TAG` [Dropped in 4.1]	Operations with schema change jobs involving tags Operations with loading jobs involving tags Operations with queries involving tags	No
`APP_ACCESS_DATA`	Accessing data through TigerGraph Suite applications including GraphStudio and TigerGraph Insights. This privilege only allows you to access the information through TigerGraph Suite applications if you already have access to the data in GSQL. It only pertains to the applications and does not have meaning in GSQL itself.
`DROP_ALL`	`drop all`	Yes

READ_SCHEMA

ls
show vertex <vName>
show edge <eName>
show graph <gName>
show job (<schema_changeJobName>

WRITE_SCHEMA

create schema_change job <scjName>
run schema_change job <scjName>
drop schema_change job <scjName>
create vertex <vName>
drop vertex <vName>
create edge <eName>
drop edge <eName>
create graph <gName>
create global schema_change job <gscjName>
run global schema_change job <gscjName>
drop global schema_change job <gscjName>

READ_LOADINGJOB

show job <loadingJobName>
show data_source <dsName>

EXECUTE_LOADINGJOB

run loading job <ljName>
show loading status <jobId>
abort loading job <ljName>
resume loading job <ljName>

WRITE_LOADINGJOB

create loading job <ljName>
drop loading job <ljName>

READ_QUERY

show query <qName>

CREATE_QUERY

create query <qName>
create or replace query <qName> when <qName> does not exist

UPDATE_QUERY

create or replace query <qName> when <qName> exists

DROP_QUERY

drop query <qName>

INSTALL_QUERY

install query <qName>

EXECUTE_QUERY

run query <qName>
interpret query <qName>

OWNERSHIP

show query <qName>
create or replace query <qName>
drop query <qName>
run query <qName>
interpret query <qName>
grant <queryPrivileges> on query <queryName> in <gName> to <roleName>
grant <queryPrivileges> on query <queryName> in <gName> to <userName>
revoke <queryPrivileges> on query <queryName> in <gName> from <roleName>
revoke <queryPrivileges> on query <queryName> in <gName> from <userName>

CREATE_DATA

Running queries that insert vertices or edges in the allowed scope. For details see Data CRUD privileges.

READ_DATA

Running queries that read vertex or edge information in the allowed scope. For details see Data CRUD privileges.

UPDATE_DATA

Running queries that update vertex or edge information in the allowed scope. For details see Data CRUD privileges.

DELETE_DATA

Running queries that delete vertices or edges in the allowed scope. For details see Data CRUD privileges.

WRITE_DATASOURCE

create data_source <dsName>
grant data_source <dsName>
revoke data_source <dsName>
drop data_source <dsName>

READ_ROLE

show role
show privilege on role <rName>

WRITE_ROLE

create role <rName>
grant role <rName>
revoke role <rName>
drop role <rName>
grant privilege <pName> on graph <gName> to <rName>
revoke privilege <pName> on graph <gName> from <rName>

READ_USER

show user
show privilege on user <uName>
show secret

WRITE_USER

create user <uName>
drop user <uName>
alter password

Yes

READ_PROXYGROUP

show group

WRITE_PROXYGROUP

create group <pgName> proxy <rule>
drop group <pgName>

Yes

READ_FILE

get <fileName> to <path-to-file>

Yes

WRITE_FILE

put <fileName> from <path-to-file>

Yes

DROP_GRAPH

drop graph <gName>

Yes

EXPORT_GRAPH

export graph <gName>

Yes

CLEAR_GRAPHSTORE

clear graph store

Yes

ACCESS_TAG

[Dropped in 4.1]

Operations with schema change jobs involving tags
Operations with loading jobs involving tags
Operations with queries involving tags

APP_ACCESS_DATA

Accessing data through TigerGraph Suite applications including GraphStudio and TigerGraph Insights.

This privilege only allows you to access the information through TigerGraph Suite applications if you already have access to the data in GSQL. It only pertains to the applications and does not have meaning in GSQL itself.

DROP_ALL

drop all

Yes