Role Management
This page explains the procedures for various role management tasks under TigerGraph's authorization model.
Create a local role
Syntax
Required privilege
WRITE_ROLE
Procedure
To create a local role, run the CREATE ROLE command like below. If you choose not to specify a graph in the command, the current scope will be used as the scope of the role:
This will create two roles named role1 and role2 on graph example_graph. By default, these two roles do not have any privilege:
Create a global role
Syntax
Required privilege
WRITE_ROLE on the global scope
Procedure
To create a global role, run the CREATE ROLE command like below. Replace role1 with the name of the role you are creating.
This will create a role named role1 on the global scope. By default, this role has no privileges:
View privileges of a role
Syntax
Required privilege
READ_ROLE
Procedure
To view the privileges of a role, run the SHOW PRIVILEGE ON ROLE command, and replace role1, role2 with the names of the roles whose privileges you want to view:
This will show the privileges of the roles role1 and role2:
List all existing roles
Syntax
Required privilege
READ_ROLE
Procedure
To list all existing roles, first ensure that you are in the correct scope. Run USE <graph_name> or USE GLOBAL to switch to your desired scope.
Run the SHOW ROLE command:
This will show all the roles in your current scope:
Grant privileges to a role
Syntax
Required privilege
WRITE_ROLE
Procedure
To grant privileges to a role, run the GRANT PRIVILEGE command from the GSQL shell:
This will allow users with the roles role1 and role2 to edit and install queries, as well as modify roles on the graph example_graph. To see a full list of privileges and the commands they allow users to run, see List of Privileges.
Revoke privileges from a role
Syntax
Required privilege
WRITE_ROLE
Procedure
To revoke privileges from a role, run the REVOKE PRIVILEGE command from the GSQL shell:
This will revoke the WRITE_QUERY privilege from the role role1 on graph example_graph.
Drop a role
Syntax
Required privilege
WRITE_ROLE
Procedure
To drop a role, run the DROP ROLE command from the GSQL shell:
This will drop the roles role1 and role2. This will also revoke the roles from users who have been granted these roles.
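The create, grant, review, revoke and drop procedures above, run as one GSQL shell session against example_graph. This is an added example, not taken from the TigerGraph documentation; the statement forms are assumed from the commands and names on this page, and the session is assumed to already be in the example_graph scope with WRITE_ROLE and READ_ROLE, so check the syntax against the reference for your version.

```gsql
# Added example: role lifecycle on one graph, using the names from this page.

# 1. Create the roles. New roles start with no privileges.
CREATE ROLE role1, role2 ON GRAPH example_graph

# 2. Grant only what the roles need. WRITE_ROLE is included here because
#    the page's grant example includes it; treat it as sensitive, since it is
#    the privilege required to run GRANT PRIVILEGE and REVOKE PRIVILEGE.
GRANT PRIVILEGE WRITE_QUERY, WRITE_ROLE ON GRAPH example_graph TO role1, role2

# 3. Review what was actually granted before assigning the roles to users.
SHOW PRIVILEGE ON ROLE role1, role2

# 4. Remove a privilege that role1 no longer needs.
REVOKE PRIVILEGE WRITE_QUERY ON GRAPH example_graph FROM role1

# 5. Confirm the revoke took effect. role1 still holds WRITE_ROLE at this
#    point, so holders of role1 can still change role privileges on the graph.
SHOW PRIVILEGE ON ROLE role1

# 6. If that is not intended, revoke WRITE_ROLE from role1 as well.
REVOKE PRIVILEGE WRITE_ROLE ON GRAPH example_graph FROM role1
SHOW PRIVILEGE ON ROLE role1

# 7. Retire the roles. Dropping a role also revokes it from every user
#    who was granted it, so list the remaining roles afterwards to confirm.
DROP ROLE role1, role2
SHOW ROLE
```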