This page provides a complete list of privileges in TigerGraph's Role-based Access Control system.
Any privilege marked “on global only” can only be granted to a global role. It cannot be granted to a local role (see Global role vs local role).
The command IMPORT GRAPH <gName> needs multiple privileges, e.g. WRITE_SCHEMA, WRITE_LOADINGJOB, WRITE_QUERY and so on.
To run the command CREATE SECRET on a graph, the user must have at least one of these database access privileges on that graph: READ_DATA, WRITE_DATA or EXECUTE_LOADINGJOB. Thus the built-in queryreader role and above can create secrets on a graph, but the observer role cannot.
| Privilege Name | Commands Associated | Global Only |
|---|---|---|
| READ_SCHEMA | ls; show vertex <vName>; show edge <eName>; show graph <gName>; show job (<schema_changeJobName> | No |
| WRITE_SCHEMA | create schema_change job <scjName>; run schema_change job <scjName>; drop schema_change job <scjName>; create vertex <vName>; drop vertex <vName>; create edge <eName>; drop edge <eName>; create graph <gName>; create global schema_change job <gscjName>; run global schema_change job <gscjName>; drop global schema_change job <gscjName> | No |
| READ_LOADINGJOB | show job <loadingJobName>; show data_source <dsName> | No |
| EXECUTE_LOADINGJOB | run loading job <ljName>; show loading status <jobId>; abort loading job <ljName>; resume loading job <ljName> | No |
| WRITE_LOADINGJOB | create loading job <ljName>; drop loading job <ljName> | No |
| READ_QUERY | show query <qName> | No |
| WRITE_QUERY | create query <qName>; install query <qName>; drop query <qName> | No |
| READ_DATA | run Read_Only_Query <qName> | No |
| WRITE_DATA | run Query_With_Update <qName> (including create, delete, update in its own or any sub-query) | No |
| WRITE_DATASOURCE | create data_source <dsName>; grant data_source <dsName>; revoke data_source <dsName>; drop data_source <dsName> | No |
| READ_ROLE | show role; show privilege on role <rName> | No |
| WRITE_ROLE | create role <rName>; grant role <rName>; revoke role <rName>; drop role <rName>; grant privilege <pName> on graph <gName> to <rName>; revoke privilege <pName> on graph <gName> from <rName> | No |
| READ_USER | show user; show privilege on user <uName>; show secret | No |
| WRITE_USER | create user <uName>; drop user <uName>; alter password | Yes |
| READ_PROXYGROUP | show group | No |
| WRITE_PROXYGROUP | create group <pgName> proxy <rule>; drop group <pgName> | Yes |
| READ_FILE | get <fileName> to <path-to-file> | Yes |
| WRITE_FILE | put <fileName> from <path-to-file> | Yes |
| DROP_GRAPH | drop graph <gName> | Yes |
| EXPORT_GRAPH | export graph <gName> | Yes |
| CLEAR_GRAPHSTORE | clear graph store | Yes |
| DROP ALL | drop all | Yes |
| ACCESS_TAG | create/drop/run schema_change jobs involving tags; create/drop/install/run queries involving tags; create/drop/run loading jobs involving tags | No |