List of Privileges

This page provides a complete list of privileges in TigerGraph’s Role-based Access Control system.

  • Any privilege marked “on global only” can only be granted to a global role. It cannot be granted to a local role (See Global role vs local role).

    • Local roles are deprecated and will be dropped in a later version.

  • The command IMPORT GRAPH <gName> needs multiple privileges, .e.g WRITE_SCHEMA, WRITE_LOADING_JOB, WRITE_QUERY and so on.

  • To run the command CREATE SECRET on a graph, the user must have at least one of the access database privileges: READ_DATA, WRITE_DATA and EXECUTE_LOADINGJOB on that graph. Thus the built-in queryreader role and above can create secrets on a graph, but the observer role cannot.

Table of Privileges

Privilege Name Commands Associated Global Only

READ_SCHEMA

  • ls

  • show vertex <vName>

  • show edge <eName>

  • show graph <gName>

  • show job (<schema_changeJobName>

No

WRITE_SCHEMA

  • create schema_change job <scjName>

  • run schema_change job <scjName>

  • drop schema_change job <scjName>

  • create vertex <vName>

  • drop vertex <vName>

  • create edge <eName>

  • drop edge <eName>

  • create graph <gName>

  • create global schema_change job <gscjName>

  • run global schema_change job <gscjName>

  • drop global schema_change job <gscjName>

No

READ_LOADINGJOB

  • show job <loadingJobName>

  • show data_source <dsName>

No

EXECUTE_LOADINGJOB

  • run loading job <ljName>

  • show loading status <jobId>

  • abort loading job <ljName>

  • resume loading job <ljName>

No

WRITE_LOADINGJOB

  • create loading job <ljName>

  • drop loading job <ljName>

No

READ_QUERY

show query <qName>

No

WRITE_QUERY

  • create query <qName>

  • install query <qName>

  • drop query <qName>

No

CREATE_DATA

Running queries that insert vertices or edges in the allowed scope. For details see Data CRUD privileges.

NO

READ_DATA

Running queries that read vertex or edge information in the allowed scope. For details see Data CRUD privileges.

No

UPDATE_DATA

Running queries that update vertex or edge information in the allowed scope. For details see Data CRUD privileges.

No

DELETE_DATA

Running queries that delete vertices or edges in the allowed scope. For details see Data CRUD privileges.

No

WRITE_DATASOURCE

  • create data_source <dsName>

  • grant data_source <dsName>

  • revoke data_source <dsName>

  • drop data_source <dsName>

No

READ_ROLE

  • show role

  • show privilege on role <rName>

No

WRITE_ROLE

  • create role <rName>

  • grant role <rName>

  • revoke role <rName>

  • drop role <rName>

  • grant privilege <pName> on graph <gName> to <rName>

  • revoke privilege <pName> on graph <gName> from <rName>

No

READ_USER

  • show user

  • show privilege on user <uName>

  • show secret

No

WRITE_USER

  • create user <uName>

  • drop user <uName>

  • alter password

Yes

READ_PROXYGROUP

show group

No

WRITE_PROXYGROUP

  • create group <pgName> proxy <rule>

  • drop group <pgName>

Yes

READ_FILE

get <fileName> to <path-to-file>

Yes

WRITE_FILE

put <fileName> from <path-to-file>

Yes

DROP_GRAPH

drop graph <gName>

Yes

EXPORT_GRAPH

export graph <gName>

Yes

CLEAR_GRAPHSTORE

clear graph store

Yes

ACCESS_TAG

  • Operations with schema change jobs involving tags

  • Operations with loading jobs involving tags

  • Operations with queries involving tags

No

APP_ACCESS_DATA

Accessing data through TigerGraph Suite applications including GraphStudio and TigerGraph Insights.

This privilege only allows you to access the information through TigerGraph Suite applications if you already have access to the data in GSQL. It only pertains to the applications and does not have meaning in GSQL itself.

DROP_ALL

drop all

Yes