User Management

This page explains the procedures for various user management tasks under TigerGraph’s role-based access control (RBAC) model.

To see user management tasks under the Access Control List (ACL) model, see ACL Management.

Create a user

You can run the CREATE USER command to create a user.

The username cannot contain the following characters: \ ,` ` ( , ), [, ], :, <, >, ;, ,, @, \r, \n, \f, \t, \\, \0, \b. It also cannot start with a dot . or have multiple dots in a sequence.

You can use non-ASCII characters, such as Chinese and Kanji characters.

Syntax

CREATE USER

Required privilege

WRITE_USER

Procedure

  1. From the GSQL shell, run the CREATE USER command:

    GSQL > CREATE USER

  2. Enter the user information in the prompts that follow:

    Example: Create user
    User Name : frank@email.com
    New Password : ************
    Re-enter Password : ************
    The user "frank" is created.

View roles of a user

Syntax

SHOW USER

Required privilege

READ_USER for displaying roles of other users

Procedure

  1. From the GSQL shell, run the SHOW USER command:

    GSQL > SHOW USER

If the user running the command has the READ_USER privilege, role information on all users will be displayed. Otherwise, only the current user’s roles will be displayed.

View privileges of a user

Users with the READ_USER privilege in a scope can view the RBAC privileges of the users in that scope.

Syntax

SHOW PRIVILEGE ON USER <username> (, <username>)*

Required privilege

READ_USER

Procedure

  1. From the GSQL shell, run the SHOW PRIVILEGE ON USER command:

    GSQL > SHOW PRIVILEGE ON USER tigergraph

The above command will show the privileges of user tigergraph:

User: "tigergraph"
  - Global Privileges:
    READ_SCHEMA
    WRITE_SCHEMA
    READ_LOADINGJOB
    EXECUTE_LOADINGJOB
    WRITE_LOADINGJOB
    READ_QUERY
    WRITE_QUERY
    READ_DATA
    WRITE_DATA
    WRITE_DATASOURCE
    READ_ROLE
    WRITE_ROLE
    READ_USER
    WRITE_USER
    READ_PROXYGROUP
    WRITE_PROXYGROUP
    READ_FILE
    WRITE_FILE
    DROP_GRAPH
    EXPORT_GRAPH
    CLEAR_GRAPHSTORE
    DROP_ALL
    ACCESS_TAG
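
The following Python sketch is an added example, not part of the TigerGraph documentation. It parses output in the format shown above and lists accounts that hold administrative privileges without being on an approved admin list. The `SENSITIVE` set, the allow-list, the `report_reader` user, and the assumption that multi-user output repeats the `User:` / `- <section>:` layout are all assumptions of this example.

```python
import re

# Assumption: privileges this review treats as administrative; adjust to local policy.
SENSITIVE = {"WRITE_USER", "WRITE_ROLE", "DROP_ALL", "DROP_GRAPH", "CLEAR_GRAPHSTORE"}

USER_RE = re.compile(r'^User:\s*"([^"]+)"\s*$')
SECTION_RE = re.compile(r'^\s*-\s*(.+?):\s*$')   # e.g. "  - Global Privileges:"
PRIV_RE = re.compile(r'^\s+([A-Z][A-Z_]*)\s*$')  # e.g. "    READ_SCHEMA"


def parse_privileges(text):
    """Return {user: {section: [privilege, ...]}} from SHOW PRIVILEGE ON USER output."""
    result, user, section = {}, None, None
    for line in text.splitlines():
        if m := USER_RE.match(line):
            user, section = m.group(1), None
            result[user] = {}
        elif user and (m := SECTION_RE.match(line)):
            section = m.group(1)
            result[user][section] = []
        elif user and section and (m := PRIV_RE.match(line)):
            result[user][section].append(m.group(1))
    return result


def flag_sensitive(parsed, allowed_admins=()):
    """Return {user: sorted sensitive privileges} for users not on the admin allow-list."""
    findings = {}
    for user, sections in parsed.items():
        held = {p for privs in sections.values() for p in privs} & SENSITIVE
        if held and user not in allowed_admins:
            findings[user] = sorted(held)
    return findings


# Constructed sample: the first user is abbreviated from the output shown above,
# the second user ("report_reader") is hypothetical.
SAMPLE = '''User: "tigergraph"
  - Global Privileges:
    READ_SCHEMA
    WRITE_USER
    DROP_ALL
User: "report_reader"
  - Global Privileges:
    READ_DATA
    READ_QUERY
    WRITE_ROLE
'''

if __name__ == "__main__":
    for user, privs in flag_sensitive(parse_privileges(SAMPLE), {"tigergraph"}).items():
        print(f"{user}: {', '.join(privs)}")
```

Feed it the captured output of `SHOW PRIVILEGE ON USER` for the accounts under review; any user it reports is a candidate for `REVOKE ROLE`.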

Grant a role to a user/proxy group

Syntax

GRANT ROLE <role_name1> (, <role_name2>)* [ON GRAPH <graph_name>]
  TO <username1>|<proxy_group_name1> (, <username2> | <proxy_group_name2>)*

Required privilege

WRITE_ROLE

Procedure

  1. Start the GSQL shell and make sure you are using the correct graph:

    $ gsql
    GSQL > USE GRAPH example_graph

  2. From the GSQL shell, run the GRANT ROLE command. You can grant multiple roles to multiple users:

    GSQL > GRANT ROLE role1 , role2 ON GRAPH example_graph TO user1, user2

The above command will grant roles role1 and role2 on graph example_graph to users user1 and user2.

Revoke a role from a user

Syntax

REVOKE ROLE <roleName1> (, <roleName2>)* [ON GRAPH <graphName>]
        FROM <userName1> (, <userName2>)*

Required privilege

WRITE_ROLE

Procedure

  1. Start the GSQL shell and make sure you are using the correct graph:

    $ gsql
    GSQL > USE GRAPH example_graph

  2. From the GSQL shell, run the REVOKE ROLE command. You can revoke multiple roles from multiple users at the same time:

    GSQL > REVOKE ROLE role1, role2 ON GRAPH example_graph
            FROM user1, user2

The above command will revoke roles role1 and role2 on graph example_graph from users user1 and user2.

Change a user’s password

Users can change their own passwords used for login without needing any privilege. Users with the WRITE_USER privilege can change the passwords of other users.

Syntax

ALTER PASSWORD <username>

Required privilege

WRITE_USER for changing the password of a user other than the current user

Procedure

  1. From the GSQL shell, run the following command. Replace username with the user whose password you want to change:

    GSQL > ALTER PASSWORD username

  2. Enter the new password in the prompt that follows.

To see how to change a user’s ACL password, see Change ACL password.

Drop a user

Syntax

DROP USER <user1> (,<user2>)*

Required privilege

WRITE_USER

Procedure

  1. From the GSQL shell, run the DROP USER command. You can drop multiple users in the same command.

    GSQL > DROP USER user1, user2

  2. GSQL will confirm that the users you entered have been dropped.