Skip to main content
Version: 1.6.1

User privileges (Enterprise)

Most databases have multiple users accessing and modifying data within the database. This might pose a serious security concern for the system administrators that wish to grant only certain privileges to certain users. A typical example would be an internal database of some company which tracks data about their employees. Naturally, only certain users of the database should be able to perform queries which modify that data.

At Memgraph, we provide the administrators with the option of granting, denying or revoking a certain set of privileges to some users or groups of users (i.e. users that are assigned a specific user role), thereby eliminating such security concerns.

By default, anyone can connect to Memgraph and is granted all privileges. After the first user is created, Memgraph will execute a query if and only if either a user or its role is granted that privilege and neither the user nor its role are denied that privilege. Otherwise, Memgraph will not execute that specific query. Note that DENY is a stronger operation than GRANT. This is also notable from the fact that if neither the user nor its role are explicitly granted or denied a certain privilege, that user will not be able to perform that specific query. This effect also is known as a silent deny. The information above is neatly condensed in the following table:

User StatusRole StatusEffective Status
GRANTGRANTGRANT
GRANTDENYDENY
GRANTNULLGRANT
DENYGRANTDENY
DENYDENYDENY
DENYNULLDENY
NULLGRANTGRANT
NULLDENYDENY
NULLNULLDENY

All supported commands that deal with accessing or modifying users, user roles and privileges can only be executed by users that are granted the AUTH privilege. All of those commands are listed in the appropriate reference guide.

At the moment, privileges are confined to users' abilities to perform certain OpenCypher queries. Namely users can be given permission to execute a subset of the following commands: CREATE, DELETE, MATCH, MERGE, SET, REMOVE, INDEX, STATS, AUTH, REPLICATION, READ_FILE, DURABILITY, FREE_MEMORY, TRIGGER, STREAM, and CONFIG.

We could naturally cluster those privileges into groups:

  • Privilege to access data (MATCH)
  • Privilege to modify data (MERGE, SET)
  • Privilege to create and delete data (CREATE, DELETE, REMOVE)
  • Privilege to index data (INDEX)
  • Privilege to obtain statistics and information from Memgraph (STATS)
  • Privilege to view and alter users, roles and privileges (AUTH)
  • Privilege to use replication queries (REPLICATION)
  • Privilege to access files in queries, e.g. LOAD CSV clause (READ_FILE)
  • Privilege to manage durability files (DURABILITY)
  • Privilege to try freeing memory (FREE_MEMORY)
  • Privilege to use trigger queries (TRIGGER)
  • Privilege to use stream queries (STREAM)
  • Privilege to configure Memgraph during runtime (CONFIG)

If you are unfamiliar with any of these commands, you can look them up in our Cypher manual.

Similarly, the complete list of commands which can be executed under AUTH privilege can be viewed in the appropriate article within our reference guide.

The remainder of this article outlines a recommended workflow of user management within an internal database of a fictitious company.

Creating an administrator​

As it was stated in the introduction, after the first user is created, Memgraph will execute a query for a given user if the effective status of a corresponding privilege evaluates to GRANT. As a corollary, the person that created the first user might not be able to perform any meaningful action after their session had ended. To prevent that from happening, we strongly recommend the first created user to be an administrator which is granted all privileges.

Therefore, let's create a user named admin and set its' password to 0000. This can be done by executing:

  CREATE USER admin IDENTIFIED BY '0000';

Granting all privileges to our admin user can be done as follows:

  GRANT ALL PRIVILEGES to admin;

At this point, the current user can close their session and log into a new one as an admin user they have just created. The remainder of the article is written from the viewpoint of an administrator which is granted all privileges.

Creating other users​

Our fictitious company is internally divided into teams, and each team has its own supervisor. All employees of the company need to access and modify data within the database.

Creating a user account for a new hire named Alice can be done as follows:

  CREATE USER alice IDENTIFIED BY '0042';

Alice should also be granted a privilege to access data, which can be done by executing the following:

  GRANT MATCH, MERGE, SET TO alice;

Creating user roles​

Each team supervisor needs to have additional privileges that allow them to create new data or delete existing data from the database. Instead of tediously granting additional privileges to each supervisor using language constructs from the previous chapter, we could do so by creating a new user role for supervisors.

Creating a user role named supervisor can be done by executing the following command:

  CREATE ROLE supervisor;

Granting the privilege to create and delete data to our newly created role can be done as follows:

  GRANT CREATE, DELETE, REMOVE TO supervisor;

Finally, we need to assign that role to each of the supervisors. Suppose, a user named bob is indeed a supervisor within the company. Assigning them that role within the database can be done by the following command:

  SET ROLE FOR bob TO supervisor;

Where to next?​

To learn more about Memgraph's functionalities, visit the Reference guide. For real-world examples of how to use Memgraph, we strongly suggest going through one of the available Tutorials.