Last Updated: October 20, 2018

Understanding roles, privileges, and fine-grained access control in TigerGraph.
RBAC & Roles
TigerGraph's security model centers on Roles, which are collections of Privileges assigned to Scopes (Global or Graph-specific).
1. Built-in Roles
TigerGraph comes with several predefined roles that cover common use cases:
| Role | Description |
|---|---|
| superuser | Full access to all graphs and global system settings. |
| admin | Full access to a specific graph (Schema, Data, Queries). |
| designer | Can modify schema and write queries, but cannot manage users. |
| querywriter | Can write and execute queries, but cannot change the schema. |
| queryreader | Can only execute existing queries. |
| observer | Read-only access to the schema and data. |
2. Global vs. Local Roles
- Global Roles: Exist across the entire system. Privileges granted to a global role apply to all graphs.
- Local Roles: Exist only within a specific graph scope.
```gsql
# Create a global role
CREATE ROLE analyst ON GLOBAL

# Create a local role for a specific graph
CREATE ROLE marketing_viewer ON GRAPH MarketingGraph
```
3. Fine-Grained Privileges
TigerGraph allows you to grant privileges at three distinct levels of granularity:
Graph Level
Grants access to all objects within a graph.
```gsql
GRANT READ ON ALL DATA IN GRAPH MyGraph TO analyst
```
Type Level
Grants access only to specific vertex or edge types.
```gsql
GRANT READ ON VERTEX Person IN GRAPH MyGraph TO hr_role
```
Attribute Level
The most granular level; it restricts access to specific attributes of a vertex or edge type. Attributes that are not listed in the grant remain hidden from the role, which is how sensitive fields are kept out of reach of broad-audience roles.

```gsql
# Hide sensitive fields while allowing access to others
GRANT READ ON VERTEX Person ATTRIBUTE id, age IN GRAPH MyGraph TO public_role
```
4. Granting and Revoking
Assigning a role to a user links them to the role's privileges; revoking the role removes all of those privileges in one step.

```gsql
# Grant a role to a user
GRANT ROLE admin ON GRAPH MyGraph TO user1

# Revoke a role
REVOKE ROLE designer ON GRAPH MyGraph FROM user2
```
> [!IMPORTANT]
> To view the current status of a role's permissions, use:

```gsql
SHOW PRIVILEGE ON ROLE my_role
```
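The following script ties sections 2, 3 and 4 together into one least-privilege workflow: a graph-local role that can read only the non-sensitive attributes of a vertex type, bound to a user, verified, and finally revoked. It is an added example, not code from the TigerGraph Book, and it uses only the statement forms shown on this page; the graph `HRGraph`, vertex type `Employee`, attributes `emp_id` and `dept`, role `hr_reporting` and user `alice` are assumed names chosen for illustration. Check the statements against the GSQL reference for the TigerGraph version you run.

```gsql
# Added example (not from the TigerGraph Book): least-privilege role setup.
# HRGraph, Employee, emp_id, dept, hr_reporting and alice are assumed names.

# 1. Scope the role to one graph instead of creating it ON GLOBAL, so the
#    privileges it carries cannot apply to any other graph on the system.
CREATE ROLE hr_reporting ON GRAPH HRGraph

# 2. Grant read access to only the attributes this role needs. Any attribute
#    of Employee that is not listed here (a salary field, for example) stays
#    hidden from members of the role.
GRANT READ ON VERTEX Employee ATTRIBUTE emp_id, dept IN GRAPH HRGraph TO hr_reporting

# 3. Bind the user to the role rather than granting privileges to the user
#    directly, so the same policy can be reviewed and reused for other users.
GRANT ROLE hr_reporting ON GRAPH HRGraph TO alice

# 4. Verify what the role can actually see before handing out credentials.
SHOW PRIVILEGE ON ROLE hr_reporting

# 5. Offboarding: revoking the role removes every privilege it carried at once,
#    with no need to track down individual grants.
REVOKE ROLE hr_reporting ON GRAPH HRGraph FROM alice
```

The design point is that the user never receives a privilege directly: everything flows through the graph-local role, so `SHOW PRIVILEGE ON ROLE hr_reporting` is the single place to audit what `alice` could read, and a single `REVOKE ROLE` is enough to remove that access.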
TigerGraph Book, v1.0 (Curated)