From 12458ac05f5c447fa2f04a341507dba02fe53cbf Mon Sep 17 00:00:00 2001 From: Andreja Tonev Date: Fri, 10 Oct 2025 16:27:18 +0200 Subject: [PATCH 1/2] Added detailed list of queries and their privileges --- .../query-privileges.mdx | 268 ++++++++++++++++++ .../role-based-access-control.mdx | 6 + 2 files changed, 274 insertions(+) create mode 100644 pages/database-management/authentication-and-authorization/query-privileges.mdx diff --git a/pages/database-management/authentication-and-authorization/query-privileges.mdx b/pages/database-management/authentication-and-authorization/query-privileges.mdx new file mode 100644 index 000000000..229ebe32f --- /dev/null +++ b/pages/database-management/authentication-and-authorization/query-privileges.mdx 
@@ -0,0 +1,268 @@ +--- +title: Query privileges reference +description: Comprehensive reference for query privileges and required permissions in Memgraph. +--- + +import { Callout } from 'nextra/components' + +# Query privileges reference Enterprise + +This comprehensive reference provides detailed information about the privilege system in Memgraph, including which privileges are required for different types of queries and operations. + + +This page complements the [Role-based access control](/database-management/authentication-and-authorization/role-based-access-control) documentation by providing detailed privilege requirements for specific queries and operations. + + +## Overview + +Memgraph's privilege system controls access to various database operations through a comprehensive set of privileges. The system analyzes queries and determines the required privileges using the `PrivilegeExtractor` class, which implements the visitor pattern to traverse the Abstract Syntax Tree (AST) and extract privilege requirements. 
+ +## Cypher query privileges + +### Basic operations + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `CREATE` | `CREATE` | `CREATE (n:Person {name: "Alice"})` | +| `MATCH` | `MATCH` | `MATCH (n:Person) RETURN n` | +| `DELETE` | `DELETE` | `MATCH (n) DELETE n` | +| `MERGE` | `MERGE` | `MERGE (n:Person {id: 1})` | +| `SET` (properties) | `SET` | `MATCH (n) SET n.name = "Bob"` | +| `SET` (labels) | `SET` | `MATCH (n) SET n:Employee` | +| `REMOVE` (properties) | `REMOVE` | `MATCH (n) REMOVE n.temp` | +| `REMOVE` (labels) | `REMOVE` | `MATCH (n) REMOVE n:Temp` | + +### Complex queries + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `MATCH` + `DELETE` | `MATCH`, `DELETE` | `MATCH (n) DELETE n` | +| `MATCH` + `CREATE` | `MATCH`, `CREATE` | `MATCH (n) CREATE (m)-[:KNOWS]->(n)` | +| `MATCH` + `SET` | `MATCH`, `SET` | `MATCH (n) SET n.updated = true` | +| `MATCH` + `REMOVE` | `MATCH`, `REMOVE` | `MATCH (n) REMOVE n:Old` | + +## Index operations + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `CREATE INDEX` | `INDEX` | `CREATE INDEX ON :Person(name)` | +| `DROP INDEX` | `INDEX` | `DROP INDEX ON :Person(name)` | +| `CREATE EDGE INDEX` | `INDEX` | `CREATE EDGE INDEX ON :KNOWS` | +| `CREATE TEXT INDEX` | `INDEX` | `CREATE TEXT INDEX ON :Person(name)` | +| `CREATE VECTOR INDEX` | `INDEX` | `CREATE VECTOR INDEX ON :Document(embedding)` | +| `CREATE TEXT EDGE INDEX` | `INDEX` | `CREATE TEXT EDGE INDEX ON :KNOWS(description)` | +| `CREATE VECTOR EDGE INDEX` | `INDEX` | `CREATE VECTOR EDGE INDEX ON :SIMILAR(embedding)` | +| `ANALYZE GRAPH` | `INDEX` | `ANALYZE GRAPH` | +| `DROP ALL INDEXES` | `INDEX` | `DROP ALL INDEXES` | + +## Constraint operations + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `CREATE CONSTRAINT` | `CONSTRAINT` | `CREATE CONSTRAINT ON (n:Person) ASSERT n.id IS 
UNIQUE` | +| `DROP CONSTRAINT` | `CONSTRAINT` | `DROP CONSTRAINT ON (n:Person) ASSERT n.id IS UNIQUE` | +| `DROP ALL CONSTRAINTS` | `CONSTRAINT` | `DROP ALL CONSTRAINTS` | + +## Authentication and authorization + +| Query Type | Required Privileges | Special Cases | +|------------|-------------------|---------------| +| `CREATE ROLE` | `AUTH` | | +| `DROP ROLE` | `AUTH` | | +| `SHOW ROLES` | `AUTH` | | +| `CREATE USER` | `AUTH` | | +| `SET PASSWORD` | `AUTH` | | +| `CHANGE PASSWORD` | **None** | Users can change their own password | +| `DROP USER` | `AUTH` | | +| `SHOW CURRENT USER` | **None** | Users can always see their own info | +| `SHOW CURRENT ROLE` | **None** | Users can always see their current role | +| `SHOW USERS` | `AUTH` | | +| `SET ROLE` | `AUTH` | | +| `CLEAR ROLE` | `AUTH` | | +| `GRANT PRIVILEGE` | `AUTH` | | +| `DENY PRIVILEGE` | `AUTH` | | +| `REVOKE PRIVILEGE` | `AUTH` | | +| `SHOW PRIVILEGES` | `AUTH` | | +| `SHOW ROLE FOR USER` | `AUTH` | | +| `SHOW USERS FOR ROLE` | `AUTH` | | +| `GRANT DATABASE TO USER` | `AUTH` | | +| `DENY DATABASE FROM USER` | `AUTH` | | +| `REVOKE DATABASE FROM USER` | `AUTH` | | +| `SHOW DATABASE PRIVILEGES` | `AUTH` | | +| `SET MAIN DATABASE` | `AUTH` | | +| `GRANT IMPERSONATE USER` | `AUTH` | | +| `DENY IMPERSONATE USER` | `AUTH` | | + +## Database information queries + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `SHOW INDEX INFO` | `INDEX` | `SHOW INDEX INFO` | +| `SHOW EDGE TYPES` | `INDEX` | `SHOW EDGE_TYPES INFO` | +| `SHOW NODE LABELS` | `INDEX` | `SHOW NODE_LABELS INFO` | +| `SHOW VECTOR INDEX INFO` | `INDEX` | `SHOW VECTOR INDEX INFO` | +| `SHOW CONSTRAINT INFO` | `CONSTRAINT` | `SHOW CONSTRAINT INFO` | +| `SHOW METRICS` | `STATS` | `SHOW METRICS INFO` | + +## System information queries + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `SHOW STORAGE INFO` | `STATS` | `SHOW STORAGE INFO` | +| `SHOW BUILD INFO` | 
`STATS` | `SHOW BUILD INFO` | +| `SHOW ACTIVE USERS` | `STATS` | `SHOW ACTIVE USERS` | +| `SHOW LICENSE INFO` | `CONFIG` | `SHOW LICENSE INFO` | +| `SHOW INSTANCE` | `STATS` | `SHOW INSTANCE` | +| `SHOW INSTANCES` | `STATS` | `SHOW INSTANCES` | + +## Administrative operations + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `DUMP DATABASE` | `DUMP` | `DUMP DATABASE` | +| `LOCK DATA DIRECTORY` | `DURABILITY` | `LOCK DATA DIRECTORY` | +| `UNLOCK DATA DIRECTORY` | `DURABILITY` | `UNLOCK DATA DIRECTORY` | +| `DATA DIRECTORY LOCK STATUS` | `DURABILITY` | `DATA DIRECTORY LOCK STATUS` | +| `FREE MEMORY` | `FREE_MEMORY` | `FREE MEMORY` | +| `SHOW CONFIG` | `CONFIG` | `SHOW CONFIG` | +| `CREATE TRIGGER` | `TRIGGER` | `CREATE TRIGGER ...` | +| `DROP TRIGGER` | `TRIGGER` | `DROP TRIGGER ...` | +| `SHOW TRIGGERS` | `TRIGGER` | `SHOW TRIGGERS` | +| `SHOW TRIGGER INFO` | `TRIGGER` | `SHOW TRIGGER INFO` | +| `CREATE STREAM` | `STREAM` | `CREATE STREAM ...` | +| `DROP STREAM` | `STREAM` | `DROP STREAM ...` | +| `SET ISOLATION LEVEL` | `CONFIG` | `SET ISOLATION LEVEL ...` | +| `SET STORAGE MODE` | `STORAGE_MODE` | `SET STORAGE MODE ...` | +| `CREATE SNAPSHOT` | `DURABILITY` | `CREATE SNAPSHOT` | +| `RECOVER SNAPSHOT` | `DURABILITY` | `RECOVER SNAPSHOT` | +| `SHOW SNAPSHOTS` | `DURABILITY` | `SHOW SNAPSHOTS` | +| `SHOW NEXT SNAPSHOT` | `DURABILITY` | `SHOW NEXT SNAPSHOT` | +| `SET SETTING` | `CONFIG` | `SET SETTING ...` | +| `SHOW VERSION` | `STATS` | `SHOW VERSION` | +| `SHOW TRANSACTIONS` | `TRANSACTION_MANAGEMENT` | `SHOW TRANSACTIONS` | +| `TERMINATE TRANSACTIONS` | `TRANSACTION_MANAGEMENT` | `TERMINATE TRANSACTIONS 'transaction_id'` | + +## Replication operations + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `REPLICATION` operations | `REPLICATION` | Various replication commands | +| `SHOW REPLICATION ROLE` | `REPLICATION` | `SHOW REPLICATION ROLE` | +| `SHOW REPLICAS` | 
`REPLICATION` | `SHOW REPLICAS` | +| `SHOW REPLICATION LAG` | `COORDINATOR` | `SHOW REPLICATION LAG` | + +## Multi-database operations + +| Query Type | Required Privileges | Special Cases | +|------------|-------------------|---------------| +| `CREATE DATABASE` | `MULTI_DATABASE_EDIT` | | +| `DROP DATABASE` | `MULTI_DATABASE_EDIT` | | +| `RENAME DATABASE` | `MULTI_DATABASE_EDIT` | | +| `DROP DATABASE FORCE` | `MULTI_DATABASE_EDIT`, `TRANSACTION_MANAGEMENT` | Requires both privileges | +| `USE DATABASE` | `MULTI_DATABASE_USE` | | +| `SHOW DATABASE` | **None** | Users can see current database | +| `SHOW DATABASES` | `MULTI_DATABASE_USE` | | + +## Enum operations + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `CREATE ENUM` | `CREATE` | `CREATE ENUM ...` | +| `SHOW ENUMS` | `STATS` | `SHOW ENUMS` | +| `ALTER ENUM ADD VALUE` | `CREATE` | `ALTER ENUM ... ADD VALUE ...` | +| `ALTER ENUM UPDATE VALUE` | `CREATE` | `ALTER ENUM ... UPDATE VALUE ...` | +| `ALTER ENUM REMOVE VALUE` | `DELETE` | `ALTER ENUM ... 
REMOVE VALUE ...` | +| `DROP ENUM` | `DELETE` | `DROP ENUM ...` | + +## TTL operations + +| Query Type | Required Privileges | Note | +|------------|-------------------|------| +| `TTL` operations | `CONFIG`, `INDEX`, `MATCH`, `DELETE` | Requires multiple privileges | + +## Coordinator operations + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `COORDINATOR` operations | `COORDINATOR` | Various coordinator commands | +| `SHOW COORDINATOR SETTINGS` | `COORDINATOR` | `SHOW COORDINATOR SETTINGS` | + +## Schema information + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `SHOW SCHEMA INFO` | `STATS` | `SHOW SCHEMA INFO` | + +## User profile operations + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `USER PROFILE` operations | `PROFILE_RESTRICTION` | User profile management | + +## Procedure calls + +| Procedure Type | Required Privileges | Example | +|----------------|-------------------|---------| +| `mg.get_module_files` | `MODULE_READ` | `CALL mg.get_module_files()` | +| `mg.create_module_file` | `MODULE_WRITE` | `CALL mg.create_module_file(...)` | +| `mg.update_module_file` | `MODULE_WRITE` | `CALL mg.update_module_file(...)` | +| `mg.get_module_file` | `MODULE_READ` | `CALL mg.get_module_file(...)` | +| `mg.delete_module_file` | `MODULE_WRITE` | `CALL mg.delete_module_file(...)` | +| Other procedures | **Procedure-specific** | Depends on procedure definition | + +## File operations + +| Query Type | Required Privileges | Example | +|------------|-------------------|---------| +| `LOAD CSV` | `READ_FILE` | `LOAD CSV FROM "file.csv" AS row` | + +## Special cases + +| Query Type | Required Privileges | Notes | +|------------|-------------------|-------| +| `EXPLAIN` | **Inherits from inner query** | Privileges depend on the explained query | +| `PROFILE` | **Inherits from inner query** | Privileges depend on the 
profiled query | +| `SET SESSION TRACE` | **None** | No privileges required | + +### Examples + +```cypher +-- EXPLAIN inherits privileges from the inner query +EXPLAIN MATCH (n:Person) RETURN n; -- Requires MATCH privilege + +-- PROFILE inherits privileges from the inner query +PROFILE CREATE (n:Person {name: "Alice"}); -- Requires CREATE privilege +``` + +## Troubleshooting + +### Common privilege errors + + +If you encounter "Vertex not created due to not having enough permission!" errors, you likely need to grant fine-grained access control privileges to the user. + + +### Checking privileges + +```cypher +-- Show all privileges for a user or role +SHOW PRIVILEGES FOR username; + +-- Show privileges in specific database context +SHOW PRIVILEGES FOR username ON DATABASE db_name; + +-- Show current user's privileges +SHOW PRIVILEGES FOR CURRENT USER; +``` + +### Privilege inheritance + +Remember that: +- **Grants**: If any role grants a permission, the user has that permission +- **Denies**: If any role denies a permission, the user is denied that permission +- **Database Access**: If any role grants access to a database, the user has access +- **Fine-grained Permissions**: Combined using the same grant/deny logic + + +Privilege changes take effect after the user reconnects to the database. + diff --git a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx index e83499792..fc8e42a2e 100644 --- a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx +++ b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx 
@@ -172,10 +172,16 @@ of the following commands: | Privilege to change [storage mode](/fundamentals/storage-memory-usage#storage-modes). | `STORAGE_MODE` | | Privilege to manage [multi-tenant databases](/database-management/multi-tenancy). | `MULTI_DATABASE_EDIT` | | Privilege to use a database within the multi-tenant architecture. | `MULTI_DATABASE_USE` | +| Privilege to configure [high-availability](/clustering/high-availability) coordinators. | `COORDINATOR` | +| Privilege to [impersonate other users](/database-management/authentication-and-authorization/impersonate-user). | `IMPERSONATE_USER` | | Privilege to set limits and monitor resource usage per user. | `PROFILE_RESTRICTION` | | Privileges to specific labels. | `ALL LABELS` | | Privileges to specific relationships types. | `ALL EDGE TYPES` | + +For a comprehensive reference of which privileges are required for specific queries and operations, see the [Query privileges reference](/database-management/authentication-and-authorization/query-privileges) documentation. + + ## Authentication and authorization requirements From 4738d0db22aa0247484977822257a94b397d0989 Mon Sep 17 00:00:00 2001 From: Matea Pesic <80577904+matea16@users.noreply.github.com> Date: Mon, 13 Oct 2025 10:03:32 +0200 Subject: [PATCH 2/2] Apply suggestions from code review --- .../query-privileges.mdx | 30 ++++++++++--------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/pages/database-management/authentication-and-authorization/query-privileges.mdx b/pages/database-management/authentication-and-authorization/query-privileges.mdx index 229ebe32f..d24575f88 100644 --- a/pages/database-management/authentication-and-authorization/query-privileges.mdx +++ b/pages/database-management/authentication-and-authorization/query-privileges.mdx 
@@ -13,7 +13,6 @@ This comprehensive reference provides detailed information about the privilege s This page complements the [Role-based access control](/database-management/authentication-and-authorization/role-based-access-control) documentation by providing detailed privilege requirements for specific queries and operations. -## Overview Memgraph's privilege system controls access to various database operations through a comprehensive set of privileges. The system analyzes queries and determines the required privileges using the `PrivilegeExtractor` class, which implements the visitor pattern to traverse the Abstract Syntax Tree (AST) and extract privilege requirements. @@ -72,10 +71,10 @@ Memgraph's privilege system controls access to various database operations throu | `SHOW ROLES` | `AUTH` | | | `CREATE USER` | `AUTH` | | | `SET PASSWORD` | `AUTH` | | -| `CHANGE PASSWORD` | **None** | Users can change their own password | +| `CHANGE PASSWORD` | **None** | Users can change their own password. | | `DROP USER` | `AUTH` | | -| `SHOW CURRENT USER` | **None** | Users can always see their own info | -| `SHOW CURRENT ROLE` | **None** | Users can always see their current role | +| `SHOW CURRENT USER` | **None** | Users can always see their own info. | +| `SHOW CURRENT ROLE` | **None** | Users can always see their current role. | | `SHOW USERS` | `AUTH` | | | `SET ROLE` | `AUTH` | | | `CLEAR ROLE` | `AUTH` | | @@ -146,7 +145,7 @@ Memgraph's privilege system controls access to various database operations throu | Query Type | Required Privileges | Example | |------------|-------------------|---------| -| `REPLICATION` operations | `REPLICATION` | Various replication commands | +| `REPLICATION` operations | `REPLICATION` | Various replication commands. | | `SHOW REPLICATION ROLE` | `REPLICATION` | `SHOW REPLICATION ROLE` | | `SHOW REPLICAS` | `REPLICATION` | `SHOW REPLICAS` | | `SHOW REPLICATION LAG` | `COORDINATOR` | `SHOW REPLICATION LAG` | 
@@ -158,9 +157,9 @@ Memgraph's privilege system controls access to various database operations throu | `CREATE DATABASE` | `MULTI_DATABASE_EDIT` | | | `DROP DATABASE` | `MULTI_DATABASE_EDIT` | | | `RENAME DATABASE` | `MULTI_DATABASE_EDIT` | | -| `DROP DATABASE FORCE` | `MULTI_DATABASE_EDIT`, `TRANSACTION_MANAGEMENT` | Requires both privileges | +| `DROP DATABASE FORCE` | `MULTI_DATABASE_EDIT`, `TRANSACTION_MANAGEMENT` | Requires both privileges. | | `USE DATABASE` | `MULTI_DATABASE_USE` | | -| `SHOW DATABASE` | **None** | Users can see current database | +| `SHOW DATABASE` | **None** | Users can see current database. | | `SHOW DATABASES` | `MULTI_DATABASE_USE` | | ## Enum operations @@ -178,13 +177,13 @@ Memgraph's privilege system controls access to various database operations throu | Query Type | Required Privileges | Note | |------------|-------------------|------| -| `TTL` operations | `CONFIG`, `INDEX`, `MATCH`, `DELETE` | Requires multiple privileges | +| `TTL` operations | `CONFIG`, `INDEX`, `MATCH`, `DELETE` | Requires multiple privileges. | ## Coordinator operations | Query Type | Required Privileges | Example | |------------|-------------------|---------| -| `COORDINATOR` operations | `COORDINATOR` | Various coordinator commands | +| `COORDINATOR` operations | `COORDINATOR` | Various coordinator commands. | | `SHOW COORDINATOR SETTINGS` | `COORDINATOR` | `SHOW COORDINATOR SETTINGS` | ## Schema information @@ -197,7 +196,7 @@ Memgraph's privilege system controls access to various database operations throu | Query Type | Required Privileges | Example | |------------|-------------------|---------| -| `USER PROFILE` operations | `PROFILE_RESTRICTION` | User profile management | +| `USER PROFILE` operations | `PROFILE_RESTRICTION` | User profile management. | ## Procedure calls 
@@ -208,7 +207,7 @@ Memgraph's privilege system controls access to various database operations throu | `mg.update_module_file` | `MODULE_WRITE` | `CALL mg.update_module_file(...)` | | `mg.get_module_file` | `MODULE_READ` | `CALL mg.get_module_file(...)` | | `mg.delete_module_file` | `MODULE_WRITE` | `CALL mg.delete_module_file(...)` | -| Other procedures | **Procedure-specific** | Depends on procedure definition | +| Other procedures | **Procedure-specific** | Depends on procedure definition. | ## File operations @@ -220,9 +219,9 @@ Memgraph's privilege system controls access to various database operations throu | Query Type | Required Privileges | Notes | |------------|-------------------|-------| -| `EXPLAIN` | **Inherits from inner query** | Privileges depend on the explained query | -| `PROFILE` | **Inherits from inner query** | Privileges depend on the profiled query | -| `SET SESSION TRACE` | **None** | No privileges required | +| `EXPLAIN` | **Inherits privileges from inner query** | Privileges depend on the explained query. | +| `PROFILE` | **Inherits privileges from inner query** | Privileges depend on the profiled query. | +| `SET SESSION TRACE` | **None** | No privileges required. | ### Examples @@ -251,6 +250,9 @@ SHOW PRIVILEGES FOR username; -- Show privileges in specific database context SHOW PRIVILEGES FOR username ON DATABASE db_name; +-- Verify the current logged-in user +SHOW CURRENT USER; + -- Show current user's privileges SHOW PRIVILEGES FOR CURRENT USER; ```
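Review bot: in the new `query-privileges.mdx` hunk, the closing callout `Privilege changes take effect after the user reconnects to the database.` implies that a `REVOKE PRIVILEGE` or `DENY PRIVILEGE` leaves an already-connected session running with its old privileges until it disconnects; for a privilege reference that consequence should be stated explicitly rather than left to inference, and the Troubleshooting section could point operators who need the change to apply immediately at the `SHOW ACTIVE USERS` and `TERMINATE TRANSACTIONS` rows the same page lists. Two smaller points in the same hunk: the `cypher` blocks under `### Examples` and `### Checking privileges` use `--` as a comment prefix (`-- EXPLAIN inherits privileges from the inner query`), but Cypher line comments start with `//`, so the examples fail to parse when pasted; and the "Database information queries" table names queries differently in its two columns (`SHOW EDGE TYPES` vs `SHOW EDGE_TYPES INFO`, `SHOW NODE LABELS` vs `SHOW NODE_LABELS INFO`, `SHOW METRICS` vs `SHOW METRICS INFO`), while `SHOW LICENSE INFO` (`CONFIG`) and `SHOW REPLICATION LAG` (`COORDINATOR`) sit in tables whose other rows use `STATS` and `REPLICATION` with no Note cell saying why, which a reader auditing a role's grants will take for a typo unless the outlier is confirmed as intentional.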
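Review bot: the `role-based-access-control.mdx` hunk adds `IMPERSONATE_USER` to the privilege table, but the query reference it links to lists only `GRANT IMPERSONATE USER` and `DENY IMPERSONATE USER` (both under `AUTH`) and has no row saying which operation `IMPERSONATE_USER` itself gates; since impersonation lets one session act under another user's grants, suggest a row in the reference for the impersonation action itself and a sentence here on how the impersonating session's effective privileges relate to the target user's. Minor: the unchanged context line `Privileges to specific relationships types.` should read `relationship types`.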
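Review bot: in the `@@ -13,7 +13,6 @@` hunk, dropping `## Overview` leaves the sentence about the `PrivilegeExtractor` class, the visitor pattern and the AST as the page's lead paragraph; that is an implementation detail a role administrator cannot act on and it goes stale as soon as the class is renamed, so suggest trimming it to the user-facing statement that Memgraph derives the required privileges from the parsed query, and keeping any class name out of the reference.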
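Review bot: in the `@@ -251,6 +250,9 @@` hunk, the added `-- Verify the current logged-in user` line repeats the `--` comment prefix used elsewhere in this block; Cypher line comments are `//`, so the block still does not run as pasted. Also consider placing `SHOW CURRENT USER;` before `SHOW PRIVILEGES FOR username;` or directly beside `SHOW PRIVILEGES FOR CURRENT USER;`, since confirming which user the session runs as is the step that precedes reading a privilege list, and the authentication table on this page already marks `SHOW CURRENT USER` as requiring no privilege.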