Overview
A database user can access the database system and perform querying and administrative operations based on their assigned privileges.
Ultipa supports both GQL and UQL to manage users in the database.
Naming Conventions
All usernames in the database must be unique and adhere to the following rules:
- Must be between 2 and 64 characters in length.
- Must begin with a letter (A–Z or a–z).
- May contain letters, numbers (0–9), and underscores (
_) only.
Using GQL
Showing Users
To list all database users:
SHOW USER
Creating a User
To create a user johndoe with a password:
CREATE USER johndoe WITH PASSWORD 'mHMUUjQWG46z'
The password of the user must be between 6 to 64 characters in length.
Altering a User
You can alter the username and password of a user.
To rename user johndoe to johndoe_1:
ALTER USER johndoe RENAME TO johndoe_1
To update the password for user admin:
ALTER USER admin SET PASSWORD 'zdcsQ7QFaCCE'
Granting to a User
You can grant privileges and roles to a user. Note that the existing privileges and roles assigned to the user remain unchanged.
System Privileges
To grant system privileges SHOW_POLICY and ALTER_GRAPH to the user johndoe:
GRANT ["SHOW_POLICY", "ALTER_GRAPH"] TO johndoe
To grant all system privileges to the user johndoe:
GRANT * TO johndoe
Graph Privileges
To grant graph privileges READ and UPDATE on the graph amz to the user johndoe:
GRANT ["READ", "UPDATE"] ON amz TO johndoe
To grant all graph privileges on all graphs to the user johndoe:
GRANT * ON * TO johndoe
Property Privileges
To grant the privileges READ and WRITE to properties name and age of the Person nodes in the current graph to the user johndoe:
GRANT ['READ','WRITE'] ON NODE Person (name, age) TO johndoe
To grant the privilege DENY to all properties of all edges in the current graph to the user johndoe:
GRANT ["DENY"] ON EDGE * * TO johndoe
Roles
To grant the role manager to the user johndoe:
GRANT ROLE manager TO johndoe
Revoking from a User
You can revoke privileges and roles from a user.
System Privileges
To revoke system privileges SHOW_POLICY and ALTER_GRAPH from the user johndoe:
REVOKE ["SHOW_POLICY", "ALTER_GRAPH"] FROM johndoe
To revoke all system privileges from the user johndoe:
REVOKE * FROM johndoe
Graph Privileges
To revoke graph privileges READ and UPDATE on the graph amz from the user johndoe:
REVOKE ["READ", "UPDATE"] ON amz FROM johndoe
To revoke all graph privileges on all graphs from the user johndoe:
REVOKE * ON * FROM johndoe
Property Privileges
To revoke the privileges READ and WRITE to properties name and age of the Person nodes in the current graph from the user johndoe:
REVOKE ['READ','WRITE'] ON NODE Person (name, age) FROM johndoe
To revoke the privilege DENY to all properties of all edges in the current graph from the user johndoe:
REVOKE ["DENY"] ON EDGE * * FROM johndoe
Roles
To revoke the role manager from the user johndoe:
REVOKE ROLE manager FROM johndoe
Dropping a User
To drop the user johndoe:
DROP USER johndoe
Using UQL
Showing Users
To list all database users:
show().user()
Or retrieves a specific user, such as the one named root:
show().user("root")
Or retrieves the current logged-in user:
show().self()
Creating a User
You can create a user and assign it privileges and roles at the same time:
create().user("<username>", "<password>").params({
system_privileges: ["<systemPriv>", "<systemPriv>", ...],
// Set <graph> as * to specify all graphs
graph_privileges: {
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
...
},
// Set <graph>/<schema>/<property> as * to specify all graphs/schemas/properties
property_privileges: {
"node": {
"read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
},
"edge": {
"read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
}
},
policies: ["<policy>", "<policy>", ...]
})
To create a user admin with all graph and system privileges:
create().user("admin", "U7MRDBFXd2Ab").params({
graph_privileges: {"*":["READ","INSERT","UPSERT","UPDATE","DELETE","CREATE_SCHEMA","DROP_SCHEMA","ALTER_SCHEMA","SHOW_SCHEMA","RELOAD_SCHEMA","CREATE_PROPERTY","DROP_PROPERTY","ALTER_PROPERTY","SHOW_PROPERTY","CREATE_FULLTEXT","DROP_FULLTEXT","SHOW_FULLTEXT","CREATE_INDEX","DROP_INDEX","SHOW_INDEX","LTE","UFE","CLEAR_JOB","STOP_JOB","SHOW_JOB","ALGO","CREATE_PROJECT","SHOW_PROJECT","DROP_PROJECT","CREATE_HDC_GRAPH","SHOW_HDC_GRAPH","DROP_HDC_GRAPH","COMPACT_HDC_GRAPH","SHOW_VECTOR_INDEX","CREATE_VECTOR_INDEX","DROP_VECTOR_INDEX","SHOW_CONSTRAINT","CREATE_CONSTRAINT","DROP_CONSTRAINT"]},
system_privileges: ["TRUNCATE","COMPACT","CREATE_GRAPH","SHOW_GRAPH","DROP_GRAPH","ALTER_GRAPH","TOP","KILL","STAT","SHOW_POLICY","CREATE_POLICY","DROP_POLICY","ALTER_POLICY","SHOW_USER","CREATE_USER","DROP_USER","ALTER_USER","SHOW_PRIVILEGE","SHOW_META","SHOW_SHARD","ADD_SHARD","DELETE_SHARD","REPLACE_SHARD","SHOW_HDC_SERVER","ADD_HDC_SERVER","DELETE_HDC_SERVER","LICENSE_UPDATE","LICENSE_DUMP","GRANT","REVOKE","SHOW_BACKUP","CREATE_BACKUP","SHOW_VECTOR_SERVER","ADD_VECTOR_SERVER","DELETE_VECTOR_SERVER"]
})
To create a user johndoe with:
- System privileges:
SHOW_GRAPH,ALTER_GRAPH - Graph privileges:
READfor all graphs,SHOW_INDEXandSHOW_JOBfor graphsamzandtrans. - Property privileges:
- Node:
readall node properties - Edge:
writepropertiesrankandassetforedgxedges andreadpropertymarkfor all edges in the graphamz
- Node:
- Roles:
manager
create().user("johndoe", "mHMUUjQWG46z").params({
system_privileges: ["SHOW_GRAPH", "ALTER_GRAPH"],
graph_privileges: {
"*": ["READ", "SHOW_SCHEMA", "SHOW_PROPERTY"],
"amz": ["SHOW_INDEX", "SHOW_JOB"],
"trans": ["SHOW_INDEX", "SHOW_JOB"]
},
property_privileges: {
"node": {
"read": [["*", "*", "*"]]
},
"edge": {
"read": [["amz", "*", "mark"]],
"write": [
["amz", "edgx", "rank"],
["amz", "edgx", "asset"]
]
}
},
policies: ["manager"]
})
Granting to a User
You can grant privileges and roles to a user. Note that the existing privileges and roles assigned to the user remain unchanged.
grant().user("<userName>").params({
system_privileges: ["<systemPriv>", "<systemPriv>", ...],
// Set <graph> as * to specify all graphs
graph_privileges: {
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
...
},
// Set <graph>/<schema>/<property> as * to specify all graphs/schemas/properties
property_privileges: {
"node": {
"read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
},
"edge": {
"read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
}
},
policies: ["<policy>", "<policy>", ...]
})
To grant the graph privileges CREATE_SCHEMA and DROP_SCHEMA of the graphset Tax, and system privilege ADD_HDC_SERVER to the user ultipaUsr:
grant().user("ultipaUsr").params({
graph_privileges: {"Tax": ["CREATE_SCHEMA", "DROP_SCHEMA"]},
system_privileges: ["ADD_HDC_SERVER"]
})
Revoking from a User
You can revoke privileges and roles from a user.
revoke().user("<userName>").params({
system_privileges: ["<systemPriv>", "<systemPriv>", ...],
// Set <graph> as * to specify all graphs
graph_privileges: {
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
...
},
// Set <graph>/<schema>/<property> as * to specify all graphs/schemas/properties
property_privileges: {
"node": {
"read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
},
"edge": {
"read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
"deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
}
},
policies: ["<policy>", "<policy>", ...]
})
To revoke the graph privileges CREATE_SCHEMA and DROP_SCHEMA of the graphset Tax, and system privilege ADD_HDC_SERVER from the user ultipaUsr:
revoke().user("ultipaUsr").params({
graph_privileges: {"Tax": ["CREATE_SCHEMA", "DROP_SCHEMA"]},
system_privileges: ["ADD_HDC_SERVER"]
})
Altering a User
You can alter privileges and roles assigned to a user. Note that only the specified items will be updated, others remain unchanged.
alter().user("<username>").set({
password: "<password>",
graph_privileges: {
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
...
},
system_privileges: ["<systemPriv>", "<systemPriv>", ...],
property_privileges: {
"node": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
},
"edge": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
}
},
policies: ["<policyName>", "<policyName>", ...]
})
To modify user admin's password while keeping all privileges and policies unchanged:
alter().user("admin").set({password: "zdcsQ7QFaCCE"})
To modify user johndoe's graph and property privileges, and policies, while keeping password and system privileges unchanged:
alter().user("johndoe").set({
graph_privileges: {"*": ["UPDATE", "DELETE"]},
property_privileges: {
"node": {
"write": [["miniCircle","*","*"]]
},
"edge": {
"write": [["miniCircle","*","*"]]
}
},
policies: ["sales"]
})
Dropping a User
To drop the user johndoe:
drop().user("johndoe")