Security best practices for Role-Based Access Control.
Grant access to specific graphs rather than using wildcards:

```gql
// Good: Specific graph access
GRANT READ ON GRAPH 'production' TO ROLE 'analyst'

// Avoid: Wildcard access unless truly needed
GRANT READ ON GRAPH * TO ROLE 'analyst'
```
Create roles that map to job functions, and grant privileges to roles rather than to individual users:

```gql
// Create roles for job functions
CREATE ROLE 'data_analyst' DESCRIPTION 'Read-only access for analytics'
CREATE ROLE 'data_engineer' DESCRIPTION 'Read and write for ETL pipelines'
CREATE ROLE 'app_service' DESCRIPTION 'Application service account'
```
Rotate service account credentials on a regular schedule:

```gql
// Rotate service account password
ALTER USER 'backend_service' SET PASSWORD 'new_secure_password_789'
```
Deactivate rather than delete a suspicious account, so its audit trail is preserved for investigation:

```gql
// Deactivate suspicious account (preserves audit trail)
ALTER USER 'suspicious_user' SET STATUS INACTIVE

// Reactivate after investigation
ALTER USER 'suspicious_user' SET STATUS ACTIVE
```
Regularly audit user permissions and access:
```gql
// Audit user permissions
SHOW GRANTS FOR USER 'analyst'

// List all users and their status
SHOW USERS

// List all roles
SHOW ROLES

// Check specific role permissions
SHOW GRANTS FOR ROLE 'data_analyst'
```
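The audit commands above produce raw listings; the following script, an added example that is not part of this page or of any database vendor's tooling, shows how to turn such listings into findings. It checks collected grant records against the two rules above (no wildcard graph access, no write privileges on production graphs). The `Grant` record layout and the sample rows are constructed assumptions; map the real `SHOW GRANTS` output of your database onto them.

```python
from dataclasses import dataclass

# Privileges that modify data; READ is the only one considered safe on production here.
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE"}


@dataclass(frozen=True)
class Grant:
    """One row of an access listing (constructed layout, not a vendor format)."""
    grantee_type: str  # "USER" or "ROLE"
    grantee: str       # user or role name
    privilege: str     # e.g. "READ", "INSERT", "UPDATE", "DELETE"
    graph: str         # graph name, or "*" for a wildcard grant


def audit_grants(grants, production_graphs):
    """Return (grantee, finding) tuples for grants that violate least privilege."""
    findings = []
    for g in grants:
        who = f"{g.grantee_type} '{g.grantee}'"
        if g.graph == "*":
            # Wildcard grants silently cover every graph created later as well.
            findings.append((g.grantee, f"{who} has {g.privilege} on all graphs (wildcard)"))
        elif g.graph in production_graphs and g.privilege in WRITE_PRIVS:
            # Production access should be read-only via a role such as 'app_readonly'.
            findings.append((g.grantee,
                             f"{who} has write privilege {g.privilege} on production graph '{g.graph}'"))
    return findings


# Constructed sample rows, as a collector might build them from SHOW GRANTS output.
SAMPLE_GRANTS = [
    Grant("ROLE", "analyst", "READ", "production"),     # compliant: specific graph, read-only
    Grant("ROLE", "analyst", "READ", "*"),              # finding: wildcard graph access
    Grant("USER", "app_dev", "DELETE", "dev_graph"),    # compliant: writes are fine in dev
    Grant("USER", "app_prod", "UPDATE", "production"),  # finding: write privilege on production
]

if __name__ == "__main__":
    for grantee, finding in audit_grants(SAMPLE_GRANTS, {"production"}):
        print(f"[REVIEW] {finding}")
```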
Use separate accounts for different environments:
```gql
// Development
CREATE USER 'app_dev' WITH PASSWORD 'dev_password'
GRANT READ, INSERT, UPDATE, DELETE ON GRAPH 'dev_graph' TO USER 'app_dev'

// Staging
CREATE USER 'app_staging' WITH PASSWORD 'staging_password'
GRANT READ, INSERT, UPDATE, DELETE ON GRAPH 'staging_graph' TO USER 'app_staging'

// Production (more restrictive)
CREATE USER 'app_prod' WITH PASSWORD 'prod_password'
GRANT ROLE 'app_readonly' TO USER 'app_prod'
```