Assign or remove permissions from users and roles. Use GRANT to add permissions and REVOKE to remove them.
| Statement | Description |
|---|---|
GRANT ROLE TO USER | Assign role to user |
REVOKE ROLE FROM USER | Remove role from user |
GRANT ON DATABASE | Grant database-wide permission |
GRANT ON GRAPH | Grant graph-level permission |
SHOW GRANTS | Show all grants |
Grant role to user:
GQLGRANT ROLE 'data_reader' TO USER 'analyst'
Revoke role from user:
GQLREVOKE ROLE 'data_reader' FROM USER 'analyst'
Read access to a graph:
GQLGRANT READ ON GRAPH 'social_network' TO ROLE 'data_reader'
Write access to a graph:
GQLGRANT INSERT, UPDATE, DELETE ON GRAPH 'social_network' TO ROLE 'data_writer'
Full access to all graphs:
GQLGRANT ALL ON GRAPH * TO ROLE 'admin'
Database-wide read access:
GQLGRANT READ ON DATABASE TO ROLE 'data_reader'
Access to specific node label:
GQLGRANT READ ON NODE 'Person' IN GRAPH 'social_network' TO ROLE 'analytics'
Access to specific edge label:
GQLGRANT READ ON EDGE 'KNOWS' IN GRAPH 'social_network' TO ROLE 'analytics'
Access to specific property:
GQLGRANT READ ON PROPERTY 'salary' ON 'Person' IN GRAPH 'hr_data' TO ROLE 'hr_manager'
GQLREVOKE INSERT ON GRAPH 'social_network' FROM ROLE 'data_writer'
Show all grants:
GQLSHOW GRANTS
Show grants for specific user:
GQLSHOW GRANTS FOR USER 'analyst'
Result:
| operation | scope | resource | effect |
|---|---|---|---|
| READ | GRAPH | social_network | ALLOW |
| READ | GRAPH | products | ALLOW |
Show grants for specific role:
GQLSHOW GRANTS FOR ROLE 'data_reader'
