Privileges are the basic content of user authentication. Privileges are categorized into Command Privileges and Property Privileges.
Command Privileges allow users to execute particular UQL commands. According to the scope of the UQL command, they are divided into:
NOTERefer to the Table of Privileges at the end of this article for all the command privileges and their corresponding UQL commands.
Property Privileges allow or refuse users to read (query and return) and write (insert, update and delete) particular custom properties. GraphSet and schema should be appointed:
NOTEDENY has a higher priority than READ and WRITE. If a user or a policy is granted with DENY and READ (or WRITE) at the same time, the effective one is DENY.
Returned table name: _privilege
Returned table header: graphPrivileges | systemPrivileges (graph privileges, system privileges)
Syntax:
Syntax// To list all command privileges supported by Ultipa system show().privilege()
Syntax:
Syntax// To grant node and edge property privileges to a user/policy grant().privilege(["READ" | "WRITE" | "DENY"]).on( "<graph>", <@schema?>, "<property?>" ).<user|policy>("<name>") // To grant node property privileges to a user/policy grant().node_privilege(["READ" | "WRITE" | "DENY"]).on( "<graph>", <@schema?>, "<property?>" ).<user|policy>("<name>") // To grant edge property privileges to a user/policy grant().edge_privilege(["READ" | "WRITE" | "DENY"]).on( "<graph>", <@schema?>, "<property?>" ).<user|policy>("<name>")
Example: Grant READ of property @product.price of GraphSet supplychain to policy sales
UQLgrant().node_privilege(["READ"]).on( "supplychain", @product, "price" ).policy("sales")
Example: Grant WRITE of all properties of all GraphSets to user admin002
UQLgrant().privilege(["WRITE"]).on( "*", @*, "*" ).user("admin002")
Analysis: The parameter on() in this example can be shortened as on("*")
Syntax:
Syntax// To grant system privileges to a user/policy grant().system().privilege(<[]system_privileges>).<user|policy>("<name>")
Example: Grant system privileges TOP and KILL to user admin002
UQLgrant().system().privilege(["TOP","KILL"]).user("admin002")
Syntax:
Syntax// To grant privileges of different types to a user/policy grant().user("<username>").params({ graph_privileges: <{}graph_privileges?>, system_privileges: <[]system_privileges?>, property_privileges: <{}property_privileges?>, policies: <[]policies?> })
Where the data structures are:
Syntax// <{}graph_privileges> { "<graph1>":["<graph_privilege>", "<graph_privilege>", ...], "<graph2>":["<graph_privilege>", "<graph_privilege>", ...], ... } // <{}property_privileges> { "node": { "read": [ ["<graph>", "<@schema?>", "<property?>"], ["<graph>", "<@schema?>", "<property?>"], ... ], "write": [ ["<graph>", "<@schema?>", "<property?>"], ["<graph>", "<@schema?>", "<property?>"], ... ], "deny": [ ["<graph>", "<@schema?>", "<property?>"], ["<graph>", "<@schema?>", "<property?>"], ... ], }, "edge": { "read": [ ["<graph>", "<@schema?>", "<property?>"], ["<graph>", "<@schema?>", "<property?>"], ... ], "write": [ ["<graph>", "<@schema?>", "<property?>"], ["<graph>", "<@schema?>", "<property?>"], ... ], "deny": [ ["<graph>", "<@schema?>", "<property?>"], ["<graph>", "<@schema?>", "<property?>"], ... ], } }
Example: Grant UPDATE of all GraphSets, system privilege STAT, WRITE of all properties of all GraphSets, and policy management to user Ultipa
UQLgrant().user("Ultipa").params({ graph_privileges: {"*": ["UPDATE"]}, system_privileges: ["STAT"], property_privileges: { "node": { "write": [["*", "*", "*"]] }, "edge": { "write": [["*", "*", "*"]] } }, policies: ["management"] })
Syntax:
Syntax// To revoke node and edge property privileges from a user/policy revoke().privilege(["READ" | "WRITE" | "DENY"]).on( "<graph>", <@schema?>, "<property?>" ).<user|policy>("<name>") // To revoke node property privileges from a user/policy revoke().node_privilege(["READ" | "WRITE" | "DENY"]).on( "<graph>", <@schema?>, "<property?>" ).<user|policy>("<name>") // To revoke edge property privileges from a user/policy revoke().edge_privilege(["READ" | "WRITE" | "DENY"]).on( "<graph>", <@schema?>, "<property?>" ).<user|policy>("<name>")
Example: Revoke READ of property @product.price of GraphSet supplychain from policy sales
UQLrevoke().node_privilege(["READ"]).on( "supplychain", @product, "price" ).policy("sales")
Example: Revoke WRITE of all properties of all GraphSets from user admin002
UQLrevoke().privilege(["WRITE"]).on( "*", @*, "*" ).user("admin002")
Analysis: The parameter on() in this example can be shortened as on("*")
Syntax:
Syntax// To revoke system privileges from a user/policy revoke().system().privilege(<[]system_privileges>).<user|policy>("<name>")
Example: Revoke system privileges TOP and KILL from user admin002
UQLrevoke().system().privilege(["TOP","KILL"]).user("admin002")
Syntax:
Syntax// To revoke privileges of different types from a user/policy revoke().user("<username>").params({ graph_privileges: <{}graph_privileges?>, system_privileges: <[]system_privileges?>, property_privileges: <{}property_privileges?>, policies: <[]policies?> })
Where the data structures <{}graph_privileges> and <{}property_privileges> are same as those in command grant().
Example: Revoke UPDATE of all GraphSets, system privilege STAT, WRITE of all properties of all GraphSets, and policy management from user Ultipa
UQLrevoke().user("Ultipa").params({ graph_privileges: {"*": ["UPDATE"]}, system_privileges: ["STAT"], property_privileges: { "node": { "write": [["*", "*", "*"]] }, "edge": { "write": [["*", "*", "*"]] } }, policies: ["management"] })
| Privilege | Level | Legal Command |
|---|---|---|
| SHOW_PRIVILEGE | system | show().privilege() |
| SHOW_POLICY | system | show().policy() |
| CREATE_POLICY | system | create().policy() |
| ALTER_POLICY | system | alter().policy() |
| DROP_POLICY | system | drop().policy() |
| SHOW_USER | system | show().user() |
| CREATE_USER | system | create().user() |
| ALTER_USER | system | alter().user() |
| DROP_USER | system | drop().user() |
| GRANT | system | grant() |
| REVOKE | system | revoke() |
Note: Command show().self() can be legally used by any user without authorization.
| Privilege | Level | Legal Command |
|---|---|---|
| STAT | system | stats() |
| SHOW_GRAPH | system | show().graph() |
| CREATE_GRAPH | system | create().graph() |
| ALTER_GRAPH | system | alter().graph() |
| DROP_GRAPH | system | drop().graph() |
| MOUNT_GRAPH | system | mount() |
| UNMOUNT_GRAPH | system | unmount() |
| SHOW_SCHEMA | graph | show().schema(), show().node_schema(), show().edge_schema() |
| CREATE_SCHEMA | graph | create().node_schema(), create().edge_schema() |
| ALTER_SCHEMA | graph | alter().node_schema(), alter().edge_schema() |
| DROP_SCHEMA | graph | drop().node_schema(), drop().edge_schema() |
| SHOW_PROPERTY | graph | show().property(), show().node_property(), show().edge_property() |
| CREATE_PROPERTY | graph | create().node_property(), create().edge_property() |
| ALTER_PROPERTY | graph | alter().node_property(), alter().edge_property() |
| DROP_PROPERTY | graph | drop().node_property(), drop().edge_property() |
| SHOW_FULLTEXT | graph | show().fulltext(), show().node_fulltext(), show().edge_fulltext() |
| CREATE_FULLTEXT | graph | create().node_fulltext(), create().edge_fulltext() |
| DROP_FULLTEXT | graph | drop().node_fulltext(), drop().edge_fulltext() |
| SHOW_INDEX | graph | show().index(), show().node_index(), show().edge_index() |
| CREATE_INDEX | graph | create().node_index(), create().edge_index() |
| DROP_INDEX | graph | drop().node_index(), drop().edge_index() |
| LTE | graph | LTE() |
| UFE | graph | UFE() |
| TRUNCATE | system | truncate() |
| COMPACT | system | compact() |
| Privilege | Level | Legal Command |
|---|---|---|
| INSERT | graph | insert(), insert().overwrite() |
| UPSERT | graph | upsert() |
| UPDATE | graph | update() |
| DELETE | graph | delete() |
| DELETE_NODE | graph | delete().nodes() |
| DELETE_EDGE | graph | delete().edges() |
| TEMPLATE | graph | n(), e(), re(), le(), nf(), graph() |
| KHOP | graph | khop() |
| AB | graph | ab() |
| SPREAD | graph | spread() |
| AUTONET | graph | autonet() |
| FIND | graph | find() |
| FIND_NODE | graph | find().nodes() |
| FIND_EDGE | graph | find().edges() |
| Privilege | Level | Legal Command |
|---|---|---|
| ALGO | graph | algo() |
| SHOW_ALGO | graph | show().algo() |
| SHOW_TASK | graph | show().task() |
| CLEAR_TASK | graph | clear() |
| STOP_TASK | graph | stop() |
| SHOW_BACKUP | graph | db.backup.show() |
| CREATE_BACKUP | graph | db.backup.create() |
| RESTORE_BACKUP | graph | db.backup.restore() |
| TOP | system | top() |
| KILL | system | kill() |
| SHOW_TRIGGER | graph | show().trigger(), show().node_trigger(), show().edge_trigger() |
| CREATE_TRIGGER | graph | create().node_trigger(), create().edge_trigger() |
| DROP_TRIGGER | graph | drop().node_trigger(), drop().edge_trigger() |
