A role (called a policy in UQL) aggregates multiple privileges and can also include other roles, so that role hierarchies can be built out of smaller, reusable pieces. Designed carefully, roles give you role-based access control (RBAC): permissions are managed per role rather than per user, and a user's effective access is the union of everything the roles assigned to it (and the roles those roles include) carry. That transitive union is also why a role should be reviewed by its effective privileges, not only by what is granted to it directly.
Ultipa supports both GQL and UQL to manage roles in the database.
All role names in the database must be unique and adhere to the following rules:
_) only.
To list all roles defined in the database:
GQL:
SHOW ROLE
To create a role named Tester:
GQL:
CREATE ROLE Tester
To rename the role Tester to sales:
GQL:
ALTER ROLE Tester RENAME TO sales
You can grant privileges and roles to a role. A grant is additive: the privileges and roles already assigned to the role remain unchanged.
To grant the system privileges SHOW_GRAPH and ALTER_GRAPH to the role Tester:
GQL:
GRANT ["SHOW_GRAPH", "ALTER_GRAPH"] TO ROLE Tester
To grant all system privileges to the role superADM:
GQL:
GRANT * TO ROLE superADM
To grant the graph privilege READ for all graphs to the role Tester:
GQL:
GRANT ["READ"] ON * TO ROLE Tester
To grant the graph privileges SHOW_INDEX and SHOW_JOB for the graph amz to the role Tester:
GQL:
GRANT ["SHOW_INDEX","SHOW_JOB"] ON amz TO ROLE Tester
To grant all graph privileges for all graphs to the role superADM:
GQL:
GRANT * ON * TO ROLE superADM
To grant the property privileges READ and WRITE on the properties name and age of Person nodes in the current graph to the role Tester:
GQL:
GRANT ['READ','WRITE'] ON NODE Person (name, age) TO ROLE Tester
To grant the property privilege DENY on all properties of all edges in the current graph to the role sales (DENY withholds access to the listed properties):
GQL:
GRANT ["DENY"] ON EDGE * * TO ROLE sales
To grant the role manager to the role Tester (Tester then carries everything manager carries):
GQL:
GRANT ROLE manager TO ROLE Tester
You can revoke privileges and roles from a role.
To revoke the system privileges SHOW_POLICY and ALTER_GRAPH from the role Tester:
GQL:
REVOKE ["SHOW_POLICY", "ALTER_GRAPH"] FROM ROLE Tester
To revoke all system privileges from the role sales:
GQL:
REVOKE * FROM ROLE sales
To revoke the graph privileges READ and UPDATE on the graph amz from the role Tester:
GQL:
REVOKE ["READ", "UPDATE"] ON amz FROM ROLE Tester
To revoke all graph privileges on all graphs from the role sales:
GQL:
REVOKE * ON * FROM ROLE sales
To revoke the property privileges READ and WRITE on the properties name and age of Person nodes in the current graph from the role Tester:
GQL:
REVOKE ['READ','WRITE'] ON NODE Person (name, age) FROM ROLE Tester
To revoke the property privilege DENY on all properties of all edges in the current graph from the role sales:
GQL:
REVOKE ["DENY"] ON EDGE * * FROM ROLE sales
To revoke the role manager from the role Tester:
GQL:
REVOKE ROLE manager FROM ROLE Tester
To drop the role Tester:
GQL:
DROP ROLE Tester
To list all roles (policies) defined in the database:
UQL:
show().policy()
Or retrieve a specific policy, such as the one named manager:
UQL:
show().policy("manager")
You can create a role and assign it privileges and other roles at the same time:
Syntax:
create().policy("<name>").params({
  system_privileges: ["<systemPriv>", "<systemPriv>", ...],
  // Set <graph> as * to specify all graphs
  graph_privileges: {
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    ...
  },
  // Set <graph>/<schema>/<property> as * to specify all graphs/schemas/properties
  property_privileges: {
    "node": {
      "read": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "write": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "deny": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...]
    },
    "edge": {
      "read": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "write": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "deny": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...]
    }
  },
  policies: ["<policy>", "<policy>", ...]
})
To create a role superADM with all graph and system privileges:
UQL:
create().policy("superADM").params({
  graph_privileges: {
    "*": ["READ","INSERT","UPSERT","UPDATE","DELETE",
          "CREATE_SCHEMA","DROP_SCHEMA","ALTER_SCHEMA","SHOW_SCHEMA","RELOAD_SCHEMA",
          "CREATE_PROPERTY","DROP_PROPERTY","ALTER_PROPERTY","SHOW_PROPERTY",
          "CREATE_FULLTEXT","DROP_FULLTEXT","SHOW_FULLTEXT",
          "CREATE_INDEX","DROP_INDEX","SHOW_INDEX",
          "LTE","UFE","CLEAR_JOB","STOP_JOB","SHOW_JOB","ALGO",
          "CREATE_PROJECT","SHOW_PROJECT","DROP_PROJECT",
          "CREATE_HDC_GRAPH","SHOW_HDC_GRAPH","DROP_HDC_GRAPH","COMPACT_HDC_GRAPH",
          "SHOW_VECTOR_INDEX","CREATE_VECTOR_INDEX","DROP_VECTOR_INDEX",
          "SHOW_CONSTRAINT","CREATE_CONSTRAINT","DROP_CONSTRAINT"]
  },
  system_privileges: ["TRUNCATE","COMPACT",
                      "CREATE_GRAPH","SHOW_GRAPH","DROP_GRAPH","ALTER_GRAPH",
                      "TOP","KILL","STAT",
                      "SHOW_POLICY","CREATE_POLICY","DROP_POLICY","ALTER_POLICY",
                      "SHOW_USER","CREATE_USER","DROP_USER","ALTER_USER",
                      "SHOW_PRIVILEGE","SHOW_META",
                      "SHOW_SHARD","ADD_SHARD","DELETE_SHARD","REPLACE_SHARD",
                      "SHOW_HDC_SERVER","ADD_HDC_SERVER","DELETE_HDC_SERVER",
                      "LICENSE_UPDATE","LICENSE_DUMP",
                      "GRANT","REVOKE",
                      "SHOW_BACKUP","CREATE_BACKUP",
                      "SHOW_VECTOR_SERVER","ADD_VECTOR_SERVER","DELETE_VECTOR_SERVER"]
})
To create a role Tester with:
- the system privileges SHOW_GRAPH and ALTER_GRAPH
- the graph privileges READ, SHOW_SCHEMA and SHOW_PROPERTY for all graphs, and SHOW_INDEX and SHOW_JOB for the graphs amz and trans
- the property privileges to read all node properties, and, in the graph amz, to write the properties rank and asset of edgx edges and to read the property mark of all edges
- the role manager included
UQL:
create().policy("Tester").params({
  system_privileges: ["SHOW_GRAPH", "ALTER_GRAPH"],
  graph_privileges: {
    "*": ["READ", "SHOW_SCHEMA", "SHOW_PROPERTY"],
    "amz": ["SHOW_INDEX", "SHOW_JOB"],
    "trans": ["SHOW_INDEX", "SHOW_JOB"]
  },
  property_privileges: {
    "node": {
      "read": [["*", "*", "*"]]
    },
    "edge": {
      "read": [["amz", "*", "mark"]],
      "write": [["amz", "edgx", "rank"], ["amz", "edgx", "asset"]]
    }
  },
  policies: ["manager"]
})
You can grant privileges and roles to a role. A grant is additive: the privileges and roles already assigned to the role remain unchanged.
Syntax:
grant().policy("<name>").params({
  system_privileges: ["<systemPriv>", "<systemPriv>", ...],
  // Set <graph> as * to specify all graphs
  graph_privileges: {
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    ...
  },
  // Set <graph>/<schema>/<property> as * to specify all graphs/schemas/properties
  property_privileges: {
    "node": {
      "read": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "write": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "deny": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...]
    },
    "edge": {
      "read": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "write": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "deny": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...]
    }
  },
  policies: ["<policy>", "<policy>", ...]
})
To grant the graph privileges CREATE_SCHEMA and DROP_SCHEMA on the graph Tax, and the system privilege ADD_HDC_SERVER, to the role Tester:
UQL:
grant().policy("Tester").params({
  graph_privileges: {"Tax": ["CREATE_SCHEMA", "DROP_SCHEMA"]},
  system_privileges: ["ADD_HDC_SERVER"]
})
You can revoke privileges and roles from a role.
Syntax:
revoke().policy("<name>").params({
  system_privileges: ["<systemPriv>", "<systemPriv>", ...],
  // Set <graph> as * to specify all graphs
  graph_privileges: {
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    ...
  },
  // Set <graph>/<schema>/<property> as * to specify all graphs/schemas/properties
  property_privileges: {
    "node": {
      "read": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "write": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "deny": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...]
    },
    "edge": {
      "read": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "write": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "deny": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...]
    }
  },
  policies: ["<policy>", "<policy>", ...]
})
To revoke the graph privileges CREATE_SCHEMA and DROP_SCHEMA on the graph Tax, and the system privilege ADD_HDC_SERVER, from the role Tester:
UQL:
revoke().policy("Tester").params({
  graph_privileges: {"Tax": ["CREATE_SCHEMA", "DROP_SCHEMA"]},
  system_privileges: ["ADD_HDC_SERVER"]
})
You can alter the privileges and roles assigned to a role. Unlike grant(), which adds to what the role already has, alter() overwrites: only the categories you pass to set() are updated, and the others remain unchanged. Pass exactly the categories you intend to redefine.
Syntax:
alter().policy("<name>").set({
  system_privileges: ["<systemPriv>", "<systemPriv>", ...],
  // Set <graph> as * to specify all graphs
  graph_privileges: {
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    ...
  },
  // Set <graph>/<schema>/<property> as * to specify all graphs/schemas/properties
  property_privileges: {
    "node": {
      "read": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "write": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "deny": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...]
    },
    "edge": {
      "read": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "write": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...],
      "deny": [["<graph>", "<schema>", "<property>"], ["<graph>", "<schema>", "<property>"], ...]
    }
  },
  policies: ["<policy>", "<policy>", ...]
})
To modify only the graph privileges assigned to the role Tester (system privileges, property privileges and included roles are left as they are):
UQL:
alter().policy("Tester").set({graph_privileges: {"Tax": ["UPDATE"]}})
To modify the graph privileges, the property privileges and the included roles of the policy Tester:
UQL:
alter().policy("Tester").set({
  graph_privileges: {"*": ["UPDATE", "DELETE"]},
  property_privileges: {
    "node": {"write": [["miniCircle", "*", "*"]]},
    "edge": {"write": [["miniCircle", "*", "*"]]}
  },
  policies: ["sales"]
})
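Because a role inherits everything from the roles it includes, the privileges a role "has" are only visible once the hierarchy is resolved, and the difference between the additive grant() and the overwriting alter().set() is easy to get wrong by hand. The following is an added example, not Ultipa code and not part of this page: a small offline model of the params structure shown above (system_privileges, graph_privileges, property_privileges, policies) that resolves effective privileges through nested roles, applies grant/revoke/set the way this page describes them, and flags the findings a least-privilege review would care about. The treatment of alter().set() as a per-category replacement, the choice of which system privileges count as administrative, and the manager role's contents are this example's own assumptions.

```python
"""Offline model of Ultipa-style role (policy) definitions (added example, not Ultipa code)."""
from copy import deepcopy

PROP_KINDS = ("node", "edge")
PROP_OPS = ("read", "write", "deny")
# Names come from this page's superADM example; treating this subset as the
# administrative privileges ordinary roles must not inherit is an assumption.
ADMIN_SYSTEM_PRIVS = {"GRANT", "REVOKE", "CREATE_POLICY", "ALTER_POLICY", "DROP_POLICY",
                      "CREATE_USER", "ALTER_USER", "DROP_USER", "LICENSE_UPDATE", "TRUNCATE"}


def _normalize(params):
    """Convert a create()/grant()/revoke() params dict into a set-based record."""
    rec = {
        "system_privileges": set(params.get("system_privileges", [])),
        "graph_privileges": {g: set(p) for g, p in params.get("graph_privileges", {}).items()},
        "property_privileges": {k: {op: set() for op in PROP_OPS} for k in PROP_KINDS},
        "policies": set(params.get("policies", [])),
    }
    for kind in PROP_KINDS:
        for op, triples in params.get("property_privileges", {}).get(kind, {}).items():
            rec["property_privileges"][kind][op] = {tuple(t) for t in triples}  # (graph, schema, property)
    return rec


def _merge(dst, src):
    """Additive union: the behaviour this page describes for grant()."""
    dst["system_privileges"] |= src["system_privileges"]
    for g, privs in src["graph_privileges"].items():
        dst["graph_privileges"].setdefault(g, set()).update(privs)
    for kind in PROP_KINDS:
        for op in PROP_OPS:
            dst["property_privileges"][kind][op] |= src["property_privileges"][kind][op]
    dst["policies"] |= src["policies"]


class PolicyStore:
    def __init__(self):
        self.policies = {}

    def create(self, name, params=None):
        if name in self.policies:  # role names must be unique
            raise ValueError(f"role {name!r} already exists")
        self.policies[name] = _normalize(params or {})

    def grant(self, name, params):
        _merge(self.policies[name], _normalize(params))

    def revoke(self, name, params):
        cur, gone = self.policies[name], _normalize(params)
        cur["system_privileges"] -= gone["system_privileges"]
        for g, privs in gone["graph_privileges"].items():
            cur["graph_privileges"].get(g, set()).difference_update(privs)
        for kind in PROP_KINDS:
            for op in PROP_OPS:
                cur["property_privileges"][kind][op] -= gone["property_privileges"][kind][op]
        cur["policies"] -= gone["policies"]

    def alter_set(self, name, params):
        """alter().set(): each category named in params is replaced outright, the rest
        is untouched (assumption drawn from the page's wording; confirm on your server)."""
        new = _normalize(params)
        for key in params:
            self.policies[name][key] = new[key]

    def effective(self, name, _seen=None):
        """Own privileges plus those of every included role, transitively.
        A cycle (A includes B includes A) is visited once and then stops."""
        seen = set() if _seen is None else _seen
        if name in seen:
            return _normalize({})
        seen.add(name)
        eff = deepcopy(self.policies[name])
        for child in sorted(self.policies[name]["policies"]):
            _merge(eff, self.effective(child, seen))
        return eff


def audit(store, name):
    """Least-privilege findings, computed on the role's *effective* privileges."""
    eff = store.effective(name)
    findings = []
    admin = eff["system_privileges"] & ADMIN_SYSTEM_PRIVS
    if admin:
        findings.append(f"administrative system privileges: {sorted(admin)}")
    if eff["graph_privileges"].get("*"):
        findings.append(f"privileges on every graph (*): {sorted(eff['graph_privileges']['*'])}")
    for kind in PROP_KINDS:
        for triple in sorted(eff["property_privileges"][kind]["write"]):
            if "*" in triple:
                findings.append(f"wildcard {kind} property write {triple}")
    return findings


def build_page_example():
    """The Tester role from this page plus a constructed 'manager' role it includes."""
    store = PolicyStore()
    store.create("manager", {"system_privileges": ["GRANT", "SHOW_USER"]})  # constructed
    store.create("Tester", {
        "system_privileges": ["SHOW_GRAPH", "ALTER_GRAPH"],
        "graph_privileges": {"*": ["READ", "SHOW_SCHEMA", "SHOW_PROPERTY"],
                             "amz": ["SHOW_INDEX", "SHOW_JOB"], "trans": ["SHOW_INDEX", "SHOW_JOB"]},
        "property_privileges": {"node": {"read": [["*", "*", "*"]]},
                                "edge": {"read": [["amz", "*", "mark"]],
                                         "write": [["amz", "edgx", "rank"], ["amz", "edgx", "asset"]]}},
        "policies": ["manager"],
    })
    return store


if __name__ == "__main__":
    for line in audit(build_page_example(), "Tester"):
        print("Tester:", line)
```

Run as a script it prints the two findings for Tester: the GRANT privilege it inherits from manager (never visible in Tester's own definition) and its wildcard graph grant. The point of computing on effective() rather than on the stored record is exactly that inherited GRANT: a role that can grant privileges can grant itself the rest, so a review that only reads show().policy("Tester") misses the escalation path.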
To drop the role Tester:
UQL:
drop().policy("Tester")