Skip to content

Roles and privileges

A role is a collection of privileges. You can assign a role to a user for access control.

Built-in roles

Nebula Graph does not support custom roles, but it has multiple built-in roles:

  • GOD
    • GOD is the original role with all privileges not limited to graph spaces. It is similar to root in Linux and administrator in Windows.
    • When the Meta Service is initialized, the one and only GOD role user root is automatically created with the password nebula.

    Note

    Modify the password for root as soon as possible for security.

    • The default username root is immutable.
    • If authentication is disabled, you can use any username and password to connect to Nebula Graph. This user is regarded as the GOD role.
  • ADMIN
    • An ADMIN role can read and write both the Schema and the data in a specific graph space.
    • An ADMIN role of a graph space can grant DBA, USER, and GUEST roles in the graph space to other users.
  • DBA
    • A DBA role can read and write both the Schema and the data in a specific graph space.
    • A DBA role of a graph space CANNOT grant roles to other users.
  • USER
    • A USER role can read and write data in a specific graph space.
    • The Schema information is read-only to the USER roles in a graph space.
  • GUEST
    • A GUEST role can only read the Schema and the data in a specific graph space.

Note

A user can have only one role in a graph space.

Role privileges and allowed nGQL

The privileges of roles and the nGQL statements that each role can use are listed as follows.

Privilege God Admin DBA User Guest Allowed nGQL
Read space Y Y Y Y Y USE, DESCRIBE SPACE
Write space Y CREATE SPACE, DROP SPACE, CREATE SNAPSHOT, DROP SNAPSHOT, BALANCE DATA, BALANCE DATA STOP, BALANCE DATA REMOVE, BALANCE LEADER, ADMIN, CONFIG, INGEST, DOWNLOAD, SUBMIT JOB COMPACT, SUBMIT JOB FLUSH, SUBMIT JOB STATS, STOP JOB, RECOVER JOB, BUILD TAG INDEX, BUILD EDGE INDEX
Read schema Y Y Y Y Y DESCRIBE TAG, DESCRIBE EDGE, DESCRIBE TAG INDEX, DESCRIBE EDGE INDEX
Write schema Y Y Y CREATE TAG, ALTER TAG, CREATE EDGE, ALTER EDGE, DROP TAG, DROP EDGE, CREATE TAG INDEX, CREATE EDGE INDEX, DROP TAG INDEX, DROP EDGE INDEX
Write user Y CREATE USER, DROP USER, ALTER USER
Write role Y Y GRANT, REVOKE
Read data Y Y Y Y Y GO, SET, PIPE, MATCH, ASSIGNMENT, LOOKUP, YIELD, ORDER BY, FETCH VERTICES, Find, FETCH EDGES, FIND PATH, LIMIT, GROUP BY, RETURN
Write data Y Y Y Y INSERT VERTEX, UPDATE VERTEX, INSERT EDGE, UPDATE EDGE, DELETE VERTEX, DELETE EDGES, DELETE TAG
Show operations Y Y Y Y Y SHOW, CHANGE PASSWORD

Note

  • The results of SHOW operations are limited to the role of a user. For example, all users can run SHOW SPACES, but the results only include the graph spaces that the users have privileges.
  • Only the GOD role can run SHOW USERS and SHOW SNAPSHOTS.
Last update: September 1, 2021
Back to top