Controlling access to Graph keyspaces

Manage permission to access Graph data.

DSE Graph authentication and authorization are handled by DSE Unified Authentication because the underlying storage is the DSE database; see Configuring DSE Unified Authentication. Each graph has the following three keyspaces. Manage permissions to each graph using CQL GRANT/REVOKE commands.

  • graph_name: Keyspace with the same name as the graph.
  • graph_name_system: Keyspace with the graph name followed by underscore system that stores shared information.

GRANT <permission type> ON KEYSPACE <graphname> TO <rolename>;
GRANT <permission type> ON KEYSPACE <graphname_system> TO <rolename>;

The following tables show scenarios of how role permissions affect access to graph operations:

Table 1. Role properties

| Operation | Superuser | Non-user | Plain user (no role with graph permissions) | ALL PERMISSIONS |
|---|---|---|---|---|
| Connection | T | F | F | T |
| Select | T | F | F | T |
| Schema change | T | F | F | T |
| Add vertex | T | F | F | T |
| Create/Drop vertex | T,T | F,n/a | F | T,T |

Table 2. Permission type on graph keyspaces

| Operation | CREATE | SELECT | ALTER | MODIFY |
|---|---|---|---|---|
| Connection | T | T | T | T |
| Select | F | T | F | F |
| Schema change | F | F | F | F |
| Add vertex | F | F | T | T |
| Create/Drop vertex | F | F | F | F |

Table 3. Multiple permissions on graph keyspaces

| Operation | CREATE/SELECT | CREATE/ALTER | CREATE/MODIFY | CREATE/ALTER/DROP |
|---|---|---|---|---|
| Connection | T | T | T | T |
| Select | T | F | F | F |
| Schema change | F | F | F | T |
| Add vertex | F | F | T | F |
| Create/Drop vertex | F | F | F | F |

Note: Connection refers to the ability to connect to the DSE Graph Server.
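
The GRANT template above applied to two least-privilege roles, following the SELECT and MODIFY columns of Table 2. This is an added example, not taken from the DataStax documentation; the graph name `food`, the role names, and the passwords are constructed placeholders.

```cql
-- Constructed example: graph "food", so the keyspaces listed on this page
-- are food and food_system. Run as a role allowed to create roles and
-- grant permissions on these keyspaces.

-- Read-only role: per Table 2, SELECT allows Connection and Select only.
CREATE ROLE graph_reader WITH LOGIN = true AND PASSWORD = 'CHANGE_ME_reader';
GRANT SELECT ON KEYSPACE food TO graph_reader;
GRANT SELECT ON KEYSPACE food_system TO graph_reader;

-- Ingest role: per Table 2, MODIFY allows Connection and Add vertex,
-- but not Select or Schema change.
CREATE ROLE graph_writer WITH LOGIN = true AND PASSWORD = 'CHANGE_ME_writer';
GRANT MODIFY ON KEYSPACE food TO graph_writer;
GRANT MODIFY ON KEYSPACE food_system TO graph_writer;

-- Audit: confirm each role holds only the intended permissions
-- and nothing inherited from another role.
LIST ALL PERMISSIONS OF graph_reader;
LIST ALL PERMISSIONS OF graph_writer;

-- Withdraw access: revoke on every keyspace of the graph, not just one,
-- so no stale grant remains on the system keyspace.
REVOKE MODIFY ON KEYSPACE food FROM graph_writer;
REVOKE MODIFY ON KEYSPACE food_system FROM graph_writer;
```

Granting on only one of a graph's keyspaces leaves the role in a state the tables above do not describe, so apply each GRANT and REVOKE to every keyspace of the graph.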