Controlling access to Graph keyspaces
Manage permission to access Graph data.
DSE Graph authentication and authorization are handled by DSE Unified Authentication because the underlying storage is the DSE database; see Configuring DSE Unified Authentication. Each graph has the following three keyspaces. Manage permissions to each graph using CQL commands.

graph_name
: Keyspace with the same name as the graph.

graph_name_system
: Keyspace with the graph name followed by underscore system that stores shared information.

GRANT <permission type> ON KEYSPACE <graphname> TO <rolename>;
GRANT <permission type> ON KEYSPACE <graphname_system> TO <rolename>;
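
The following Python check is an added example, not DataStax code: given (role, keyspace, permission) tuples, it finds roles whose permissions differ between the two keyspaces listed above and emits the GRANT statements, in the form shown above, that would align them. The graph name food, the role names, the sample tuples and the premise that a role should hold the same permissions on both keyspaces are assumptions.

```python
import re
from collections import defaultdict

# Plain (unquoted) CQL identifier; anything else is rejected, not escaped.
IDENT = re.compile(r"[A-Za-z][A-Za-z0-9_]*")
# Permission names that appear in the tables on this page.
PERMISSIONS = {"CREATE", "SELECT", "ALTER", "MODIFY", "DROP"}

def graph_keyspaces(graph_name):
    """Return the two keyspaces this page lists for a graph."""
    if not IDENT.fullmatch(graph_name):
        raise ValueError(f"not a plain CQL identifier: {graph_name!r}")
    return [graph_name, f"{graph_name}_system"]

def missing_grants(graph_name, grants):
    """Return the GRANT statements that would give every role the same
    permissions on both keyspaces of graph_name.

    grants: iterable of (role, keyspace, permission) tuples.
    """
    keyspaces = graph_keyspaces(graph_name)
    held = defaultdict(lambda: defaultdict(set))  # role -> keyspace -> perms
    for role, keyspace, permission in grants:
        if keyspace not in keyspaces:
            continue  # grant on an unrelated keyspace
        if not IDENT.fullmatch(role) or permission.upper() not in PERMISSIONS:
            raise ValueError(f"unexpected grant: {(role, keyspace, permission)!r}")
        held[role][keyspace].add(permission.upper())
    statements = []
    for role in sorted(held):
        wanted = set().union(*held[role].values())
        for keyspace in keyspaces:
            for perm in sorted(wanted - held[role][keyspace]):
                statements.append(f"GRANT {perm} ON KEYSPACE {keyspace} TO {role};")
    return statements

# Constructed sample data: graph "food" and both roles are hypothetical.
SAMPLE_GRANTS = [
    ("analyst", "food", "SELECT"),
    ("analyst", "food_system", "SELECT"),
    ("loader", "food", "CREATE"),
    ("loader", "food", "MODIFY"),
    ("loader", "food_system", "CREATE"),
    ("loader", "inventory", "SELECT"),
]

if __name__ == "__main__":
    for statement in missing_grants("food", SAMPLE_GRANTS):
        print(statement)
```

Review the emitted statements before running them: a mismatch can also mean the grant on the other keyspace should be revoked rather than mirrored.
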
The following tables show scenarios of how role permissions affect access to graph operations:

Operation | Superuser | Non-user | Plain user (no role with graph permissions) | ALL PERMISSIONS |
---|---|---|---|---|
Connection | T | F | F | T |
Select | T | F | F | T |
Schema change | T | F | F | T |
Add vertex | T | F | F | T |
Create/Drop vertex | T,T | F,n/a | F | T,T |

Operation | CREATE | SELECT | ALTER | MODIFY |
---|---|---|---|---|
Connection | T | T | T | T |
Select | F | T | F | F |
Schema change | F | F | F | F |
Add vertex | F | F | T | T |
Create/Drop vertex | F | F | F | F |

Operation | CREATE/SELECT | CREATE/ALTER | CREATE/MODIFY | CREATE/ALTER/DROP |
---|---|---|---|---|
Connection | T | T | T | T |
Select | T | F | F | F |
Schema change | F | F | F | T |
Add vertex | F | F | T | F |
Create/Drop vertex | F | F | F | F |

Note: Connection refers to the ability to connect to the DSE Graph Server.