Authentication and authorization

Learn how authentication and authorization works in Memgraph. Manage users and roles, secure the database with role-based and fine-grained access control and learn how to integrate with other authentication systems.

Changes to authentication requirements

As of Memgraph v3.5 there are new requirements for authentication and authorization operations, particularly affecting multi-tenant environments:

AUTH privilege requirement

Authentication and authorization queries (such as CREATE USER, CREATE ROLE, GRANT, DENY, REVOKE, etc.) now require the AUTH privilege AND access to the “memgraph” database. Users must be explicitly granted this privilege to perform user and role management operations.

System queries in multi-tenant environment

To execute system (auth, replication and multi-database) queries, users must have:

• The appropriate privileges (AUTH, REPLICATION, MULTI_DATABASE_EDIT)
• AND access to the default “memgraph” database

Multi-tenant environment query syntax changes

SHOW ROLE syntax in multi-tenant environments

SHOW ROLE FOR <USER>: This command does not require database specification and will show all roles assigned to the user across all databases.

-- Show all roles for a user (works in all environments)
SHOW ROLE FOR user_name;
SHOW ROLES FOR user_name;

If you need to see roles in a specific database context, you can optionally specify:

1. Show roles for the user’s main database:

SHOW ROLE FOR user_name ON MAIN;

2. Show roles for the current database:

SHOW ROLE FOR user_name ON CURRENT;

3. Show roles for a specific database:

SHOW ROLE FOR user_name ON DATABASE database_name;

SHOW PRIVILEGES syntax in multi-tenant environments

SHOW PRIVILEGES FOR <USER>: In multi-tenant environments, you must specify the database context:

1. Show privileges for the user’s main database:

SHOW PRIVILEGES FOR user_name ON MAIN;

2. Show privileges for the current database:

SHOW PRIVILEGES FOR user_name ON CURRENT;

3. Show privileges for a specific database:

SHOW PRIVILEGES FOR user_name ON DATABASE database_name;

These commands return the aggregated roles and privileges for the user in the specified database context. The ON MAIN option shows information for the user’s main database, ON CURRENT shows information for whatever database is currently active, and ON DATABASE shows information for the explicitly specified database.

SHOW PRIVILEGES FOR <ROLE>: This command does not require database specification and will show all privileges for the role.

-- Show all privileges for a role (works in all environments)
SHOW PRIVILEGES FOR role_name;

Multi-tenant recommendations

For multi-tenant environments, we recommend:

• Treating the default “memgraph” database as an administrative/system database
• Restricting access to the “memgraph” database to privileged users only
• Storing application data in tenant-specific databases
• Ensuring users who need to perform authentication, replication, or multi-database operations have appropriate access

For detailed information about these requirements and best practices, see the Role-based access control, Multi-tenancy, and Replication documentation.

Users

Learn how to manage users in Memgraph.

Role-based access control (Enterprise)

Learn how to manage roles, set up their privileges and fine-grained access control.

Multi-role users and multi-tenant roles (Enterprise)

Learn how to assign multiple roles to users simultaneously and understand how permissions are combined from all roles.

Auth system integrations (Enterprise)

Learn how to integrate with third-party auth systems and manage user authentication and access control using Memgraph’s auth module.

Impersonate user (Enterprise)

Learn how the impersonate user feature enables authorized users to execute queries with the full permissions and context of another user.

User profiles (Enterprise)

Learn how to manage user profiles and set resource limits for users to control resource consumption and prevent abuse.