Authentication and authorization
Learn how authentication and authorization work in Memgraph. Manage users and roles, secure the database with role-based and fine-grained access control, and learn how to integrate with other authentication systems.
Changes to authentication requirements
As of Memgraph v3.5 there are new requirements for authentication and authorization operations, particularly affecting multi-tenant environments:
AUTH privilege requirement
Authentication and authorization queries (such as CREATE USER, CREATE ROLE, GRANT, DENY, REVOKE, etc.) now require the AUTH privilege AND access to the “memgraph” database. Users must be explicitly granted this privilege to perform user and role management operations.
The recommendation is to use the default “memgraph” database as an admin/system database and store graphs under other databases.
System queries in multi-tenant environment
To execute system (auth, replication and multi-database) queries, users must have:
- The appropriate privileges (AUTH, REPLICATION, MULTI_DATABASE_EDIT)
- AND access to the default “memgraph” database
Multi-tenant environment query syntax changes
SHOW ROLE syntax in multi-tenant environments
SHOW ROLE FOR <USER>: This command does not require database specification and will show all roles assigned to the user across all databases.
-- Show all roles for a user (works in all environments)
SHOW ROLE FOR user_name;
SHOW ROLES FOR user_name;
If you need to see roles in a specific database context, you can optionally specify:
- Show roles for the user’s main database:
SHOW ROLE FOR user_name ON MAIN;
- Show roles for the current database:
SHOW ROLE FOR user_name ON CURRENT;
- Show roles for a specific database:
SHOW ROLE FOR user_name ON DATABASE database_name;
SHOW PRIVILEGES syntax in multi-tenant environments
SHOW PRIVILEGES FOR <USER>: In multi-tenant environments, you must specify the database context:
- Show privileges for the user’s main database:
SHOW PRIVILEGES FOR user_name ON MAIN;
- Show privileges for the current database:
SHOW PRIVILEGES FOR user_name ON CURRENT;
- Show privileges for a specific database:
SHOW PRIVILEGES FOR user_name ON DATABASE database_name;
These commands return the aggregated roles and privileges for the user in the specified database context. The ON MAIN option shows information for the user’s main database, ON CURRENT shows information for whatever database is currently active, and ON DATABASE shows information for the explicitly specified database.
SHOW PRIVILEGES FOR <ROLE>: This command does not require database specification and will show all privileges for the role.
-- Show all privileges for a role (works in all environments)
SHOW PRIVILEGES FOR role_name;
Multi-tenant recommendations
For multi-tenant environments, we recommend:
- Treating the default “memgraph” database as an administrative/system database
- Restricting access to the “memgraph” database to privileged users only
- Storing application data in tenant-specific databases
- Ensuring users who need to perform authentication, replication, or multi-database operations have appropriate access
For detailed information about these requirements and best practices, see the Role-based access control, Multi-tenancy, and Replication documentation.
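The recommendations above, worked through as an added example (not taken from the Memgraph documentation): an application account that holds AUTH on the system database is moved to a tenant database, and user management is handed to a dedicated administrator. The names app_user, auth_admin and tenant_a and the passwords are hypothetical; the script assumes it is run by an existing administrator connected to the “memgraph” database, and it uses the CREATE DATABASE, GRANT/REVOKE DATABASE and SET MAIN DATABASE statements from Memgraph's multi-tenancy syntax.

```cypher
// Added example; all names and passwords below are constructed placeholders.

// --- Weak layout -----------------------------------------------------------
// The application account can reach the system database and holds AUTH,
// so a leaked application credential can create users and change privileges.
CREATE USER app_user IDENTIFIED BY 'constructed-app-password';
GRANT MATCH, CREATE, MERGE, SET, DELETE TO app_user;
GRANT AUTH TO app_user;

// --- Corrected layout ------------------------------------------------------
// 1. Application data gets its own tenant database.
CREATE DATABASE tenant_a;

// 2. A dedicated administrator holds AUTH and keeps access to "memgraph",
//    the two conditions that auth queries require as of v3.5.
CREATE USER auth_admin IDENTIFIED BY 'constructed-admin-password';
GRANT AUTH TO auth_admin;
GRANT DATABASE memgraph TO auth_admin;

// 3. The application account loses AUTH and is moved to the tenant database.
//    Its main database is switched before "memgraph" access is removed.
REVOKE AUTH FROM app_user;
GRANT DATABASE tenant_a TO app_user;
SET MAIN DATABASE tenant_a FOR app_user;
REVOKE DATABASE memgraph FROM app_user;

// --- Verification ----------------------------------------------------------
// Roles do not need a database context.
SHOW ROLE FOR app_user;

// User privileges do: check the tenant context and confirm that AUTH
// is no longer listed for the application account.
SHOW PRIVILEGES FOR app_user ON MAIN;
SHOW PRIVILEGES FOR app_user ON DATABASE tenant_a;

// The administrator should show AUTH in the system database context.
SHOW PRIVILEGES FOR auth_admin ON DATABASE memgraph;
```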
Users
Learn how to manage users in Memgraph.
Role-based access control (Enterprise)
Learn how to manage roles, set up their privileges and fine-grained access control.
Multi-role users and multi-tenant roles (Enterprise)
Learn how to assign multiple roles to users simultaneously and understand how permissions are combined from all roles.
Auth system integrations (Enterprise)
Learn how to integrate with third-party auth systems and manage user authentication and access control using Memgraph’s auth module.
Impersonate user (Enterprise)
Learn how the impersonate user feature enables authorized users to execute queries with the full permissions and context of another user.
User profiles (Enterprise)
Learn how to manage user profiles and set resource limits for users to control resource consumption and prevent abuse.