Impersonate user (Enterprise)
The impersonate user feature lets authorized users run queries on behalf of another user. When using impersonation, the permitted user adopts the full permissions and context of the impersonated user. This means they can execute queries and perform actions exactly as the impersonated user, with all associated privileges.
This feature provides a powerful tool for managing user permissions, debugging, and performing administrative tasks. By leveraging the ability to impersonate other users, you can ensure more efficient management of users and roles while maintaining robust security and access control within your graph database.
Enterprise: Impersonate user feature requires a Memgraph Enterprise license to function. For more information on Memgraph Enterprise and instructions on how to enable it, refer to the enabling Memgraph Enterprise documentation.
Targeting impersonation
The impersonated user is defined at the session start, as shown in the example using the Neo4j Python driver:
with driver.session(impersonated_user="user1") as session:
# queries here will be executed as if user1 executed themDuring this session, all queries will be executed with the privileges and
context of the impersonated user (user1 in this case), effectively “switching”
the identity for the duration of the session.
Permissions for impersonation
Only certain users or roles have the ability to impersonate other users. These permissions are managed with three key queries:
Grant impersonate user
The GRANT IMPERSONATE_USER query allows a user or role to impersonate specific users or all users. The syntax and behavior are as follows:
GRANT IMPERSONATE_USER [*] [list of users] TO user/role;Here is the explanation of arguments:
*: Grants permission to impersonate all users.list of users: Grants permission to impersonate specific users (comma-separated list).user/role: The user or role receiving the impersonation permission.
Here is an example of granting the admin role permission to impersonate user1 and user2:
GRANT IMPERSONATE_USER user1,user2 TO admin;Here is an example of granting the admin_user user permission to impersonate all users:
GRANT IMPERSONATE_USER * TO admin_user;Deny impersonate user
The DENY IMPERSONATE_USER denies impersonation rights to specific users or roles, allowing you to restrict who can impersonate whom.
The syntax and behavior are as follows:
DENY IMPERSONATE_USER list of users TO user/role;Here is the explanation of arguments:
list of users: Deny impersonation for specific users (comma-separated list).user/role: The user or role being restricted from impersonating others.
Here is an example of denying the admin role the ability to impersonate user1 and user2:
DENY IMPERSONATE_USER user1,user2 TO admin;Revoke impersonate user
The REVOKE IMPERSONATE_USER removes the impersonation rights for a given user or role. It revokes all impersonation permissions for the specified user/role.
The syntax and behavior are as follows:
REVOKE IMPERSONATE_USER FROM user/role;Here is the explanation of arguments:
user/role: The user or role whose impersonation permissions are being revoked.
Here is an example of revoking all impersonation permissions for the admin role:
REVOKE IMPERSONATE_USER FROM admin;Important things to note
When using the GRANT or DENY commands, you must provide exhaustive lists of users. This means that the existing configuration will be replaced by the new list provided.
For example:
- First command:
GRANT IMPERSONATE_USER user1,user2 TO admin; - Second command (this overrides the first one):
After the second command, the
GRANT IMPERSONATE_USER user3 TO admin;adminrole will only be able to impersonateuser3, even though the first command allowed impersonation ofuser1anduser2.
Permissions can be granted or denied to individual users or roles. For example, an admin role might have impersonation privileges that individual users do not have.
The REVOKE command removes any impersonation permissions for the specified user or role, ensuring that they cannot impersonate any user unless granted explicitly again.