Query privileges reference (Enterprise)
This comprehensive reference provides detailed information about the privilege system in Memgraph, including which privileges are required for different types of queries and operations.
This page complements the Role-based access control documentation by providing detailed privilege requirements for specific queries and operations.
Memgraph's privilege system controls access to database operations through a set of named privileges. The system analyzes each query and determines the privileges it requires using the PrivilegeExtractor class, which implements the visitor pattern to traverse the Abstract Syntax Tree (AST) and collect the privilege requirements of every clause it visits.
Cypher query privileges
Basic operations
Query Type | Required Privileges | Example |
---|---|---|
CREATE | CREATE | CREATE (n:Person {name: "Alice"}) |
MATCH | MATCH | MATCH (n:Person) RETURN n |
DELETE | DELETE | MATCH (n) DELETE n |
MERGE | MERGE | MERGE (n:Person {id: 1}) |
SET (properties) | SET | MATCH (n) SET n.name = "Bob" |
SET (labels) | SET | MATCH (n) SET n:Employee |
REMOVE (properties) | REMOVE | MATCH (n) REMOVE n.temp |
REMOVE (labels) | REMOVE | MATCH (n) REMOVE n:Temp |
Complex queries
Query Type | Required Privileges | Example |
---|---|---|
MATCH + DELETE | MATCH , DELETE | MATCH (n) DELETE n |
MATCH + CREATE | MATCH , CREATE | MATCH (n) CREATE (m)-[:KNOWS]->(n) |
MATCH + SET | MATCH , SET | MATCH (n) SET n.updated = true |
MATCH + REMOVE | MATCH , REMOVE | MATCH (n) REMOVE n:Old |
Index operations
Query Type | Required Privileges | Example |
---|---|---|
CREATE INDEX | INDEX | CREATE INDEX ON :Person(name) |
DROP INDEX | INDEX | DROP INDEX ON :Person(name) |
CREATE EDGE INDEX | INDEX | CREATE EDGE INDEX ON :KNOWS |
CREATE TEXT INDEX | INDEX | CREATE TEXT INDEX ON :Person(name) |
CREATE VECTOR INDEX | INDEX | CREATE VECTOR INDEX ON :Document(embedding) |
CREATE TEXT EDGE INDEX | INDEX | CREATE TEXT EDGE INDEX ON :KNOWS(description) |
CREATE VECTOR EDGE INDEX | INDEX | CREATE VECTOR EDGE INDEX ON :SIMILAR(embedding) |
ANALYZE GRAPH | INDEX | ANALYZE GRAPH |
DROP ALL INDEXES | INDEX | DROP ALL INDEXES |
Constraint operations
Query Type | Required Privileges | Example |
---|---|---|
CREATE CONSTRAINT | CONSTRAINT | CREATE CONSTRAINT ON (n:Person) ASSERT n.id IS UNIQUE |
DROP CONSTRAINT | CONSTRAINT | DROP CONSTRAINT ON (n:Person) ASSERT n.id IS UNIQUE |
DROP ALL CONSTRAINTS | CONSTRAINT | DROP ALL CONSTRAINTS |
Authentication and authorization
Query Type | Required Privileges | Special Cases |
---|---|---|
CREATE ROLE | AUTH | |
DROP ROLE | AUTH | |
SHOW ROLES | AUTH | |
CREATE USER | AUTH | |
SET PASSWORD | AUTH | |
CHANGE PASSWORD | None | Users can change their own password. |
DROP USER | AUTH | |
SHOW CURRENT USER | None | Users can always see their own info. |
SHOW CURRENT ROLE | None | Users can always see their current role. |
SHOW USERS | AUTH | |
SET ROLE | AUTH | |
CLEAR ROLE | AUTH | |
GRANT PRIVILEGE | AUTH | |
DENY PRIVILEGE | AUTH | |
REVOKE PRIVILEGE | AUTH | |
SHOW PRIVILEGES | AUTH | |
SHOW ROLE FOR USER | AUTH | |
SHOW USERS FOR ROLE | AUTH | |
GRANT DATABASE TO USER | AUTH | |
DENY DATABASE FROM USER | AUTH | |
REVOKE DATABASE FROM USER | AUTH | |
SHOW DATABASE PRIVILEGES | AUTH | |
SET MAIN DATABASE | AUTH | |
GRANT IMPERSONATE USER | AUTH | |
DENY IMPERSONATE USER | AUTH | |
Database information queries
Query Type | Required Privileges | Example |
---|---|---|
SHOW INDEX INFO | INDEX | SHOW INDEX INFO |
SHOW EDGE TYPES | INDEX | SHOW EDGE_TYPES INFO |
SHOW NODE LABELS | INDEX | SHOW NODE_LABELS INFO |
SHOW VECTOR INDEX INFO | INDEX | SHOW VECTOR INDEX INFO |
SHOW CONSTRAINT INFO | CONSTRAINT | SHOW CONSTRAINT INFO |
SHOW METRICS | STATS | SHOW METRICS INFO |
System information queries
Query Type | Required Privileges | Example |
---|---|---|
SHOW STORAGE INFO | STATS | SHOW STORAGE INFO |
SHOW BUILD INFO | STATS | SHOW BUILD INFO |
SHOW ACTIVE USERS | STATS | SHOW ACTIVE USERS |
SHOW LICENSE INFO | CONFIG | SHOW LICENSE INFO |
SHOW INSTANCE | STATS | SHOW INSTANCE |
SHOW INSTANCES | STATS | SHOW INSTANCES |
Administrative operations
Query Type | Required Privileges | Example |
---|---|---|
DUMP DATABASE | DUMP | DUMP DATABASE |
LOCK DATA DIRECTORY | DURABILITY | LOCK DATA DIRECTORY |
UNLOCK DATA DIRECTORY | DURABILITY | UNLOCK DATA DIRECTORY |
DATA DIRECTORY LOCK STATUS | DURABILITY | DATA DIRECTORY LOCK STATUS |
FREE MEMORY | FREE_MEMORY | FREE MEMORY |
SHOW CONFIG | CONFIG | SHOW CONFIG |
CREATE TRIGGER | TRIGGER | CREATE TRIGGER ... |
DROP TRIGGER | TRIGGER | DROP TRIGGER ... |
SHOW TRIGGERS | TRIGGER | SHOW TRIGGERS |
SHOW TRIGGER INFO | TRIGGER | SHOW TRIGGER INFO |
CREATE STREAM | STREAM | CREATE STREAM ... |
DROP STREAM | STREAM | DROP STREAM ... |
SET ISOLATION LEVEL | CONFIG | SET ISOLATION LEVEL ... |
SET STORAGE MODE | STORAGE_MODE | SET STORAGE MODE ... |
CREATE SNAPSHOT | DURABILITY | CREATE SNAPSHOT |
RECOVER SNAPSHOT | DURABILITY | RECOVER SNAPSHOT |
SHOW SNAPSHOTS | DURABILITY | SHOW SNAPSHOTS |
SHOW NEXT SNAPSHOT | DURABILITY | SHOW NEXT SNAPSHOT |
SET SETTING | CONFIG | SET SETTING ... |
SHOW VERSION | STATS | SHOW VERSION |
SHOW TRANSACTIONS | TRANSACTION_MANAGEMENT | SHOW TRANSACTIONS |
TERMINATE TRANSACTIONS | TRANSACTION_MANAGEMENT | TERMINATE TRANSACTIONS 'transaction_id' |
Replication operations
Query Type | Required Privileges | Example |
---|---|---|
REPLICATION operations | REPLICATION | Various replication commands. |
SHOW REPLICATION ROLE | REPLICATION | SHOW REPLICATION ROLE |
SHOW REPLICAS | REPLICATION | SHOW REPLICAS |
SHOW REPLICATION LAG | COORDINATOR | SHOW REPLICATION LAG |
Multi-database operations
Query Type | Required Privileges | Special Cases |
---|---|---|
CREATE DATABASE | MULTI_DATABASE_EDIT | |
DROP DATABASE | MULTI_DATABASE_EDIT | |
RENAME DATABASE | MULTI_DATABASE_EDIT | |
DROP DATABASE FORCE | MULTI_DATABASE_EDIT , TRANSACTION_MANAGEMENT | Requires both privileges. |
USE DATABASE | MULTI_DATABASE_USE | |
SHOW DATABASE | None | Users can see current database. |
SHOW DATABASES | MULTI_DATABASE_USE | |
Enum operations
Query Type | Required Privileges | Example |
---|---|---|
CREATE ENUM | CREATE | CREATE ENUM ... |
SHOW ENUMS | STATS | SHOW ENUMS |
ALTER ENUM ADD VALUE | CREATE | ALTER ENUM ... ADD VALUE ... |
ALTER ENUM UPDATE VALUE | CREATE | ALTER ENUM ... UPDATE VALUE ... |
ALTER ENUM REMOVE VALUE | DELETE | ALTER ENUM ... REMOVE VALUE ... |
DROP ENUM | DELETE | DROP ENUM ... |
TTL operations
Query Type | Required Privileges | Note |
---|---|---|
TTL operations | CONFIG , INDEX , MATCH , DELETE | Requires multiple privileges. |
Coordinator operations
Query Type | Required Privileges | Example |
---|---|---|
COORDINATOR operations | COORDINATOR | Various coordinator commands. |
SHOW COORDINATOR SETTINGS | COORDINATOR | SHOW COORDINATOR SETTINGS |
Schema information
Query Type | Required Privileges | Example |
---|---|---|
SHOW SCHEMA INFO | STATS | SHOW SCHEMA INFO |
User profile operations
Query Type | Required Privileges | Example |
---|---|---|
USER PROFILE operations | PROFILE_RESTRICTION | User profile management. |
Procedure calls
Procedure Type | Required Privileges | Example |
---|---|---|
mg.get_module_files | MODULE_READ | CALL mg.get_module_files() |
mg.create_module_file | MODULE_WRITE | CALL mg.create_module_file(...) |
mg.update_module_file | MODULE_WRITE | CALL mg.update_module_file(...) |
mg.get_module_file | MODULE_READ | CALL mg.get_module_file(...) |
mg.delete_module_file | MODULE_WRITE | CALL mg.delete_module_file(...) |
Other procedures | Procedure-specific | Depends on procedure definition. |
File operations
Query Type | Required Privileges | Example |
---|---|---|
LOAD CSV | READ_FILE | LOAD CSV FROM "file.csv" AS row |
Special cases
Query Type | Required Privileges | Notes |
---|---|---|
EXPLAIN | Inherits privileges from inner query | Privileges depend on the explained query. |
PROFILE | Inherits privileges from inner query | Privileges depend on the profiled query. |
SET SESSION TRACE | None | No privileges required. |
Examples

```cypher
-- EXPLAIN inherits privileges from the inner query
EXPLAIN MATCH (n:Person) RETURN n; -- Requires the MATCH privilege

-- PROFILE inherits privileges from the inner query
PROFILE CREATE (n:Person {name: "Alice"}); -- Requires the CREATE privilege
```
Troubleshooting
Common privilege errors
If you encounter “Vertex not created due to not having enough permission!” errors, you likely need to grant fine-grained access control privileges to the user.
Checking privileges

```cypher
-- Show all privileges for a user or role
SHOW PRIVILEGES FOR username;

-- Show privileges in a specific database context
SHOW PRIVILEGES FOR username ON DATABASE db_name;

-- Verify the currently logged-in user
SHOW CURRENT USER;

-- Show the current user's privileges
SHOW PRIVILEGES FOR CURRENT USER;
```
Privilege inheritance
Remember that:
- Grants: If any role grants a permission, the user has that permission.
- Denies: If any role denies a permission, the user is denied that permission, even if another role grants it.
- Database Access: If any role grants access to a database, the user has access.
- Fine-grained Permissions: Combined using the same grant/deny logic.
Privilege changes take effect after the user reconnects to the database.
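The following is an added illustration, not Memgraph's own code: a small Python model of the grant/deny combination rules above, checked against the per-query requirements listed in the tables (including EXPLAIN/PROFILE inheriting the inner query's privileges). The role names and their grants/denies are constructed sample data.

```python
"""Model of how a user's effective privileges are resolved across roles, per the
documented rules: any grant confers the privilege, any deny removes it, and a
deny always beats a grant. Illustration only, not Memgraph's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    grants: frozenset = frozenset()
    denies: frozenset = frozenset()


# Required privileges for a few query types, taken from the tables on this page.
REQUIRED = {
    "MATCH + DELETE": {"MATCH", "DELETE"},
    "DROP DATABASE FORCE": {"MULTI_DATABASE_EDIT", "TRANSACTION_MANAGEMENT"},
    "TTL": {"CONFIG", "INDEX", "MATCH", "DELETE"},
    "SHOW CURRENT USER": set(),
}


def required_for(query_type: str) -> set:
    """EXPLAIN and PROFILE inherit the privileges of the query they wrap."""
    for prefix in ("EXPLAIN ", "PROFILE "):
        if query_type.startswith(prefix):
            return required_for(query_type[len(prefix):])
    return REQUIRED[query_type]


def effective_privileges(roles) -> set:
    """Union of all grants minus union of all denies: one deny is enough."""
    granted = set().union(*(r.grants for r in roles))
    denied = set().union(*(r.denies for r in roles))
    return granted - denied


def missing_privileges(roles, query_type: str) -> list:
    """Privileges the query needs that the user does not effectively hold."""
    return sorted(required_for(query_type) - effective_privileges(roles))


def can_run(roles, query_type: str) -> bool:
    return not missing_privileges(roles, query_type)


# Constructed sample roles (hypothetical names).
ANALYST = Role("analyst", grants=frozenset({"MATCH"}))
JANITOR = Role("janitor", grants=frozenset({"MATCH", "DELETE"}))
READONLY = Role("readonly", denies=frozenset({"DELETE"}))

if __name__ == "__main__":
    # janitor grants DELETE but readonly denies it, so the deny wins.
    print(missing_privileges([JANITOR, READONLY], "MATCH + DELETE"))  # ['DELETE']
```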