Access control

The GDS catalog offers elevated access to administrator users. Any user granted a role with the name admin is considered an administrator by GDS.

A GDS administrator has access to graphs projected by any other user. This includes the ability to list, drop and run algorithms over these graphs.

Disambiguating identically named graphs

Sometimes, several users (including the admin user themselves) could have a graph with the same name. To disambiguate between these graphs, the username configuration parameter can be used.

Examples

We will illustrate the administrator capabilities using a small example. In this example we have three users where one is an administrator. We create the users and set up the roles using the following Cypher commands:

CREATE USER alice SET PASSWORD $alice_pw CHANGE NOT REQUIRED;
CREATE USER bob SET PASSWORD $bob_pw CHANGE NOT REQUIRED;
CREATE USER carol SET PASSWORD $carol_pw CHANGE NOT REQUIRED;

GRANT ROLE reader TO alice;
GRANT ROLE reader TO bob;
GRANT ROLE admin TO carol;

As we can see, alice and bob are standard users with read access to the database. carol is an administrator by virtue of being granted the admin role (for more information about this role see the Operations manual).

Now alice and bob each project a few graphs. They both project a graph called graphA and bob also projects a graph called graphB.

Listing

To list all graphs from all users, carol simply uses the graph list procedure.

Listing all graphs as administrator user:

CALL gds.graph.list()
YIELD graphName

Table 1. Results
graphName
"graphA"
"graphA"
"graphB"

Notice that all graphs from all users are visible to carol since they are considered a GDS admin.

Running algorithms with other users' graphs

carol may use graphB by simply naming it.

carol can run WCC on the graphB graph owned by bob:

CALL gds.wcc.stats('graphB')
YIELD componentCount

To use the graphA owned by alice, carol must use the username override.

carol can run WCC on graphA owned by alice:

CALL gds.wcc.stats('graphA', { username: 'alice' })
YIELD componentCount

Dropping other users' graphs

Unlike for listing, the full procedure signature must be used when using the username override to disambiguate. In the query below we have used the default values for the second and third parameter for the drop procedure. username is the fourth parameter. For more details see Dropping graphs.

To drop graphA owned by bob, carol can run the following:

CALL gds.graph.drop('graphA', true, '', 'bob')
YIELD graphName