Access control
The GDS catalog offers elevated access to administrator users.
Any user granted a role with the name admin
is considered an administrator by GDS.
A GDS administrator has access to graphs projected by any other user. This includes the ability to list, drop and run algorithms over these graphs.
Disambiguating identically named graphs
Sometimes, several users (including the admin user themselves) could have a graph with the same name.
To disambiguate between these graphs, the username
configuration parameter can be used.
Examples
We will illustrate the administrator capabilities using a small example. In this example we have three users where one is an administrator. We create the users and set up the roles using the following Cypher commands:
CREATE USER alice SET PASSWORD $alice_pw CHANGE NOT REQUIRED;
CREATE USER bob SET PASSWORD $bob_pw CHANGE NOT REQUIRED;
CREATE USER carol SET PASSWORD $carol_pw CHANGE NOT REQUIRED;
GRANT ROLE reader TO alice;
GRANT ROLE reader TO bob;
GRANT ROLE admin TO carol;
As we can see, alice
and bob
are standard users with read access to the database.
carol
is an administrator by virtue of being granted the admin
role (for more information about this role see the Operations manual).
Now alice
and bob
each project a few graphs.
They both project a graph called graphA
and bob
also projects a graph called graphB
.
Listing
To list all graphs from all users, carol
simply uses the graph list procedure.
CALL gds.graph.list()
YIELD graphName
graphName |
---|
"graphA" |
"graphA" |
"graphB" |
Notice that all graphs from all users are visible to carol
since they are considered a GDS admin.
Running algorithms with other users' graphs
carol
may use graphB
by simply naming it.
carol
can run WCC on the graphB
graph owned by bob
:CALL gds.wcc.stats('graphB')
YIELD componentCount
To use the graphA
owned by alice
, carol
must use the username
override.
carol
can run WCC on graphA
owned by alice
:CALL gds.wcc.stats('graphA', { username: 'alice' })
YIELD componentCount
Dropping other users' graphs
Unlike for listing, the full procedure signature must be used when using the username
override to disambiguate.
In the query below we have used the default values for the second and third parameter for the drop procedure.
username
is the fourth parameter.
For more details see Dropping graphs.
graphA
owned by bob
, carol
can run the following:CALL gds.graph.drop('graphA', true, '', 'bob')
YIELD graphName