# Privilege ## 1.Introduce > The permissions of TuGraph are managed based on role-based access control. The permissions that define access control are assigned to roles, and the roles are then assigned to users. ## 2.Level of permissions - Global layer: indicates global permissions, which have permissions for management and graph operations. - Graph layer: control permissions on each graph; - Property level (Commercial version only) : control permissions on a property ## 3.Permission keyword At present, the control of permissions is relatively simple - The Global layer currently has admin permission, and the admin user is preset. * The Graph layer has four operation permissions: none, read, write, and full - none: No permission, no operation permission for the graph - read: Read-only permission, only has read permission for the graph - write: Read and write permission, not only has read permission for the graph, but also has write permission - full: All permissions, not only have read and write permissions for graphs, but also have permissions to delete graphs, modify graphs, and modify schemas * The Property layer (Commercial version only) has the following permissions: none, read, and write - none: No permission, no operation permission for the property - read: Read-only permission, only has read permission for the property - write: Read and write permission, not only has read permission for the property, but also has write permission ## 4.Common permission operations ### 4.1.User action - Creating a user ```cypher CALL dbms.security.createUser(user_name::STRING,password::STRING) ``` - Deleting a user ```cypher CALL dbms.security.deleteUser(user_name::STRING) ``` - Change the password of the current user ```cypher CALL dbms.security.changePassword(current_password::STRING,new_password::STRING) ``` - Changes the password of a specified user ```cypher CALL dbms.security.changeUserPassword(user_name::STRING,new_password::STRING) ``` - Disable or enable a user ```cypher CALL dbms.security.disableUser(user::STRING,disable::BOOLEAN) ``` - List all users ```cypher CALL dbms.security.listUsers() ``` - Lists the current user information ```cypher CALL dbms.security.showCurrentUser() ``` - Obtain user details ```cypher CALL dbms.security.getUserInfo(user::STRING) ``` ### 4.2.Role actions - Create a role ```cypher CALL dbms.security.createRole(role_name::STRING,desc::STRING) ``` - Delete a role ```cypher CALL dbms.security.deleteRole(role_name::STRING ``` - List all characters ```cypher CALL dbms.security.listRoles() ``` - Disable or enable the role ```cypher CALL dbms.security.disableRole(role::STRING,disable::BOOLEAN) ``` ### 4.3.Assign roles to users - Adds the association between the user and the role ```cypher CALL dbms.security.addUserRoles(user::STRING,roles::LIST) ``` - Deletes the association between the user and the role CALL dbms.security.deleteUserRoles(user::STRING,roles::LIST) - Clears the relationship between user roles and rebuilds them ```cypher CALL dbms.security.rebuildUserRoles(user::STRING,roles::LIST) ``` ### 4.4.Role empowerment - Modifies the access permission of a role to a specified graph ```cypher CALL dbms.security.modRoleAccessLevel(role::STRING,access_level::MAP) ``` Example ```cypher CALL dbms.security.modRoleAccessLevel("test_role", {test_graph1:"FULL", test_graph2:"NONE"}) ```