From 4caac462a8a41733c47028d766576e4b285d3915 Mon Sep 17 00:00:00 2001 From: imilinovic Date: Fri, 5 Dec 2025 11:11:23 +0100 Subject: [PATCH 1/5] first user docs --- .../role-based-access-control.mdx | 72 ++++++++++++++++--- .../users.mdx | 11 +++ pages/database-management/configuration.mdx | 10 +++ 3 files changed, 84 insertions(+), 9 deletions(-) diff --git a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx index dd7059cf3..023243773 100644 --- a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx +++ b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx 
@@ -255,17 +255,63 @@ In this setup: authentication/authorization, replication, and multi-database operations - `tenant1_user_account` and `tenant2_user_account` can only access their respective tenant databases -- Application data is stored in tenant-specific databases, not in the default + - Application data is stored in tenant-specific databases, not in the default "memgraph" database -After the first user is created, Memgraph will execute a query if and only if -either a user or its role is granted that privilege and neither the user nor its -role are denied that privilege. Otherwise, Memgraph will not execute that -specific query. Note that `DENY` is a stronger operation than `GRANT`. This is -also notable from the fact that if neither the user nor its role are explicitly -granted or denied a certain privilege, that user will not be able to perform -that specific query. This effect is also known as a silent deny. The information -above is neatly condensed in the following table: +### First user privileges + +When you create the first user in Memgraph, that user automatically receives +**all privileges** and becomes a superuser (administrator account with full +system access). This is intended to provide a secure starting point for database +administration. 
+ +#### Privileges granted + +**Community Edition:** +- All global privileges: CREATE, DELETE, MATCH, MERGE, SET, REMOVE, INDEX, STATS, + AUTH, CONSTRAINT, DUMP, REPLICATION, DURABILITY, READ_FILE, FREE_MEMORY, + TRIGGER, CONFIG, STREAM, MODULE_READ, MODULE_WRITE, WEBSOCKET, + TRANSACTION_MANAGEMENT, STORAGE_MODE, MULTI_DATABASE_EDIT, MULTI_DATABASE_USE, + COORDINATOR, IMPERSONATE_USER, PROFILE_RESTRICTION + +**Enterprise Edition:** +- All global privileges (same as Community Edition) +- All label-based privileges: READ, UPDATE, CREATE, DELETE permissions on all + labels (`*`) +- All edge type privileges: READ, UPDATE, CREATE, DELETE permissions on all edge + types (`*`) +- Access to all databases + + + +**Security best practices:** +- Use a strong password for the first user, as this account has full system + access +- Consider creating additional users with limited privileges for day-to-day + operations +- Keep the first user credentials secure and use it primarily for administrative + tasks + + + +For a complete list of available privileges, see the [Privileges](#privileges) +section. + +#### System behavior after first user creation + +After the first user is created, Memgraph switches from "allow everything" mode +(when no users exist) to "access controlled" mode. From that point forward, all +connections must authenticate with valid credentials, and unauthenticated +connections will be rejected. + +Memgraph will execute a query if and only if either a user or its role is +granted that privilege and neither the user nor its role are denied that +privilege. Otherwise, Memgraph will not execute that specific query. Note that +`DENY` is a stronger operation than `GRANT`. This is also notable from the fact +that if neither the user nor its role are explicitly granted or denied a certain +privilege, that user will not be able to perform that specific query. This effect +is also known as a silent deny. 
The information above is neatly condensed in the +following table: User Status | Role Status | Effective Status ------------|-------------|------------------ @@ -724,6 +770,14 @@ permissions) for the user or role in the specified database context. ### Templates for granting privileges + + +**Note**: The first user created automatically receives all privileges (as +described in the [First user privileges](#first-user-privileges) section). The +following templates are for granting privileges to additional users or roles. + + + To grant all privileges to a superuser (admin): ```cypher diff --git a/pages/database-management/authentication-and-authorization/users.mdx b/pages/database-management/authentication-and-authorization/users.mdx index c9b8b5392..ae134b0e5 100644 --- a/pages/database-management/authentication-and-authorization/users.mdx +++ b/pages/database-management/authentication-and-authorization/users.mdx @@ -33,6 +33,17 @@ CREATE USER [IF NOT EXISTS] user_name [IDENTIFIED BY 'password']; ``` If the user already exists, you can use `IF NOT EXISTS` to only create new users. + + +**First user privileges**: The first user created in Memgraph automatically +receives all privileges and becomes a superuser. This includes all global +privileges, all label-based privileges (Enterprise), all edge type privileges +(Enterprise), and access to all databases (Enterprise). See the [Role-based +access control](/database-management/authentication-and-authorization/role-based-access-control#first-user-privileges) +documentation for details. + + + If the username is an email address, you need to enclose it in backticks (``` ` ```): ```cypher diff --git a/pages/database-management/configuration.mdx b/pages/database-management/configuration.mdx index 866e9fa0d..28fc29698 100644 --- a/pages/database-management/configuration.mdx +++ b/pages/database-management/configuration.mdx 
@@ -654,6 +654,16 @@ to create users and set their passwords allowing only authorized users to access the data in the first run. The CYPHERL file the `init-data-file` points to is usually used to populate the database. + + +**First user privileges**: The first user created (either via `init-file` or +environment variables like `MEMGRAPH_USER`/`MEMGRAPH_PASSWORD`) automatically +receives all privileges and becomes a superuser. See the [Role-based access +control](/database-management/authentication-and-authorization/role-based-access-control#first-user-privileges) +documentation for details. + + + If you will run Memgraph with Docker, make sure that the `init-file` and `init-data-file` configuration flags are referring to the files inside the container before Memgraph starts. Files can't be directly copied into a From 0f431be4864dee9ccd2cc1c9cf6e60f67c1bd11e Mon Sep 17 00:00:00 2001 From: imilinovic Date: Fri, 5 Dec 2025 11:26:18 +0100 Subject: [PATCH 2/5] changes --- .../role-based-access-control.mdx | 63 +++++++------------ 1 file changed, 21 insertions(+), 42 deletions(-) diff --git a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx index 023243773..46d3c2aa2 100644 --- a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx +++ b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx 
@@ -184,6 +184,26 @@ of the following commands: For a comprehensive reference of which privileges are required for specific queries and operations, see the [Query privileges reference](/database-management/authentication-and-authorization/query-privileges) documentation. +#### First user privileges + +When you create the first user in Memgraph, that user automatically receives +**all privileges** and becomes a superuser (administrator account with full +system access). This includes all global privileges, and in Enterprise Edition, +also includes all label-based privileges, all edge type privileges, and access +to all databases. + + + +**Security best practices:** +- Use a strong password for the first user, as this account has full system + access +- Consider creating additional users with limited privileges for day-to-day + operations +- Keep the first user credentials secure and use it primarily for administrative + tasks + + + ## Authentication and authorization requirements 
@@ -255,50 +275,9 @@ In this setup: authentication/authorization, replication, and multi-database operations - `tenant1_user_account` and `tenant2_user_account` can only access their respective tenant databases - - Application data is stored in tenant-specific databases, not in the default +- Application data is stored in tenant-specific databases, not in the default "memgraph" database -### First user privileges - -When you create the first user in Memgraph, that user automatically receives -**all privileges** and becomes a superuser (administrator account with full -system access). This is intended to provide a secure starting point for database -administration. - -#### Privileges granted - -**Community Edition:** -- All global privileges: CREATE, DELETE, MATCH, MERGE, SET, REMOVE, INDEX, STATS, - AUTH, CONSTRAINT, DUMP, REPLICATION, DURABILITY, READ_FILE, FREE_MEMORY, - TRIGGER, CONFIG, STREAM, MODULE_READ, MODULE_WRITE, WEBSOCKET, - TRANSACTION_MANAGEMENT, STORAGE_MODE, MULTI_DATABASE_EDIT, MULTI_DATABASE_USE, - COORDINATOR, IMPERSONATE_USER, PROFILE_RESTRICTION - -**Enterprise Edition:** -- All global privileges (same as Community Edition) -- All label-based privileges: READ, UPDATE, CREATE, DELETE permissions on all - labels (`*`) -- All edge type privileges: READ, UPDATE, CREATE, DELETE permissions on all edge - types (`*`) -- Access to all databases - - - -**Security best practices:** -- Use a strong password for the first user, as this account has full system - access -- Consider creating additional users with limited privileges for day-to-day - operations -- Keep the first user credentials secure and use it primarily for administrative - tasks - - - -For a complete list of available privileges, see the [Privileges](#privileges) -section. - -#### System behavior after first user creation - After the first user is created, Memgraph switches from "allow everything" mode (when no users exist) to "access controlled" mode. 
From that point forward, all connections must authenticate with valid credentials, and unauthenticated From 0f35d06addc0e178dea6bdfa43633e6f13d78ce7 Mon Sep 17 00:00:00 2001 From: imilinovic Date: Fri, 5 Dec 2025 11:45:35 +0100 Subject: [PATCH 3/5] changes --- .../role-based-access-control.mdx | 21 ++++--------------- pages/database-management/configuration.mdx | 10 --------- 2 files changed, 4 insertions(+), 27 deletions(-) diff --git a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx index 46d3c2aa2..f03bc7fe2 100644 --- a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx +++ b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx @@ -186,23 +186,10 @@ For a comprehensive reference of which privileges are required for specific quer #### First user privileges -When you create the first user in Memgraph, that user automatically receives -**all privileges** and becomes a superuser (administrator account with full -system access). This includes all global privileges, and in Enterprise Edition, -also includes all label-based privileges, all edge type privileges, and access -to all databases. - - - -**Security best practices:** -- Use a strong password for the first user, as this account has full system - access -- Consider creating additional users with limited privileges for day-to-day - operations -- Keep the first user credentials secure and use it primarily for administrative - tasks - - +When you create the first user in Memgraph, that user automatically becomes a +superuser (administrator account with full system access) with all privileges. +See the [templates for granting privileges](#templates-for-granting-privileges) +section for details on what privileges are granted. ## Authentication and authorization requirements 
diff --git a/pages/database-management/configuration.mdx b/pages/database-management/configuration.mdx index 28fc29698..866e9fa0d 100644 --- a/pages/database-management/configuration.mdx +++ b/pages/database-management/configuration.mdx @@ -654,16 +654,6 @@ to create users and set their passwords allowing only authorized users to access the data in the first run. The CYPHERL file the `init-data-file` points to is usually used to populate the database. - - -**First user privileges**: The first user created (either via `init-file` or -environment variables like `MEMGRAPH_USER`/`MEMGRAPH_PASSWORD`) automatically -receives all privileges and becomes a superuser. See the [Role-based access -control](/database-management/authentication-and-authorization/role-based-access-control#first-user-privileges) -documentation for details. - - - If you will run Memgraph with Docker, make sure that the `init-file` and `init-data-file` configuration flags are referring to the files inside the container before Memgraph starts. Files can't be directly copied into a From 9f18892c4262542114667826f7514a146c4667eb Mon Sep 17 00:00:00 2001 From: imilinovic Date: Fri, 5 Dec 2025 11:48:14 +0100 Subject: [PATCH 4/5] changes --- .../authentication-and-authorization/users.mdx | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/pages/database-management/authentication-and-authorization/users.mdx b/pages/database-management/authentication-and-authorization/users.mdx index ae134b0e5..5d33d6ca1 100644 --- a/pages/database-management/authentication-and-authorization/users.mdx +++ b/pages/database-management/authentication-and-authorization/users.mdx 
@@ -36,10 +36,8 @@ If the user already exists, you can use `IF NOT EXISTS` to only create new users **First user privileges**: The first user created in Memgraph automatically -receives all privileges and becomes a superuser. This includes all global -privileges, all label-based privileges (Enterprise), all edge type privileges -(Enterprise), and access to all databases (Enterprise). See the [Role-based -access control](/database-management/authentication-and-authorization/role-based-access-control#first-user-privileges) +becomes a superuser with all privileges. See the [Role-based access +control](/database-management/authentication-and-authorization/role-based-access-control#first-user-privileges) documentation for details. From d4253b23095a44e29482ca65858dd057539c3115 Mon Sep 17 00:00:00 2001 From: Matea Pesic <80577904+matea16@users.noreply.github.com> Date: Mon, 8 Dec 2025 10:47:54 +0100 Subject: [PATCH 5/5] Update pages/database-management/authentication-and-authorization/role-based-access-control.mdx --- .../role-based-access-control.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx index f03bc7fe2..9e1bcb725 100644 --- a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx +++ b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx 
@@ -184,7 +184,7 @@ of the following commands: For a comprehensive reference of which privileges are required for specific queries and operations, see the [Query privileges reference](/database-management/authentication-and-authorization/query-privileges) documentation. -#### First user privileges +### First user privileges When you create the first user in Memgraph, that user automatically becomes a superuser (administrator account with full system access) with all privileges.
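Review bot: In the first hunk of PATCH 1/5 (role-based-access-control.mdx @@ -255), the replacement line `+ - Application data is stored in tenant-specific databases, not in the default` gains a leading space that the removed line did not have, which turns that bullet into a nested item under the `tenant1_user_account`/`tenant2_user_account` bullet in the rendered list; drop the leading space so it stays a sibling. Also, the `**Community Edition:**` list spells out every global privilege by name while the same hunk already says `For a complete list of available privileges, see the [Privileges](#privileges) section`, so the two lists will drift apart the next time a privilege is added or renamed; a one-sentence statement plus the link is easier to keep accurate. Minor: `Keep the first user credentials secure and use it primarily for administrative tasks` mixes plural `credentials` with singular `it`; `this account` or `them` would fix it.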
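Review bot: In the configuration.mdx hunk of PATCH 1/5 (@@ -654), the added note names `MEMGRAPH_USER`/`MEMGRAPH_PASSWORD` as the environment-variable route to creating the first user, but nothing in the hunk's surrounding context documents those variables; if they are described elsewhere on the configuration page, link to that section so the reader can verify the names. The context line also says the `init-file` is used `to create users and set their passwords allowing only authorized users to access the data in the first run`; it would help to state explicitly that when such a file creates several users, the first `CREATE USER` it runs is the one that becomes the superuser, since that follows from the rule the note is summarising but is easy to miss.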
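Review bot: In the first hunk of PATCH 2/5 (role-based-access-control.mdx @@ -184), the new `#### First user privileges` heading is inserted immediately before `## Authentication and authorization requirements`, so a level-four heading ends a region whose next heading is level two; unless a `###` heading sits just above it in unchanged text, it should be `### First user privileges` so it shows up in the page outline at the same level as the neighbouring RBAC sections (the `#first-user-privileges` anchor that users.mdx links to is unaffected by the level change).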
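Review bot: In the second hunk of PATCH 2/5 (role-based-access-control.mdx @@ -255), removing `#### System behavior after first user creation` leaves the paragraph beginning `After the first user is created, Memgraph switches from "allow everything" mode` directly under the multi-tenant example's `In this setup:` bullet list, so the mode-switch statement now reads as part of that example rather than as general behaviour; move that paragraph (together with the `DENY`-over-`GRANT` explanation and the status table that follow it) into the new First user privileges section, or restore a heading in front of it. That paragraph carries the single most security-relevant fact in the series, that a database with no users accepts unauthenticated connections, so it should be under a heading readers can find.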
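Review bot: In the role-based-access-control.mdx hunk of PATCH 3/5 (@@ -186), the rewritten paragraph sends readers to `the [templates for granting privileges](#templates-for-granting-privileges) section for details on what privileges are granted`, but per the PATCH 1/5 hunk at @@ -724 that section documents how to grant privileges to additional users, not what the first user holds, so the cross-reference answers a different question; keep the one-sentence edition summary this hunk deletes (global privileges in Community Edition; label-based, edge-type and all-database access added in Enterprise Edition) or point to `#privileges` instead. Deleting the `**Security best practices:**` block also removes the only place in the series that tells operators to give this account a strong password and to create lower-privilege users for day-to-day work; if it is dropped here it should reappear somewhere, for instance in users.mdx next to `CREATE USER`.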
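Review bot: In the configuration.mdx hunk of PATCH 3/5 (@@ -654), deleting the whole `**First user privileges**` note leaves the `init-file` paragraph, which is exactly where an operator creating the first user on first run would be reading, with no mention that the account becomes a superuser; a single sentence keeping the existing `#first-user-privileges` link would preserve the pointer while still dropping the environment-variable detail that presumably prompted the removal.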