memgraph · matea16 · Dec 8, 2025 · Dec 5, 2025 · Dec 5, 2025 · Dec 5, 2025
@@ -184,6 +184,13 @@ of the following commands:
 For a comprehensive reference of which privileges are required for specific queries and operations, see the [Query privileges reference](/database-management/authentication-and-authorization/query-privileges) documentation.
 </Callout>
 
+### First user privileges
+
+When you create the first user in Memgraph, that user automatically becomes a
+superuser (administrator account with full system access) with all privileges.
+See the [templates for granting privileges](#templates-for-granting-privileges)
+section for details on what privileges are granted.
+
 ## Authentication and authorization requirements
 
 <Callout type="info">
@@ -258,14 +265,19 @@ In this setup:
 - Application data is stored in tenant-specific databases, not in the default
   "memgraph" database
 
-After the first user is created, Memgraph will execute a query if and only if
-either a user or its role is granted that privilege and neither the user nor its
-role are denied that privilege. Otherwise, Memgraph will not execute that
-specific query. Note that `DENY` is a stronger operation than `GRANT`. This is
-also notable from the fact that if neither the user nor its role are explicitly
-granted or denied a certain privilege, that user will not be able to perform
-that specific query. This effect is also known as a silent deny. The information
-above is neatly condensed in the following table:
+After the first user is created, Memgraph switches from "allow everything" mode
+(when no users exist) to "access controlled" mode. From that point forward, all
+connections must authenticate with valid credentials, and unauthenticated
+connections will be rejected.
+
+Memgraph will execute a query if and only if either a user or its role is
+granted that privilege and neither the user nor its role are denied that
+privilege. Otherwise, Memgraph will not execute that specific query. Note that
+`DENY` is a stronger operation than `GRANT`. This is also notable from the fact
+that if neither the user nor its role are explicitly granted or denied a certain
+privilege, that user will not be able to perform that specific query. This effect
+is also known as a silent deny. The information above is neatly condensed in the
+following table:
 
 User Status | Role Status | Effective Status
 ------------|-------------|------------------
@@ -724,6 +736,14 @@ permissions) for the user or role in the specified database context.
 
 ### Templates for granting privileges
 
+<Callout type="info">
+
+**Note**: The first user created automatically receives all privileges (as
+described in the [First user privileges](#first-user-privileges) section). The
+following templates are for granting privileges to additional users or roles.
+
+</Callout>
+
 To grant all privileges to a superuser (admin):
 
 ```cypher

@@ -33,6 +33,15 @@ CREATE USER [IF NOT EXISTS] user_name [IDENTIFIED BY 'password'];
 ```
 If the user already exists, you can use `IF NOT EXISTS` to only create new users.
 
+<Callout type="info">
+
+**First user privileges**: The first user created in Memgraph automatically
+becomes a superuser with all privileges. See the [Role-based access
+control](/database-management/authentication-and-authorization/role-based-access-control#first-user-privileges)
+documentation for details.
+
+</Callout>
+
 If the username is an email address, you need to enclose it in backticks (``` ` ```):
 
 ```cypher