diff --git a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx index adc5d31a5..ebd0a6f8a 100644 --- a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx +++ b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx @@ -13,8 +13,8 @@ might have different access levels than an employee's role. Through RBAC, organizations efficiently ensure that users only access data relevant to their role, enhancing security and minimizing risks. -With role-based access control, database administrator can assign various -priviledges to roles, but for even more control over who can access certain +With role-based access control, a database administrator can assign various +privileges to roles, but for even more control over who can access certain data, Memgraph Enterprise offers [fine-grained access control](/database-management/authentication-and-authorization/role-based-access-control#fine-grained-access-control). @@ -23,10 +23,10 @@ control](/database-management/authentication-and-authorization/role-based-access Each user can be assigned at most one user role. User roles are abstractions that capture the privilege levels of a set of users. -For example, suppose that `Dominik` and `Marko` belong to upper management of a +For example, suppose that `Dominik` and `Marko` belong to the upper management of a certain company. It makes sense to grant them a set of privileges that other users are not entitled to so, instead of granting those privileges to each of -them, we can create a role with those privileges called `manager` which we +them, we can create a role with those privileges called `manager`, which we assign to `Dominik` and `Marko`. In other words, each privilege that is granted to a user role is automatically 
@@ -35,13 +35,15 @@ to that user). Similarly, each privilege that is denied to a user role is automatically denied to all users with that role (even if it has been explicitly granted to that user). -To creat a user role, run the following query: +To create a user role, run the following query: ```cypher -CREATE ROLE role_name; +CREATE ROLE [IF NOT EXISTS] role_name; ``` -To assigning a user with a certain user role, run the following query: +If a role already exists, you can use `IF NOT EXISTS` to only create new roles. + +To assign a user with a certain user role, run the following query: ```cypher SET ROLE FOR user_name TO role_name; @@ -74,7 +76,7 @@ SHOW ROLES; ## Privileges At the moment, privileges are confined to users' abilities to perform certain -`OpenCypher` queries. Namely users can be given permission to execute a subset +`OpenCypher` queries. Namely, users can be given permission to execute a subset of the following commands: | Privilege description | Clause | @@ -110,7 +112,7 @@ role are denied that privilege. Otherwise, Memgraph will not execute that specific query. Note that `DENY` is a stronger operation than `GRANT`. This is also notable from the fact that if neither the user nor its role are explicitly granted or denied a certain privilege, that user will not be able to perform -that specific query. This effect also is known as a silent deny. The information +that specific query. This effect is also known as a silent deny. The information above is neatly condensed in the following table: User Status | Role Status | Effective Status @@ -125,7 +127,7 @@ NULL | GRANT | GRANT NULL | DENY | DENY NULL | NULL | DENY -Once the privilages are changed, they take full effect once the user reconnects +Once the privileges are changed, they take full effect once the user reconnects to the database. #### Grant privileges 
@@ -172,12 +174,12 @@ raised by using `REVOKE`. For instance, if a user has been denied the `INDEX` privilege, but the role it belongs to is granted that privilege, the user is unable to use indexing features. -If the user's `INDEX` privilege is revoked, they will be able to do use indexing -features because his role is granted that privilege. +If the user's `INDEX` privilege is revoked, they will be able to use indexing +features because the role is granted that privilege. #### Manage all privileges at once -To grant, deny or revoke all privileges use the `ALL PRIVILEGES` construct: +To grant, deny or revoke all privileges, use the `ALL PRIVILEGES` construct: ```cypher GRANT ALL PRIVILEGES FROM ; diff --git a/pages/database-management/authentication-and-authorization/users.mdx b/pages/database-management/authentication-and-authorization/users.mdx index c43989266..156d40357 100644 --- a/pages/database-management/authentication-and-authorization/users.mdx +++ b/pages/database-management/authentication-and-authorization/users.mdx @@ -20,8 +20,9 @@ and [auth system integrations](/database-management/authentication-and-authoriza Creating a user can be done by executing the following command: ```cypher -CREATE USER user_name [IDENTIFIED BY 'password']; +CREATE USER [IF NOT EXISTS] user_name [IDENTIFIED BY 'password']; ``` +If the user already exists, you can use `IF NOT EXISTS` to only create new users. If the username is an email address, you need to enclose it in backticks (``` ` ```): 
@@ -35,22 +36,22 @@ the `--auth-user-or-role-regex` flag to include spaces. For example, If the user should authenticate themselves on each session, i.e. provide their password on each session, the part within the brackets is mandatory. Otherwise, -the password is set to `null` and the user will be allowed to log-in using +the password is set to `null`, and the user will be allowed to log-in using any password, provided that they use the correct username. -To set or alter a user's password run the following command: +To set or alter a user's password, run the following command: ```cypher SET PASSWORD FOR user_name TO 'new_password'; ``` -Setting the users's password to null removes the password, allowing the user to +Setting the user's password to null removes the password, allowing the user to log-in using any password: ```cypher SET PASSWORD FOR user_name TO null; ``` -To delete a user run the following command: +To delete a user, run the following command: ```cypher DROP USER user_name; @@ -68,7 +69,7 @@ appropriate values of `bcrypt`, `sha256` or `sha256-multiple`. **BCrypt** This algorithm is the default algorithm for password encryption. It's the most secure algorithm and has the best -protection against brute-force attack. However, if you're running connecting multiple concurrent enterprise users with +protection against brute-force attacks. However, if you're connecting multiple concurrent enterprise users with passwords at the same time, it may not be the best choice for you as you might experience slower performance. The performance is slower only during authentication of the users, and should not degrade once the connection has been established.
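Review bot: In the `@@ -35,13 +35,15 @@` hunk of role-based-access-control.mdx, the added sentence "If a role already exists, you can use `IF NOT EXISTS` to only create new roles." reads as if the clause filters which roles get created; what readers need is the error-handling behaviour, so consider "Add `IF NOT EXISTS` to make the statement a no-op instead of an error when a role with that name already exists." The same hunk keeps "To assign a user with a certain user role" in the corrected line; "To assign a user role to a user" matches the `SET ROLE FOR user_name TO role_name;` syntax that follows.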
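Review bot: In the `@@ -125,7 +127,7 @@` hunk, the corrected sentence "Once the privileges are changed, they take full effect once the user reconnects to the database." still leaves the operational consequence implicit: a `DENY` or `REVOKE` issued against an account does not affect that account's already open sessions. Since this page is the reference an administrator reaches for during an incident, spell that out, for example "Privilege changes apply to new connections only; existing sessions keep the privileges they had when they connected until they reconnect."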
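Review bot: In the `@@ -172,12 +174,12 @@` hunk, the trailing context line `GRANT ALL PRIVILEGES FROM ;` has no operand after `FROM`; the `<user_or_role>` placeholder was most likely swallowed by MDX treating the angle brackets as a tag, which is also why the rendered docs would show the same truncated statement. While touching this section, escape or back-tick the placeholder and double-check the keyword, since the other statements on this page pair `GRANT` with `TO` and `REVOKE` with `FROM`.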
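Review bot: In the `@@ -20,8 +20,9 @@` hunk of users.mdx, the added line "If the user already exists, you can use `IF NOT EXISTS` to only create new users." sits directly after the closing code fence with no blank line, so MDX will not render it as its own paragraph; add the blank line. More importantly, the sentence should say what happens to the optional `IDENTIFIED BY 'password'` part when the user already exists: if the statement is a no-op in that case, a provisioning script that relies on `CREATE USER IF NOT EXISTS ... IDENTIFIED BY` to rotate or set a password will silently leave the existing credential (or a `null` password) in place, which is exactly the kind of surprise this page should warn about.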
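Review bot: In the `@@ -35,22 +36,22 @@` hunk of users.mdx, both corrected lines keep "log-in" used as a verb ("will be allowed to log-in using any password", "log-in using any password"); the hyphenated form is the noun, so these should read "log in". Since you are already fixing punctuation on these lines, it is a cheap follow-up.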
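Review bot: In the `@@ -68,7 +69,7 @@` hunk, the context line "This algorithm is the default algorithm for password encryption" describes `bcrypt`, `sha256` and `sha256-multiple`, which are password hashing schemes, not encryption; calling them encryption suggests the stored value can be reversed. Suggest "password hashing" here and in the surrounding section so the security property (one-way, brute-force resistant) matches the "protection against brute-force attacks" wording you corrected in the same hunk.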