You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: pages/database-management/multi-tenancy.mdx
+39-13Lines changed: 39 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -16,11 +16,13 @@ In the current version, all isolated databases share the underlying resources so
16
16
there is no provision to restrict CPU or RAM usage for a specific database.
17
17
Instead, global limitations are imposed on Memgraph as a whole.
18
18
19
-
## Default database
19
+
## Default (memgraph) database
20
20
21
-
A default database named `memgraph` is automatically created during startup. New
22
-
users are granted access only to this default database. The default
23
-
database name cannot be altered.
21
+
A default database named `memgraph` is automatically created during startup.
22
+
When you create a user or role, they have access to the default database
23
+
(memgraph) by default. The default database name cannot be altered.
24
+
25
+
To remove this default access, you should use `REVOKE DATABASE memgraph FROM role_name;`. Using `REVOKE` removes the default grant but allows the role to potentially receive access through other means (e.g., if combined with another role that has access). Using `DENY` would explicitly forbid access regardless of other roles.
24
26
25
27
### Default database best practices
26
28
@@ -41,8 +43,8 @@ access to other databases but not the default one.
41
43
42
44
#### Recommended setup
43
45
44
-
1.**Restrict memgraph database access**: Only grant access to the "memgraph"
45
-
database to privileged users who need to perform system administration tasks
46
+
1.**Restrict memgraph database access**: Treat the "memgraph" database as a
47
+
system database and allow only administrators to have access to it
46
48
2.**Use tenant-specific databases**: Store all application data in dedicated
47
49
tenant databases
48
50
3.**Separate concerns**: Keep user management, role management, system
@@ -59,9 +61,13 @@ GRANT DATABASE memgraph TO system_admin;
59
61
60
62
-- Create tenant-specific roles (no access to memgraph database)
61
63
CREATE ROLE tenant1_admin;
64
+
REVOKE DATABASE memgraph FROM tenant1_admin;
62
65
CREATE ROLE tenant1_user;
66
+
REVOKE DATABASE memgraph FROM tenant1_user;
63
67
CREATE ROLE tenant2_admin;
68
+
REVOKE DATABASE memgraph FROM tenant2_admin;
64
69
CREATE ROLE tenant2_user;
70
+
REVOKE DATABASE memgraph FROM tenant2_user;
65
71
66
72
-- Grant appropriate permissions to tenant roles
67
73
GRANT MATCH, CREATE, MERGE, SET, DELETE, INDEX TO tenant1_admin;
@@ -78,8 +84,10 @@ GRANT CREATE, READ, UPDATE, DELETE ON NODES CONTAINING LABELS * TO tenant2_user;
78
84
GRANT CREATE, READ, UPDATE, DELETE ON EDGES CONTAINING TYPES * TO tenant2_user;
79
85
80
86
-- Grant access only to tenant databases
81
-
GRANT DATABASE tenant1_db TO tenant1_admin, tenant1_user;
82
-
GRANT DATABASE tenant2_db TO tenant2_admin, tenant2_user;
87
+
GRANT DATABASE tenant1_db TO tenant1_admin;
88
+
GRANT DATABASE tenant1_db TO tenant1_user;
89
+
GRANT DATABASE tenant2_db TO tenant2_admin;
90
+
GRANT DATABASE tenant2_db TO tenant2_user;
83
91
84
92
-- Create users
85
93
CREATE USER system_admin_user IDENTIFIED BY 'admin_password';
@@ -144,14 +152,32 @@ Users interact with multi-tenant features through specialized Cypher queries:
144
152
5.`SHOW DATABASES`: Shows only the existing set of multitenant databases.
145
153
6.`USE DATABASE name`: Switches focus to a specific database (disabled during
146
154
transactions).
147
-
7.`GRANT DATABASE name TO user`: Grants a user access to a specified database.
148
-
8.`DENY DATABASE name FROM user`: Denies a user's access to a specified
149
-
database.
150
-
9.`REVOKE DATABASE name FROM user`: Removes database from user's authentication
151
-
context.
155
+
7.`GRANT DATABASE name TO user_or_role`: Grants a user or role access to a
156
+
specified database.
157
+
8.`DENY DATABASE name FROM user_or_role`: Explicitly denies a user or role
158
+
access to a specified database.
159
+
9.`REVOKE DATABASE name FROM user_or_role`: Removes the database from the
160
+
user's or role's database access list.
152
161
10.`SET MAIN DATABASE name FOR user`: Sets a user's default (landing) database.
153
162
11.`SHOW DATABASE PRIVILEGES FOR user`: Lists a user's database access rights.
154
163
164
+
### Removing database access: DENY vs REVOKE
165
+
166
+
There are two ways to remove access to a database: `DENY DATABASE x` or `REVOKE
167
+
DATABASE x`. They behave differently:
168
+
169
+
-**DENY** explicitly bans the user or role from the database. If any role that
170
+
a user has (or the user itself) is denied access to a database, the user
171
+
cannot access it. Deny trumps any other access granted—no combination of
172
+
grants can override a deny.
173
+
-**REVOKE** removes the database from the user's or role's database access
174
+
list. It does not block access: if the user has other roles (or the user
175
+
itself has access through another path) that still have access to that
176
+
database, the user can still use it when connected to that database
177
+
(tenant).
178
+
179
+
Use **DENY** when you need to explicitly forbid access to a database for any user with that role, regardless of their other roles. Use **REVOKE** when you simply want to remove the default access (like the default "memgraph" database access) or a previously granted access, allowing the user to potentially access the database if another of their roles grants it.
180
+
155
181
### DROP DATABASE with FORCE
156
182
157
183
The `DROP DATABASE` command removes an existing database. You can optionally
0 commit comments