Security Features in TigerGraph

TigerGraph knows how important security and productivity are to enterprises. That’s why we’re announcing the capability to define multiple graphs, separate or overlapping, each with its own set of users and role-based privileges.

Graph-based Security

To continue our commitment of providing greater security and usability, TigerGraph will soon deliver graph-based access control, in coordination with support for multiple graphs.  With our new multiple graph feature, an enterprise will be able to define separate graphs within a single master graph schema. As a consequence, enterprises will be able to keep all their data in one system, while still limiting access between different business units.

Each graph will have its own set of users. A new role, the Superuser, defines the graphs and assigns Admin users to each graph domain. Furthermore, graphs can have shared, overlapping regions. The Superuser retains privilege over every graph and all users.

The command syntax for multiple graphs is very straightforward. Graph-level users will use the same commands as before while the Superuser can continue making more graphs, instead of being limited to just one. It’s that simple!

Benefits include:

• Simplified administration: one system, with centralized oversight as well as delegated local control for each graph.
• Data is already integrated: no need to export/import/transform.
• Fits smoothly with the existing role-based security.

Other Security Features

Role-based Security

The TigerGraph system employs role-based access control to provide sophisticated management of user privileges, in a natural and easy-to-deploy form. In addition to the Superuser who has full privilege on all graphs, TigerGraph provides five predefined roles for each graph:

• A Public user can see the schema of a particular graph but not the data itself.
• A QueryReader can run queries or data loading jobs for a particular graph.
• A QueryWriter, in addition to a QueryReader’s privileges, can create queries and run data manipulation commands for a graph.
• An Architect, in addition to a QueryWriter’s privileges, can modify the graph schema and create data loading jobs for a graph.
• An Admin, in addition to an Architect’s privileges, can create users and assign roles for a graph.

Oauth 2.0 for Secure Web Access

In the TigerGraph system, users typically send queries to the main system using a REST API, in the form of an HTTP request. Each user must provide credentials so that the TigerGraph system can authenticate the user’s identity. To avoid overexposure of the user’s password, TigerGraph implements an OAuth 2.0-compliant scheme of user secrets and tokens. Tokens expire after a designated time period.

For more details about TigerGraph’s current security features, see Managing User Privileges and Authentication at doc.tigergraph.com.