diff --git a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx index dd7059cf3..9e1bcb725 100644 --- a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx +++ b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx @@ -184,6 +184,13 @@ of the following commands: For a comprehensive reference of which privileges are required for specific queries and operations, see the [Query privileges reference](/database-management/authentication-and-authorization/query-privileges) documentation. +### First user privileges + +When you create the first user in Memgraph, that user automatically becomes a +superuser (administrator account with full system access) with all privileges. +See the [templates for granting privileges](#templates-for-granting-privileges) +section for details on what privileges are granted. + ## Authentication and authorization requirements 
@@ -258,14 +265,19 @@ In this setup: - Application data is stored in tenant-specific databases, not in the default "memgraph" database -After the first user is created, Memgraph will execute a query if and only if -either a user or its role is granted that privilege and neither the user nor its -role are denied that privilege. Otherwise, Memgraph will not execute that -specific query. Note that `DENY` is a stronger operation than `GRANT`. This is -also notable from the fact that if neither the user nor its role are explicitly -granted or denied a certain privilege, that user will not be able to perform -that specific query. This effect is also known as a silent deny. The information -above is neatly condensed in the following table: +After the first user is created, Memgraph switches from "allow everything" mode +(when no users exist) to "access controlled" mode. From that point forward, all +connections must authenticate with valid credentials, and unauthenticated +connections will be rejected. + +Memgraph will execute a query if and only if either a user or its role is +granted that privilege and neither the user nor its role are denied that +privilege. Otherwise, Memgraph will not execute that specific query. Note that +`DENY` is a stronger operation than `GRANT`. This is also notable from the fact +that if neither the user nor its role are explicitly granted or denied a certain +privilege, that user will not be able to perform that specific query. This effect +is also known as a silent deny. The information above is neatly condensed in the +following table: User Status | Role Status | Effective Status ------------|-------------|------------------ 
@@ -724,6 +736,14 @@ permissions) for the user or role in the specified database context. ### Templates for granting privileges + + +**Note**: The first user created automatically receives all privileges (as +described in the [First user privileges](#first-user-privileges) section). The +following templates are for granting privileges to additional users or roles. + + + To grant all privileges to a superuser (admin): ```cypher diff --git a/pages/database-management/authentication-and-authorization/users.mdx b/pages/database-management/authentication-and-authorization/users.mdx index c9b8b5392..5d33d6ca1 100644 --- a/pages/database-management/authentication-and-authorization/users.mdx +++ b/pages/database-management/authentication-and-authorization/users.mdx @@ -33,6 +33,15 @@ CREATE USER [IF NOT EXISTS] user_name [IDENTIFIED BY 'password']; ``` If the user already exists, you can use `IF NOT EXISTS` to only create new users. + + +**First user privileges**: The first user created in Memgraph automatically +becomes a superuser with all privileges. See the [Role-based access +control](/database-management/authentication-and-authorization/role-based-access-control#first-user-privileges) +documentation for details. + + + If the username is an email address, you need to enclose it in backticks (``` ` ```): ```cypher
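Review bot: In the `@@ -184` hunk (role-based-access-control.mdx), the new "First user privileges" section points readers to the "templates for granting privileges" section "for details on what privileges are granted", but that section's own note (added in the `@@ -724` hunk) says the templates are for additional users, so the link never tells the reader what the first user actually holds. Spell it out here (the first user receives every privilege, i.e. the set the "grant all privileges to a superuser" template enumerates) or link the Query privileges reference instead. Also consider stating in this section that before the first user exists Memgraph runs in the "allow everything" mode described in the `@@ -258` hunk; that is the reason the first user should be created immediately after deployment, and the reader should not have to find it 70 lines later.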
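Review bot: In the `@@ -258` hunk, the closing sentence "The information above is neatly condensed in the following table" now follows two paragraphs, but the table condenses only the grant/deny logic, not the new "allow everything" to "access controlled" mode switch; rewording to "The grant/deny rules above are condensed in the following table" avoids implying the table covers both. Separately, "Note that `DENY` is a stronger operation than `GRANT`. This is also notable from the fact that if neither the user nor its role are explicitly granted or denied ..." links two independent rules: silent deny (absence of a grant means no access) is not evidence that DENY outranks GRANT (a DENY wins even when a GRANT is present). Splitting them into two sentences, one per rule, would make the security model easier to read correctly.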
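Review bot: In the `@@ -724` hunk, the new "**Note**" paragraph is wrapped in several empty added lines on both sides (the bare `+` lines), which looks like an MDX callout or admonition wrapper was intended and then omitted; either add the wrapper this docs site uses for notes or drop the surplus blank lines so the rendered page does not get stray vertical space. Since the template that follows is titled "To grant all privileges to a superuser (admin)", the note should also say explicitly that this template is for creating further admin accounts, to avoid readers assuming it must be run for the first user as well.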
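Review bot: In the `@@ -33` hunk (users.mdx), the added "**First user privileges**" note sits inside the same pattern of bare `+` blank lines as in role-based-access-control.mdx, so the same wrapper-or-trim fix applies. More importantly, this note is placed directly under `CREATE USER [IF NOT EXISTS] user_name [IDENTIFIED BY 'password'];`, where `IDENTIFIED BY` is shown as optional: because the first user becomes a superuser, the note should recommend always supplying `IDENTIFIED BY` for that account, since an all-privilege account created without a password is the single most exposed object in the deployment.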