<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-28 -->
<p>Role-Based Access Control (RBAC) is the foundation of Geode’s authorization system, providing a structured approach to managing permissions through roles rather than direct user grants. RBAC simplifies permission management, improves security consistency, and enables scalable access control for organizations of any size.</p>
<h3 id="rbac-fundamentals" class="position-relative d-flex align-items-center group">
<span>RBAC Fundamentals</span>
</h3><p>RBAC operates on three core concepts:</p>
<ol>
<li><strong>Users</strong>: Individual accounts that authenticate to the database</li>
<li><strong>Roles</strong>: Named collections of permissions</li>
<li><strong>Permissions</strong>: Specific capabilities to perform operations</li>
</ol>
<p>Users are assigned to roles, and roles are granted permissions. This separation allows administrators to manage access for groups of users efficiently rather than maintaining individual permissions for each user.</p>
<h3 id="benefits-of-rbac" class="position-relative d-flex align-items-center group">
<span>Benefits of RBAC</span>
</h3><ul>
<li><strong>Simplified Administration</strong>: Manage permissions for groups rather than individuals</li>
<li><strong>Consistency</strong>: All users with the same role have identical permissions</li>
<li><strong>Audit Compliance</strong>: Clear documentation of who has access to what</li>
<li><strong>Least Privilege</strong>: Easier to implement and maintain minimal access</li>
<li><strong>Scalability</strong>: Add users to roles without modifying permission grants</li>
<li><strong>Reduced Errors</strong>: Fewer permission changes mean fewer mistakes</li>
</ul>
<h3 id="creating-roles" class="position-relative d-flex align-items-center group">
<span>Creating Roles</span>
</h3>
<h4 id="basic-role-creation" class="position-relative d-flex align-items-center group">
<span>Basic Role Creation</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">simple</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">description</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_engineer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">DESCRIPTION</span><span class="w"> </span><span class="err">'</span><span class="py">Full</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">ETL</span><span class="w"> </span><span class="py">pipelines</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">transformation</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">attributes</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">temp_contractor</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">DESCRIPTION</span><span class="w"> </span><span class="err">'</span><span class="py">Temporary</span><span class="w"> </span><span class="py">contractor</span><span class="w"> </span><span class="py">access</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">VALID</span><span class="w"> </span><span class="py">UNTIL</span><span class="w"> </span><span class="err">'</span><span class="py">2026</span><span class="err">-</span><span class="py">06</span><span class="err">-</span><span class="py">30</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MAX_CONNECTIONS</span><span class="w"> </span><span class="py">5</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="system-roles" class="position-relative d-flex align-items-center group">
<span>System Roles</span>
</h4><p>Geode includes built-in system roles:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">View</span><span class="w"> </span><span class="py">system</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">SYSTEM</span><span class="w"> </span><span class="py">ROLES</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">System</span><span class="w"> </span><span class="py">roles</span><span class="w"> </span><span class="py">include</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="nc">public</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">Automatically</span><span class="w"> </span><span class="py">granted</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">users</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">Full</span><span class="w"> </span><span class="py">administrative</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">dba</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">Database</span><span class="w"> </span><span class="py">administration</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">security</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">Security</span><span class="w"> </span><span class="py">administration</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">monitor</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">Read</span><span class="err">-</span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">monitoring</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="role-attributes" class="position-relative d-flex align-items-center group">
<span>Role Attributes</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">attributes</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">senior_analyst</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">DESCRIPTION</span><span class="w"> </span><span class="err">'</span><span class="py">Senior</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">elevated</span><span class="w"> </span><span class="py">access</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">LOGIN</span><span class="w"> </span><span class="py">FALSE</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Cannot</span><span class="w"> </span><span class="py">be</span><span class="w"> </span><span class="py">used</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">direct</span><span class="w"> </span><span class="py">login</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">INHERIT</span><span class="w"> </span><span class="py">TRUE</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Inherits</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">parent</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">VALID</span><span class="w"> </span><span class="py">UNTIL</span><span class="w"> </span><span class="err">'</span><span class="py">2027</span><span class="err">-</span><span class="py">01</span><span class="err">-</span><span class="py">01</span><span class="err">'</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Time</span><span class="err">-</span><span class="py">limited</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MAX_CONNECTIONS</span><span class="w"> </span><span class="py">10</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Limit</span><span class="w"> </span><span class="py">concurrent</span><span class="w"> </span><span class="py">connections</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CONNECTION_LIMIT_PER_USER</span><span class="w"> </span><span class="py">3</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Per</span><span class="err">-</span><span class="py">user</span><span class="w"> </span><span class="py">connection</span><span class="w"> </span><span class="py">limit</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="granting-permissions-to-roles" class="position-relative d-flex align-items-center group">
<span>Granting Permissions to Roles</span>
</h3>
<h4 id="data-access-permissions" class="position-relative d-flex align-items-center group">
<span>Data Access Permissions</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">read</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">analytics</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">data_analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">write</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Event</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">data_engineer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">full</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="p">,</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="p">,</span><span class="w"> </span><span class="py">DELETE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">operations</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">operations_team</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">labels</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="p">,</span><span class="w"> </span><span class="p">:</span><span class="nc">Order</span><span class="p">,</span><span class="w"> </span><span class="p">:</span><span class="nc">Product</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">sales_team</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="schema-permissions" class="position-relative d-flex align-items-center group">
<span>Schema Permissions</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="kd">schema</span><span class="w"> </span><span class="py">modification</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">CONSTRAINT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">analytics</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="kd">schema</span><span class="py">_admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">INDEX</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">analytics</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">data_engineer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">full</span><span class="w"> </span><span class="kd">schema</span><span class="w"> </span><span class="py">control</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">CREATE</span><span class="p">,</span><span class="w"> </span><span class="py">ALTER</span><span class="p">,</span><span class="w"> </span><span class="py">DROP</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">development</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">developer</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
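<p>Added example, not part of the Geode documentation: a small Python linter that reads a grant script written in the statement forms shown on this page and flags grants to <code>public</code>, grants to roles the script never creates, grants to roles whose <code>VALID UNTIL</code> date has passed, and write privileges granted on a whole graph. The regex parsing is a simplification rather than Geode's grammar; the finding names and the reading of <code>VALID UNTIL</code> as the last valid day are assumptions, and the sample script is constructed.</p>

```python
import re
from datetime import date

# Built-in roles as listed on this page; they need no CREATE ROLE.
SYSTEM_ROLES = {"public", "admin", "dba", "security", "monitor"}
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE"}

# Simplified patterns for the statement forms shown on this page
# (an assumption for this example, not Geode's actual grammar).
CREATE_RE = re.compile(r"^CREATE\s+ROLE\s+(\w+)(.*)$", re.I)
UNTIL_RE = re.compile(r"VALID\s+UNTIL\s+'(\d{4})-(\d{2})-(\d{2})'", re.I)
GRANT_RE = re.compile(r"^GRANT\s+(.+?)(?:\s+ON\s+(.+?))?\s+TO\s+(\w+)$", re.I)

# Constructed sample input for the example.
SAMPLE_SCRIPT = """
-- roles
CREATE ROLE data_analyst;
CREATE ROLE temp_contractor
  DESCRIPTION 'Temporary contractor access; renew via ticket'
  VALID UNTIL '2026-06-30'
  MAX_CONNECTIONS 5;
-- grants
GRANT SELECT ON GRAPH analytics TO data_analyst;
GRANT SELECT ON :Customer, :Order TO temp_contractor;
GRANT SELECT, INSERT, UPDATE, DELETE ON GRAPH operations TO operations_team;
GRANT SELECT ON :Product TO public;
"""


def split_statements(script):
    """Split on ';' and drop '--' comments, ignoring both inside '...' strings."""
    stmts, buf = [], []
    in_quote = in_comment = False
    for i, ch in enumerate(script):
        if in_comment:
            in_comment = ch != "\n"      # a comment runs to the end of its line
            if in_comment:
                continue
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote and script.startswith("--", i):
            in_comment = True
            continue
        if ch == ";" and not in_quote:
            stmts.append(" ".join("".join(buf).split()))
            buf = []
        else:
            buf.append(ch)
    stmts.append(" ".join("".join(buf).split()))
    return [s for s in stmts if s]


def audit(script, today):
    """Return sorted (finding, role, detail) tuples for a grant script."""
    declared, grants, findings = {}, [], set()
    for stmt in split_statements(script):
        created = CREATE_RE.match(stmt)
        granted = GRANT_RE.match(stmt)
        if created:
            until = UNTIL_RE.search(created.group(2))
            declared[created.group(1)] = (
                date(*map(int, until.groups())) if until else None)
        elif granted:
            privs = {p.strip().upper() for p in granted.group(1).split(",")}
            scope = granted.group(2) or "(no ON clause)"
            grants.append((granted.group(3), privs, scope))
    for role, privs, scope in grants:
        if role == "public":
            # The page states public is automatically granted to all users.
            findings.add(("PUBLIC_GRANT", role, scope))
        elif role not in declared and role not in SYSTEM_ROLES:
            # Granting to a role this script never creates: typo or drift.
            findings.add(("UNDECLARED_ROLE", role, scope))
        expiry = declared.get(role)
        if expiry and today > expiry:
            # Assumption: VALID UNTIL names the last day the role is valid.
            findings.add(("EXPIRED_ROLE", role, expiry.isoformat()))
        if scope.upper().startswith("GRAPH ") and not privs.isdisjoint(WRITE_PRIVS):
            # Write access to a whole graph rather than to specific labels.
            findings.add(("GRAPH_WIDE_WRITE", role, scope))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPT, date(2026, 7, 1)):
        print(*finding, sep="\t")
```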
<h4 id="administrative-permissions" class="position-relative d-flex align-items-center group">
<span>Administrative Permissions</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">management</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="p">,</span><span class="w"> </span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="p">,</span><span class="w"> </span><span class="py">DROP</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">user_admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">management</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="p">,</span><span class="w"> </span><span class="py">ALTER</span><span class="w"> </span><span class="py">ROLE</span><span class="p">,</span><span class="w"> </span><span class="py">DROP</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">security_admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">backup</span><span class="w"> </span><span class="py">capabilities</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">BACKUP</span><span class="p">,</span><span class="w"> </span><span class="py">RESTORE</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">backup_operator</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="assigning-roles-to-users" class="position-relative d-flex align-items-center group">
<span>Assigning Roles to Users</span>
</h3>
<h4 id="basic-assignment" class="position-relative d-flex align-items-center group">
<span>Basic Assignment</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Assign</span><span class="w"> </span><span class="py">single</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_analyst</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Assign</span><span class="w"> </span><span class="py">multiple</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_analyst</span><span class="p">,</span><span class="w"> </span><span class="py">report_viewer</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">bob</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Assign</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">during</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">creation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">charlie</span><span class="w"> </span><span class="py">PASSWORD</span><span class="w"> </span><span class="err">'</span><span class="py">secure_pass_123</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_analyst</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="role-assignment-with-options" class="position-relative d-flex align-items-center group">
<span>Role Assignment with Options</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Allow</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">grant</span><span class="w"> </span><span class="py">this</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">others</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_analyst</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">alice</span><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">ADMIN</span><span class="w"> </span><span class="py">OPTION</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Time</span><span class="err">-</span><span class="py">limited</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">assignment</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">elevated_access</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">consultant</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">VALID</span><span class="w"> </span><span class="py">UNTIL</span><span class="w"> </span><span class="err">'</span><span class="py">2026</span><span class="err">-</span><span class="py">03</span><span class="err">-</span><span class="py">31</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Conditional</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">assignment</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">regional_admin</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">manager</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">manager</span><span class="err">.</span><span class="py">region</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">EMEA</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="viewing-role-assignments" class="position-relative d-flex align-items-center group">
<span>Viewing Role Assignments</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">roles</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">ROLES</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">members</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">MEMBERS</span><span class="w"> </span><span class="py">OF</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">membership</span><span class="w"> </span><span class="py">details</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_members</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">role_name</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">data_analyst</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="role-hierarchies" class="position-relative d-flex align-items-center group">
<span>Role Hierarchies</span>
</h3><p>Role hierarchies allow roles to inherit permissions from parent roles, creating a structured permission model.</p>
<h4 id="creating-role-hierarchies" class="position-relative d-flex align-items-center group">
<span>Creating Role Hierarchies</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">base</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">viewer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">editor</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">manager</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Build</span><span class="w"> </span><span class="py">hierarchy</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">inheritance</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">editor</span><span class="w"> </span><span class="py">INHERIT</span><span class="w"> </span><span class="py">viewer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">manager</span><span class="w"> </span><span class="py">INHERIT</span><span class="w"> </span><span class="py">editor</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">INHERIT</span><span class="w"> </span><span class="py">manager</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Now</span><span class="p">:</span><span class="w"> </span><span class="nc">admin</span><span class="w"> </span><span class="py">inherits</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">manager</span><span class="p">,</span><span class="w"> </span><span class="py">which</span><span class="w"> </span><span class="py">inherits</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">editor</span><span class="p">,</span><span class="w"> </span><span class="py">which</span><span class="w"> </span><span class="py">inherits</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">viewer</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="hierarchy-with-multiple-parents" class="position-relative d-flex align-items-center group">
<span>Hierarchy with Multiple Parents</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">specialized</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">viewer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_writer</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">viewer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">combined</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">multiple</span><span class="w"> </span><span class="py">parents</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_analyst</span><span class="w"> </span><span class="py">INHERIT</span><span class="w"> </span><span class="py">analyst</span><span class="p">,</span><span class="w"> </span><span class="py">data_writer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">data_analyst</span><span class="w"> </span><span class="py">has</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">both</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">data_writer</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="viewing-role-hierarchy" class="position-relative d-flex align-items-center group">
<span>Viewing Role Hierarchy</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">complete</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">hierarchy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">HIERARCHY</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Output</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="nc">admin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="py">manager</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="err">│</span><span class="w">   </span><span class="err">├──</span><span class="w"> </span><span class="py">editor</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="err">│</span><span class="w">   </span><span class="err">│</span><span class="w">   </span><span class="err">└──</span><span class="w"> </span><span class="py">viewer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="err">└──</span><span class="w"> </span><span class="py">security_admin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">data_analyst</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="py">analyst</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="err">│</span><span class="w">   </span><span class="err">└──</span><span class="w"> </span><span class="py">viewer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="err">└──</span><span class="w"> </span><span class="py">data_writer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w">     </span><span class="err">└──</span><span class="w"> </span><span class="py">viewer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">hierarchy</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">HIERARCHY</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">manager</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Show</span><span class="w"> </span><span class="py">effective</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">including</span><span class="w"> </span><span class="py">inherited</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">EFFECTIVE</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">manager</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
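<p>Inheritance and role options interact, so it helps to review a planned hierarchy offline before applying it. The following Python sketch is an added example, not Geode code or part of the original documentation: it models this page's <code>INHERIT</code> statements and role assignments as plain data, computes each role's transitive closure, and flags delegable, expired and inherited administrative access. The user <code>dana</code>, the <code>viewer</code> grant and the inclusive reading of <code>VALID UNTIL</code> are assumptions.</p>

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role -> parent roles, transcribed from the ALTER ROLE ... INHERIT and
# CREATE ROLE ... INHERITS statements on this page. The admin -> security_admin
# edge is taken from the SHOW ROLE HIERARCHY sample output.
INHERITS = {
    "editor": ["viewer"],
    "manager": ["editor"],
    "admin": ["manager", "security_admin"],
    "analyst": ["viewer"],
    "data_writer": ["viewer"],
    "data_analyst": ["analyst", "data_writer"],
}

# Direct grants per role. The three administrative roles follow the page;
# the viewer grant is constructed for this example.
GRANTS = {
    "security_admin": {"CREATE ROLE", "ALTER ROLE", "DROP ROLE"},
    "user_admin": {"CREATE USER", "ALTER USER", "DROP USER"},
    "backup_operator": {"BACKUP", "RESTORE"},
    "viewer": {"SELECT ON GRAPH metrics"},
}

# Privileges whose indirect acquisition should always be reviewed.
SENSITIVE = set().union(
    GRANTS["security_admin"], GRANTS["user_admin"], GRANTS["backup_operator"]
)


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    admin_option: bool = False          # WITH ADMIN OPTION
    valid_until: Optional[date] = None  # VALID UNTIL (assumed inclusive)


# Assignments from the page, plus dana (constructed) holding the admin role.
ASSIGNMENTS = [
    Assignment("alice", "data_analyst", admin_option=True),
    Assignment("bob", "data_analyst"),
    Assignment("bob", "report_viewer"),
    Assignment("charlie", "data_analyst"),
    Assignment("consultant", "elevated_access", valid_until=date(2026, 3, 31)),
    Assignment("dana", "admin"),
]


def expand_roles(role, inherits, _path=()):
    """Return the role plus every ancestor; raise ValueError on a cycle."""
    if role in _path:
        raise ValueError("inheritance cycle: " + " -> ".join(_path + (role,)))
    closure = {role}
    for parent in inherits.get(role, ()):
        closure |= expand_roles(parent, inherits, _path + (role,))
    return closure


def effective_grants(role, inherits, grants):
    """Union of direct and inherited grants for one role."""
    result = set()
    for r in expand_roles(role, inherits):
        result |= grants.get(r, set())
    return result


def audit(assignments, inherits, grants, today):
    """Return (user, role, finding) tuples that deserve a reviewer's attention."""
    findings = []
    for a in assignments:
        if a.valid_until is not None and a.valid_until < today:
            # Stale row: the grant has lapsed but is still recorded.
            findings.append((a.user, a.role, "expired"))
            continue
        if a.admin_option:
            # The holder can pass this role, and all it inherits, to others.
            findings.append((a.user, a.role, "can-delegate"))
        for ancestor in sorted(expand_roles(a.role, inherits) - {a.role}):
            if grants.get(ancestor, set()) & SENSITIVE:
                findings.append(
                    (a.user, a.role, "inherits-sensitive-via:" + ancestor)
                )
    return findings


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, INHERITS, GRANTS, date(2026, 4, 1)):
        print(finding)
```

<p>Running the audit with each proposed <code>INHERIT</code> edge added to the map shows which existing users would gain administrative privileges before the statement is executed.</p>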
<h3 id="role-groups" class="position-relative d-flex align-items-center group">
<span>Role Groups</span>
</h3><p>Organize related roles into groups for easier management:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">group</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">GROUP</span><span class="w"> </span><span class="py">analytics_roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">DESCRIPTION</span><span class="w"> </span><span class="err">'</span><span class="py">All</span><span class="w"> </span><span class="py">analytics</span><span class="err">-</span><span class="py">related</span><span class="w"> </span><span class="py">roles</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Add</span><span class="w"> </span><span class="py">roles</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">group</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">GROUP</span><span class="w"> </span><span class="py">analytics_roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ADD</span><span class="w"> </span><span class="py">data_analyst</span><span class="p">,</span><span class="w"> </span><span class="py">report_viewer</span><span class="p">,</span><span class="w"> </span><span class="py">dashboard_user</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">entire</span><span class="w"> </span><span class="py">group</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">metrics</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">GROUP</span><span class="w"> </span><span class="py">analytics_roles</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">View</span><span class="w"> </span><span class="py">group</span><span class="w"> </span><span class="py">membership</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">MEMBERS</span><span class="w"> </span><span class="py">OF</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">GROUP</span><span class="w"> </span><span class="py">analytics_roles</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="revoking-roles-and-permissions" class="position-relative d-flex align-items-center group">
<span>Revoking Roles and Permissions</span>
</h3>
<h4 id="revoke-role-from-user" class="position-relative d-flex align-items-center group">
<span>Revoke Role from User</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Remove</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">assignment</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_analyst</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Remove</span><span class="w"> </span><span class="py">multiple</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">editor</span><span class="p">,</span><span class="w"> </span><span class="py">viewer</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">bob</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">option</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ADMIN</span><span class="w"> </span><span class="py">OPTION</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">data_analyst</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="revoke-permissions-from-role" class="position-relative d-flex align-items-center group">
<span>Revoke Permissions from Role</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Remove</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">permission</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">INSERT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">sales_team</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Remove</span><span class="w"> </span><span class="py">multiple</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">UPDATE</span><span class="p">,</span><span class="w"> </span><span class="py">DELETE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">archive</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Remove</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">development</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">developer</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="cascading-revocation" class="position-relative d-flex align-items-center group">
<span>Cascading Revocation</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">cascade</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">users</span><span class="w"> </span><span class="py">who</span><span class="w"> </span><span class="py">were</span><span class="w"> </span><span class="py">granted</span><span class="w"> </span><span class="py">via</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">option</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">elevated_access</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">manager</span><span class="w"> </span><span class="py">CASCADE</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">permission</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">remove</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">roles</span><span class="w"> </span><span class="py">that</span><span class="w"> </span><span class="py">have</span><span class="w"> </span><span class="py">it</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">ConfidentialData</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">CASCADE</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLES</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
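<p>An added example, not Geode's implementation: a Python preview of which assignments the first <code>CASCADE</code> statement above would reach, so they can be reviewed before the statement is run. It assumes SQL-style grantor tracking, where an assignment stays valid only while its grantor is an administrator or still holds the role with admin option; the users, the <code>security_admin</code> authority and the sample assignments are constructed.</p>

```python
from collections import namedtuple

# One role assignment: who holds the role, who handed it out, and whether
# the holder may pass it on (admin option).
Grant = namedtuple("Grant", "role grantee grantor admin_option")

# Constructed sample state. security_admin is a hypothetical administrator
# who can grant the role without holding it.
AUTHORITIES = {"security_admin"}
GRANTS = [
    Grant("elevated_access", "manager", "security_admin", True),
    Grant("elevated_access", "carol", "manager", True),    # manager used the admin option
    Grant("elevated_access", "dave", "carol", False),      # second hop, via carol
    Grant("elevated_access", "erin", "manager", False),
    Grant("elevated_access", "erin", "security_admin", False),  # independent path
]


def supported(grants, authorities):
    """Return the grants whose grantor is an authority or holds the role with
    admin option through another supported grant.

    Computed as a least fixpoint starting from the authorities, so two users
    who only granted the role to each other do not keep each other alive.
    """
    can_grant, valid = set(authorities), set()
    while True:
        newly = {g for g in grants if g.grantor in can_grant} - valid
        if not newly:
            return valid
        valid |= newly
        can_grant |= {g.grantee for g in newly if g.admin_option}


def cascade_plan(grants, role, user, authorities):
    """Preview REVOKE ROLE <role> FROM <user> CASCADE under the assumed model.

    Returns (removed, lost): the assignments that disappear, and the users
    left without any assignment of the role afterwards.
    """
    in_role = {g for g in grants if g.role == role}
    before = supported(in_role, authorities)
    # Drop every assignment to the revoked user, then recompute what is
    # still backed by someone entitled to grant.
    after = supported({g for g in before if g.grantee != user}, authorities)
    removed = sorted(before - after)
    lost = {g.grantee for g in before} - {g.grantee for g in after}
    return removed, lost


if __name__ == "__main__":
    removed, lost = cascade_plan(GRANTS, "elevated_access", "manager", AUTHORITIES)
    for g in removed:
        print(f"remove: {g.grantee} (granted by {g.grantor})")
    print("users losing the role:", ", ".join(sorted(lost)))
```

<p>In the sample, <code>erin</code> keeps the role because a second assignment from the administrator does not depend on <code>manager</code>.</p>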
<h3 id="dropping-roles" class="position-relative d-flex align-items-center group">
<span>Dropping Roles</span>
</h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Drop</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="p">(</span><span class="py">must</span><span class="w"> </span><span class="py">have</span><span class="w"> </span><span class="py">no</span><span class="w"> </span><span class="py">members</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DROP</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">temp_contractor</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Drop</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">revoke</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">members</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DROP</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">obsolete_role</span><span class="w"> </span><span class="py">CASCADE</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Drop</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">if</span><span class="w"> </span><span class="py">it</span><span class="w"> </span><span class="py">exists</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DROP</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">IF</span><span class="w"> </span><span class="py">EXISTS</span><span class="w"> </span><span class="py">legacy_role</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="rbac-configuration-examples" class="position-relative d-flex align-items-center group">
<span>RBAC Configuration Examples</span>
</h3>
<h4 id="organization-structure-model" class="position-relative d-flex align-items-center group">
<span>Organization Structure Model</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Executive</span><span class="w"> </span><span class="py">level</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">executive</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">executive</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Department</span><span class="w"> </span><span class="py">heads</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">department_head</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">executive</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="p">,</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">department_data</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">department_head</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Team</span><span class="w"> </span><span class="py">leads</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">team_lead</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">team_data</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">team_lead</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">UPDATE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Task</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">team_lead</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Individual</span><span class="w"> </span><span class="py">contributors</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">employee</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">PublicInfo</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Department</span><span class="err">-</span><span class="py">specific</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">engineering</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">employee</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">sales</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">employee</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">hr</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">employee</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">department</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Code</span><span class="p">,</span><span class="w"> </span><span class="p">:</span><span class="nc">Project</span><span class="p">,</span><span class="w"> </span><span class="p">:</span><span class="nc">Deployment</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">engineering</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="p">,</span><span class="w"> </span><span class="p">:</span><span class="nc">Lead</span><span class="p">,</span><span class="w"> </span><span class="p">:</span><span class="nc">Opportunity</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">sales</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="p">,</span><span class="w"> </span><span class="p">:</span><span class="nc">Compensation</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">hr</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
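<p>An added example, not part of Geode or of this page's original code: a small Python audit that parses the statements of the Organization Structure Model above and resolves what each role effectively holds once <code>INHERITS</code> is followed. It assumes a role receives every grant of the role it inherits from, and it flags <code>GRAPH *</code> and <code>ALL</code> grants, including ones that arrive through inheritance (here, <code>department_head</code> picks up <code>SELECT ON GRAPH *</code> from <code>executive</code>); the function names are this example's own.</p>

```python
import re

# Statements copied from the "Organization Structure Model" block (comments dropped).
ORG_MODEL = """
CREATE ROLE executive;
GRANT SELECT ON GRAPH * TO executive;
CREATE ROLE department_head INHERITS executive;
GRANT SELECT, INSERT, UPDATE ON GRAPH department_data TO department_head;
CREATE ROLE team_lead;
GRANT SELECT ON GRAPH team_data TO team_lead;
GRANT UPDATE ON :Task TO team_lead;
CREATE ROLE employee;
GRANT SELECT ON :PublicInfo TO employee;
CREATE ROLE engineering INHERITS employee;
CREATE ROLE sales INHERITS employee;
CREATE ROLE hr INHERITS employee;
GRANT SELECT ON :Code, :Project, :Deployment TO engineering;
GRANT SELECT, UPDATE ON :Customer, :Lead, :Opportunity TO sales;
GRANT ALL ON :Employee, :Compensation TO hr;
"""

# Only the two statement shapes used in that block are recognised.
CREATE_RE = re.compile(r"^CREATE ROLE (\w+)(?: INHERITS (\w+))?$")
GRANT_RE = re.compile(r"^GRANT (.+?) ON (.+) TO (\w+)$")


def parse(script):
    """Return (parents, direct): role -> parent (or None), role -> {(privilege, object)}."""
    lines = [ln for ln in script.splitlines() if not ln.lstrip().startswith("--")]
    parents, direct = {}, {}
    for raw in "\n".join(lines).split(";"):
        stmt = " ".join(raw.split())  # collapse whitespace and newlines
        if not stmt:
            continue
        create, grant = CREATE_RE.match(stmt), GRANT_RE.match(stmt)
        if create:
            role, parent = create.groups()
            parents[role] = parent
            direct.setdefault(role, set())
        elif grant:
            privileges, objects, role = grant.groups()
            if role not in parents:
                raise ValueError("grant to undeclared role: " + role)
            for priv in privileges.split(","):
                for obj in objects.split(","):
                    direct[role].add((priv.strip(), obj.strip()))
        else:
            raise ValueError("unsupported statement: " + stmt)
    return parents, direct


def effective(role, parents, direct):
    """Map each (privilege, object) the role ends up with to the role that grants it."""
    chain, grants = [], {}
    while role is not None:
        if role not in parents:
            raise ValueError("unknown role: " + role)
        if role in chain:
            raise ValueError("inheritance cycle: " + " -> ".join(chain + [role]))
        chain.append(role)
        for grant in direct[role]:
            grants.setdefault(grant, role)  # nearest role in the chain wins
        role = parents[role]
    return grants


def broad_grants(parents, direct):
    """List (role, privilege, object, origin) for GRAPH * or ALL grants, inherited ones included."""
    findings = []
    for role in parents:
        for (priv, obj), origin in effective(role, parents, direct).items():
            if obj == "GRAPH *" or priv == "ALL":
                findings.append((role, priv, obj, origin))
    return sorted(findings)


if __name__ == "__main__":
    parents, direct = parse(ORG_MODEL)
    for role, priv, obj, origin in broad_grants(parents, direct):
        via = "direct" if origin == role else "inherited from " + origin
        print(f"{role}: {priv} ON {obj} ({via})")
```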
<h4 id="application-service-roles" class="position-relative d-flex align-items-center group">
<span>Application Service Roles</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Read</span><span class="err">-</span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">API</span><span class="w"> </span><span class="py">service</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">api_reader</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">production</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">api_reader</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Write</span><span class="w"> </span><span class="py">API</span><span class="w"> </span><span class="py">service</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">api_writer</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">api_reader</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">UserEvent</span><span class="p">,</span><span class="w"> </span><span class="p">:</span><span class="nc">Transaction</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">api_writer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Background</span><span class="w"> </span><span class="py">worker</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">background_worker</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="p">,</span><span class="w"> </span><span class="py">DELETE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Job</span><span class="p">,</span><span class="w"> </span><span class="p">:</span><span class="nc">Task</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">background_worker</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Analytics</span><span class="w"> </span><span class="py">service</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analytics_service</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">production</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analytics_service</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">analytics</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analytics_service</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="multi-tenant-rbac" class="position-relative d-flex align-items-center group">
<span>Multi-Tenant RBAC</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Base</span><span class="w"> </span><span class="py">tenant</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">tenant_base</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Tenant</span><span class="err">-</span><span class="py">specific</span><span class="w"> </span><span class="py">roles</span><span class="w"> </span><span class="p">(</span><span class="py">dynamically</span><span class="w"> </span><span class="py">created</span><span class="w"> </span><span class="py">per</span><span class="w"> </span><span class="py">tenant</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">tenant_acme_admin</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">tenant_base</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">tenant_acme_user</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">tenant_base</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">tenant_acme_viewer</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">tenant_base</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Apply</span><span class="w"> </span><span class="py">tenant</span><span class="w"> </span><span class="py">isolation</span><span class="w"> </span><span class="py">via</span><span class="w"> </span><span class="py">RLS</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="err">*</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nc">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">tenant_id</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">based</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">tenant</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">tenant_data</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">tenant_acme_admin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">tenant_id</span><span class="err">'</span><span class="p">)</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">acme</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="role-based-workflows" class="position-relative d-flex align-items-center group">
<span>Role-Based Workflows</span>
</h3>
<h4 id="new-employee-onboarding" class="position-relative d-flex align-items-center group">
<span>New Employee Onboarding</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">new</span><span class="w"> </span><span class="py">employee</span><span class="w"> </span><span class="py">account</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">new_employee</span><span class="nd">@company</span><span class="err">.</span><span class="py">com</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">PASSWORD</span><span class="w"> </span><span class="err">'</span><span class="py">initial_password</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">REQUIRE</span><span class="w"> </span><span class="py">PASSWORD_CHANGE</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Assign</span><span class="w"> </span><span class="py">base</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">employee</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">new_employee</span><span class="nd">@company</span><span class="err">.</span><span class="py">com</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Assign</span><span class="w"> </span><span class="py">department</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">engineering</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">new_employee</span><span class="nd">@company</span><span class="err">.</span><span class="py">com</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Assign</span><span class="w"> </span><span class="py">project</span><span class="err">-</span><span class="py">specific</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">project_alpha_team</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">new_employee</span><span class="nd">@company</span><span class="err">.</span><span class="py">com</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="employee-role-change" class="position-relative d-flex align-items-center group">
<span>Employee Role Change</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Employee</span><span class="w"> </span><span class="py">promoted</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">team</span><span class="w"> </span><span class="py">lead</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">employee</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">alice</span><span class="nd">@company</span><span class="err">.</span><span class="py">com</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">team_lead</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">alice</span><span class="nd">@company</span><span class="err">.</span><span class="py">com</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Employee</span><span class="w"> </span><span class="py">changes</span><span class="w"> </span><span class="py">department</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">engineering</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">bob</span><span class="nd">@company</span><span class="err">.</span><span class="py">com</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">sales</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">bob</span><span class="nd">@company</span><span class="err">.</span><span class="py">com</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="employee-offboarding" class="position-relative d-flex align-items-center group">
<span>Employee Offboarding</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Remove</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ROLES</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">departing_employee</span><span class="nd">@company</span><span class="err">.</span><span class="py">com</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Disable</span><span class="w"> </span><span class="py">account</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">departing_employee</span><span class="nd">@company</span><span class="err">.</span><span class="py">com</span><span class="w"> </span><span class="py">DISABLE</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Or</span><span class="w"> </span><span class="py">delete</span><span class="w"> </span><span class="py">account</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DROP</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">departing_employee</span><span class="nd">@company</span><span class="err">.</span><span class="py">com</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="temporary-role-assignments" class="position-relative d-flex align-items-center group">
<span>Temporary Role Assignments</span>
</h3>
<h4 id="time-limited-access" class="position-relative d-flex align-items-center group">
<span>Time-Limited Access</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">temporary</span><span class="w"> </span><span class="py">elevated</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">consultant</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">VALID</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="err">'</span><span class="py">2026</span><span class="err">-</span><span class="py">02</span><span class="err">-</span><span class="py">01</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">VALID</span><span class="w"> </span><span class="py">UNTIL</span><span class="w"> </span><span class="err">'</span><span class="py">2026</span><span class="err">-</span><span class="py">02</span><span class="err">-</span><span class="py">28</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Extend</span><span class="w"> </span><span class="py">temporary</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">GRANT</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">consultant</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">VALID</span><span class="w"> </span><span class="py">UNTIL</span><span class="w"> </span><span class="err">'</span><span class="py">2026</span><span class="err">-</span><span class="py">03</span><span class="err">-</span><span class="py">15</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">View</span><span class="w"> </span><span class="py">expiring</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">assignments</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">member</span><span class="p">,</span><span class="w"> </span><span class="py">role_name</span><span class="p">,</span><span class="w"> </span><span class="py">valid_until</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_members</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">valid_until</span><span class="w"> </span><span class="err">&lt;</span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">7</span><span class="w"> </span><span class="py">days</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">valid_until</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="emergency-access-procedures" class="position-relative d-flex align-items-center group">
<span>Emergency Access Procedures</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">emergency</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="p">(</span><span class="py">normally</span><span class="w"> </span><span class="py">unassigned</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">emergency_admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ADMIN</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">DATABASE</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">emergency_admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Emergency</span><span class="w"> </span><span class="py">procedure</span><span class="p">:</span><span class="w"> </span><span class="nc">grant</span><span class="w"> </span><span class="py">temporary</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">emergency_admin</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="kd">on</span><span class="py">_call_engineer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">VALID</span><span class="w"> </span><span class="py">UNTIL</span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">4</span><span class="w"> </span><span class="py">hours</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">REASON</span><span class="w"> </span><span class="err">'</span><span class="py">Production</span><span class="w"> </span><span class="py">incident</span><span class="w"> </span><span class="py">INC</span><span class="err">-</span><span class="py">12345</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Automatic</span><span class="w"> </span><span class="py">audit</span><span class="w"> </span><span class="py">logging</span><span class="w"> </span><span class="py">captures</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">emergency</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="auditing-rbac" class="position-relative d-flex align-items-center group">
<span>Auditing RBAC</span>
</h3>
<h4 id="permission-audit-queries" class="position-relative d-flex align-items-center group">
<span>Permission Audit Queries</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Find</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">users</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">rm</span><span class="err">.</span><span class="py">member</span><span class="p">,</span><span class="w"> </span><span class="py">r</span><span class="err">.</span><span class="py">role_name</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_members</span><span class="w"> </span><span class="py">rm</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">JOIN</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">roles</span><span class="w"> </span><span class="py">r</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">rm</span><span class="err">.</span><span class="py">role_name</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">r</span><span class="err">.</span><span class="py">role_name</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">r</span><span class="err">.</span><span class="py">role_name</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">admin</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">r</span><span class="err">.</span><span class="py">role_name</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">(</span><span class="py">SELECT</span><span class="w"> </span><span class="py">child_role</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_hierarchy</span><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">parent_role</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">admin</span><span class="err">'</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Find</span><span class="w"> </span><span class="py">unused</span><span class="w"> </span><span class="py">roles</span><span class="w"> </span><span class="p">(</span><span class="py">no</span><span class="w"> </span><span class="py">members</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">r</span><span class="err">.</span><span class="py">role_name</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">roles</span><span class="w"> </span><span class="py">r</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">LEFT</span><span class="w"> </span><span class="py">JOIN</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_members</span><span class="w"> </span><span class="py">rm</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">r</span><span class="err">.</span><span class="py">role_name</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">rm</span><span class="err">.</span><span class="py">role_name</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">rm</span><span class="err">.</span><span class="py">member</span><span class="w"> </span><span class="py">IS</span><span class="w"> </span><span class="py">NULL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">r</span><span class="err">.</span><span class="py">role_name</span><span class="w"> </span><span class="py">NOT</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">(</span><span class="err">'</span><span class="py">public</span><span class="err">'</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Find</span><span class="w"> </span><span class="py">over</span><span class="err">-</span><span class="py">privileged</span><span class="w"> </span><span class="py">users</span><span class="w"> </span><span class="p">(</span><span class="py">multiple</span><span class="w"> </span><span class="py">high</span><span class="err">-</span><span class="py">privilege</span><span class="w"> </span><span class="py">roles</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">member</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="err">*</span><span class="p">)</span><span class="w"> </span><span class="py">as</span><span class="w"> </span><span class="py">admin_role_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_members</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">role_name</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">(</span><span class="err">'</span><span class="py">admin</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">dba</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">security_admin</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GROUP</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">member</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">HAVING</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="err">*</span><span class="p">)</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">1</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="role-usage-audit" class="position-relative d-flex align-items-center group">
<span>Role Usage Audit</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Track</span><span class="w"> </span><span class="py">which</span><span class="w"> </span><span class="py">roles</span><span class="w"> </span><span class="py">are</span><span class="w"> </span><span class="py">actively</span><span class="w"> </span><span class="py">used</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">rm</span><span class="err">.</span><span class="py">role_name</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">rm</span><span class="err">.</span><span class="py">member</span><span class="p">)</span><span class="w"> </span><span class="py">as</span><span class="w"> </span><span class="py">member_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MAX</span><span class="p">(</span><span class="py">al</span><span class="err">.</span><span class="py">last_activity</span><span class="p">)</span><span class="w"> </span><span class="py">as</span><span class="w"> </span><span class="py">last_used</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_members</span><span class="w"> </span><span class="py">rm</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">LEFT</span><span class="w"> </span><span class="py">JOIN</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">activity_log</span><span class="w"> </span><span class="py">al</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">rm</span><span class="err">.</span><span class="py">member</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">al</span><span class="err">.</span><span class="py">username</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GROUP</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">rm</span><span class="err">.</span><span class="py">role_name</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">last_used</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
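</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Identify</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">never</span><span class="w"> </span><span class="py">used</span><span class="w"> </span><span class="py">or</span><span class="w"> </span><span class="py">unused</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">90</span><span class="w"> </span><span class="py">days</span><span class="w">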
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">role_name</span><span class="p">,</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">privilege</span><span class="p">,</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">object_name</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">privileges</span><span class="w"> </span><span class="py">p</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">LEFT</span><span class="w"> </span><span class="py">JOIN</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">access_log</span><span class="w"> </span><span class="py">al</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">object_name</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">al</span><span class="err">.</span><span class="py">object_name</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">al</span><span class="err">.</span><span class="py">username</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">(</span><span class="py">SELECT</span><span class="w"> </span><span class="py">member</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_members</span><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">role_name</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">role_name</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">al</span><span class="err">.</span><span class="py">last_access</span><span class="w"> </span><span class="py">IS</span><span class="w"> </span><span class="py">NULL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">al</span><span class="err">.</span><span class="py">last_access</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">90</span><span class="w"> </span><span class="py">days</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="rbac-best-practices" class="position-relative d-flex align-items-center group">
<span>RBAC Best Practices</span>
</h3>
<h4 id="1-design-role-hierarchy-first" class="position-relative d-flex align-items-center group">
<span>1. Design Role Hierarchy First</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Plan</span><span class="w"> </span><span class="py">your</span><span class="w"> </span><span class="py">hierarchy</span><span class="w"> </span><span class="py">before</span><span class="w"> </span><span class="py">implementation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Level</span><span class="w"> </span><span class="py">1</span><span class="p">:</span><span class="w"> </span><span class="nc">Base</span><span class="w"> </span><span class="py">organizational</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Level</span><span class="w"> </span><span class="py">2</span><span class="p">:</span><span class="w"> </span><span class="nc">Department</span><span class="err">/</span><span class="py">function</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Level</span><span class="w"> </span><span class="py">3</span><span class="p">:</span><span class="w"> </span><span class="nc">Application</span><span class="err">-</span><span class="py">specific</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Level</span><span class="w"> </span><span class="py">4</span><span class="p">:</span><span class="w"> </span><span class="nc">Temporary</span><span class="err">/</span><span class="py">emergency</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">base_user</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Level</span><span class="w"> </span><span class="py">1</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">department</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">base_user</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Level</span><span class="w"> </span><span class="py">2</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">app_role</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">department</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Level</span><span class="w"> </span><span class="py">3</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">emergency_access</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Level</span><span class="w"> </span><span class="py">4</span><span class="w"> </span><span class="p">(</span><span class="py">no</span><span class="w"> </span><span class="py">inheritance</span><span class="p">)</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="2-follow-principle-of-least-privilege" class="position-relative d-flex align-items-center group">
<span>2. Follow Principle of Least Privilege</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Start</span><span class="w"> </span><span class="py">minimal</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">new_role</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Add</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">incrementally</span><span class="w"> </span><span class="py">as</span><span class="w"> </span><span class="py">needed</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">PublicData</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">new_role</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Review</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">justify</span><span class="w"> </span><span class="py">each</span><span class="w"> </span><span class="py">addition</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Document</span><span class="w"> </span><span class="py">why</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">are</span><span class="w"> </span><span class="py">needed</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="3-use-descriptive-role-names" class="position-relative d-flex align-items-center group">
<span>3. Use Descriptive Role Names</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Good</span><span class="p">:</span><span class="w"> </span><span class="nc">Clear</span><span class="p">,</span><span class="w"> </span><span class="py">descriptive</span><span class="w"> </span><span class="py">names</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">sales_readonly</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">hr_employee_admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">api_order_writer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Avoid</span><span class="p">:</span><span class="w"> </span><span class="nc">Vague</span><span class="w"> </span><span class="py">or</span><span class="w"> </span><span class="py">personal</span><span class="w"> </span><span class="py">names</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">role1</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">johns_role</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="4-regular-access-reviews" class="position-relative d-flex align-items-center group">
<span>4. Regular Access Reviews</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Schedule quarterly access reviews</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Generate role report</span>
</span></span><span class="line"><span class="cl">geode admin roles report --format<span class="o">=</span>csv --output<span class="o">=</span>role_report.csv
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Review for:</span>
</span></span><span class="line"><span class="cl"><span class="c1"># - Unused roles</span>
</span></span><span class="line"><span class="cl"><span class="c1"># - Over-privileged users</span>
</span></span><span class="line"><span class="cl"><span class="c1"># - Expired temporary access</span>
</span></span><span class="line"><span class="cl"><span class="c1"># - Orphaned permissions</span>
</span></span></code></pre></div>
<h4 id="5-separate-duties" class="position-relative d-flex align-items-center group">
<span>5. Separate Duties</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Security</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">cannot</span><span class="w"> </span><span class="py">modify</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">security_admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="p">,</span><span class="w"> </span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="p">,</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="p">,</span><span class="w"> </span><span class="py">ALTER</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">security_admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">SELECT</span><span class="p">,</span><span class="w"> </span><span class="py">INSERT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="p">,</span><span class="w"> </span><span class="py">DELETE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">security_admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">DBA</span><span class="w"> </span><span class="py">cannot</span><span class="w"> </span><span class="py">manage</span><span class="w"> </span><span class="py">security</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">dba</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">BACKUP</span><span class="p">,</span><span class="w"> </span><span class="py">RESTORE</span><span class="p">,</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">GRAPH</span><span class="p">,</span><span class="w"> </span><span class="py">DROP</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">dba</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="p">,</span><span class="w"> </span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="p">,</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="p">,</span><span class="w"> </span><span class="py">ALTER</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">dba</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="troubleshooting-rbac" class="position-relative d-flex align-items-center group">
<span>Troubleshooting RBAC</span>
</h3>
<h4 id="permission-denied-issues" class="position-relative d-flex align-items-center group">
<span>Permission Denied Issues</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">user</span><span class="err">'</span><span class="py">s</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">ROLES</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">effective</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">EFFECTIVE</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">deny</span><span class="w"> </span><span class="py">rules</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">privileges</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">grantee</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">(</span><span class="py">SELECT</span><span class="w"> </span><span class="py">role_name</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_members</span><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">member</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">alice</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">is_deny</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">hierarchy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">HIERARCHY</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
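<p>Added example, not Geode's own code: a Python model of the audit, separation-of-duties and deny checks above that follows <code>INHERITS</code> chains, so it catches a member who reaches both <code>security_admin</code> and <code>dba</code> through another role (which a direct-membership count misses) and names the role behind a deny. The sample rows, the <code>ops_lead</code> role, the <code>"*"</code> wildcard and the deny-overrides-grant rule are assumptions made for illustration.</p>

```python
"""Constructed RBAC model: inherited roles, separation-of-duties conflicts, deny tracing."""
from collections import namedtuple

# Constructed sample data. Column names mirror the system.role_members and
# system.privileges queries on this page; the rows themselves are made up.
ROLE_PARENTS = {                      # role -> roles it INHERITS
    "department": ["base_user"],
    "app_role": ["department"],
    "ops_lead": ["dba", "security_admin"],   # hypothetical role that merges two duties
}
ROLE_MEMBERS = [                      # (member, role_name)
    ("alice", "app_role"),
    ("bob", "dba"),
    ("bob", "security_admin"),
    ("carol", "ops_lead"),
    ("dave", "security_admin"),
]
Priv = namedtuple("Priv", "grantee privilege object_name is_deny")
PRIVILEGES = [                        # "*" is an assumed wildcard for "any object"
    Priv("base_user", "SELECT", "PublicData", False),
    Priv("security_admin", "CREATE USER", "*", False),
    Priv("security_admin", "SELECT", "*", True),
    Priv("dba", "BACKUP", "*", False),
    Priv("dba", "CREATE USER", "*", True),
]
SOD_PAIRS = [("security_admin", "dba")]   # roles one member must not hold together


def effective_roles(member):
    """Directly assigned roles plus everything reached through INHERITS."""
    pending = [r for m, r in ROLE_MEMBERS if m == member]
    seen = set()
    while pending:
        role = pending.pop()
        if role in seen:              # also guards against inheritance cycles
            continue
        seen.add(role)
        pending.extend(ROLE_PARENTS.get(role, []))
    return seen


def sod_conflicts(pairs=SOD_PAIRS):
    """Members whose effective roles contain both sides of a conflicting pair."""
    hits = {}
    for member in sorted({m for m, _ in ROLE_MEMBERS}):
        roles = effective_roles(member)
        broken = [p for p in pairs if p[0] in roles and p[1] in roles]
        if broken:
            hits[member] = broken
    return hits


def explain(member, privilege, object_name):
    """Which roles grant and which deny a privilege; a deny wins (assumed semantics)."""
    roles = effective_roles(member)
    granted_by, denied_by = set(), set()
    for p in PRIVILEGES:
        if p.grantee not in roles or p.privilege != privilege:
            continue
        if p.object_name not in ("*", object_name):
            continue
        (denied_by if p.is_deny else granted_by).add(p.grantee)
    return {
        "allowed": bool(granted_by) and not denied_by,
        "granted_by": sorted(granted_by),
        "denied_by": sorted(denied_by),
    }


if __name__ == "__main__":
    print(sod_conflicts())
    print(explain("carol", "CREATE USER", "*"))
```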
<h4 id="role-assignment-issues" class="position-relative d-flex align-items-center group">
<span>Role Assignment Issues</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Verify</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">exists</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">ROLES</span><span class="w"> </span><span class="py">LIKE</span><span class="w"> </span><span class="err">'</span><span class="py">analyst</span><span class="err">%';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">if</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">is</span><span class="w"> </span><span class="py">assignable</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">role_name</span><span class="p">,</span><span class="w"> </span><span class="py">is_assignable</span><span class="p">,</span><span class="w"> </span><span class="py">valid_until</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">role_name</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">analyst</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">option</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">member</span><span class="p">,</span><span class="w"> </span><span class="py">role_name</span><span class="p">,</span><span class="w"> </span><span class="py">with_admin_option</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">role_members</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">member</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">alice</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="server-configuration" class="position-relative d-flex align-items-center group">
<span>Server Configuration</span>
</h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">rbac</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">  </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">  </span><span class="nt">default_role</span><span class="p">:</span><span class="w"> </span><span class="l">public</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">  </span><span class="c"># Role caching</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">  </span><span class="nt">cache</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">    </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">    </span><span class="nt">size</span><span class="p">:</span><span class="w"> </span><span class="m">5000</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">    </span><span class="nt">ttl_seconds</span><span class="p">:</span><span class="w"> </span><span class="m">300</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">  </span><span class="c"># Audit settings</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">  </span><span class="nt">audit</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">    </span><span class="nt">log_role_changes</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">    </span><span class="nt">log_permission_checks</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="c"># Can be verbose</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">  </span><span class="c"># Security settings</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">  </span><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">    </span><span class="nt">max_roles_per_user</span><span class="p">:</span><span class="w"> </span><span class="m">50</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">    </span><span class="nt">max_role_depth</span><span class="p">:</span><span class="w"> </span><span class="m">10</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">    </span><span class="nt">prevent_self_grant</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span></code></pre></div>
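<p>The membership checks and security limits above can also be reviewed offline. The following is an added example, not part of Geode or its documentation: it audits rows exported in the shape of <code>system.role_members</code> against the <code>max_roles_per_user</code> and <code>max_role_depth</code> values from the configuration. It assumes that role-to-role inheritance appears as rows whose <code>member</code> is itself a role and that depth counts the roles on the longest chain from a user; the function name and sample rows are constructed.</p>

```python
"""Offline audit of exported role-membership rows (constructed sample data)."""

# Limits taken from the rbac.security block in geode.yaml.
MAX_ROLES_PER_USER = 50
MAX_ROLE_DEPTH = 10

# Constructed rows shaped like system.role_members:
# (member, role_name, with_admin_option)
SAMPLE_ROWS = [
    ("alice", "analyst", True),
    ("analyst", "reader", False),
    ("reader", "public", False),
    ("bob", "etl", False),
    ("etl", "loader", False),
    ("loader", "etl", False),  # constructed cycle between two roles
]
SAMPLE_USERS = {"alice", "bob"}


def audit_memberships(rows, users, max_roles=MAX_ROLES_PER_USER,
                      max_depth=MAX_ROLE_DEPTH):
    """Return sorted (subject, finding) tuples for review.

    Assumption: a role inherits another role by appearing as `member`.
    """
    parents, findings = {}, set()
    for member, role, admin in rows:
        parents.setdefault(member, set()).add(role)
        if admin and member in users:
            findings.add((member, f"holds admin option on {role}"))
    for subject in sorted(parents):
        effective, deepest = set(), 0
        stack = [(r, (r,)) for r in parents[subject]]
        while stack:  # walk every inheritance chain, tracking its path
            role, path = stack.pop()
            effective.add(role)
            deepest = max(deepest, len(path))
            for parent in parents.get(role, ()):
                if parent in path:
                    findings.add((parent, "role hierarchy cycle"))
                else:
                    stack.append((parent, path + (parent,)))
        if subject not in users:
            continue  # the limits below apply to users only
        if len(effective) > max_roles:
            findings.add((subject, f"{len(effective)} effective roles exceeds {max_roles}"))
        if deepest > max_depth:
            findings.add((subject, f"role chain depth {deepest} exceeds {max_depth}"))
    return sorted(findings)
```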
<h3 id="related-topics" class="position-relative d-flex align-items-center group">
<span>Related Topics</span>
</h3><ul>
<li><a
href="/tags/authorization/"
>Authorization</a>
- Comprehensive access control</li>
<li><a
href="/tags/rls/"
>Row-Level Security</a>
- Fine-grained data access policies</li>
<li><a
href="/tags/authentication/"
>Authentication</a>
- User identity verification</li>
<li><a
href="/tags/audit-logging/"
>Audit Logging</a>
- Tracking access and changes</li>
<li><a
href="/tags/compliance/"
>Compliance</a>
- Regulatory requirements</li>
<li><a
href="/tags/security/"
>Security</a>
- Security overview</li>
</ul>
<h3 id="further-reading" class="position-relative d-flex align-items-center group">
<span>Further Reading</span>
</h3><ul>
<li><a
href="/docs/architecture/security-architecture/"
>Security Architecture</a>
- Security design details</li>
<li><a
href="/docs/security/authorization/"
>Authorization Guide</a>
- Authorization best practices</li>
<li><a
href="/docs/reference/"
>User Management</a>
- User administration reference</li>
<li>RBAC Implementation Whitepaper - Detailed RBAC patterns</li>
</ul>