Detailed list of queries and their privileges (#1433)

andrejtonev · matea16 · web-flow · commit e1d10bb00dff · 2025-10-13T10:20:53.000+02:00
* Added detailed list of queries and their privileges

* Apply suggestions from code review

---------

Co-authored-by: Matea Pesic &lt;80577904+matea16@users.noreply.github.com&gt;
diff --git a/pages/database-management/authentication-and-authorization/query-privileges.mdx b/pages/database-management/authentication-and-authorization/query-privileges.mdx
@@ -0,0 +1,270 @@
+---
+title: Query privileges reference
+description: Comprehensive reference for query privileges and required permissions in Memgraph.
+---
+
+import { Callout } from 'nextra/components'
+
+# Query privileges reference <sup style={{ fontSize: '0.6em', color: '#888' }}>Enterprise</sup>
+
+This comprehensive reference provides detailed information about the privilege system in Memgraph, including which privileges are required for different types of queries and operations.
+
+<Callout type="info">
+This page complements the [Role-based access control](/database-management/authentication-and-authorization/role-based-access-control) documentation by providing detailed privilege requirements for specific queries and operations.
+</Callout>
+
+
+Memgraph's privilege system controls access to various database operations through a comprehensive set of privileges. The system analyzes queries and determines the required privileges using the `PrivilegeExtractor` class, which implements the visitor pattern to traverse the Abstract Syntax Tree (AST) and extract privilege requirements.
+
+## Cypher query privileges
+
+### Basic operations
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `CREATE` | `CREATE` | `CREATE (n:Person {name: "Alice"})` |
+| `MATCH` | `MATCH` | `MATCH (n:Person) RETURN n` |
+| `DELETE` | `DELETE` | `MATCH (n) DELETE n` |
+| `MERGE` | `MERGE` | `MERGE (n:Person {id: 1})` |
+| `SET` (properties) | `SET` | `MATCH (n) SET n.name = "Bob"` |
+| `SET` (labels) | `SET` | `MATCH (n) SET n:Employee` |
+| `REMOVE` (properties) | `REMOVE` | `MATCH (n) REMOVE n.temp` |
+| `REMOVE` (labels) | `REMOVE` | `MATCH (n) REMOVE n:Temp` |
+
+### Complex queries
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `MATCH` + `DELETE` | `MATCH`, `DELETE` | `MATCH (n) DELETE n` |
+| `MATCH` + `CREATE` | `MATCH`, `CREATE` | `MATCH (n) CREATE (m)-[:KNOWS]->(n)` |
+| `MATCH` + `SET` | `MATCH`, `SET` | `MATCH (n) SET n.updated = true` |
+| `MATCH` + `REMOVE` | `MATCH`, `REMOVE` | `MATCH (n) REMOVE n:Old` |
+
+## Index operations
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `CREATE INDEX` | `INDEX` | `CREATE INDEX ON :Person(name)` |
+| `DROP INDEX` | `INDEX` | `DROP INDEX ON :Person(name)` |
+| `CREATE EDGE INDEX` | `INDEX` | `CREATE EDGE INDEX ON :KNOWS` |
+| `CREATE TEXT INDEX` | `INDEX` | `CREATE TEXT INDEX ON :Person(name)` |
+| `CREATE VECTOR INDEX` | `INDEX` | `CREATE VECTOR INDEX ON :Document(embedding)` |
+| `CREATE TEXT EDGE INDEX` | `INDEX` | `CREATE TEXT EDGE INDEX ON :KNOWS(description)` |
+| `CREATE VECTOR EDGE INDEX` | `INDEX` | `CREATE VECTOR EDGE INDEX ON :SIMILAR(embedding)` |
+| `ANALYZE GRAPH` | `INDEX` | `ANALYZE GRAPH` |
+| `DROP ALL INDEXES` | `INDEX` | `DROP ALL INDEXES` |
+
+## Constraint operations
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `CREATE CONSTRAINT` | `CONSTRAINT` | `CREATE CONSTRAINT ON (n:Person) ASSERT n.id IS UNIQUE` |
+| `DROP CONSTRAINT` | `CONSTRAINT` | `DROP CONSTRAINT ON (n:Person) ASSERT n.id IS UNIQUE` |
+| `DROP ALL CONSTRAINTS` | `CONSTRAINT` | `DROP ALL CONSTRAINTS` |
+
+## Authentication and authorization
+
+| Query Type | Required Privileges | Special Cases |
+|------------|-------------------|---------------|
+| `CREATE ROLE` | `AUTH` | |
+| `DROP ROLE` | `AUTH` | |
+| `SHOW ROLES` | `AUTH` | |
+| `CREATE USER` | `AUTH` | |
+| `SET PASSWORD` | `AUTH` | |
+| `CHANGE PASSWORD` | **None** | Users can change their own password. |
+| `DROP USER` | `AUTH` | |
+| `SHOW CURRENT USER` | **None** | Users can always see their own info. |
+| `SHOW CURRENT ROLE` | **None** | Users can always see their current role. |
+| `SHOW USERS` | `AUTH` | |
+| `SET ROLE` | `AUTH` | |
+| `CLEAR ROLE` | `AUTH` | |
+| `GRANT PRIVILEGE` | `AUTH` | |
+| `DENY PRIVILEGE` | `AUTH` | |
+| `REVOKE PRIVILEGE` | `AUTH` | |
+| `SHOW PRIVILEGES` | `AUTH` | |
+| `SHOW ROLE FOR USER` | `AUTH` | |
+| `SHOW USERS FOR ROLE` | `AUTH` | |
+| `GRANT DATABASE TO USER` | `AUTH` | |
+| `DENY DATABASE FROM USER` | `AUTH` | |
+| `REVOKE DATABASE FROM USER` | `AUTH` | |
+| `SHOW DATABASE PRIVILEGES` | `AUTH` | |
+| `SET MAIN DATABASE` | `AUTH` | |
+| `GRANT IMPERSONATE USER` | `AUTH` | |
+| `DENY IMPERSONATE USER` | `AUTH` | |
+
+## Database information queries
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `SHOW INDEX INFO` | `INDEX` | `SHOW INDEX INFO` |
+| `SHOW EDGE TYPES` | `INDEX` | `SHOW EDGE_TYPES INFO` |
+| `SHOW NODE LABELS` | `INDEX` | `SHOW NODE_LABELS INFO` |
+| `SHOW VECTOR INDEX INFO` | `INDEX` | `SHOW VECTOR INDEX INFO` |
+| `SHOW CONSTRAINT INFO` | `CONSTRAINT` | `SHOW CONSTRAINT INFO` |
+| `SHOW METRICS` | `STATS` | `SHOW METRICS INFO` |
+
+## System information queries
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `SHOW STORAGE INFO` | `STATS` | `SHOW STORAGE INFO` |
+| `SHOW BUILD INFO` | `STATS` | `SHOW BUILD INFO` |
+| `SHOW ACTIVE USERS` | `STATS` | `SHOW ACTIVE USERS` |
+| `SHOW LICENSE INFO` | `CONFIG` | `SHOW LICENSE INFO` |
+| `SHOW INSTANCE` | `STATS` | `SHOW INSTANCE` |
+| `SHOW INSTANCES` | `STATS` | `SHOW INSTANCES` |
+
+## Administrative operations
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `DUMP DATABASE` | `DUMP` | `DUMP DATABASE` |
+| `LOCK DATA DIRECTORY` | `DURABILITY` | `LOCK DATA DIRECTORY` |
+| `UNLOCK DATA DIRECTORY` | `DURABILITY` | `UNLOCK DATA DIRECTORY` |
+| `DATA DIRECTORY LOCK STATUS` | `DURABILITY` | `DATA DIRECTORY LOCK STATUS` |
+| `FREE MEMORY` | `FREE_MEMORY` | `FREE MEMORY` |
+| `SHOW CONFIG` | `CONFIG` | `SHOW CONFIG` |
+| `CREATE TRIGGER` | `TRIGGER` | `CREATE TRIGGER ...` |
+| `DROP TRIGGER` | `TRIGGER` | `DROP TRIGGER ...` |
+| `SHOW TRIGGERS` | `TRIGGER` | `SHOW TRIGGERS` |
+| `SHOW TRIGGER INFO` | `TRIGGER` | `SHOW TRIGGER INFO` |
+| `CREATE STREAM` | `STREAM` | `CREATE STREAM ...` |
+| `DROP STREAM` | `STREAM` | `DROP STREAM ...` |
+| `SET ISOLATION LEVEL` | `CONFIG` | `SET ISOLATION LEVEL ...` |
+| `SET STORAGE MODE` | `STORAGE_MODE` | `SET STORAGE MODE ...` |
+| `CREATE SNAPSHOT` | `DURABILITY` | `CREATE SNAPSHOT` |
+| `RECOVER SNAPSHOT` | `DURABILITY` | `RECOVER SNAPSHOT` |
+| `SHOW SNAPSHOTS` | `DURABILITY` | `SHOW SNAPSHOTS` |
+| `SHOW NEXT SNAPSHOT` | `DURABILITY` | `SHOW NEXT SNAPSHOT` |
+| `SET SETTING` | `CONFIG` | `SET SETTING ...` |
+| `SHOW VERSION` | `STATS` | `SHOW VERSION` |
+| `SHOW TRANSACTIONS` | `TRANSACTION_MANAGEMENT` | `SHOW TRANSACTIONS` |
+| `TERMINATE TRANSACTIONS` | `TRANSACTION_MANAGEMENT` | `TERMINATE TRANSACTIONS 'transaction_id'` |
+
+## Replication operations
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `REPLICATION` operations | `REPLICATION` | Various replication commands. |
+| `SHOW REPLICATION ROLE` | `REPLICATION` | `SHOW REPLICATION ROLE` |
+| `SHOW REPLICAS` | `REPLICATION` | `SHOW REPLICAS` |
+| `SHOW REPLICATION LAG` | `COORDINATOR` | `SHOW REPLICATION LAG` |
+
+## Multi-database operations
+
+| Query Type | Required Privileges | Special Cases |
+|------------|-------------------|---------------|
+| `CREATE DATABASE` | `MULTI_DATABASE_EDIT` | |
+| `DROP DATABASE` | `MULTI_DATABASE_EDIT` | |
+| `RENAME DATABASE` | `MULTI_DATABASE_EDIT` | |
+| `DROP DATABASE FORCE` | `MULTI_DATABASE_EDIT`, `TRANSACTION_MANAGEMENT` | Requires both privileges. |
+| `USE DATABASE` | `MULTI_DATABASE_USE` | |
+| `SHOW DATABASE` | **None** | Users can see current database. |
+| `SHOW DATABASES` | `MULTI_DATABASE_USE` | |
+
+## Enum operations
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `CREATE ENUM` | `CREATE` | `CREATE ENUM ...` |
+| `SHOW ENUMS` | `STATS` | `SHOW ENUMS` |
+| `ALTER ENUM ADD VALUE` | `CREATE` | `ALTER ENUM ... ADD VALUE ...` |
+| `ALTER ENUM UPDATE VALUE` | `CREATE` | `ALTER ENUM ... UPDATE VALUE ...` |
+| `ALTER ENUM REMOVE VALUE` | `DELETE` | `ALTER ENUM ... REMOVE VALUE ...` |
+| `DROP ENUM` | `DELETE` | `DROP ENUM ...` |
+
+## TTL operations
+
+| Query Type | Required Privileges | Note |
+|------------|-------------------|------|
+| `TTL` operations | `CONFIG`, `INDEX`, `MATCH`, `DELETE` | Requires multiple privileges. |
+
+## Coordinator operations
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `COORDINATOR` operations | `COORDINATOR` | Various coordinator commands. |
+| `SHOW COORDINATOR SETTINGS` | `COORDINATOR` | `SHOW COORDINATOR SETTINGS` |
+
+## Schema information
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `SHOW SCHEMA INFO` | `STATS` | `SHOW SCHEMA INFO` |
+
+## User profile operations
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `USER PROFILE` operations | `PROFILE_RESTRICTION` | User profile management. |
+
+## Procedure calls
+
+| Procedure Type | Required Privileges | Example |
+|----------------|-------------------|---------|
+| `mg.get_module_files` | `MODULE_READ` | `CALL mg.get_module_files()` |
+| `mg.create_module_file` | `MODULE_WRITE` | `CALL mg.create_module_file(...)` |
+| `mg.update_module_file` | `MODULE_WRITE` | `CALL mg.update_module_file(...)` |
+| `mg.get_module_file` | `MODULE_READ` | `CALL mg.get_module_file(...)` |
+| `mg.delete_module_file` | `MODULE_WRITE` | `CALL mg.delete_module_file(...)` |
+| Other procedures | **Procedure-specific** | Depends on procedure definition. |
+
+## File operations
+
+| Query Type | Required Privileges | Example |
+|------------|-------------------|---------|
+| `LOAD CSV` | `READ_FILE` | `LOAD CSV FROM "file.csv" AS row` |
+
+## Special cases
+
+| Query Type | Required Privileges | Notes |
+|------------|-------------------|-------|
+| `EXPLAIN` | **Inherits privileges from inner query** | Privileges depend on the explained query. |
+| `PROFILE` | **Inherits privileges from inner query** | Privileges depend on the profiled query. |
+| `SET SESSION TRACE` | **None** | No privileges required. |
+
+### Examples
+
+```cypher
+-- EXPLAIN inherits privileges from the inner query
+EXPLAIN MATCH (n:Person) RETURN n;  -- Requires MATCH privilege
+
+-- PROFILE inherits privileges from the inner query
+PROFILE CREATE (n:Person {name: "Alice"});  -- Requires CREATE privilege
+```
+
+## Troubleshooting
+
+### Common privilege errors
+
+<Callout type="warning">
+If you encounter "Vertex not created due to not having enough permission!" errors, you likely need to grant fine-grained access control privileges to the user.
+</Callout>
+
+### Checking privileges
+
+```cypher
+-- Show all privileges for a user or role
+SHOW PRIVILEGES FOR username;
+
+-- Show privileges in specific database context
+SHOW PRIVILEGES FOR username ON DATABASE db_name;
+
+-- Verify the current logged-in user
+SHOW CURRENT USER;
+
+-- Show current user's privileges
+SHOW PRIVILEGES FOR CURRENT USER;
+```
+
+### Privilege inheritance
+
+Remember that:
+- **Grants**: If any role grants a permission, the user has that permission
+- **Denies**: If any role denies a permission, the user is denied that permission
+- **Database Access**: If any role grants access to a database, the user has access
+- **Fine-grained Permissions**: Combined using the same grant/deny logic
+
+<Callout type="info">
+Privilege changes take effect after the user reconnects to the database.
+</Callout>
diff --git a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx
@@ -172,10 +172,16 @@ of the following commands:
 | Privilege to change [storage mode](/fundamentals/storage-memory-usage#storage-modes). | `STORAGE_MODE` |
 | Privilege to manage [multi-tenant databases](/database-management/multi-tenancy). | `MULTI_DATABASE_EDIT` |
 | Privilege to use a database within the multi-tenant architecture. | `MULTI_DATABASE_USE` |
+| Privilege to configure [high-availability](/clustering/high-availability) coordinators. | `COORDINATOR` |
+| Privilege to [impersonate other users](/database-management/authentication-and-authorization/impersonate-user). | `IMPERSONATE_USER` |
 | Privilege to set limits and monitor resource usage per user. | `PROFILE_RESTRICTION` |
 | Privileges to specific labels. | `ALL LABELS` |
 | Privileges to specific relationships types. | `ALL EDGE TYPES` |
 
+<Callout type="info">
+For a comprehensive reference of which privileges are required for specific queries and operations, see the [Query privileges reference](/database-management/authentication-and-authorization/query-privileges) documentation.
+</Callout>
+
 ## Authentication and authorization requirements
 
 <Callout type="info">
