Authorization is the process of mapping a user to a set of specific permissions. GraphDB implements Spring security for authorization. Spring security acts as an interceptor and filter. Each permission, therefore, can be treated as a set of intercepted urls that are grouped logically for ease of visualization.

User roles and permissions

GraphDB implements the minimal Role Based Access Control (RBAC1) model with role hierarchy support. The model defines 4 entities:

  • User - every user regardless if it is a anonymous or authenticated user;
  • Session - the current session connections; every session always works in the context of a specific user;
  • Roles - a group of permissions associated with a role; the roles may be organized in hierarchies i.e. Admin role give you all other roles without explicitly defining them;
  • Permission - gives rights to execute a specific operation.

The roles defined in GraphDB security model follow a hierarchy

Role name Associated permissions
Admin Perform any server operations i.e. the security never rejects an operation
Repo Manager Full read and write permissions to all repositories.
User Can save SPARQL queries, graph visualizations or user pecific server side settings (“Setup” > “My settings”)

Each user may only be either a regular user, an admin or a repository manager. However, users can have multiple READ/WRITE roles.

Permissions User Repo Manager Admin
Granted read access to a repository yes yes yes
Granted read/write access to a repository yes yes yes
Read and write all repositories no yes yes
Create, edit and delete repositories no yes yes
Access monitoring no yes yes
Manage Connectors no yes yes
Manage Users and Access no no yes
Manage the cluster no no yes
Attach remote locations no no yes
View system information no no yes

Built-in users and roles

GraphDB has three special internal users that cannot be deleted and are needed for the functioning of the database.

User name Enabled by default Associated roles Description
Admin yes ROLE_ADMIN Default username and password in the local security database. Requires HTTP basic authentication.
<cluster user> yes ROLE_CLUSTER READ_REPO_* WRITE_REPO_* The communication mechanisms in the cluster, where every request is signed with a special header “Authorization: GDB-Signature token”
<free access user> no none The default user associated with anonymous user if anonymous access is enabled