auth database

Author: andrejtonev

pages/database-management/authentication-and-authorization.mdx

@@ -9,6 +9,28 @@ Learn how authentication and authorization works in Memgraph. Manage users and
 roles, secure the database with role-based and fine-grained access control and
 learn how to integrate with other authentication systems.
 
+## Recent changes to authentication requirements
+
+Recent updates to Memgraph have introduced new requirements for authentication and authorization operations, particularly affecting multi-tenant environments:
+
+### AUTH privilege requirement
+
+Authentication and authorization queries (such as `CREATE USER`, `CREATE ROLE`, `GRANT`, `DENY`, `REVOKE`, etc.) now require the `AUTH` privilege. Users must be explicitly granted this privilege to perform user and role management operations.
+
+### Default database access requirement
+
+In addition to the `AUTH` privilege, users must also have access to the default "memgraph" database to execute authentication and authorization queries. This requirement applies even when the user is working in other databases within a multi-tenant environment.
+
+### Multi-tenant recommendations
+
+For multi-tenant environments, we recommend:
+- Treating the default "memgraph" database as an administrative/system database
+- Restricting access to the "memgraph" database to privileged users only
+- Storing application data in tenant-specific databases
+- Ensuring users who need to perform authentication operations have appropriate access
+
+For detailed information about these requirements and best practices, see the [Role-based access control](/database-management/authentication-and-authorization/role-based-access-control#authentication-and-authorization-requirements) and [Multi-tenancy](/database-management/multi-tenancy#default-database-best-practices) documentation.
+
 ## [Users](/database-management/authentication-and-authorization/users)
 
 Learn how to manage users in Memgraph.

pages/database-management/authentication-and-authorization/multiple-roles.mdx

@@ -17,6 +17,59 @@ Key benefits:
 - **Tenant Isolation**: Users can have different permissions for different databases
 - **SSO Integration**: Support for external identity providers that return multiple roles
 
+## Authentication and authorization requirements
+
+Recent changes to Memgraph have introduced new requirements for authentication and authorization operations in multi-tenant environments. These changes affect how users can perform user and role management operations.
+
+### AUTH privilege requirement
+
+Authentication and authorization queries (such as `CREATE USER`, `CREATE ROLE`, `GRANT`, `DENY`, `REVOKE`, etc.) now require the `AUTH` privilege. Users must be explicitly granted this privilege to perform user and role management operations.
+
+### Default database access requirement
+
+In addition to the `AUTH` privilege, users must also have access to the default "memgraph" database to execute authentication and authorization queries. This requirement applies even when the user is working in other databases within a multi-tenant environment.
+
+<Callout type="warning">
+**Multi-tenant environments**: This requirement is only a concern in multi-tenant environments where users have access to databases other than the default "memgraph" database. In single-database deployments, this requirement is automatically satisfied.
+</Callout>
+
+### Impact on multi-tenant role management
+
+When using multi-tenant roles, ensure that users who need to perform authentication and authorization operations have:
+1. The `AUTH` privilege granted to their roles
+2. Access to the default "memgraph" database
+3. Appropriate role assignments for the "memgraph" database
+
+#### Example: Admin user with multi-tenant roles
+
+```cypher
+-- Create admin role with full privileges
+CREATE ROLE system_admin;
+GRANT ALL PRIVILEGES TO system_admin;
+GRANT DATABASE memgraph TO system_admin;
+
+-- Create tenant-specific admin roles
+CREATE ROLE tenant1_admin;
+CREATE ROLE tenant2_admin;
+GRANT MATCH, CREATE, MERGE, SET, DELETE, INDEX TO tenant1_admin;
+GRANT MATCH, CREATE, MERGE, SET, DELETE, INDEX TO tenant2_admin;
+GRANT DATABASE tenant1_db TO tenant1_admin;
+GRANT DATABASE tenant2_db TO tenant2_admin;
+
+-- Create admin user
+CREATE USER admin_user IDENTIFIED BY 'admin_password';
+
+-- Assign roles with database-specific assignments
+SET ROLE FOR admin_user TO system_admin ON memgraph;
+SET ROLE FOR admin_user TO tenant1_admin ON tenant1_db;
+SET ROLE FOR admin_user TO tenant2_admin ON tenant2_db;
+```
+
+In this setup, `admin_user` can:
+- Perform authentication/authorization operations when connected to the "memgraph" database
+- Manage tenant1_db data when connected to tenant1_db
+- Manage tenant2_db data when connected to tenant2_db
+
 ## Database access with users and roles
 
 ### Basic database access
@@ -287,3 +340,7 @@ SET ROLE multi_db_role FOR user1 ON db2;
 4. **Test permission combinations**: Verify that multi-tenant permissions work correctly in each database
 5. **Document role assignments**: Keep track of which users have which roles for which databases
 6. **Use deny sparingly**: Remember that deny takes precedence over grant across all databases
+7. **Treat memgraph database as admin database**: In multi-tenant environments, restrict access to the default "memgraph" database to privileged users only
+8. **Ensure AUTH privilege access**: Users who need to perform authentication/authorization operations must have both the `AUTH` privilege and access to the "memgraph" database
+9. **Separate application data**: Store all application data in tenant-specific databases, not in the default "memgraph" database
+10. **Plan for authentication operations**: Design your role structure to ensure that users who need to manage users and roles have appropriate access to the "memgraph" database

pages/database-management/authentication-and-authorization/role-based-access-control.mdx

@@ -121,6 +121,66 @@ of the following commands:
 | Privileges to specific labels. | `ALL LABELS` |
 | Privileges to specific relationships types. | `ALL EDGE TYPES` |
 
+## Authentication and authorization requirements
+
+Recent changes to Memgraph have modified how user privileges are generated for authentication and authorization operations. These changes affect multi-tenant environments where users have access to databases other than the default "memgraph" database.
+
+### AUTH privilege requirement
+
+Authentication and authorization queries (such as `CREATE USER`, `CREATE ROLE`, `GRANT`, `DENY`, `REVOKE`, etc.) now require the `AUTH` privilege. Users must be explicitly granted this privilege to perform user and role management operations.
+
+### Default database access requirement
+
+In addition to the `AUTH` privilege, users must also have access to the default "memgraph" database to execute authentication and authorization queries. This requirement applies even when the user is working in other databases within a multi-tenant environment.
+
+<Callout type="warning">
+**Multi-tenant environments**: This requirement is only a concern in multi-tenant environments where users have access to databases other than the default "memgraph" database. In single-database deployments, this requirement is automatically satisfied.
+</Callout>
+
+### Recommended approach for multi-tenant environments
+
+In multi-tenant environments, we recommend treating the default "memgraph" database as an administrative/system database rather than storing application data in it. This approach provides better security and isolation:
+
+1. **Restrict access to the memgraph database**: Only grant access to privileged users who need to perform authentication and authorization operations
+2. **Use tenant-specific databases**: Store application data in dedicated tenant databases rather than the default database
+3. **Separate administrative functions**: Keep user management and system administration separate from application data
+
+#### Example setup for multi-tenant environments
+
+```cypher
+-- Create admin role with full privileges
+CREATE ROLE admin;
+GRANT ALL PRIVILEGES TO admin;
+GRANT DATABASE memgraph TO admin;
+
+-- Create tenant-specific roles
+CREATE ROLE tenant1_user;
+CREATE ROLE tenant2_user;
+
+-- Grant appropriate permissions to tenant roles
+GRANT MATCH, CREATE, MERGE, SET, DELETE TO tenant1_user;
+GRANT MATCH, CREATE, MERGE, SET, DELETE TO tenant2_user;
+
+-- Grant access to tenant databases only
+GRANT DATABASE tenant1_db TO tenant1_user;
+GRANT DATABASE tenant2_db TO tenant2_user;
+
+-- Create users
+CREATE USER admin_user IDENTIFIED BY 'admin_password';
+CREATE USER tenant1_user_account IDENTIFIED BY 'password1';
+CREATE USER tenant2_user_account IDENTIFIED BY 'password2';
+
+-- Assign roles
+SET ROLE FOR admin_user TO admin;
+SET ROLE FOR tenant1_user_account TO tenant1_user;
+SET ROLE FOR tenant2_user_account TO tenant2_user;
+```
+
+In this setup:
+- `admin_user` has access to the "memgraph" database and can perform all authentication/authorization operations
+- `tenant1_user_account` and `tenant2_user_account` can only access their respective tenant databases
+- Application data is stored in tenant-specific databases, not in the default "memgraph" database
+
 After the first user is created, Memgraph will execute a query if and only if
 either a user or its role is granted that privilege and neither the user nor its
 role are denied that privilege. Otherwise, Memgraph will not execute that

pages/database-management/multi-tenancy.md

@@ -20,6 +20,65 @@ A default database named 'memgraph' is automatically created during startup. New
 users are granted access only to this default database. The default
 database name cannot be altered.
 
+### Default database best practices
+
+In multi-tenant environments, we recommend treating the default "memgraph" database as an administrative/system database rather than storing application data in it. This approach provides better security and isolation, especially given recent changes to authentication and authorization requirements.
+
+#### Why treat memgraph as an admin database?
+
+Recent changes to Memgraph require that users have both the `AUTH` privilege and access to the default "memgraph" database to execute authentication and authorization queries. This requirement affects multi-tenant environments where users might have access to other databases but not the default one.
+
+#### Recommended setup
+
+1. **Restrict memgraph database access**: Only grant access to the "memgraph" database to privileged users who need to perform system administration tasks
+2. **Use tenant-specific databases**: Store all application data in dedicated tenant databases
+3. **Separate concerns**: Keep user management, role management, and system administration separate from application data
+
+#### Example configuration
+
+```cypher
+-- Create admin role with full system privileges
+CREATE ROLE system_admin;
+GRANT ALL PRIVILEGES TO system_admin;
+GRANT DATABASE memgraph TO system_admin;
+
+-- Create tenant-specific roles (no access to memgraph database)
+CREATE ROLE tenant1_admin;
+CREATE ROLE tenant1_user;
+CREATE ROLE tenant2_admin;
+CREATE ROLE tenant2_user;
+
+-- Grant appropriate permissions to tenant roles
+GRANT MATCH, CREATE, MERGE, SET, DELETE, INDEX TO tenant1_admin;
+GRANT MATCH, CREATE, MERGE, SET, DELETE TO tenant1_user;
+GRANT MATCH, CREATE, MERGE, SET, DELETE, INDEX TO tenant2_admin;
+GRANT MATCH, CREATE, MERGE, SET, DELETE TO tenant2_user;
+
+-- Grant access only to tenant databases
+GRANT DATABASE tenant1_db TO tenant1_admin, tenant1_user;
+GRANT DATABASE tenant2_db TO tenant2_admin, tenant2_user;
+
+-- Create users
+CREATE USER system_admin_user IDENTIFIED BY 'admin_password';
+CREATE USER tenant1_admin_user IDENTIFIED BY 't1_admin_pass';
+CREATE USER tenant1_regular_user IDENTIFIED BY 't1_user_pass';
+CREATE USER tenant2_admin_user IDENTIFIED BY 't2_admin_pass';
+CREATE USER tenant2_regular_user IDENTIFIED BY 't2_user_pass';
+
+-- Assign roles
+SET ROLE FOR system_admin_user TO system_admin;
+SET ROLE FOR tenant1_admin_user TO tenant1_admin;
+SET ROLE FOR tenant1_regular_user TO tenant1_user;
+SET ROLE FOR tenant2_admin_user TO tenant2_admin;
+SET ROLE FOR tenant2_regular_user TO tenant2_user;
+```
+
+In this configuration:
+- `system_admin_user` can perform all authentication/authorization operations and has access to the "memgraph" database
+- Tenant users can only access their respective tenant databases
+- Application data is completely isolated in tenant-specific databases
+- The "memgraph" database serves purely as an administrative database
+
 ## Isolated databases
 
 Isolated databases within Memgraph function as distinct single-database Memgraph

pages/help-center/errors/auth.mdx

@@ -33,5 +33,45 @@ be missing.
 Queries that modify a user's authentication data are forbidden while using 
 an auth module. Users are handled by the module and local users are disabled.
 
+## User doesn't have AUTH privilege
+
+This error occurs when a user attempts to execute authentication or authorization queries (such as `CREATE USER`, `CREATE ROLE`, `GRANT`, `DENY`, `REVOKE`, etc.) without the required `AUTH` privilege.
+
+### Solution
+
+Grant the `AUTH` privilege to the user or their role:
+
+```cypher
+-- Grant AUTH privilege to a user
+GRANT AUTH TO username;
+
+-- Grant AUTH privilege to a role
+GRANT AUTH TO role_name;
+```
+
+### Multi-tenant environments
+
+In multi-tenant environments, users must also have access to the default "memgraph" database to execute authentication and authorization queries. See the [authentication requirements documentation](/database-management/authentication-and-authorization/role-based-access-control#authentication-and-authorization-requirements) for more details.
+
+## User doesn't have access to the memgraph database [#error-4]
+
+This error occurs in multi-tenant environments when a user attempts to execute authentication or authorization queries but doesn't have access to the default "memgraph" database.
+
+### Solution
+
+Grant access to the "memgraph" database to the user or their role:
+
+```cypher
+-- Grant access to memgraph database for a user
+GRANT DATABASE memgraph TO username;
+
+-- Grant access to memgraph database for a role
+GRANT DATABASE memgraph TO role_name;
+```
+
+### Best practice
+
+In multi-tenant environments, we recommend treating the "memgraph" database as an administrative/system database and restricting access to privileged users only. See the [multi-tenancy documentation](/database-management/multi-tenancy#default-database-best-practices) for recommended setup patterns.
+
 
 <CommunityLinks/>