@@ -4,7 +4,7 @@ menuTitle: User Management
44weight : 25
55description : >-
66 User management is possible in the web interface and in _arangosh_ in the
7- contect of the `_system` database
7+ context of the `_system` database
88archetype : chapter
99---
1010Authentication needs to be enabled on the server in order to employ user
@@ -36,7 +36,7 @@ service arangodb restart
3636```
3737
3838User management is possible in the [ web interface] ( ../../../components/web-interface/users.md )
39- while logged on to the * \ _* database and in
39+ while logged on to the ` _system ` database and in
4040[ arangosh] ( in-arangosh.md ) , as well as via the
4141[ HTTP API] ( ../../../develop/http-api/users.md ) .
4242
@@ -115,7 +115,7 @@ access levels. The access levels are *Administrate* and
115115| update a user | Administrate |
116116| update user access level | Administrate |
117117| drop a user | Administrate |
118- | shutdown server | Administrate |
118+ | shutdown server | Administrate |
119119
120120To perform actions in a specific database (like creating or dropping collections),
121121a user needs at least the following access level.
@@ -179,16 +179,16 @@ from the database access level in the `_system` database, it is
179179
180180### Initial Access Levels
181181
182- When a user creates a database the access level of the user for that database
182+ When a user creates a database, the access level of the user for that database
183183is set to * Administrate* . The same is true for creating a collection, in this
184- case the user get * Read/Write* access to the collection.
184+ case the user gets * Read/Write* access to the collection.
185185
186186### Wildcard Database Access Level
187187
188188With the above definition, one must define the database access level for
189189all database/user pairs in the server, which would be very tedious. In
190- order to simplify this process, it is possible to define, for a user,
191- a wildcard database access level. This wildcard is used if the database
190+ order to simplify this process, it is possible to define a wildcard
191+ database access level for a user . This wildcard is used if the database
192192access level is * not* explicitly defined for a certain database. Each new
193193created user has an initial database wildcard of * No Access* .
194194
@@ -202,33 +202,52 @@ If you delete the wildcard, the default access level is defined as *No Access*.
202202
203203The ` root ` user has an initial database wildcard of * Administrate* .
204204
205- * Example*
205+ If a user has the access level * Access* or * Administrate* for the ` _system `
206+ database but a lower wildcard database access level, then the ` _system ` database
207+ access level is granted for all databases that do not have an explicit
208+ access level defined.
209+
210+ See [ Permission Resolution] ( #permission-resolution ) for details.
211+
212+ ** Example**
206213
207214Assume user * JohnSmith* has the following database access levels:
208215
209- | | access level |
210- | ------------------| --------------|
211- | database ` * ` | Access |
212- | database ` shop1 ` | Administrate |
213- | database ` shop2 ` | No Access |
216+ | | Access level |
217+ | --------------------| --------------|
218+ | database ` _system ` | No Access |
219+ | database ` shop1 ` | Administrate |
220+ | database ` shop2 ` | No Access |
221+ | database ` * ` | Access |
214222
215- This will give the user * JohnSmith* the following database level access:
223+ This gives the user * JohnSmith* the following database level access:
216224
225+ - database ` _system ` : * No Access*
217226- database ` shop1 ` : * Administrate*
218227- database ` shop2 ` : * No Access*
219228- database ` something ` : * Access*
220229
221- If the wildcard ` * ` is changed from * Access* to * No Access* then the
222- permissions will change as follows:
230+ If the wildcard ` * ` is changed from * Access* to * No Access* , then the
231+ permissions change as follows:
223232
233+ - database ` _system ` : * No Access*
224234- database ` shop1 ` : * Administrate*
225235- database ` shop2 ` : * No Access*
226236- database ` something ` : * No Access*
227237
238+ If the ` _system ` database access level is changed from * No Access* to
239+ * Administrate* , then the permissions change again for databases with no
240+ explicitly defined access level:
241+
242+ - database ` _system ` : * Administrate*
243+ - database ` shop1 ` : * Administrate*
244+ - database ` shop2 ` : * No Access*
245+ - database ` something ` : * Administrate*
246+
228247### Wildcard Collection Access Level
229248
230- For each user and database there is a wildcard collection access level.
231- This level is used for all collections pairs without an explicitly
249+ For each user and database, there is a wildcard collection access level.
250+ This level is used for all collections of a database without an explicitly
232251defined collection access level. Note that this includes collections
233252which will be created in the future and for which no explicit access
234253levels are set for a that user! Each new created user has an initial
@@ -239,93 +258,154 @@ If you delete the wildcard, the system defaults to *No Access*.
239258The ` root ` user has an initial collection wildcard of * Read/Write* in every database.
240259
241260When creating a user through
242- [ ` db._createDatabase() ` ] ( ../../../develop/javascript-api/@arangodb/db-object.md#db_createdatabasename--options--users )
243- the access level of the user for this database will be set to * Administrate*
244- and the wildcard for all collections within this database will be set to
245- * Read/Write* .
261+ [ ` db._createDatabase() ` ] ( ../../../develop/javascript-api/@arangodb/db-object.md#db_createdatabasename--options--users ) ,
262+ the access level of the user for this database is set to * Administrate* and the
263+ wildcard for all collections within this database are set to * Read/Write* .
246264
247- ** Example**
265+ If a user has the access level * Access* or * Administrate* for the ` _system `
266+ database but a lower wildcard database access level or wildcard collection
267+ access level, then the ` _system ` database access level is granted for all
268+ collections that do not have an explicit access level defined.
269+
270+ See [ Permission Resolution] ( #permission-resolution ) for details.
271+
272+ {{< security >}}
273+ It is recommended to use explicitly defined access levels for all databases and
274+ collections instead of wildcard grants to avoid accidentally granting more
275+ permissions than intended.
276+ {{< /security >}}
277+
278+ ** Examples**
248279
249280Assume user * JohnSmith* has the following database access levels:
250281
251- | | access level |
252- | --------------| --------------|
253- | database ` * ` | Access |
282+ | | Access level |
283+ | --------------------| --------------|
284+ | database ` _system ` | No Access |
285+ | database ` * ` | Access |
254286
255- and collection access levels:
287+ And the following collection access levels:
256288
257- | | access level |
289+ | | Access level |
258290| -----------------------------------------| --------------|
259291| database ` * ` , collection ` * ` | Read/Write |
260292| database ` shop1 ` , collection ` products ` | Read-Only |
261293| database ` shop1 ` , collection ` * ` | No Access |
262- | database ` shop2 ` , collection ` * ` | Read-Only |
294+ | database ` shop2 ` , collection ` reviews ` | No Access |
263295
264- Then the user * doe * will get the following collection access levels:
296+ Then the user * JohnSmith * gets the following collection access levels:
265297
266298- database ` shop1 ` , collection ` products ` : * Read-Only*
267- - database ` shop1 ` , collection ` customers ` : * No Access*
268- - database ` shop2 ` , collection ` reviews ` : * Read-Only*
269- - database ` something ` , collection ` else ` : * Read/Write*
299+ - database ` shop1 ` , collection ` customers ` : * Read/Write*
300+ - database ` shop2 ` , collection ` reviews ` : * No Access*
270301
271302Explanation:
272303
273304Database ` shop1 ` , collection ` products ` directly matches a defined
274- access level. This level is defined as * Read-Only* .
305+ collection access level and the database access level is higher
306+ than * No Access* , leading to * Read-Only* access for the collection.
275307
276308Database ` shop1 ` , collection ` customers ` does not match a defined access
277- level. However, database ` shop1 ` matches and the wildcard in this
278- database for collection level is * No Access* .
309+ level. There is a wildcard collection access level of * No Access* , but it cannot
310+ lower the access level granted by the wildcard combination of database ` * ` ,
311+ collection ` * ` , leading to * Read/Write* access for the collection.
312+
313+ Database ` shop2 ` does not match a defined access level. However, the database
314+ matches the database wildcard access level of * Access* . The access level for all
315+ collections with no defined access level would be * Read/Write* because of the
316+ wildcard combination of database ` * ` , collection ` * ` , but the ` reviews `
317+ collection has a defined access level of * No Access* , leading to no access for
318+ this collection.
279319
280- Database ` shop2 ` , collection ` reviews ` does not match a defined access
281- level. However, database ` shop2 ` matches and the wildcard in this
282- database for collection level is * Read-Only* .
320+ Assume user * JohnSmith* has the following database access levels:
283321
284- Database ` something ` , collection ` else ` does not match a defined access
285- level. The database ` something ` also does have a direct matches.
286- Therefore the wildcard is selected. The level is * Read/Write* .
322+ | | Access level |
323+ | --------------------| --------------|
324+ | database ` _system ` | Access |
325+ | database ` shop2 ` | Administrate |
326+ | database ` * ` | No Access |
327+
328+ And the following collection access levels:
329+
330+ | | Access level |
331+ | ------------------------------------------| --------------|
332+ | database ` shop1 ` , collection ` customers ` | No Access |
333+ | database ` shop1 ` , collection ` * ` | No Access |
334+
335+ Then the user * JohnSmith* gets the following collection access levels:
336+
337+ - database ` shop1 ` , collection ` products ` : * Read-Only*
338+ - database ` shop1 ` , collection ` customers ` : * No Access*
339+ - database ` shop2 ` , collection ` reviews ` : * Read/Write*
340+
341+ Explanation:
342+
343+ Database ` shop1 ` , collection ` products ` does not match a defined access
344+ level. There is a wildcard collection access level of * No Access* , but it cannot
345+ lower the access level granted via the ` _system ` database, leading to * Read-Only*
346+ access for the collection.
347+
348+ Database ` shop1 ` , collection ` customers ` directly matches a defined
349+ collection access level. The database access level is higher than * No Access*
350+ but the explicitly defined collection access level of * No Access* leads to no
351+ access for the collection.
352+
353+ Database ` shop2 ` has a defined access level of * Administrate* . No access level
354+ is defined for its collections, which is equal to a wildcard collection
355+ access level of * No Access* . However, the * Administrate* database access level
356+ leads to * Read-Write* access for all collections in the database, including the
357+ ` reviews ` collection.
287358
288359### Permission Resolution
289360
290361The access levels for databases and collections are resolved in the following way:
291362
292363For a database "* foo* ":
293- 1 . Check if there is a specific database grant for * foo* , if yes use the granted access level
294- 2 . Choose the higher access level of::
295- - A wildcard database grant ( for example ` grantDatabase('user', '*', 'rw' ` )
296- - A database grant on the ` _system ` database
297-
298- For a collection named "* bar* ":
299- 1 . Check if there is a specific database grant for * bar* , if yes use the granted access level
300- 2 . Choose the higher access level of::
301- - Any wildcard access grant in the same database, or on ` "*" ` (in this example ` grantCollection('user', 'foo', '*', 'rw') ` )
302- - The access level for the current database (in this example ` grantDatabase('user', 'foo', 'rw' ` )
303- - The access level for the ` _system ` database
304-
305- An exception to this are system collections, here only the access level for the database is used.
364+ 1 . Check if there is a specific database grant for * foo* .
365+ If yes, use the granted access level.
366+ 2 . Choose the higher access level of:
367+ - A wildcard database grant (like ` grantDatabase('user', '*', 'rw') ` ).
368+ - A database grant on the ` _system ` database.
369+
370+ For a collection named "* bar* " in a database "* foo* ":
371+ 1 . Check whether the effective access level for the database * foo* is higher than
372+ * No Access* (see above). If not, then you cannot access the collection * bar* .
373+ 2 . Check if there is a specific collection grant for * bar* .
374+ If yes, use the granted collection access level for * bar* .
375+ 3 . Choose the higher access level of:
376+ - A wildcard collection grant in the same database
377+ (like ` grantCollection('user', 'foo', '*', 'rw') ` ).
378+ - A wildcard database grant (like ` grantDatabase('user', '*', 'rw') ` ).
379+ - The access level for the current database (like ` grantDatabase('user', 'foo', 'rw' ` ).
380+ - The access level for the ` _system ` database.
381+
382+ An exception to this are system collections, where only the access level for the
383+ database is used.
306384
307385### System Collections
308386
309387The access level for system collections cannot be changed. They follow
310388different rules than user defined collections and may change without further
311- notice. Currently the system collections follow these rules:
389+ notice. The system collections follow these rules:
312390
313- | collection | access level |
314- | -----------------------| --------------|
315- | ` _users ` (in _ system) | No Access |
316- | ` _queues ` | Read-Only |
317- | ` _frontend ` | Read/Write |
318- | ` * ` | * same as db * |
391+ | Collection | Access level |
392+ | -------------------------------------- | --------------|
393+ | ` _users ` (in the ` _system ` database ) | No Access |
394+ | ` _queues ` | Read-Only |
395+ | ` _frontend ` | Read/Write |
396+ | ` * ` (default) | * based on the current database * |
319397
320398All other system collections have access level * Read/Write* if the
321399user has * Administrate* access to the database. They have access level
322400* Read/Only* if the user has * Access* to the database.
323401
324- To modify these system collections you should always use the
325- specialized APIs provided by ArangoDB. For example
326- no user has access to the * \ _* collection in the * \ _*
402+ To modify these system collections, you should always use the
403+ specialized APIs provided by ArangoDB. For example,
404+ no user has access to the ` _users ` collection in the ` _system `
327405database. All changes to the access levels must be done using the
328- * @arangodb/users * module, the ` /_users/ ` API or the web interface.
406+ [ ` @arangodb/users ` module of the JavaScript API] ( in-arangosh.md ) ,
407+ the [ ` /_api/user ` HTTP API endpoints] ( ../../../develop/http-api/users.md ) ,
408+ or the web interface.
329409
330410### LDAP Users
331411
0 commit comments