home shape
one query background

User Management

In ArangoDB 3.2 we introduced a new more finer grained permission management. You can now limit read and write access to databases as well as collections. The public API meanwhile is mostly unchanged, existing code should mostly run as it is.

The most basic task, of course, is creating a user and granting him some level of access.

var users = require("@arangodb/users");
require("@arangodb/users").save("admin@arango", "pass", true);

Then maybe you would like this user to have complete (read/write) access to a database named “fullaccess”, including all collections in it. This can be accomplished by granting the user access to the special “*” collection (which is not an actual collection, but just symbolizes the default).

users.grantDatabase("admin@arango", "fullaccess", "rw");
// then you have to allow the user to access all collections
users.grantCollection("admin@arango", "fullaccess", "*", "rw");

Exclude certain collections

Maybe you then want to specifically exclude a secret collection in the “fullaccess” database. This can be accomplished by granting the user the none right.

users.grantCollection("admin@arango", "fullaccess", "secret", "none");

Similarly, you might want to ensure users have no administrative access to a database (they cannot change indexes, drop collections etc.). In this case you might also want to ensure read only access to all collections in that database.

users.grantDatabase("admin@arango", "restricted", "ro");
users.grantCollection("admin@arango", "restricted", "*", "ro");
// Maybe you still want to allow RW access to a specific collection:
users.grantCollection("admin@arango", "restricted", "accessible", "rw");

Keep in mind that the order in which you assign those rights does not matter. There is a preference of more specific right grants over the default “*”. The system will always try to look up at the rights for the specific collection / database name and only then falls back to the default.

Creating databases with users

When you create a database you can create corresponding users in the same API call. This was already possible in older versions of ArangoDB, but the semantic of _createDatabase slightly changes:
Users created with _createDatabase automatically have administrative access to the database and read/write access to all collections in it.

db._createDatabase("test", {}, [ { username: "admin@arango", passwd: "", active: true } ] );
// is equivalent to
require("@arangodb/users").save("admin@arango", "", true);
require("@arangodb/users").grantDatabase("admin@arango", "test");
require("@arangodb/users").grantCollection("admin@arango", "test", "*"); // new in 3.2
screenshot 1 1 (1)