Role-Based Access Control (RBAC)
PuppyGraph supports role-based access control (RBAC) to restrict what each user can do. This page explains the built-in roles, how to manage users through the UI, and how to configure SSO group mappings.
Roles
PuppyGraph has five built-in roles:
| Role | Intended for | What they can do |
|---|---|---|
Admin |
PuppyGraph administrators | Everything: full access to all features including user management, graph schema, catalogs, queries, cluster, and system operations |
UserAdmin |
Team leads, security officers | Manage users and roles; read-only access to graphs, catalogs, and queries. Cannot modify graphs, catalogs, or cluster infrastructure |
GraphAdmin |
Data engineers | Build and maintain graph schemas; run queries; read catalog metadata. Cannot create or delete catalogs, and cannot manage users |
Analyst |
Data analysts, application developers | Run queries; read graph schemas and catalog metadata |
Viewer |
Stakeholders, reviewers | Read graph schemas and catalog metadata. Cannot run queries |
Permission Matrix
| Permission | Admin | UserAdmin | GraphAdmin | Analyst | Viewer |
|---|---|---|---|---|---|
| View graph schema | ✓ | ✓ | ✓ | ✓ | ✓ |
| Modify graph schema | ✓ | ✓ | |||
| View catalogs | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create/delete catalogs | ✓ | ||||
| Run queries | ✓ | ✓ | ✓ | ✓ | |
| View data and cache | ✓ | ✓ | ✓ | ✓ | |
| Manage data and cache | ✓ | ✓ | |||
| View cluster status | ✓ | ✓ | ✓ | ||
| Manage cluster nodes | ✓ | ||||
| System administration | ✓ | ||||
| View users and audit log | ✓ | ✓ | |||
| Manage users and roles | ✓ | ✓ | |||
| Assign Admin/UserAdmin roles | ✓ |
Note
UserAdmin and GraphAdmin are peers; neither is a superset of the other. Only Admin can assign the Admin or UserAdmin roles to other users.
Schema uploads with embedded catalogs
If a schema file includes a catalog section, uploading it requires CATALOG:write permission (Admin only). Users with the GraphAdmin role must remove the catalog section from their schema file and have an admin register the catalogs separately via Catalogs in the left sidebar.
Managing Users
RBAC settings are in Settings (gear icon in the left sidebar). The management tabs (Users, Service Accounts, SSO Configuration, and Audit Log) are only visible to users with the Admin or UserAdmin role.
Creating a Local User
Local users authenticate with a username and password managed by PuppyGraph.
- Go to Settings → Users
- Click Create User
- Enter a username and select a role (defaults to Analyst)
- Click Create. A generated password appears; copy it now, because it is shown only once and cannot be retrieved later.
- Share the username and password with the new user.
Note
Only Admin can assign the Admin or UserAdmin roles when creating a user.
Changing a User's Role
- Go to Settings → Users
- Find the user in the table
- Use the Role dropdown in their row to select a new role
The role change takes effect the next time the user logs in.
Resetting a User's Password
For local users who have forgotten their password:
- Go to Settings → Users
- Find the user and click the Password button
- Confirm the reset. A new generated password is shown once. Share it with the user.
Deleting a User
- Go to Settings → Users
- Find the user and click the Delete button
- Confirm the deletion
Note
The bootstrap admin (puppygraph by default) cannot be deleted or have its role changed.
Changing Your Own Password
Local users can change their own password from the Preferences tab:
- Go to Settings → Preferences
- Scroll to the Password section
- Click Change Password
- Enter your current password and new password (minimum 8 characters)
SSO Users
When SSO is enabled, users who authenticate through your identity provider (IdP) are created automatically on first login. For how to wire PuppyGraph up to your IdP, see OAuth / OIDC Single Sign-On. The role for each SSO user is determined in this order:
- Explicit assignment. If an admin has assigned a role via the Users tab, it takes precedence and is not re-evaluated on future logins.
- Group mapping. If the user's IdP groups match a configured mapping (see below), the matching role is assigned.
- Default role. Falls back to the
RBAC_DEFAULT_ROLEenvironment variable (default:Analyst).
Configuring SSO Group Mappings
Group mappings automatically assign roles to SSO users based on their IdP group membership, eliminating the need to manually assign roles to each user.
To add a group mapping:
- Go to Settings → SSO Configuration.
- Click Add Group Mapping.
- Fill in:
- SSO Group Name. Must match exactly how the group appears in your IdP's token claim.
- Role. The PuppyGraph role to assign to members of this group.
- Priority. Lower number = higher precedence, used when a user belongs to multiple mapped groups.
- Click Add.
For example: if a user belongs to both data-engineering (mapped to GraphAdmin, priority 10) and all-employees (mapped to Viewer, priority 100), they get GraphAdmin because 10 < 100.
To edit a mapping, click the edit icon on any row. You can change the Role and Priority, but not the Group Name. To delete a mapping, click the delete icon on the row.
Tip
Set SSO_GROUPS_CLAIM to the name of the claim your IdP uses for group memberships (default: groups).
Service Accounts
Service accounts provide programmatic access for scripts, pipelines, and applications. They authenticate using a name and secret instead of a password.
Creating a Service Account
- Go to Settings → Service Accounts.
- Click Create Service Account.
- Fill in:
- Name. Alphanumeric, hyphens, and underscores only; no colons.
- Role. The role this service account will have.
- Description. Optional, for identification.
- Allow user impersonation. Enables acting as a specific user (see Impersonation).
- Click Create. A secret is shown; copy it now, because it is shown only once.
Using a service account:
# REST API
curl -u 'etl-pipeline:<secret>' http://localhost:8081/schemajson
# Gremlin (WebSocket): use full sa: prefix
username: sa:etl-pipeline
password: <secret>
# Bolt (Neo4j driver): use full sa: prefix
auth=('sa:etl-pipeline', '<secret>')
Managing Service Accounts
From Settings → Service Accounts:
- Change role: use the Role dropdown in the service account's row.
- Toggle impersonation: use the switch in the Impersonation column.
- Rotate secret: click the refresh icon, then confirm to generate a new secret (shown once; old secret is immediately invalidated).
- Delete: click the delete icon.
The Last Used column shows when the service account last authenticated.
Impersonation
A service account with impersonation enabled can act as a specific user, inheriting that user's role and permissions. This is useful for multi-tenant applications where a single service account serves many users.
Constraints:
- The service account must have
Allow user impersonationenabled. - The target user's role must be equal to or lower than the service account's role (prevents privilege escalation).
- Impersonation is recorded in the audit log with both identities.
Using impersonation:
# Bolt (Neo4j Python driver)
with driver.session(impersonated_user='sso:alice@example.com') as session:
result = session.run('MATCH (n) RETURN n LIMIT 10')
# Gremlin (WebSocket): fixed per connection
c = client.Client(
'ws://puppygraph-host:8182/gremlin', 'g',
username='sa:dashboard-app', password='<secret>',
headers={'X-PuppyGraph-Assume-User': 'sso:alice@example.com'}
)
# REST API
curl -u 'dashboard-app:<secret>' \
-H 'X-PuppyGraph-Assume-User: sso:alice@example.com' \
http://localhost:8081/submitCypher -d '{"query": "MATCH (n) RETURN n"}'
Audit Log
The audit log records all RBAC-related actions.
- Go to Settings → Audit Log
- The table shows Timestamp, Actor (who performed the action), Action, and Target user
- Click the expand icon on any row to see the full detail (e.g., role before and after a change)
- Click Load More to fetch older entries
Recorded actions include: user creation, role changes, password resets, service account operations, group mapping changes, and access denials.
Configuration
| Environment Variable | Default | Description |
|---|---|---|
RBAC_ENABLED |
true |
Set to false to disable RBAC (all authenticated users treated as Admin) |
RBAC_DEFAULT_ROLE |
Analyst |
Default role for new SSO users who don't match any group mapping |
PUPPYGRAPH_USERNAME |
puppygraph |
Bootstrap admin username. Always Admin; cannot be changed via API |
PUPPYGRAPH_PASSWORD |
puppygraph123 |
Bootstrap admin password. For production deployments, set this to a strong secret and rotate it periodically; do not rely on the default value. |
SSO_GROUPS_CLAIM |
groups |
Name of the IdP token claim that contains the user's group memberships |