Security Best Practices



How can I secure login access to TigerGraph?

Answer Overview:

User Access Management

Enabling User Authentication

When the TigerGraph platform is first installed, user authentication is disabled. There are three ways to access the TigerGraph system, either through the GSQL shell, GraphStudio GUI or through REST++ requests. Because GraphStudio uses the same authentication as GSQL, there are two steps needed to set up a secure system with user authentication for the other two points of entry:

1.Change the default password of the tigergraph GSQL user to something other than tigergraph

2.To enable OAuth 2 authentication for RESTPP, use the gadmin program to configure the RESTPP.Authentication parameter. See details below.

For changing the TigerGraph password, see: Enabling and Using User Authentication

For enabling RESTPP authentication, see: Enabling REST++ Authentication



The TigerGraph system supports LDAP authentication by allowing a TigerGraph user to log in using an LDAP username and credentials. During the authentication process, the GSQL server connects to the LDAP server and requests the LDAP server to authenticate the user.


Single Sign-On

TigerGraph enables you to use your organization’s identity provider (IDP) to authenticate users to access TigerGraph GraphStudio and Admin Portal UI.

Currently, we have verified following the identity providers which support SAML 2.0 protocol:

For supporting additional IDPs, please inquire and submit a feature request.

Role-based access control

TigerGraph supports multiple users with role-based access control. This allows to fine-tune access to privileged information.

In version 3.2+, TigerGraph now offers the ability to create custom roles as well as utilize the built-in roles.

For more information on how to manage users and roles in Admin Portal, see:

Pre v3.2 Built-In-Roles

Vertex-Level Access Control

VLAC takes data access control to the next level by presenting updatable views of base graphs using vertex tags, where tags are properties attached to individual vertices without any vertex type boundary. Admin users can declare tags, and use tags to define tag-based graphs, grant privileges to other users on these tag-based graphs, and explicitly set and clear tags on data.

Note: currently in beta.


Whitelist IP’s

TigerGraph supports an allowed CIDR list (allowlist) to prevent unauthorized access to TigerGraph. We recommend enabling this as a hardening step.

see Nginx



How is the data secured?

Answer Overview:

Data Security



The TigerGraph graph data store uses a proprietary encoding scheme that both compresses the data and obscures the data unless the user knows the encoding/decoding scheme.

The TigerGraph system supports integration with industry-standard methods for encrypting data when stored in disk ("data at rest").

For more information on the file system, see Encrypting Data At Rest

Transport Layer Security (TLS)

TigerGraph supports secure data-in-flight communication, using SSL/TLS encryption protocol. This applies to any outward-facing channel, including GSQL clients, RESTPP endpoints, and the GraphStudio web interface. When SSL/TLS is enabled, HTTPS takes the place of HTTP for RESTPP and GraphStudio connections.

To enable SSL, see Encrypting Connections

Related Articles: User access management - User Access Management - TigerGraph Server

TG Cloud Security

Security and user management -