Security Best Practices
FAQ 1
Answer Overview:
User Access Management
Enabling User Authentication
When the TigerGraph platform is first installed, user authentication is disabled. There are three ways to access the TigerGraph system: the GSQL shell, the GraphStudio GUI, and REST++ requests. Because GraphStudio uses the same authentication as GSQL, two steps are needed to set up a secure system with user authentication for the other two points of entry:
1. Change the default password of the tigergraph GSQL user to something other than tigergraph.
2. To enable OAuth 2 authentication for RESTPP, use the gadmin program to configure the RESTPP.Authentication parameter. See details below.
For changing the TigerGraph password, see: Enabling and Using User Authentication
For enabling RESTPP authentication, see: Enabling REST++ Authentication
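One way to confirm that step 2 actually took effect, as an added example that is not TigerGraph's own code: send an unauthenticated request to the built-in /echo endpoint on the REST++ port (assumed here to be the default 9000) and check that it is rejected, then repeat with a bearer token. The exact error message REST++ returns for a missing token is an assumption, so the check keys on the HTTP status and the JSON "error" flag rather than on message text.

```python
"""Audit whether a TigerGraph REST++ endpoint enforces token authentication.

Added example, not TigerGraph's own code. Assumes the default REST++ port
9000 and the built-in /echo endpoint; the error message text for a missing
token is an assumption and is deliberately not relied on.
"""
import json
import urllib.error
import urllib.request

ECHO_PATH = "/echo"


def classify(status: int, body: str) -> str:
    """Interpret a REST++ response to an unauthenticated request.

    Returns "enforced" if the call was rejected (HTTP 401/403 or a JSON body
    with error:true), "open" if /echo answered normally (anyone who can reach
    the port can call REST++), or "unknown" if the body is not REST++ JSON.
    """
    if status in (401, 403):
        return "enforced"
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(payload, dict) or "error" not in payload:
        return "unknown"
    return "enforced" if payload["error"] else "open"


def fetch(url: str, token: str = "", timeout: float = 5.0) -> tuple:
    """GET url, optionally with an OAuth 2 bearer token; return (status, body)."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:  # 4xx/5xx responses still carry a body
        return exc.code, exc.read().decode()


def audit(base_url: str = "http://localhost:9000", token: str = "") -> str:
    """Classify an (optionally tokened) call to /echo on the given server."""
    status, body = fetch(base_url + ECHO_PATH, token)
    return classify(status, body)


if __name__ == "__main__":
    # Expected after hardening: "enforced" without a token, "open" with a valid one.
    print("unauthenticated:", audit())
```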
Definitions:
LDAP
The TigerGraph system supports LDAP authentication by allowing a TigerGraph user to log in using an LDAP username and credentials. During the authentication process, the GSQL server connects to the LDAP server and requests the LDAP server to authenticate the user.
See LDAP
Single Sign-On
TigerGraph enables you to use your organization’s identity provider (IDP) to authenticate users to access TigerGraph GraphStudio and Admin Portal UI.
Currently, we have verified the following identity providers, which support the SAML 2.0 protocol:
To request support for additional IDPs, please contact sales@tigergraph.com and submit a feature request.
See Single Sign-On
Role-based access control
TigerGraph supports multiple users with role-based access control. This allows access to privileged information to be fine-tuned.
In version 3.2 and later, TigerGraph offers the ability to create custom roles in addition to using the built-in roles.
For more information on how to manage users and roles in Admin Portal, see:
v3.2+ User Management
Pre-v3.2 Built-In Roles
Vertex-Level Access Control
VLAC takes data access control to the next level by presenting updatable views of base graphs using vertex tags, where tags are properties attached to individual vertices without any vertex type boundary. Admin users can declare tags, and use tags to define tag-based graphs, grant privileges to other users on these tag-based graphs, and explicitly set and clear tags on data.
Note: currently in beta.
See VLAC
Whitelist IPs
TigerGraph supports an allowed CIDR list (allowlist) to prevent unauthorized access to TigerGraph. We recommend enabling this as a hardening step.
See Nginx
FAQ 2
Definitions:
Encryption-at-rest
The TigerGraph graph data store uses a proprietary encoding scheme that both compresses the data and obscures the data unless the user knows the encoding/decoding scheme.
The TigerGraph system supports integration with industry-standard methods for encrypting data when stored on disk ("data at rest").
For more information on the file system, see Encrypting Data At Rest
Transport Layer Security (TLS)
TigerGraph supports secure data-in-flight communication using the SSL/TLS encryption protocol. This applies to any outward-facing channel, including GSQL clients, RESTPP endpoints, and the GraphStudio web interface. When SSL/TLS is enabled, HTTPS takes the place of HTTP for RESTPP and GraphStudio connections.
To enable SSL, see Encrypting Connections
Related Articles:
User access management - User Access Management - TigerGraph Server
Data encryption - https://docs.tigergraph.com/admin/admin-guide/data-encryption
TG Cloud Security
Security and user management - https://docs.tigergraph.com/cloud/security
FAQs - TigerGraph Cloud