Security Best Practices

FAQ 1

Question:

How can I secure login access to TigerGraph?

Answer Overview:

User Access Management

Enabling User Authentication

When the TigerGraph platform is first installed, user authentication is disabled. There are three points of entry to the TigerGraph system: the GSQL shell, the GraphStudio GUI, and REST++ requests. Because GraphStudio uses the same authentication as GSQL, two steps are needed to set up a secure system with user authentication on all three:

1. Change the default password of the tigergraph GSQL user to something other than tigergraph.

2. Enable OAuth 2 authentication for REST++ (RESTPP) by using the gadmin program to configure the RESTPP.Authentication parameter. See details below.

For changing the TigerGraph password, see: Enabling and Using User Authentication

For enabling RESTPP authentication, see: Enabling REST++ Authentication
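The following Python client is an added example, not TigerGraph's own code, covering both steps above from the client's side: it exchanges a GSQL secret for a REST++ bearer token, sends the token on later calls, and includes a check that an unauthenticated request is actually refused once step 2 is done. The port 9000, the /requesttoken and /echo endpoints, the JSON reply shape and the "Authorization: Bearer" header are assumptions drawn from the TigerGraph 3.x REST++ documentation and should be verified against your version; the hostname and secret are made up, and the fake server is constructed so the example runs offline.

```python
"""Client-side check of REST++ authentication (added example, not TigerGraph's
own code). Assumed, not stated on this page: REST++ on port 9000, /requesttoken
exchanging a GSQL secret for a token, GET /echo as a harmless endpoint, and the
token carried as "Authorization: Bearer <token>"; verify against your version."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# (method, url, headers, body) -> (status, response_text)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def make_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client TLS settings: verify the server certificate (optionally against a
    private CA bundle) and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def urllib_transport(ctx: ssl.SSLContext) -> Transport:
    """Real transport for use against a live server (HTTPS with verification)."""
    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return send


class RestppClient:
    def __init__(self, base_url: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token: Optional[str] = None

    def request_token(self, secret: str, lifetime_seconds: int = 3600) -> str:
        """Exchange a GSQL secret for a short-lived token; only the token travels
        on later calls, so the secret stays out of query strings and logs."""
        body = json.dumps({"secret": secret, "lifetime": lifetime_seconds}).encode()
        status, text = self.transport("POST", self.base_url + "/requesttoken",
                                      {"Content-Type": "application/json"}, body)
        reply = json.loads(text)
        if status != 200 or reply.get("error"):
            raise PermissionError("token request rejected: " + str(reply.get("message", text)))
        self.token = reply["token"]
        return self.token

    def get(self, path: str) -> Tuple[int, dict]:
        headers: Dict[str, str] = {}
        if self.token:
            headers["Authorization"] = "Bearer " + self.token
        status, text = self.transport("GET", self.base_url + path, headers, None)
        return status, json.loads(text)


def auth_is_enforced(client: RestppClient) -> bool:
    """Hardening check for step 2: an unauthenticated GET /echo must be refused.
    If it succeeds, REST++ authentication is still disabled."""
    saved, client.token = client.token, None
    try:
        status, reply = client.get("/echo")
    finally:
        client.token = saved
    return status == 401 or bool(reply.get("error"))


def fake_restpp(valid_secret: str = "s3cret", auth_enabled: bool = True) -> Transport:
    """Constructed stand-in for REST++ so the example runs offline; it models only
    token issuance and the bearer check, with a made-up token format."""
    issued = set()

    def send(method, url, headers, body):
        path = urllib.parse.urlsplit(url).path
        if method == "POST" and path == "/requesttoken":
            if json.loads(body).get("secret") != valid_secret:
                return 401, json.dumps({"error": True, "message": "invalid secret"})
            token = "tok-%d" % (len(issued) + 1)
            issued.add(token)
            return 200, json.dumps({"error": False, "token": token})
        bearer = headers.get("Authorization", "")
        if auth_enabled and not (bearer.startswith("Bearer ") and bearer[7:] in issued):
            return 401, json.dumps({"error": True, "message": "Authentication required"})
        return 200, json.dumps({"error": False, "message": "Hello GSQL"})
    return send
```

To run it against a real cluster, build the client with `urllib_transport(make_tls_context("/path/to/ca.pem"))` instead of `fake_restpp()` and an `https://` base URL; `auth_is_enforced` returning False means step 2 has not taken effect yet.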

Definitions:

LDAP

The TigerGraph system supports LDAP authentication by allowing a TigerGraph user to log in with an LDAP username and password. During authentication, the GSQL server connects to the LDAP server and asks it to authenticate the user.

See LDAP

Single Sign-On

TigerGraph enables you to use your organization's identity provider (IdP) to authenticate users accessing TigerGraph GraphStudio and the Admin Portal UI.

Currently, we have verified the following identity providers, which support the SAML 2.0 protocol:

To request support for additional IdPs, contact sales@tigergraph.com and submit a feature request.

Role-based access control

TigerGraph supports multiple users with role-based access control (RBAC), which allows access to privileged information to be fine-tuned per role.

In version 3.2 and later, TigerGraph offers the ability to create custom roles in addition to the built-in roles.

For more information on how to manage users and roles in Admin Portal, see:

Pre v3.2 Built-In-Roles

Vertex-Level Access Control

VLAC takes data access control to the next level by presenting updatable views of base graphs using vertex tags, where tags are properties attached to individual vertices without any vertex type boundary. Admin users can declare tags, use tags to define tag-based graphs, grant privileges to other users on these tag-based graphs, and explicitly set and clear tags on data.

Note: currently in beta.

See VLAC

Whitelist IPs

TigerGraph supports an allowed CIDR list (allowlist) that restricts which source addresses may connect, to prevent unauthorized access to TigerGraph. We recommend enabling this as a hardening step. An allowlist complements user authentication; it does not replace it.

See Nginx
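The Python below is an added example of how an allowlist like this is evaluated, not TigerGraph's or Nginx's implementation. It shows the three things a CIDR allowlist in front of GSQL, REST++ or GraphStudio has to get right: the decision is made on the TCP peer address, an X-Forwarded-For header is believed only when the peer is a proxy you control, and IPv4-mapped IPv6 addresses are folded back to the IPv4 host so address notation cannot bypass the list. The ranges, proxy address and request samples are constructed.

```python
"""CIDR allowlist evaluation (added example, not TigerGraph's own code)."""
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_allowlist(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings; strict=False tolerates host bits (10.1.2.3/8 -> 10.0.0.0/8)."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]


def normalise(addr: str) -> Address:
    """Canonical form of a peer address: ::ffff:10.0.0.5 is IPv4 10.0.0.5 seen
    through an IPv6 socket and must be matched against the IPv4 entries."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed(addr: str, allowlist: List[Network]) -> bool:
    ip = normalise(addr)
    return any(ip in net for net in allowlist if net.version == ip.version)


def allowlist_is_effective(allowlist: List[Network]) -> bool:
    """An empty list or a 0.0.0.0/0 or ::/0 entry silently means 'allow everyone'."""
    return bool(allowlist) and all(net.prefixlen > 0 for net in allowlist)


def effective_client_ip(peer_addr: str, x_forwarded_for: Optional[str],
                        trusted_proxies: List[Network]) -> str:
    """Believe X-Forwarded-For only from a trusted proxy, and only its last hop:
    that is the address the proxy itself saw connect; anything further left was
    supplied by the client and can be forged."""
    if x_forwarded_for and is_allowed(peer_addr, trusted_proxies):
        return x_forwarded_for.split(",")[-1].strip()
    return peer_addr


def admit(peer_addr: str, x_forwarded_for: Optional[str],
          allowlist: List[Network], trusted_proxies: List[Network]) -> bool:
    """Full admission decision for one incoming connection."""
    client_ip = effective_client_ip(peer_addr, x_forwarded_for, trusted_proxies)
    return is_allowed(client_ip, allowlist)


# Constructed sample policy: two internal ranges, one documentation IPv6 prefix,
# and a single reverse proxy whose forwarding header is trusted.
ALLOWLIST = parse_allowlist(["10.0.0.0/8", "192.168.1.0/24", "2001:db8::/32"])
TRUSTED_PROXIES = parse_allowlist(["10.0.0.254/32"])
```

When the allowlist is enforced by a reverse proxy such as Nginx, the same rules apply there: match on the real peer address, and only derive the client address from a forwarding header if the hop that set it is under your control.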

FAQ 2

Question:

How is the data secured?

Answer Overview:

Data Security

Definitions:

Encryption-at-rest

The TigerGraph graph data store uses a proprietary encoding scheme that both compresses the data and obscures it from anyone who does not know the encoding/decoding scheme. This encoding is not cryptographic protection and should not be relied on in place of encryption.

The TigerGraph system supports integration with industry-standard methods for encrypting data stored on disk ("data at rest").

For more information on the file system, see Encrypting Data At Rest

Transport Layer Security (TLS)

TigerGraph supports secure data-in-flight communication using the SSL/TLS protocol. This applies to every outward-facing channel, including GSQL clients, REST++ endpoints, and the GraphStudio web interface. When SSL/TLS is enabled, HTTPS replaces HTTP for REST++ and GraphStudio connections. Clients should verify the server certificate; enabling TLS on the server does not protect a client that skips verification.

To enable SSL/TLS, see Encrypting Connections

Related Articles: User Access Management - TigerGraph Server

TG Cloud Security

Security and user management - https://docs.tigergraph.com/cloud/security