
Can I allow or deny access only to some nodes in Memgraph?


I've created a new user for my coworker using CREATE USER mjhelix IDENTIFIED BY 'UTJkBgJFJUse';.

She can now access the Memgraph database using her credentials. I'd like to limit her access to certain parts of the database, i.e. I don't want her to be able to make changes to certain nodes. How can I achieve this?


Solution

  • There is a thing called label-based authorization. You can use it to apply rules to a role in Memgraph. The GRANT command is used for that. There are several permission levels that you can grant. The permission levels are NOTHING, READ, UPDATE, or CREATE_DELETE.

    You can specify a set of node labels, separated with a comma and with a colon in front of each label (e.g. :L1), or * for specifying all labels in the graph. Identify the role you want to assign the rule to. This should be a role that has already been created in Memgraph. Let's say that mjhelix is working as an analyst; you need to assign the role first:

    SET ROLE FOR mjhelix TO analyst;
    

    In that case you can use the following command to assign the rule:

    GRANT permission_level ON LABELS label_list TO role;
    

    Let's say that you want to grant READ permission on labels L1 and L2 to a role named analyst; you would write:

    GRANT READ ON LABELS :L1, :L2 TO analyst;
    

    And if you want to grant both READ and EDIT permissions for all labels in the graph to the same role, you would write:

    GRANT UPDATE ON LABELS * TO analyst;
    

    You can find more details in the Memgraph documentation.

    Disclaimer: I work at Memgraph.
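
The statements from the answer, put together for the scenario in the question, as an added example that is not part of the original answer. The labels :Customer, :Invoice, :Report and :Secret are hypothetical; the user, role and permission levels are the ones named above.

```cypher
// Added example; the labels below are placeholders for your own schema.
// The role has to exist before it can be assigned or granted anything.
CREATE ROLE analyst;
SET ROLE FOR mjhelix TO analyst;

// Nodes she may look at but not change.
GRANT READ ON LABELS :Customer, :Invoice TO analyst;

// Nodes she may read and also edit.
GRANT UPDATE ON LABELS :Report TO analyst;

// Nodes she gets no access to.
GRANT NOTHING ON LABELS :Secret TO analyst;

// Review what the role ended up with before handing over the account.
SHOW PRIVILEGES FOR analyst;
```

Granting each label explicitly, rather than starting from `*`, keeps any label you add to the graph later out of the role until you decide what level it should get.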