4.2 User Authentication and Authorization

The Oracle Graph server (PGX) uses an Oracle Database as identity manager. Both username and password based as well as Kerberos based authentication is supported.

The actions that you are allowed to do on the graph server are determined by the privileges enabled by roles that have been granted to you in the Oracle Database.

• Privileges and Roles in Oracle Database
  All database users that work with graphs require the CREATE SESSION privilege in the database.
• Basic Steps for Using an Oracle Database for Authentication
  You can follow the steps explained in this section to authenticate users to the graph server (PGX).
• Prepare the Graph Server for Database Authentication
  Locate the pgx.conf file of your installation.
• Store the Database Password in a Keystore
  
• Token Expiration
  By default, tokens are valid for 1 hour.
• Advanced Access Configuration
  You can customize the following fields inside the pgx_realm block in the pgx.conf file to customize login behavior.
• Customizing Roles and Permissions
  You can fully customize the permissions to roles mapping by adding and removing roles and specifying permissions for a role. You can also authorize individual users instead of roles.
• Revoking Access to the Graph Server
  To revoke a user's ability to access the graph server, either drop the user from the database or revoke the corresponding roles from the user, depending on how you defined the access rules in your pgx.conf file.
• Examples of Custom Authorization Rules
  You can define custom authorization rules for developers.
• Kerberos Enabled Authentication for the Graph Server (PGX)
  The graph server (PGX) can authenticate users using an Oracle Database with Kerberos enabled as identity provider.