SHOW ROLES/PRIVILEGES ON

Author: andrejtonev

pages/database-management/authentication-and-authorization.mdx

@@ -25,6 +25,54 @@ In addition to the `AUTH` privilege, users must also have access to the default
 
 Replication queries (such as `REGISTER REPLICA`, `SHOW REPLICAS`, `DROP REPLICA`, etc.) and multi-database queries (such as `SHOW DATABASES`, `CREATE DATABASE`, `DROP DATABASE`, etc.) also now target the "memgraph" database and require access to it.
 
+To execute these queries, users must have:
+- The appropriate privileges (`REPLICATION`, `MULTI_DATABASE_EDIT`)
+- Access to the default "memgraph" database
+
+## Multi-tenant query syntax changes
+
+Recent changes to Memgraph have also modified the syntax for certain queries in multi-tenant environments. The `SHOW ROLE` and `SHOW PRIVILEGES` commands now require specifying the database context.
+
+### SHOW ROLE syntax in multi-tenant environments
+
+In multi-tenant environments, you must specify which database context to use when showing roles:
+
+1. **Show roles for the user's main database:**
+```cypher
+SHOW ROLE FOR user_name ON MAIN;
+```
+
+2. **Show roles for the current database:**
+```cypher
+SHOW ROLE FOR user_name ON CURRENT;
+```
+
+3. **Show roles for a specific database:**
+```cypher
+SHOW ROLE FOR user_name ON DATABASE database_name;
+```
+
+### SHOW PRIVILEGES syntax in multi-tenant environments
+
+Similarly, the `SHOW PRIVILEGES` command requires database context specification:
+
+1. **Show privileges for the user's main database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON MAIN;
+```
+
+2. **Show privileges for the current database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON CURRENT;
+```
+
+3. **Show privileges for a specific database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON DATABASE database_name;
+```
+
+These commands return the aggregated roles and privileges for the user in the specified database context. The `ON MAIN` option shows information for the user's main database, `ON CURRENT` shows information for whatever database is currently active, and `ON DATABASE` shows information for the explicitly specified database.
+
 ### Multi-tenant recommendations
 
 For multi-tenant environments, we recommend:

pages/database-management/authentication-and-authorization/multiple-roles.mdx

@@ -262,6 +262,25 @@ To see which roles a user has for a specific database:
 SHOW ROLES FOR user_name ON database_name;
 ```
 
+In multi-tenant environments, you can also use these additional options:
+
+1. **Show roles for the user's main database:**
+```cypher
+SHOW ROLES FOR user_name ON MAIN;
+```
+
+2. **Show roles for the current database:**
+```cypher
+SHOW ROLES FOR user_name ON CURRENT;
+```
+
+3. **Show roles for a specific database:**
+```cypher
+SHOW ROLES FOR user_name ON DATABASE database_name;
+```
+
+These commands return the aggregated roles for the user in the specified database context.
+
 ### Viewing permissions for a specific database
 
 To see what permissions a user has in a specific database:
@@ -270,6 +289,24 @@ To see what permissions a user has in a specific database:
 SHOW PRIVILEGES FOR user_name ON database_name;
 ```
 
+In multi-tenant environments, you can also use these additional options:
+
+1. **Show privileges for the user's main database:**
+```cypher
+SHOW PRIVILEGES FOR user_name ON MAIN;
+```
+
+2. **Show privileges for the current database:**
+```cypher
+SHOW PRIVILEGES FOR user_name ON CURRENT;
+```
+
+3. **Show privileges for a specific database:**
+```cypher
+SHOW PRIVILEGES FOR user_name ON DATABASE database_name;
+```
+
+These commands return the aggregated privileges for the user in the specified database context.
 
 ### SSO integration with multi-tenant roles
 
@@ -351,3 +388,6 @@ SET ROLE multi_db_role FOR user1 ON db2;
 10. **Ensure multi-database privilege access**: Users who need to perform multi-database operations must have the appropriate privileges (`MULTI_DATABASE_USE`, `MULTI_DATABASE_EDIT`) and access to the "memgraph" database
 11. **Separate application data**: Store all application data in tenant-specific databases, not in the default "memgraph" database
 12. **Plan for administrative operations**: Design your role structure to ensure that users who need to manage users, roles, replication, or multi-database operations have appropriate access to the "memgraph" database
+13. **Use explicit database context**: Always specify the database context when using `SHOW ROLE` and `SHOW PRIVILEGES` commands in multi-tenant environments
+14. **Choose appropriate context**: Use `ON MAIN` for the user's main database, `ON CURRENT` for the currently active database, or `ON DATABASE` for a specific database
+15. **Verify permissions in context**: Always check roles and privileges in the specific database context where they will be used

pages/database-management/authentication-and-authorization/role-based-access-control.mdx

@@ -79,6 +79,25 @@ To show what roles a user has, run the following query:
 SHOW ROLE FOR user_name;
 ```
 
+In multi-tenant environments, you must specify which database context to use when showing roles. There are three options:
+
+1. **Show roles for the user's main database:**
+```cypher
+SHOW ROLE FOR user_name ON MAIN;
+```
+
+2. **Show roles for the current database:**
+```cypher
+SHOW ROLE FOR user_name ON CURRENT;
+```
+
+3. **Show roles for a specific database:**
+```cypher
+SHOW ROLE FOR user_name ON DATABASE database_name;
+```
+
+These commands return the aggregated roles for the user in the specified database context. The `ON MAIN` option shows roles for the user's main database, `ON CURRENT` shows roles for whatever database is currently active, and `ON DATABASE` shows roles for the explicitly specified database.
+
 TODO: multi-tenant environment show role for user_name 
 
 To list all defined user roles run:
@@ -295,6 +314,25 @@ To check privilege for a certain user or role, run the following query:
 SHOW PRIVILEGES FOR user_or_role;
 ```
 
+In multi-tenant environments, you must specify which database context to use when showing privileges. There are three options:
+
+1. **Show privileges for the user's main database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON MAIN;
+```
+
+2. **Show privileges for the current database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON CURRENT;
+```
+
+3. **Show privileges for a specific database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON DATABASE database_name;
+```
+
+These commands return the aggregated privileges (including label-based permissions) for the user or role in the specified database context.
+
 ## Fine-grained access control
 
 Sometimes, authorizing the database by granting and denying clause privileges is
@@ -398,6 +436,25 @@ SHOW PRIVILEGES FOR user_or_role;
 
 and all the values of clause privileges, as well as label-based permissions will be displayed.
 
+In multi-tenant environments, you must specify which database context to use when showing privileges. There are three options:
+
+1. **Show privileges for the user's main database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON MAIN;
+```
+
+2. **Show privileges for the current database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON CURRENT;
+```
+
+3. **Show privileges for a specific database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON DATABASE database_name;
+```
+
+These commands return the aggregated privileges (including label-based permissions) for the user or role in the specified database context.
+
 ### Templates for granting privileges
 
 To grant all privileges to a superuser (admin):

pages/database-management/multi-tenancy.md

@@ -142,13 +142,55 @@ Access to all databases can be granted or revoked using wildcards:
 
 ### Multi-database queries and the memgraph database
 
-Recent changes to Memgraph have modified how multi-database queries are executed. Multi-database queries (such as `SHOW DATABASES`, `CREATE DATABASE`, `DROP DATABASE`, etc.) now target the default "memgraph" database and require access to it.
+Recent changes to Memgraph have modified how multi-database queries are executed. Multi-database queries (such as `SHOW DATABASES`, `CREATE DATABASE`, `DROP DATABASE`, etc.) now target the "memgraph" database and require access to it.
 
-#### Requirements for multi-database queries
+To execute these queries, users must have:
+- The appropriate privileges (`MULTI_DATABASE_USE`, `MULTI_DATABASE_EDIT`)
+- Access to the default "memgraph" database
 
-To execute multi-database queries, users must have:
-1. The appropriate multi-database privileges (`MULTI_DATABASE_USE`, `MULTI_DATABASE_EDIT`)
-2. Access to the default "memgraph" database
+### Multi-tenant query syntax changes
+
+Recent changes to Memgraph have also modified the syntax for certain queries in multi-tenant environments. The `SHOW ROLE` and `SHOW PRIVILEGES` commands now require specifying the database context.
+
+#### SHOW ROLE syntax in multi-tenant environments
+
+In multi-tenant environments, you must specify which database context to use when showing roles:
+
+1. **Show roles for the user's main database:**
+```cypher
+SHOW ROLE FOR user_name ON MAIN;
+```
+
+2. **Show roles for the current database:**
+```cypher
+SHOW ROLE FOR user_name ON CURRENT;
+```
+
+3. **Show roles for a specific database:**
+```cypher
+SHOW ROLE FOR user_name ON DATABASE database_name;
+```
+
+#### SHOW PRIVILEGES syntax in multi-tenant environments
+
+Similarly, the `SHOW PRIVILEGES` command requires database context specification:
+
+1. **Show privileges for the user's main database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON MAIN;
+```
+
+2. **Show privileges for the current database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON CURRENT;
+```
+
+3. **Show privileges for a specific database:**
+```cypher
+SHOW PRIVILEGES FOR user_or_role ON DATABASE database_name;
+```
+
+These commands return the aggregated roles and privileges for the user in the specified database context. The `ON MAIN` option shows information for the user's main database, `ON CURRENT` shows information for whatever database is currently active, and `ON DATABASE` shows information for the explicitly specified database.
 
 #### Impact on multi-tenant environments
 

pages/help-center/errors/auth.mdx

@@ -73,6 +73,62 @@ GRANT DATABASE memgraph TO role_name;
 
 In multi-tenant environments, we recommend treating the "memgraph" database as an administrative/system database and restricting access to privileged users only. See the [multi-tenancy documentation](/database-management/multi-tenancy#default-database-best-practices) for recommended setup patterns.
 
+## Database context must be specified for SHOW ROLE in multi-tenant environment
+
+This error occurs when attempting to use `SHOW ROLE` or `SHOW ROLES` in a multi-tenant environment without specifying the database context.
+
+### Solution
+
+In multi-tenant environments, you must specify which database context to use:
+
+```cypher
+-- Show roles for the user's main database
+SHOW ROLE FOR user_name ON MAIN;
+
+-- Show roles for the current database
+SHOW ROLE FOR user_name ON CURRENT;
+
+-- Show roles for a specific database
+SHOW ROLE FOR user_name ON DATABASE database_name;
+```
+
+### When this occurs
+
+This error typically occurs when:
+- Running `SHOW ROLE` or `SHOW ROLES` in a multi-tenant environment
+- The system detects multiple databases and requires explicit context specification
+- The user is connected to a multi-tenant Memgraph instance
+
+## Database context must be specified for SHOW PRIVILEGES in multi-tenant environment [#error-9]
+
+This error occurs when attempting to use `SHOW PRIVILEGES` in a multi-tenant environment without specifying the database context.
+
+### Solution
+
+In multi-tenant environments, you must specify which database context to use:
+
+```cypher
+-- Show privileges for the user's main database
+SHOW PRIVILEGES FOR user_or_role ON MAIN;
+
+-- Show privileges for the current database
+SHOW PRIVILEGES FOR user_or_role ON CURRENT;
+
+-- Show privileges for a specific database
+SHOW PRIVILEGES FOR user_or_role ON DATABASE database_name;
+```
+
+### When this occurs
+
+This error typically occurs when:
+- Running `SHOW PRIVILEGES` in a multi-tenant environment
+- The system detects multiple databases and requires explicit context specification
+- The user is connected to a multi-tenant Memgraph instance
+
+### Best practice
+
+Always specify the database context when working in multi-tenant environments to ensure you're viewing the correct roles and privileges for the intended database.
+
 ## User doesn't have REPLICATION privilege
 
 This error occurs when a user attempts to execute replication queries (such as `REGISTER REPLICA`, `SHOW REPLICAS`, `DROP REPLICA`, etc.) without the required `REPLICATION` privilege.