memgraph · matea16 · Aug 28, 2025 · Sep 23, 2025 · Sep 24, 2025 · Sep 24, 2025
@@ -1,5 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
+/// <reference path="./.next/types/routes.d.ts" />
 
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/pages/api-reference/config/typescript for more information.
@@ -13,6 +13,12 @@ users to have different roles assigned to them for specific databases. This
 feature enables proper tenant isolation and fine-grained access control in
 multi-tenant environments.
 
+<Callout type="warning">
+
+User-role mappings are simple maps located in the user. Deleting or renaming the database will not update this information. The admin needs to make sure the correct access is maintained at all times.
+
+</Callout>
+
 ## Privileges with multiple roles
 
 When a user has multiple roles, their privileges are combined according to the
@@ -215,7 +221,7 @@ specification, even in multi-tenant environments. It will show all roles
 assigned to the user across all databases.
 
 ```cypher
--- Show all roles for a user (works in all environments)
+-- Show all roles for a user (works in all environments)  
 SHOW ROLE FOR user_name;
 SHOW ROLES FOR user_name;
 ```

@@ -114,6 +114,12 @@ SHOW ROLE FOR user_name ON CURRENT;
 SHOW ROLE FOR user_name ON DATABASE database_name;
 ```
 
+<Callout type="warning">
+
+User-role mappings are simple maps located in the user. Deleting or renaming the database will not update this information. The admin needs to make sure the correct access is maintained at all times.
+
+</Callout>
+
 These commands return the aggregated roles for the user in the specified
 database context. The `ON MAIN` option shows roles for the user's main database,
 `ON CURRENT` shows roles for whatever database is currently active, and `ON

@@ -3,7 +3,9 @@ title: Multi-tenancy (Enterprise)
 description: Discover the benefits of multi-tenancy for scalability, resource utilization, and performance. Also learn how to manage few isolated databases within a single instance in our detailed documentation.
 ---
 
-# Multi-tenancy (Enterprise)
+import { Callout } from 'nextra/components'
+
+# Multi-tenancy <sup style={{ fontSize: '0.6em', color: '#888' }}>Enterprise</sup>
 
 Multi-tenant support in Memgraph enables users to manage multiple isolated
 databases within a single instance. The primary objective is to facilitate
@@ -22,17 +24,30 @@ database name cannot be altered.
 
 ### Default database best practices
 
-In multi-tenant environments, we recommend treating the default "memgraph" database as an administrative/system database rather than storing application data in it. This approach provides better security and isolation, especially given recent changes to authentication and authorization requirements.
+In multi-tenant environments, we recommend treating the default "memgraph"
+database as an administrative/system database rather than storing application
+data in it. This approach provides better security and isolation, especially
+given recent changes to authentication and authorization requirements.
 
 #### Why treat memgraph as an admin database?
 
-As of Memgraph v3.5, users have to have both the `AUTH` privilege and access to the default "memgraph" database to execute authentication and authorization queries. Additionally, replication queries (such as `REGISTER REPLICA`, `SHOW REPLICAS`, etc.) and multi-database queries (such as `SHOW DATABASES`, `CREATE DATABASE`, etc.) also now target the "memgraph" database and require access to it. This requirement affects multi-tenant environments where users might have access to other databases but not the default one.
+As of Memgraph v3.5, users have to have both the `AUTH` privilege and access to
+the default "memgraph" database to execute authentication and authorization
+queries. Additionally, replication queries (such as `REGISTER REPLICA`, `SHOW
+REPLICAS`, etc.) and multi-database queries (such as `SHOW DATABASES`, `CREATE
+DATABASE`, etc.) also now target the "memgraph" database and require access to
+it. This requirement affects multi-tenant environments where users might have
+access to other databases but not the default one.
 
 #### Recommended setup
 
-1. **Restrict memgraph database access**: Only grant access to the "memgraph" database to privileged users who need to perform system administration tasks
-2. **Use tenant-specific databases**: Store all application data in dedicated tenant databases
-3. **Separate concerns**: Keep user management, role management, system administration, replication management, and multi-database management separate from application data
+1. **Restrict memgraph database access**: Only grant access to the "memgraph"
+   database to privileged users who need to perform system administration tasks
+2. **Use tenant-specific databases**: Store all application data in dedicated
+   tenant databases
+3. **Separate concerns**: Keep user management, role management, system
+   administration, replication management, and multi-database management
+   separate from application data
 
 #### Example configuration
 
@@ -82,7 +97,8 @@ SET ROLE FOR tenant2_regular_user TO tenant2_user;
 ```
 
 In this configuration:
-- `system_admin_user` can perform all authentication/authorization, replication, and multi-database operations and has access to the "memgraph" database
+- `system_admin_user` can perform all authentication/authorization, replication,
+  and multi-database operations and has access to the "memgraph" database
 - Tenant users can only access their respective tenant databases
 - Application data is completely isolated in tenant-specific databases
 - The "memgraph" database serves purely as an administrative database
@@ -94,8 +110,8 @@ instances. Queries executed on a specific database should operate as if it were
 the sole database in the system, preventing cross-database contamination. Users
 interact with individual databases, and cross-database queries are prohibited.
 
-Every database has its own database UUID, which can be read by running the `SHOW STORAGE INFO`
-query on a particular database.
+Every database has its own database UUID, which can be read by running the `SHOW
+STORAGE INFO` query on a particular database.
 
 ## Database configuration and data directory
 
@@ -119,20 +135,103 @@ based on configuration.
 Users interact with multi-tenant features through specialized Cypher queries:
 
 1. `CREATE DATABASE name`: Creates a new database.
-2. `DROP DATABASE name`: Deletes a specified database.
-3. `SHOW DATABASE`: Shows the current used database. It will return `NULL` if
-   no database is currently in use. You can also use `SHOW CURRENT DATABASE` for the same functionality. This command does not require any special privileges.
-
-4. `SHOW DATABASES`: Shows only the existing set of multitenant databases.
-5. `USE DATABASE name`: Switches focus to a specific database (disabled during
+2. `DROP DATABASE name [FORCE]`: Deletes a specified database.
+3. `RENAME DATABASE old_name TO new_name`: Renames a database.
+4. `SHOW DATABASE`: Shows the current used database. It will return `NULL` if no
+   database is currently in use. You can also use `SHOW CURRENT DATABASE` for
+   the same functionality. This command does not require any special privileges.
+
+5. `SHOW DATABASES`: Shows only the existing set of multitenant databases.
+6. `USE DATABASE name`: Switches focus to a specific database (disabled during
    transactions).
-6. `GRANT DATABASE name TO user`: Grants a user access to a specified database.
-7. `DENY DATABASE name FROM user`: Denies a user's access to a specified
+7. `GRANT DATABASE name TO user`: Grants a user access to a specified database.
+8. `DENY DATABASE name FROM user`: Denies a user's access to a specified
    database.
-8. `REVOKE DATABASE name FROM user`: Removes database from user's authentication
+9. `REVOKE DATABASE name FROM user`: Removes database from user's authentication
    context.
-9. `SET MAIN DATABASE name FOR user`: Sets a user's default (landing) database.
-10. `SHOW DATABASE PRIVILEGES FOR user`: Lists a user's database access rights.
+10. `SET MAIN DATABASE name FOR user`: Sets a user's default (landing) database.
+11. `SHOW DATABASE PRIVILEGES FOR user`: Lists a user's database access rights.
+
+### DROP DATABASE with FORCE
+
+The `DROP DATABASE` command removes an existing database. You can optionally
+include the `FORCE` parameter to delete a database even when it has active
+connections or transactions.
+
+{<h4 className="custom-header"> Syntax </h4>} 
+
+```cypher
+DROP DATABASE database_name [FORCE];
+```
+
+{<h4 className="custom-header"> Behavior </h4>} 
+
+- **Without `FORCE`**: The command will fail if the database is currently in use
+  by any active connections or transactions.
+- **With `FORCE`**: The database will be immediately hidden from new connections,
+  but actual deletion is deferred until it's safe to proceed. All active
+  transactions using the database will be terminated.
+
+{<h4 className="custom-header"> Use cases for FORCE </h4>} 
+
+- **Emergency cleanup**: Remove a database stuck in an inconsistent or
+  long-running state.
+- **Administrative maintenance**: Perform system maintenance requiring immediate
+  database removal.
+- **Development environments**: Quickly reset test environments that might still
+  have active connections.
+
+{<h4 className="custom-header"> Privileges required </h4>} 
+
+Using the `FORCE` option requires:
+- `MULTI_DATABASE_EDIT` privilege
+- Access to the `memgraph` database
+- `TRANSACTION_MANAGEMENT` privilege (to terminate active transactions)
+
+{<h4 className="custom-header"> Important considerations </h4>} 
+
+- All active transactions on the target database will be forcibly terminated.
+- The database becomes immediately unavailable to new connections.
+- Actual deletion may be deferred until existing connections are properly closed.
+- **This operation cannot be undone.**
+
+### RENAME DATABASE
+
+The `RENAME DATABASE` command allows you to rename an existing database to a new
+name. This simplifies administrative workflows by eliminating the need to create
+a new database, recover from a snapshot, and drop the old database.
+
+{<h4 className="custom-header"> Syntax </h4>} 
+
+```cypher
+RENAME DATABASE old_name TO new_name;
+```
+
+{<h4 className="custom-header"> Behavior </h4>} 
+
+- The database is **renamed immediately** without requiring unique access.
+- If you are currently using the database being renamed, the current database
+  context is automatically updated to the new name.
+- All existing data, indexes, constraints, and other database objects are
+  preserved.
+
+<Callout type="info"> 
+Current implementation of `RENAME` does not update auth data. User/role database
+access and database-specific roles information is not updated. This can lead to
+unindented access to databases. 
+</Callout>
+
+
+{<h4 className="custom-header"> Important considerations </h4>} 
+
+- The `RENAME DATABASE` command requires the `MULTI_DATABASE_EDIT` privilege and
+  access to the `memgraph` database.
+- The new database name must not already exist.
+- The old database name must exist.
+- This operation cannot be undone once completed.
+- All active connections to the database will continue to work seamlessly with
+  the new name.
+
 
 ### User's main database
 
@@ -148,29 +247,43 @@ unified source of truth. A single user can access multiple databases with a
 global set of privileges, but currently, per-database privileges cannot be
 granted.
 
+<Callout type="warning">
+
+User-role mappings are simple maps located in the user. Deleting or renaming the database will not update this information. The admin needs to make sure the correct access is maintained at all times.
+
+</Callout>
+
 Access to all databases can be granted or revoked using wildcards:
 `GRANT DATABASE * TO user;`, `DENY DATABASE * TO user;` or 
 `REVOKE DATABASE * FROM user;`.
 
 ### Multi-database queries and the memgraph database
 
-As of Memgraph v3.5 multi-database queries (such as `SHOW DATABASES`, `CREATE DATABASE`, `DROP DATABASE`, etc.) target the "memgraph" database and require access to it.
+As of Memgraph v3.5 multi-database queries (such as `SHOW DATABASES`, `CREATE
+DATABASE`, `DROP DATABASE`, `RENAME DATABASE`, etc.) target the "memgraph"
+database and require access to it.
 
 To execute these queries, users must have:
 - The appropriate privileges (`MULTI_DATABASE_USE`, `MULTI_DATABASE_EDIT`)
 - **AND** access to the default "memgraph" database
 
 ### Multi-tenant query syntax changes
 
-As of Memgraph v3.5 the syntax for certain queries in multi-tenant environments have changed. The `SHOW ROLE` and `SHOW PRIVILEGES` commands now require specifying the database context in some cases.
+As of Memgraph v3.5 the syntax for certain queries in multi-tenant environments
+have changed. The `SHOW ROLE` and `SHOW PRIVILEGES` commands now require
+specifying the database context in some cases.
 
-**SHOW ROLE FOR USER**: This command does not require database specification and will show all roles assigned to the user across all databases.
+**SHOW ROLE FOR USER**: This command does not require database specification and
+will show all roles assigned to the user across all databases.
 
-**SHOW PRIVILEGES FOR USER**: This command requires database specification in multi-tenant environments.
+**SHOW PRIVILEGES FOR USER**: This command requires database specification in
+multi-tenant environments.
 
-**SHOW PRIVILEGES FOR ROLE**: This command does not require database specification and will show all privileges for the role.
+**SHOW PRIVILEGES FOR ROLE**: This command does not require database
+specification and will show all privileges for the role.
 
-In multi-tenant environments, you must specify which database context to use when showing privileges for users:
+In multi-tenant environments, you must specify which database context to use
+when showing privileges for users:
 
 1. **Show roles for the user's main database:**
 ```cypher
@@ -206,11 +319,18 @@ SHOW PRIVILEGES FOR user_or_role ON CURRENT;
 SHOW PRIVILEGES FOR user_or_role ON DATABASE database_name;
 ```
 
-These commands return the aggregated roles and privileges for the user in the specified database context. The `ON MAIN` option shows information for the user's main database, `ON CURRENT` shows information for whatever database is currently active, and `ON DATABASE` shows information for the explicitly specified database.
+These commands return the aggregated roles and privileges for the user in the
+specified database context. The `ON MAIN` option shows information for the
+user's main database, `ON CURRENT` shows information for whatever database is
+currently active, and `ON DATABASE` shows information for the explicitly
+specified database.
 
 #### Impact on multi-tenant environments
 
-In multi-tenant environments where users might not have access to the "memgraph" database, multi-database management operations will fail. This reinforces the recommendation to treat the "memgraph" database as an administrative/system database.
+In multi-tenant environments where users might not have access to the "memgraph"
+database, multi-database management operations will fail. This reinforces the
+recommendation to treat the "memgraph" database as an administrative/system
+database.
 
 #### Example: Admin user with multi-database privileges
 
@@ -226,13 +346,18 @@ SET ROLE FOR db_admin TO multi_db_admin;
 ```
 
 In this setup, `db_admin` can:
-- Execute all multi-database queries (`SHOW DATABASES`, `CREATE DATABASE`, etc.)
+- Execute all multi-database queries (`SHOW DATABASES`, `CREATE DATABASE`, `DROP
+  DATABASE`, `RENAME DATABASE`, etc.)
 - Access the "memgraph" database for administrative operations
 - Manage the multi-tenant database configuration
 
 #### Best practice
 
-For multi-database management, ensure that users who need to perform multi-database operations have both the appropriate multi-database privileges and access to the "memgraph" database. This aligns with the overall recommendation to treat the "memgraph" database as an administrative database in multi-tenant environments.
+For multi-database management, ensure that users who need to perform
+multi-database operations have both the appropriate multi-database privileges
+and access to the "memgraph" database. This aligns with the overall
+recommendation to treat the "memgraph" database as an administrative database in
+multi-tenant environments.
 
 ### Additional multi-tenant privileges
 

@@ -281,4 +281,21 @@ SET n += props;
 This function **parses a JSON-formatted string into a Cypher map**, making it very useful for flexible security event ingestion pipelines
 where the event structure might vary slightly or be semi-structured.
 
+### Setting nested properties
+
+Cybersecurity data often consists of nested objects (such as cloud security configurations) that are efficiently stored as maps. Many graph
+database vendors do not support nested JSON objects and can only store them as strings within the property store. Memgraph, however, provides *full support
+for nested objects*, including the ability to update them directly using queries such as the following:
+
+```cypher
+MATCH (n:Node {id: 1}) SET n.details.created_at = date(), n.details.ip = '127.0.0.1';
+```
+
+This approach keeps the configuration schema consistent with the original data sources powering your cybersecurity solution, eliminating the need for
+manual and time-consuming graph modeling to represent configurations. In many cases, these configurations are so tightly coupled to the underlying objects
+that there is no real need to separate them into distinct nodes and relationships. Attempting to do so can lead to *graph explosion* due to the large number
+of values contained within nested configuration objects.
+
+For more information, read the [guide on setting nested propertes](/querying/clauses/set#9-setting-nested-properties).
+
 <CommunityLinks/>
@@ -172,6 +172,13 @@ This command retrieves the graph schema in **constant time**, enabling the LLM t
 minimal overhead. It’s a key part of the retrieval pipeline that helps bridge natural language questions and 
 structured graph queries.
 
+Additionally, `SHOW SCHEMA INFO;` is integrated with [fine-grained access control](/querying/schema#schema-with-memgraph-enterprise), 
+
+allowing you to restrict specific users or agents from viewing the full graph schema. This is particularly useful
+when working with LLMs, as it helps reduce schema noise in large enterprise graphs with many use cases.
+Limiting the visible schema ensures that the LLM focuses on relevant parts of the graph, improving its ability to
+generate meaningful answers or queries.
+
 While there's no single query pattern that fits all GraphRAG use cases. Since LLMs generate a wide variety of
 questions, **multi-hop queries** (i.e., traversals across multiple relationships) stand to benefit significantly from
 Memgraph’s **in-memory architecture**, offering fast and consistent response times even under complex traversal logic.