vesoft-inc · foesa-yang · Sep 1, 2021 · Aug 31, 2021
diff --git a/docs-2.0/7.data-security/1.authentication/1.authentication.md b/docs-2.0/7.data-security/1.authentication/1.authentication.md
@@ -4,7 +4,7 @@ Nebula Graph replies on local authentication or LDAP authentication to implement
 
 Nebula Graph creates a session when a client connects to it. The session stores information about the connection, including the user information.
 
-By default, authentication is disabled and Nebula Graph allows connections with any username and password. If the authentication system is enabled, Nebula Graph checks a session according to the authentication configuration, and decides whether the session should be allowed or denied.
+By default, authentication is disabled and Nebula Graph allows connections with the username `root` and any password. If the authentication system is enabled, Nebula Graph checks a session according to the authentication configuration, and decides whether the session should be allowed or denied.
 
 ## Local authentication
 
@@ -26,10 +26,10 @@ Local authentication indicates that usernames and passwords are stored locally o
 
 ## LDAP authentication
 
-Lightweight Directory Access Protocol (LDAP), is a lightweight client-server protocol for accessing directories and building a centralized account management system.
+!!! Enterpriseonly
 
-LDAP authentication and local authentication can be enabled at the same time, but LDAP authentication has a higher priority. If the local authentication server and the LDAP server both have the information of user `Amber`, Nebula Graph reads from the LDAP server first.
+    LDAP authentication is an Enterprise-only feature. For how to enable LDAP, see Authenticate with an LDAP server (TODO: doc).
 
-### Enable LDAP authentication
+Lightweight Directory Access Protocol (LDAP), is a lightweight client-server protocol for accessing directories and building a centralized account management system.
 
-The Nebula Graph Enterprise Edition supports LDAP authentication. For how to enable LDAP, see Authenticate with an LDAP server (TODO: doc).
+LDAP authentication and local authentication can be enabled at the same time, but LDAP authentication has a higher priority. If the local authentication server and the LDAP server both have the information of user `Amber`, Nebula Graph reads from the LDAP server first.
diff --git a/docs-2.0/7.data-security/1.authentication/2.management-user.md b/docs-2.0/7.data-security/1.authentication/2.management-user.md
@@ -2,7 +2,9 @@
 
 This topic describes how to manage users and roles.
 
-By default, Nebula Graph allows connections with any username and password. After [enabling authentication](1.authentication.md), only valid users can connect to Nebula Graph and access the resources according to the [user roles](3.role-list.md).
+By default, Nebula Graph allows connections with the username `root` and any password. After [enabling authentication](1.authentication.md), only valid users can connect to Nebula Graph and access the resources according to the [user roles](3.role-list.md).
+
+Once the role of a user is modified, the user has to re-login to make the new role takes effect.
 
 ## CREATE USER
 
@@ -40,6 +42,27 @@ Users with the GOD role or the ADMIN role can run `GRANT ROLE` to assign a built
     nebula> GRANT ROLE USER ON basketballplayer TO user1;
     ```
 
+## SHOW ROLES
+
+Run `SHOW ROLES` to list the roles in a graph space.
+
+* Syntax
+
+  ```ngql
+  SHOW ROLES IN <space_name>;
+  ```
+
+* Example
+
+  ```ngql
+  nebula> SHOW ROLES IN basketballplayer;
+  +---------+-----------+
+  | Account | Role Type |
+  +---------+-----------+
+  | "user1" | "ADMIN"   |
+  +---------+-----------+
+  ```
+
 ## REVOKE ROLE
 
 Users with the GOD role or the ADMIN role can run `REVOKE ROLE` to revoke a user's role in a graph space.

diff --git a/docs-2.0/7.data-security/1.authentication/3.role-list.md b/docs-2.0/7.data-security/1.authentication/3.role-list.md
@@ -41,13 +41,13 @@ The privileges of roles and the nGQL statements that each role can use are liste
 Privilege|God|Admin|DBA|User|Guest|Allowed nGQL|
 |-|-|-|-|-|-|-|
 |Read space|Y|Y|Y|Y|Y|`USE`, `DESCRIBE SPACE`|
-|Write space|Y|||||`CREATE SPACE`, `DROP SPACE`, `CREATE SNAPSHOT`, `DROP SNAPSHOT`, `BALANCE`, `ADMIN`, `CONFIG`, `INGEST`, `DOWNLOAD`|
+|Write space|Y|||||`CREATE SPACE`, `DROP SPACE`, `CREATE SNAPSHOT`, `DROP SNAPSHOT`, `BALANCE DATA`, `BALANCE DATA STOP`, `BALANCE DATA REMOVE`, `BALANCE LEADER`, `ADMIN`, `CONFIG`, `INGEST`, `DOWNLOAD`, `SUBMIT JOB COMPACT`, `SUBMIT JOB FLUSH`, `SUBMIT JOB STATS`, `STOP JOB`, `RECOVER JOB`, `BUILD TAG INDEX`, `BUILD EDGE INDEX`|
 |Read schema|Y|Y|Y|Y|Y|`DESCRIBE TAG`, `DESCRIBE EDGE`, `DESCRIBE TAG INDEX`, `DESCRIBE EDGE INDEX`|
 |Write schema|Y|Y|Y|||`CREATE TAG`, `ALTER TAG`, `CREATE EDGE`, `ALTER EDGE`, `DROP TAG`, `DROP EDGE`, `CREATE TAG INDEX`, `CREATE EDGE INDEX`, `DROP TAG INDEX`, `DROP EDGE INDEX`|
 |Write user|Y|||||`CREATE USER`, `DROP USER`, `ALTER USER`|
 |Write role|Y|Y||||`GRANT`, `REVOKE`|
 |Read data|Y|Y|Y|Y|Y|`GO`, `SET`, `PIPE`, `MATCH`, `ASSIGNMENT`, `LOOKUP`, `YIELD`, `ORDER BY`, `FETCH VERTICES`, `Find`, `FETCH EDGES`, `FIND PATH`, `LIMIT`, `GROUP BY`, `RETURN`|
-|Write data|Y|Y|Y|Y||`BUILD TAG INDEX`, `BUILD EDGE INDEX`, `INSERT VERTEX`, `UPDATE VERTEX`, `INSERT EDGE`, `UPDATE EDGE`, `DELETE VERTEX`, `DELETE EDGES`|
+|Write data|Y|Y|Y|Y||`INSERT VERTEX`, `UPDATE VERTEX`, `INSERT EDGE`, `UPDATE EDGE`, `DELETE VERTEX`, `DELETE EDGES`, `DELETE TAG`|
 |Show operations|Y|Y|Y|Y|Y|`SHOW`, `CHANGE PASSWORD`|
 
 !!! note

diff --git a/docs-2.0/7.data-security/3.manage-snapshot.md b/docs-2.0/7.data-security/3.manage-snapshot.md
@@ -98,6 +98,8 @@ nebula> SHOW SNAPSHOTS;
 
 3. [Restart Nebula Graph](../2.quick-start/5.start-stop-service.md).
 
+<!--
 ## Another way to backup and restore data
 
 You can also use Backup&Restore to backup and restore Nebula Graph data. (TODO: coding)
+-->