Chapter 3. Document Security
MarkLogic provides a robust, role-based security model. Most of the functions expect to work with the IDs of roles or users, but names are much easier for humans to process. These recipes provide easier insight into who can see what.
List User Permissions on a Document
Problem
You want a list of a particular user’s permissions on a document.
Solution
Applies to MarkLogic versions 7 and higher
The xdmp:document-get-permissions() function will get all permissions, but you can narrow this down after identifying the user’s roles:
let$roles:=xdmp:user-roles("some-user")returnxdmp:document-get-permissions("/content/some-doc.json")[sec:role-id=$roles]/sec:capability/fn:string()
The result will be a sequence of permission strings from among read, update, insert, and execute.
Discussion
Permissions are assigned to a document by role. Users are also assigned roles, and through them gain access to documents.
The first step of this recipe is to gather the roles that the specified user has. The xdmp:user-roles() function returns both the roles that the user has been directly granted and any inherited roles.
With the roles in hand, we can retrieve all the permissions on the target document, then use some XPath to retrieve just the ones we are interested in.
Note that the sec namespace is available by default—you do not need to declare it.
Get Permissions with Role Names
Problem
Get the permissions on a document, decorated with the names of the ...
Get MarkLogic Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
