Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

View Document Permissions in MarkLogic

DZone's Guide to

View Document Permissions in MarkLogic

MarkLogic has a small quirk that prevents you from seeing role names when viewing document permissions. We have a look at how to fix this!

· Database Zone
Free Resource

Learn how to create flexible schemas in a relational database using SQL for JSON.

MarkLogic is uber secure. So secure it doesn’t let you see role names when viewing document permissions. This tip shows you how to resolve this foible…

Using xdmp:document-get-permissions($uri) you can fetch a document’s permissions–this lists the role IDs and actions (read, update, execute) that this role has.

Role IDs are unsignedLong’s though–not the human role name. Using the sec:get-role-names() call you can get the role name–but this must be a call against the security database–not the content or other database.

You can get around this though by invoking the sec function against the security database using xdmp:invoke-function. Below is the code:

xquery version "1.0-ml";
declare namespace l = "local";
import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
declare private function l:getperm($roleid) {
xdmp:invoke-function(
   function() {
sec:get-role-names($roleid)
   },
 <options xmlns="xdmp:eval">
   <database>{xdmp:security-database()}</database>
   <transaction-mode>update-auto-commit</transaction-mode>
   <isolation>different-transaction</isolation>
 </options>
 )
};
for $perm in xdmp:document-get-permissions("http://marklogic.com/cpf/domains/18444233322793156516.xml")
return
 (l:getperm(xs:unsignedLong($perm/sec:role-id)) || "=" || xs:string($perm/sec:capability))

Using the above method you can write XQuery (or indeed server-side JavaScript) that is executed in the context of another database. Much better and more secure than eval()-ing code... and not prone to XQuery-injection attacks.

The above code returns things like this:

domain-management=read

Much nicer to read!

In the above example, I’m looking at Domain document privileges (I shan't bore you with why), but you could look at a normal content document, or indeed anything stored within MarkLogic.

Create flexible schemas using dynamic columns for semi-structured data. Learn how.

Topics:
nosql ,marklogic ,big data ,database ,tip

Published at DZone with permission of Adam Fowler, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}