View Document Permissions in MarkLogic

DZone 's Guide to

View Document Permissions in MarkLogic

MarkLogic has a small quirk that prevents you from seeing role names when viewing document permissions. We have a look at how to fix this!

· Database Zone ·
Free Resource

MarkLogic is uber secure. So secure it doesn’t let you see role names when viewing document permissions. This tip shows you how to resolve this foible…

Using xdmp:document-get-permissions($uri) you can fetch a document’s permissions–this lists the role IDs and actions (read, update, execute) that this role has.

Role IDs are unsignedLong’s though–not the human role name. Using the sec:get-role-names() call you can get the role name–but this must be a call against the security database–not the content or other database.

You can get around this though by invoking the sec function against the security database using xdmp:invoke-function. Below is the code:

xquery version "1.0-ml";
declare namespace l = "local";
import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
declare private function l:getperm($roleid) {
   function() {
 <options xmlns="xdmp:eval">
for $perm in xdmp:document-get-permissions("http://marklogic.com/cpf/domains/18444233322793156516.xml")
 (l:getperm(xs:unsignedLong($perm/sec:role-id)) || "=" || xs:string($perm/sec:capability))

Using the above method you can write XQuery (or indeed server-side JavaScript) that is executed in the context of another database. Much better and more secure than eval()-ing code... and not prone to XQuery-injection attacks.

The above code returns things like this:


Much nicer to read!

In the above example, I’m looking at Domain document privileges (I shan't bore you with why), but you could look at a normal content document, or indeed anything stored within MarkLogic.

big data, database, marklogic, nosql, tip

Published at DZone with permission of Adam Fowler , DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}