Execute Privileges
The actions that a user can perform in the server are determined by the set of privileges that they possess. Privileges are connected to users with roles. An Execute Privilege grants authorization to perform a protected action. An execute privilege specifies a protected action, and the roles that can perform the action. Roles that inherit from the specified roles can also perform the protected action. The protected action is represented as a URI.
Once an execute privilege is created, it is enforced in XQuery programs through the use of xdmp:security-assert(<protected-action-uri>, "execute") in the code. That is, xdmp:security-assert(<protected-action-uri>, "execute") can be added at the entrance to a function or a section of code that has been protected. If the system is executing as a user without the appropriate roles as specified by the execute privilege, an exception is thrown. Otherwise, the system satisfies the security-assert condition and proceeds to execute the protected code.
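The pattern described above, as an added example that is not taken from the product documentation: a function gated at its entrance by xdmp:security-assert, and a caller that handles the exception for users who lack the required role. The action URI, the collection name and the local: function are hypothetical; the example assumes an execute privilege with that action URI has already been created and assigned to a role.

```xquery
xquery version "1.0-ml";

declare namespace error = "http://marklogic.com/xdmp/error";

(: Hypothetical protected-action URI. An execute privilege with this
   action must already exist and list the roles allowed to perform it. :)
declare variable $VIEW-AUDIT-ACTION as xs:string :=
  "http://example.com/privileges/view-audit-records";

(: Hypothetical collection that holds the protected documents. :)
declare variable $AUDIT-COLLECTION as xs:string := "audit-records";

(: Protected function: the assert is the first expression evaluated, so
   nothing below it runs unless the current user holds a role named by
   the privilege, or a role that inherits from one of those roles. :)
declare function local:audit-record-count() as xs:integer
{
  (
    xdmp:security-assert($VIEW-AUDIT-ACTION, "execute"),
    fn:count(fn:collection($AUDIT-COLLECTION))
  )
};

(: Caller: this catch handles any error raised inside the call, including
   the one thrown by xdmp:security-assert. The detail goes to the server
   log; the response carries only a generic message, so it does not reveal
   which privilege was missing. :)
try {
  fn:concat("audit records: ", local:audit-record-count())
} catch ($e) {
  (
    xdmp:log(fn:concat(
      "execute check failed for action ", $VIEW-AUDIT-ACTION,
      " user=", xdmp:get-current-user(),
      " code=", fn:string($e/error:code)
    )),
    "request could not be completed"
  )
}
```

Keep the assert inside the protected function rather than in its callers, so every code path that reaches the function is checked.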