Algorithm That Determines Which Query Rolesets to Use
In MarkLogic Server 9.0-1, if the path permissions on a node are “weaker” (as defined in Document Level Security and Indexing) than the document level permissions or its parent node’s permissions, the path level permissions will be ignored as far as query rolesets definition is concerned.
Note
A child node will still inherit its parent’s query rolesets.
In MarkLogic Server 9.0-2, the set of query rolesets for a given node (after inheritance from ancestors) will be “compacted” based on the “weaker” permissions defined in Document Level Security and Indexing. If a query roleset in the set is “weaker” than any other query rolesets in the set, that “weaker” roleset will be “removed”.
For example:
Roles: role-1, role-2, role-3
Document:
<foo>Hello<bar>World</bar>,</foo>
with ((role-1, read), (role-2, read), (role-3, read))
Protected Paths:
//foo (role-1, read), (role-2, read) //bar (role-1, read)
In MarkLogic Server 9.0-1, the query rolesets for the “bar” node is ((role-1, role-2), (role-1)), but in 9.0-2 it is simplified (“compacted”) to ((role-1)).
Note
If any query roleset in the above set is “weaker” than the document level permissions, it will be omitted too.
Here is another example:
Roles: role-1, role-2, role-3
Document:
<foo><bar>Hello</bar></foo>
with (role-1, read)
Protected Paths:
/foo/bar (role-1, read), (role-2, read) //bar (role-3, read)
In 9.0-1, the query rolesets for the “bar” node is ((role-1, role-2), (role-3)), but in 9.0-2 it is simplified (“compacted”) to ((role-3)) because (role-1, role-2) is “weaker” than the document level permissions.