
Securing MarkLogic Server

Configuring Element Level Security

Configuring element level security involves setting up protected paths and creating query rolesets, then adding both to the Security database. This section covers the steps to follow. As an overview, you will need to do the following:

  • Set up roles.

  • Create users and assign roles.

  • Add or update documents with permissions for users.

  • Add protected paths for elements in documents, by inserting the protected paths into the Security database.

  • Add the query rolesets to the Security database.

Configuring the query rolesets is a task for the administrator. Two helper functions are available for this. xdmp:database-node-query-rolesets() queries documents already in your database to discover existing query rolesets, while xdmp:node-query-rolesets() queries for protected paths in documents as they are being loaded into the database. See APIs for Element Level Security for more information. You can configure element level security using the Admin Interface, using XQuery, or by using REST.
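The five steps above as one XQuery script, run against the Security database. This is an added example, not taken from the MarkLogic documentation; the role names, user names, passwords, document URI, element names and the use of the Documents database are all hypothetical.

```xquery
xquery version "1.0-ml";
(: Run against the Security database. All names and values are hypothetical. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";
(: Step 1: roles. Only els-role-2 will be allowed to read the protected element. :)
sec:create-role("els-role-1", "reads documents, not secrets", (), (), ()),
sec:create-role("els-role-2", "reads documents and secrets", (), (), ())
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";
(: Step 2: users. A new statement is a new transaction, so the roles
   created in step 1 are committed before they are referenced here. :)
sec:create-user("els-user-1", "unprivileged reader", "CHANGE-ME-1", "els-role-1", (), ()),
sec:create-user("els-user-2", "privileged reader", "CHANGE-ME-2", "els-role-2", (), ())
;
xquery version "1.0-ml";
(: Step 3: insert a document into the content database (assumed: Documents).
   Both roles get document-level read; the path permission narrows it later. :)
xdmp:invoke-function(
  function() {
    xdmp:document-insert("/els/example.xml",
      <employee>
        <name>Constructed Name</name>
        <secret>constructed value</secret>
      </employee>,
      (xdmp:permission("els-role-1", "read"),
       xdmp:permission("els-role-2", "read")))
  },
  <options xmlns="xdmp:eval">
    <database>{xdmp:database("Documents")}</database>
    <update>true</update>
  </options>)
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";
(: Step 4: protect the element. Reading it now requires els-role-2
   in addition to read permission on the document itself. :)
sec:protect-path("/employee/secret", (), xdmp:permission("els-role-2", "read"))
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";
(: Step 5: register the query roleset that matches the protected path.
   It is written by hand here; the helper functions can discover it instead. :)
sec:add-query-rolesets(
  sec:query-rolesets(sec:query-roleset("els-role-2")))
```

To check the result, read /els/example.xml as each user: els-user-2 should see the secret element and els-user-1 should not.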

Note

The number of protected paths that you set on a single element may impact performance. One or two protected paths on an element will have no discernible impact (less than 5% in our testing). Ten or so protected paths may have some impact (around 10%), but setting 100 or so protected paths on a single element will have a severe and noticeable impact on performance.