Helper Functions for Query Rolesets
In order to search for query rolesets, you find out which query rolesets are configured for protected paths for a document already in the database. You can also discover if query rolesets are required for proper querying of a document being loaded into the database. Element level security includes two built-ins that can be used to discover existing protected paths in documents. The xdmp:database-node-query-rolesets()
built-in is used for querying documents already in the database, while xdmp:node-query-rolesets()
is used to query for protected paths in documents that are being loaded into the database. Given a node, these functions will return a list of the query rolesets for any protected paths, as long as the user of the built-ins has sufficient privileges and permissions. Usually, these function are called by an admin user.
For xdmp:database-node-query-rolesets()
, the built-in returns a sequence of query rolesets that are required for proper querying of any given database nodes where element level security is in place on a document already in the database.
xquery version "1.0-ml"; import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy"; (: run this against the Security database :) let $qry := 'xdmp:database-node-query-rolesets(fn:doc("/example.xml"), ("all"))' let $qry-rolesets := xdmp:eval($qry, (),<options xmlns="xdmp:eval"> <database>{xdmp:database(YOUR_DB_NAME)}</database> </options>) return sec:add-query-rolesets($qry-rolesets) => <query-rolesets xml:lang="zxx" xmlns="http://marklogic.com/xdmp/security"> <query-roleset> <role-id>12006351629398052509 </role-id> </query-roleset> </query-rolesets>
To find the name of this role ID, use this query in the Query Console:
xquery version "1.0-ml"; import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy"; sec:get-role-names((12006351629398052509)) => <sec:role-name xmlns:sec="http://marklogic.com/xdmp/security">els-role-2</sec:role- name>
The unconfigured
option for xdmp:database-node-query-rolesets()
will return only those query rolesets that are not configured, meaning these query rolesets are not in the Security database yet (you have not configured them yet). The all
option returns all query rolesets, even if they are already configured.
You can find existing or yet-to-be-configured query rolesets for documents being loaded into the database using xdmp:node-query-rolesets()
. This built-in returns a sequence of query rolesets that are required for proper querying with element level security if the node is inserted into the database with the given document-insert options. This built-in also comes with the unconfigured
option and the all
option, and works the same as the xdmp:database-node-query-rolesets()
built-in.
A typical workflow would call this function and add each query rolesets through the sec:add-query-rolesets()
function before inserting the document into the database, so that the document can be correctly queried with element level security as soon as the document is inserted.
xdmp:node-query-rolesets( "/example.xml", <foo>aaa</foo>, <options xmlns="xdmp:document-insert"> <permissions> {xdmp:permission("role1","read"),xdmp:permission("role2","read")} </permissions> </options>)
To run this built-in you need to have the security role privileges.