Parent/Child Relationships in Query Rolesets
You might have a document where one user has permissions for an element that is the child of a parent element, for which that user does not have permissions. For example, there might be a simple document like this:
<root> <content>Contents of document <top-secret>Only role with "top-secret" can read this <secret>Only role with "secret" can read this</secret> </top-secret> Unclassified content </content> </root>
This document might have these protected paths:
sec:protect-path("secret", (), (xdmp:permission("els-role-2", "read"))),
sec:protect-path("top-secret", (), (xdmp:permission("els-role-1", "read")))
A user with permissions on only the protected path for “secret” can’t see “secret” content unless the user also had permissions for the protected path for “top-secret” because the “secret” node is a child of the “top-secret” parent node.