Securing MarkLogic Server

Query for Protected Paths on a Document

You can use the following XQuery as a model to customize. It finds the protected paths that apply to the document foo.xml in the Documents database. Run it against the Security database, which is where the protected path configuration is stored; the document itself is fetched from the Documents database with xdmp:eval.

xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security" 
  at "/MarkLogic/security.xqy";

(: Copy a sec:permission element and append the role name that matches its role-id :)
declare function local:get-role-name($p as element(sec:permission)) {
  element sec:permission {
    $p/*,
    sec:get-role-names($p/sec:role-id)
  }
};

(: Fetch the document from the Documents database; this query itself runs in the Security database :)
let $doc := xdmp:eval('fn:doc("foo.xml")', (),
  <options xmlns="xdmp:eval"><database>{xdmp:database("Documents")}</database></options>)
(: Walk every protected path stored in the Security database :)
for $p in fn:collection(sec:protected-paths-collection())/sec:protected-path
(: Evaluate the path expression against $doc with the path's own namespace bindings in scope :)
let $path := 
   xdmp:with-namespaces(
       for $ns in $p//sec:path-namespace
       return ($ns/sec:prefix/fn:string(.), $ns/sec:namespace-uri/fn:string(.)),
       xdmp:value("$doc" || $p/sec:path-expression/fn:string()))
return
  (: Keep only the paths that select something the current user is allowed to read :)
  if (fn:exists($path)) then
    element sec:protected-path {
      $p/* except $p/sec:permissions,
      element sec:permissions {
        $p/sec:permissions/sec:permission ! local:get-role-name(.)
      }
    }
  else 
    () 

The query only reports the protected paths whose elements you, as the calling user, have permission to read: a path expression evaluated against the document returns nothing for elements you cannot see, so the fn:exists() test drops those paths. For example, if you hold role1 and a protected path grants access only to role2, the query run as role1 will not list that path.

Related functionality is the all-query-rolesets-fragment-count element returned by xdmp:forest-counts(). This number tells the caller how many fragments in the forest are indexed with a given query-rolesets. If the number is 0 across the forests of all databases, that query-rolesets is no longer in use.
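The following XQuery is an added example, not code from the MarkLogic documentation, showing how to total that count across every forest of every database so that you can tell whether query rolesets are still in use at all. It assumes the caller has the privileges needed for xdmp:forest-counts() and xdmp:database-forests(), and it matches the all-query-rolesets-fragment-count element by local name with a wildcard namespace rather than assuming its exact position in the forest-counts output.

```xquery
xquery version "1.0-ml";

(: Added example: sum all-query-rolesets-fragment-count over every forest in the cluster.
   Assumes the caller may read forest counts for all databases. :)
declare function local:query-rolesets-in-use() as element(result) {
  let $per-forest :=
    for $db in xdmp:databases()
    (: xdmp:database-forests returns an empty sequence for a database with no forests :)
    for $counts in xdmp:forest-counts(xdmp:database-forests($db))
    (: match by local name only; the namespace of the counts output is not assumed here :)
    let $n := fn:sum($counts//*:all-query-rolesets-fragment-count ! xs:unsignedLong(.))
    where $n gt 0
    return
      element forest {
        attribute database { xdmp:database-name($db) },
        attribute name { $counts//*:forest-name/fn:string() },
        $n
      }
  let $total := fn:sum($per-forest ! xs:unsignedLong(.))
  return
    element result {
      attribute total { $total },
      (: a total of 0 across all databases means no fragment still carries a query-rolesets :)
      attribute in-use { $total gt 0 },
      $per-forest
    }
};

local:query-rolesets-in-use()
```

Only forests with a non-zero count are listed, so the in-use="false" case yields an empty result element with total="0"; when query rolesets are still referenced, the per-forest breakdown points at the databases whose fragments would need reindexing or a document update before the rolesets can be considered retired.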