Securing MarkLogic Server

Using the Admin Interface, add the protected paths and query rolesets to the Security database. If no query rolesets are configured, a query will only match documents by the terms that are visible to everyone.

To start, check for any existing protected paths using this query in the Query Console:

(: run this query against the Security database :)

fn:collection("http://marklogic.com/xdmp/protected-paths")

This will return an empty sequence if there are no protected paths. If there are protected paths, information about those protected paths will be displayed, including the path ID, the path expression, the permissions, and roles associated with that path.

Using the Admin Interface, add protected paths with permissions for els-user-2. To add the protected path from the Admin Interface:

For examples using namespaces and prefixes as part of a protected path, see Namespaces as Part of a Protected Path.

Repeat this for two additional protected paths, “test” and “/root/reg[fn:matches(@expr, 'is')]”.

The three protected paths with read permissions for els-role-2 are these:

Alternatively, you can add these protected paths with the Query Console. Use this code to add these protected paths with permissions for els-user-2 to the Security database:

(: add protected paths -> run against the Security database :)

xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" 
  at "/MarkLogic/security.xqy";

sec:protect-path("/root/bar[@baz=1]", (), (xdmp:permission("els-role-2", "read"))),
sec:protect-path("test", (), (xdmp:permission("els-role-2", "read"))),
sec:protect-path("/root/reg[fn:matches(@expr, 'is')]", (), (xdmp:permission("els-role-2", "read")))

=> Returns three numbers representing the protected paths

Now add query rolesets for these documents. In the Query Console, run this code to add query rolesets for els-user-2:

(: run this against the Security database :)

xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security" 
  at "/MarkLogic/security.xqy";

let $qry := 'xdmp:database-node-query-rolesets(fn:doc(), ("all"))'
let $qry-rolesets := 
xdmp:eval($qry, (),<options xmlns="xdmp:eval">
                   <database>{xdmp:database('Documents')}</database>
                 </options>)

return
sec:add-query-rolesets($qry-rolesets)

In most cases you will want to use the helper functions (xdmp:database-node-query-rolesets and xdmp:node-query-rolesets) to create query rolesets. The helper function automatically created the query rolesets based on the protected paths you have set. See Helper Functions for Query Rolesets for more information. To understand more about query rolesets, see Query Rolesets.

You can also add query rolesets manually with XQuery in the Query Console if you only have a few query rolesets to add. Run this code against the Security database:

(: add query rolesets => run against the Security database :)

xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" 
  at "/MarkLogic/security.xqy";

let $roleset := sec:query-roleset("els-role-2")
return
sec:add-query-rolesets(sec:query-rolesets($roleset))
=>
Returns a unique ID representing the added query rolesets

Check for query rolesets in the Security database using the Query Console:

(: run this query against the Security database :)

fn:collection("http://marklogic.com/xdmp/query-rolesets")
=>
Returns details about query rolesets in the Security database.

There is also a collection for protected paths in the Security database:

(: run this query against the Security database :)

fn:collection("http://marklogic.com/xdmp/protected-paths")
=>
Returns details about protected paths in the Security database.

The els-role-2 can now see the elements in these paths, but the els-user-1 cannot: