Securing MarkLogic Server

Interactions with Compartment Security

You can add an extra level of protection to any content concealed by protected paths by using compartment security in conjunction with element level security. Compartment security adds a finer granularity of protection for content because a user must have the appropriate role and belong to the appropriate compartment to view the concealed content. For more about compartment security see Compartment Security.

A compartment is a name associated with a role. The compartment name is used as an additional check when determining a user’s authority to access, modify, or create documents. If compartment security is not used, permissions are checked using OR semantics. For example, if a document has read permissions for role1 and read permissions for role2, without compartment security, a user who has either role1 or role2 can read that document.

If any permission on a document has a compartment, then the user must have that compartment in order to access any of the capabilities, even if the capability is not the one with the compartment. Access to a document requires a permission in each compartment for which there is a permission on the document, regardless of the capability of the permission. So, if there is a read permission for a role in compartment1, there must also be an update permission for some role in compartment1 (but not necessarily the same role).

If compartment security is used, then the permissions are checked using AND semantics for each compartment. If the document has compartment permissions for both compartment1 and compartment2, a role must be associated with both compartments to view the document. If two roles have different compartments associated with them (for example, compartment1 and compartment2), a user must have both role1 and role2 to access the document.

This is in addition to checking the OR semantics for each non-compartmented role, as well as a non-compartmented role that has a corresponding permission on the document. If compartment security is used along with element level security, a user must have both the appropriate compartment security and the appropriate role to view protected content.

Because element level security follows the same role-based authorization model, compartment security checks are done in the same way at the element level. The only difference is that when calculating “compartments needed” at the element level, only those permissions with the capability being requested (for example “read”) are checked.

Here is an example using these three roles:

  • role0 (with no compartment)

  • role1 (with compartment1)

  • role2 (with compartment2)

These permissions have been set on the document:

(role0, read), (role1, read), and (role2, update)

With these permissions set on the document, a user with both role1 and role0 cannot perform a read operation. This is because one of the permissions mentions role2, even though it is not for read. In fact, with these permissions at the document level, no one (except for admin) would be able to read the document.

If the above permissions are set for an element, a user with both role1 and role0 will be able to read the element, because element level security checks read, update, and insert permissions separately, based on the operation requested.

Note

Permission checks at the document and element levels are performed independently.
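
The example above can be traced with a small model in plain JavaScript. This is an added illustration, not MarkLogic code or a MarkLogic API: `canAccess`, its `level` parameter and the data layout are hypothetical, and the way non-compartmented permissions combine with compartmented ones is this model's reading of the text.

```javascript
// Simplified model of the checks described on this page; not MarkLogic code.
// Role-to-compartment mapping from the example (null = no compartment).
const ROLE_COMPARTMENT = { role0: null, role1: "compartment1", role2: "compartment2" };

// Permissions from the example, as (role, capability) pairs.
const PERMISSIONS = [
  { role: "role0", capability: "read" },
  { role: "role1", capability: "read" },
  { role: "role2", capability: "update" },
];

// level is "document" or "element" (hypothetical parameter of this model).
function canAccess(userRoles, capability, level,
                   permissions = PERMISSIONS, roleCompartment = ROLE_COMPARTMENT) {
  const compartmentOf = (role) => roleCompartment[role] ?? null;
  const matching = permissions.filter((p) => p.capability === capability);

  // "Compartments needed": at document level every permission counts,
  // at element level only permissions for the requested capability.
  const scope = level === "document" ? permissions : matching;
  const needed = new Set(
    scope.map((p) => compartmentOf(p.role)).filter((c) => c !== null));

  // Compartments (or null for none) in which the user holds a role
  // that has a permission for the requested capability.
  const held = new Set(matching
    .filter((p) => userRoles.includes(p.role))
    .map((p) => compartmentOf(p.role)));

  // AND semantics: every needed compartment must be satisfied.
  for (const c of needed) {
    if (!held.has(c)) return false;
  }

  // Assumption of this model: non-compartmented permissions for the
  // capability form one OR group that must also be satisfied when present.
  const hasPlain = matching.some((p) => compartmentOf(p.role) === null);
  return hasPlain ? held.has(null) : held.size > 0;
}

const user = ["role0", "role1"];
console.log("document read:", canAccess(user, "read", "document"));
console.log("element read: ", canAccess(user, "read", "element"));
```

Adding role2 to the user does not make the document readable in this model, because compartment2 is needed at the document level and no read permission exists for a role in that compartment.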