Securing MarkLogic Server

Configure Granular Privileges via the Admin Interface

To create a new granular privilege via the Admin Interface, follow the steps for creating an execute privilege described in Creating an Execute Privilege in Administrating MarkLogic Server.

For example, to create a granular privilege that grants a user the ability to administer a specific aspect (for example, backup) of a set of resources (for example, forests), perform the following steps:

  1. Use the Admin Interface to create an execute privilege named admin-forest-backup.

  2. Assign the action URI http://marklogic.com/xdmp/privileges/admin/forest/backup to the privilege.

  3. Assign the privilege to the desired role or roles. You may want to create a specific role for this privilege depending on your security requirements.

The following screenshot depicts the New Execute Privilege page with these parameters:

Admin Interface Screenshot illustrating the partially filled-in New Execute Privilege page
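
As an added example (not part of the MarkLogic documentation), the following XQuery can be run against the Security database after step 3 to confirm that the privilege exists and that only the intended roles hold it. The role name forest-backup-operator is a hypothetical placeholder for the role chosen in step 3.

```xquery
xquery version "1.0-ml";

(: Added example: evaluate against the Security database, for example
   from Query Console with the Security database selected. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";

(: Action URI assigned in step 2 of the procedure. :)
declare variable $ACTION as xs:string :=
  "http://marklogic.com/xdmp/privileges/admin/forest/backup";

(: Assumption: the only role(s) meant to hold the privilege.
   "forest-backup-operator" is a hypothetical role name. :)
declare variable $EXPECTED-ROLES as xs:string* := ("forest-backup-operator");

if (fn:not(sec:privilege-exists($ACTION, "execute"))) then
  (: The privilege was never created, or was created with another action URI. :)
  <audit status="missing" action="{$ACTION}"/>
else
  let $priv := sec:get-privilege($ACTION, "execute")
  (: Roles the privilege is directly assigned to. :)
  let $roles := sec:privilege-get-roles($ACTION, "execute")
  (: Roles holding the privilege that are not on the expected list. :)
  let $unexpected := $roles[fn:not(. = $EXPECTED-ROLES)]
  (: Expected roles that the privilege was not assigned to. :)
  let $absent := $EXPECTED-ROLES[fn:not(. = $roles)]
  let $status := if (fn:empty(($unexpected, $absent))) then "ok" else "review"
  return
    <audit status="{$status}" action="{$ACTION}"
           name="{fn:string($priv/sec:privilege-name)}">
      { for $r in $roles order by $r return <role>{$r}</role> }
      { for $r in $unexpected return <unexpected-role>{$r}</unexpected-role> }
      { for $r in $absent return <missing-role>{$r}</missing-role> }
    </audit>
```

The query reports only direct assignments; any role that inherits from a listed role also receives the privilege, so include role inheritance in the review.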

Note

You cannot create a granular privilege that grants a user the ability to administer a specific resource (such as a forest with the specified identifier) in the manner described here, because resource identifiers are not exposed in the Admin Interface. To create a granular privilege of this type (for example, http://marklogic.com/xdmp/privileges/admin/forest/forest-ID), you need to use the functions of the XQuery API security module, as described in the following section, Configure Granular Privileges via the XQuery API Security Module.