Examples of Creating and Assigning Granular Privileges
The following are examples of creating and assigning granular privileges via the XQuery API. They must be run against the Security database.
Example 1: Assign a privilege to perform index operations on any database to role1
Suppose you previously created the http://marklogic.com/xdmp/privileges/admin/database/index privilege via the Admin Interface, as described in the previous section, Configure Granular Privileges via the Admin Interface. Assign this privilege to role1 as follows:
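xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";

(: sec:privilege-set-roles replaces the privilege's entire role list,
   so every role that should hold the privilege is listed here. :)
sec:privilege-set-roles(
    "http://marklogic.com/xdmp/privileges/admin/database/index",
    "execute",
    ("admin","role1")
)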
Example 2: Create a privilege to perform any operations on database db1 for role2
Create a privilege to perform any operations on database db1 for role2 as follows (note the use of function xdmp:database("db1") to convert from the database name to the database identifier):
xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";

sec:create-privilege(
    "admin-database-db1",
    fn:concat("http://marklogic.com/xdmp/privileges/admin/database/",
              xdmp:database("db1")),
    "execute",
    "role2"
)
Example 3: Create a privilege to perform index operations on database db1 for role3
Create a privilege to perform index operations on database db1 for role3 as follows (note the use of function xdmp:database("db1") to convert from the database name to the database identifier):
xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";

sec:create-privilege(
    "admin-index-database-db1",
    fn:concat("http://marklogic.com/xdmp/privileges/admin/database/index/",
              xdmp:database("db1")),
    "execute",
    "role3"
)
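The following is an added example, not part of the original documentation: a re-runnable form of Example 3 that checks whether the granular privilege already exists and, if it does, adds role3 without replacing the roles that already hold it. It assumes that database db1 and role role3 exist and, like the examples above, must be run against the Security database.

```xquery
xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";

(: Assumption: database "db1" and role "role3" already exist (names from Example 3). :)
let $kind   := "execute"
let $role   := "role3"
(: Granular privilege action: base action URI followed by the database identifier. :)
let $action := fn:concat(
    "http://marklogic.com/xdmp/privileges/admin/database/index/",
    xdmp:database("db1"))
return
  if (sec:privilege-exists($action, $kind)) then
    (: The privilege is already defined: inspect who holds it before changing anything. :)
    let $current := sec:privilege-get-roles($action, $kind)
    return
      if ($role = $current) then
        fn:concat("No change. Roles holding the privilege: ",
                  fn:string-join($current, ", "))
      else (
        (: privilege-add-roles keeps the existing roles;
           privilege-set-roles would replace them. :)
        sec:privilege-add-roles($action, $kind, $role),
        fn:concat("Added ", $role, ". Roles previously holding the privilege: ",
                  fn:string-join($current, ", "))
      )
  else (
    (: First run: create the privilege scoped to db1 and grant it to the single role. :)
    sec:create-privilege("admin-index-database-db1", $action, $kind, $role),
    fn:concat("Created privilege for ", $role)
  )
```

The returned message lists the roles that held the privilege before the change, which gives a quick review of who can already perform index operations on db1.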