Securing MarkLogic Server

Enabling Non-privileged Users to Assign Roles

The create-user-privilege privilege enables otherwise non-privileged users to create and manage user-defined privileges.

If a user has a role with this privilege set, they do not need the grant-my-privileges privilege to assign specific privileges.

The general form of this granular privilege is:

http://marklogic.com/xdmp/privileges/admin/create-user-privilege/DOMAIN/PRIVILEGE-PATH/

Note that the PRIVILEGE-PATH can contain more than one slash (“/”) and must end with a slash.

For example, given a user with a role that has the following privilege:

http://marklogic.com/xdmp/privileges/admin/create-user-privilege/acme.com/publishing/

This user can manage the following execute or URI privileges:

  • http://acme.com/publishing/

  • http://acme.com/publishing/updates/

  • http://acme.com/publishing/updates/weekly/

This user can also create roles that use these privileges, provided each role name is unique across the entire system, including roles created by other users.

As another example, if you only want this user to be able to publish weekly updates, you would assign them a role with the following privilege:

http://marklogic.com/xdmp/privileges/admin/create-user-privilege/acme.com/publishing/updates/weekly/
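The scoping rule in both examples above (a grant on `acme.com/publishing/` covers every privilege under `http://acme.com/publishing/`, while a grant on `acme.com/publishing/updates/weekly/` covers only that subtree) can be modelled as a prefix match on the DOMAIN and PRIVILEGE-PATH. The following is an added example, not MarkLogic's own implementation: it parses a granular `create-user-privilege` grant, enforces the trailing-slash requirement, and checks whether a holder of some grants may manage a given execute or URI privilege. The assumption that DOMAIN maps to an `http://` scheme in the managed privilege URI is taken from the page's `acme.com` example, and the function names (`parseGrant`, `managedScope`, `canManage`) are hypothetical.

```javascript
// Added example: a model of how a granular create-user-privilege grant
// scopes the execute/URI privileges a role holder may manage.
// This is NOT MarkLogic's own code; the prefix rule is inferred from the
// documentation text and the "http://" + DOMAIN mapping is an assumption
// taken from the acme.com example.

const GRANT_PREFIX =
  "http://marklogic.com/xdmp/privileges/admin/create-user-privilege/";

// Parse a grant URI into { domain, path }. Throws on a malformed grant:
// missing DOMAIN, or a PRIVILEGE-PATH that does not end with a slash.
function parseGrant(grantUri) {
  if (!grantUri.startsWith(GRANT_PREFIX)) {
    throw new Error("not a create-user-privilege grant: " + grantUri);
  }
  const rest = grantUri.slice(GRANT_PREFIX.length);
  const slash = rest.indexOf("/");
  if (slash <= 0) {
    throw new Error("grant has no DOMAIN: " + grantUri);
  }
  const domain = rest.slice(0, slash);
  const path = rest.slice(slash); // keeps the leading "/"
  if (!path.endsWith("/")) {
    throw new Error("PRIVILEGE-PATH must end with a slash: " + grantUri);
  }
  return { domain, path };
}

// The managed-privilege namespace a single grant covers, e.g.
// ".../acme.com/publishing/" -> "http://acme.com/publishing/".
function managedScope(grantUri) {
  const { domain, path } = parseGrant(grantUri);
  return "http://" + domain + path; // scheme mapping is an assumption
}

// True if a user holding `grants` may manage `privilegeUri`.
// Because every scope ends with "/", a prefix match cannot leak across
// sibling paths: "http://acme.com/publishing/" does not cover
// "http://acme.com/publishing-archive/".
function canManage(grants, privilegeUri) {
  return grants.some((g) => privilegeUri.startsWith(managedScope(g)));
}

// Constructed sample data mirroring the two grants on the page.
const PUBLISHING_GRANT =
  GRANT_PREFIX + "acme.com/publishing/";
const WEEKLY_GRANT =
  GRANT_PREFIX + "acme.com/publishing/updates/weekly/";

// Stand-alone demonstration.
function demo() {
  const rows = [
    [[PUBLISHING_GRANT], "http://acme.com/publishing/updates/weekly/"],
    [[PUBLISHING_GRANT], "http://acme.com/publishing-archive/"],
    [[WEEKLY_GRANT], "http://acme.com/publishing/updates/"],
    [[WEEKLY_GRANT], "http://acme.com/publishing/updates/weekly/"],
  ];
  return rows.map(([grants, priv]) => ({ priv, allowed: canManage(grants, priv) }));
}

module.exports = { GRANT_PREFIX, parseGrant, managedScope, canManage, demo };
```

Running `demo()` shows the broad grant covering the weekly subtree but not the sibling `publishing-archive/` path, and the narrow grant covering only `updates/weekly/`; a grant written without the trailing slash is rejected by `parseGrant` rather than silently widening the scope.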