Enabling Non-privileged Users to Create and Manage Users (Data Users)
The http://marklogic.com/xdmp/privileges/create-data-user privilege allows non-admin users (with the manage role) to create and manage users.
- data user: created by a data manage (non-admin) user
- data role: created by a data manage (non-admin) user
- data manage user for data users:
  - a non-admin user that can create and manage users
  - can only manage (edit and delete) the users it created itself or was granted
  - may be the same data manage user that creates data roles and data users
  - requires one role that includes the create-data-user privilege and the manage role (or privilege)
  - the user itself can be created by admin or by another data manage user
  - optional grant-my-role privilege to grant roles or to create another data manage user
  - can grant the data users it created or was granted to other data roles
- created data users are attached to the roles (those with the create-data-user privilege) that the data manage user owns:
  - tracked by an internal data-user-edit-<USERID> privilege created for every data user
  - every data manage user (new or existing) granted the above roles can also manage these data users
  - this shares responsibility for managing data users through a common data role
An optional privilege, http://marklogic.com/xdmp/privileges/user-set-queries, is required to create data users with query-based access control (QBAC) queries. The http://marklogic.com/xdmp/privileges/user-get-queries privilege is needed for reading the QBAC queries on the data users. For more information on QBAC, see Query-Based Access Control.
For example:
Create a role (demo-data-user-role-one) and grant that role the create-data-user privilege.

curl -s --anyauth -u admin:admin -H "content-type:application/json" \
  -X POST -d "{\"role-name\": \"demo-data-user-role-one\", \
  \"description\": \"A role for demonstrating the create-data-user privilege\", \
  \"privilege\": [ { \"privilege-name\": \"create-data-user\", \
  \"action\": \"http://marklogic.com/xdmp/privileges/create-data-user\", \
  \"kind\": \"execute\"}]}" \
  http://localhost:8002/manage/v2/roles
Create another role (demo-data-user-role-two) and grant that role the create-data-user privilege.

curl -s --anyauth -u admin:admin -H "content-type:application/json" \
  -X POST -d "{\"role-name\": \"demo-data-user-role-two\", \
  \"description\": \"Second role for demonstrating the create-data-user privilege\", \
  \"privilege\": [ { \"privilege-name\": \"create-data-user\", \
  \"action\": \"http://marklogic.com/xdmp/privileges/create-data-user\", \
  \"kind\": \"execute\"}]}" \
  http://localhost:8002/manage/v2/roles
Create user demo-user-one and grant it two roles: the manage role and the newly created demo-data-user-role-one role.

curl -s --anyauth -u admin:admin -H "content-type:application/json" \
  -X POST -d "{\"user-name\": \"demo-user-one\", \
  \"password\": \"password\", \
  \"description\": \"A demo user one\", \
  \"role\": [ \"demo-data-user-role-one\", \"manage\" ] }" \
  http://localhost:8002/manage/v2/users
Also create another user, demo-user-two, and grant it the demo-data-user-role-two and manage roles.

curl -s --anyauth -u admin:admin -H "content-type:application/json" \
  -X POST -d "{\"user-name\": \"demo-user-two\", \
  \"password\": \"password\", \
  \"description\": \"A demo user two\", \
  \"role\": [ \"demo-data-user-role-two\", \"manage\" ] }" \
  http://localhost:8002/manage/v2/users
Now user demo-user-one can create a new user, demo-one-created-user:

curl -s --anyauth -u "demo-user-one:password" -H "content-type:application/json" \
  -X POST -d "{\"user-name\": \"demo-one-created-user\", \
  \"description\": \"user created by demo-user-one\" }" \
  http://localhost:8002/manage/v2/users
And user demo-user-two can create a new user, demo-two-created-user:

curl -s --anyauth -u "demo-user-two:password" -H "content-type:application/json" \
  -X POST -d "{\"user-name\": \"demo-two-created-user\", \
  \"description\": \"user created by demo-user-two\" }" \
  http://localhost:8002/manage/v2/users
The user demo-one-created-user can be updated (and also deleted) by user demo-user-one, who created it:

curl -s --anyauth -u "demo-user-one:password" -H "content-type:application/json" \
  -X PUT -d "{\"description\": \"demo-user-one updated this\"}" \
  http://localhost:8002/manage/v2/users/demo-one-created-user/properties
And user demo-user-two can update demo-two-created-user:

curl -s --anyauth -u "demo-user-two:password" -H "content-type:application/json" \
  -X PUT -d "{\"description\": \"demo-user-two updated this\"}" \
  http://localhost:8002/manage/v2/users/demo-two-created-user/properties
But these users cannot update users they did not create.

curl -s --anyauth -u "demo-user-two:password" -H "content-type:application/json" \
  -X PUT -d "{\"description\": \"demo-user-two updating demo-one-created-user\"}" \
  http://localhost:8002/manage/v2/users/demo-one-created-user/properties

This request fails:

{
  "errorResponse": {
    "statusCode": "404",
    "status": "Not Found",
    "messageCode": "SEC-USERDNE",
    "message": "SEC-USERDNE: (err:FOER0000) User does not exist: demo-one-created-user = %2"
  }
}
All users created by demo-user-two are attached to the demo-data-user-role-two role. That role can be added to demo-user-one directly, so demo-user-one can edit those users.

curl -s --anyauth -u "admin:admin" -H "content-type:application/json" \
  -X PUT -d "{\"role\": [ \"demo-data-user-role-one\", \"demo-data-user-role-two\", \"manage\" ] }" \
  http://localhost:8002/manage/v2/users/demo-user-one/properties
Now user demo-user-two, with role demo-data-user-role-two, has the appropriate privilege to edit demo-one-created-user directly. So demo-user-two can edit that user, and the previous request will succeed.