
Securing MarkLogic Server

Understanding Granular Privileges

The MarkLogic Server security model includes execute privileges. Execute privileges are identified by URIs and are assigned to roles; a user holds a privilege only through the roles granted to that user. For details on execute privileges, see Protecting XQuery and JavaScript Functions with Privileges.

For example, the following privilege allows a user to restart any forest:

http://marklogic.com/xdmp/privileges/xdmp-forest-restart

Granular privileges allow a more fine-grained approach to execute privileges. When assigning privileges to roles, you can specify not only the action to be performed but also the specific resource to which the privilege applies, by appending a resource type and identifier to the privilege URI.

For example, you may allow a user to restart a specific forest by assigning one of the following privileges to this user’s role:

http://marklogic.com/xdmp/privileges/xdmp-forest-restart/forest/forest-ID

http://marklogic.com/xdmp/privileges/xdmp-forest-restart/database/database-ID

where forest-ID is the numeric identifier of the forest and database-ID is the identifier of the database to which the forest is attached.

You create a privilege whose action is one of these fine-grained URIs, assign it to a role, and assign that role to a user. A user who holds only that role can then restart the specified forest, or the forests attached to the specified database, but no other forest. The unqualified privilege http://marklogic.com/xdmp/privileges/xdmp-forest-restart remains the broad one: a role that holds it can restart any forest.
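The following XQuery shows the three steps above end to end with the MarkLogic Security API (sec:create-role, sec:create-privilege, sec:user-add-roles, and xdmp:forest to resolve the forest ID). It is an added example, not code from the MarkLogic documentation. The forest name "Documents", the role name "documents-forest-restarter", the privilege name "restart-documents-forest" and the user "ops-user" are assumptions for illustration; the Security API functions must be evaluated against the Security database (for example from Query Console with the Security database selected, or via xdmp:invoke with a database option).

```xquery
xquery version "1.0-ml";

(: Security API functions live in this library module. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Assumed names for this example; replace with your own forest, role and user. :)
declare variable $forest-name := "Documents";
declare variable $role-name   := "documents-forest-restarter";
declare variable $priv-name   := "restart-documents-forest";
declare variable $user-name   := "ops-user";

(: Resolve the forest name to its numeric ID; the granular URI embeds the ID, not the name. :)
let $forest-id := xdmp:forest($forest-name)

(: Granular action URI: the general xdmp-forest-restart privilege URI,
   qualified with /forest/<forest-ID>. Use /database/<database-ID> with
   xdmp:database($db-name) instead to cover every forest of one database. :)
let $action := fn:concat(
  "http://marklogic.com/xdmp/privileges/xdmp-forest-restart/forest/",
  xs:string($forest-id))

return (
  (: 1. A role with no inherited roles, default permissions or collections. :)
  sec:create-role($role-name,
    fn:concat("May restart only the ", $forest-name, " forest"),
    (), (), ()),

  (: 2. An execute privilege whose action is the granular URI, granted to that role.
        The kind is "execute" (as opposed to a "uri" privilege). :)
  sec:create-privilege($priv-name, $action, "execute", $role-name),

  (: 3. Grant the role to the user. :)
  sec:user-add-roles($user-name, $role-name),

  fn:concat("Granted ", $action, " to ", $user-name, " via role ", $role-name)
)
```

After this runs, ops-user can call xdmp:forest-restart(xdmp:forest("Documents")) successfully, while the same call against a forest not covered by the granular URI (and not covered by any other privilege the user's roles hold) is rejected with a privilege error. Because the URI carries the forest ID rather than its name, a privilege created this way stays bound to that forest even if the forest is renamed, and must be recreated if the forest is deleted and recreated under a new ID.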