Using Execute Privileges
The basic steps for using execute privileges are:
Create the privilege.
Assign the privilege to a role.
Write code to test for the privilege.
You create privileges and assign them to roles using the Admin Interface.
To test for a privilege, use xdmp:security-assert() (XQuery) or xdmp.securityAssert() (JavaScript). This function tests to determine if the user running the code has the specified privilege. If the user possesses the privilege, then the code continues to execute. If the user does not possess the privilege, then the server throws an exception, which the application can catch and handle.
For example, to create an execute privilege to control the access to an XQuery function called display-salary, use the following steps:
Use the Admin Interface to create an execute privilege named
allow-display-salary.Assign any URI (for example,
http://my/privs/allow-display-salary) to the execute privilege.Assign a role to the privilege. You may want to create a specific role for this privilege depending on your security requirements.
Finally, in your
display-salary()XQuery function, include anxdmp.securityAssert()call to test for theallow-display-salaryexecute privilege as follows:
xquery version "1.0-ml";
declare function display-salary (
$employee-id as xs:unsignedLong)
as xs:decimal
{
xdmp:security-assert("http://my/privs/allow-display-salary", "execute"),
...
} ;