Securing MarkLogic Server

Changes to Security Module APIs

The following security APIs, sec:create-user() and sec:create-role(), are updated so that queries can be attached to users and roles:

sec:create-user(
  $user-name as xs:string,
  $description as xs:string?,
  $password as xs:string,
  $role-names as xs:string*,
  $permissions as element(sec:permission)*,
  $collections as xs:string*,
  [$external-names as xs:string*],
  [$queries as map:map]
) as xs:unsignedLong

sec:create-role(
  $role-name as xs:string,
  $description as xs:string?,
  $role-names as xs:string*,
  $permissions as element(sec:permission)*,
  $collections as xs:string*,
  [$compartment as xs:string?],
  [$external-names as xs:string*],
  [$queries as map:map]
) as xs:unsignedLong

The $queries argument is a map from capability names to cts:query values.

The capabilities associated through permissions are read, insert, update, node-update, and execute. For more information about document permissions, see Capabilities Associated through Permissions. Note that, for QBAC queries, an operation that requires the node-update capability is checked against the node-update query, and an operation that requires the update capability is checked against the update query; this keeps the model simple. The node-update capability is not a subset of the update capability.

These new APIs are added to support QBAC:

sec:role-get-queries($role-name as xs:string) as map:map

The sec:role-get-queries() function requires the privilege http://marklogic.com/xdmp/privileges/role-get-queries.

sec:role-set-queries(
  $role-name as xs:string,
  $queries as map:map
  ) as empty-sequence()

The sec:role-set-queries() function requires the privilege http://marklogic.com/xdmp/privileges/role-set-queries.

sec:role-set-query(
  $role-name as xs:string,
  $capability as xs:string,
  $query as cts:query?
  ) as empty-sequence()

The sec:role-set-query() function requires the privilege http://marklogic.com/xdmp/privileges/role-set-queries.

sec:user-get-queries($user-name as xs:string) as map:map

The sec:user-get-queries() function requires the privilege http://marklogic.com/xdmp/privileges/user-get-queries.

sec:user-set-queries(
  $user-name as xs:string,
  $queries as map:map
  ) as empty-sequence()

The sec:user-set-queries() function requires the privilege http://marklogic.com/xdmp/privileges/user-set-queries.

sec:user-set-query(
  $user-name as xs:string,
  $capability as xs:string,
  $query as cts:query?
  ) as empty-sequence()

The sec:user-set-query() function requires the privilege http://marklogic.com/xdmp/privileges/user-set-queries.
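The following is an added example, not code from the MarkLogic documentation, that ties the updated sec:create-role() signature to the new sec:role-set-query() and sec:role-get-queries() functions. It assumes the map keys are the capability names ("read", "update", "node-update", "insert"), that the query runs against the Security database with a user holding the corresponding privileges, and that the role name, the department element and the drafts collection are constructed for illustration.

```xquery
xquery version "1.0-ml";
(: Added example, not from the MarkLogic documentation. Run against the
   Security database with a user holding the create-role,
   role-set-queries and role-get-queries privileges. The role name and
   the <department> element are constructed for illustration. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Capability -> cts:query map. update and node-update are set
   separately: node-update is not a subset of update. :)
let $finance := cts:element-value-query(xs:QName("department"), "finance")
let $queries := map:new((
  map:entry("read",        $finance),
  map:entry("update",      $finance),
  map:entry("node-update", $finance)))
return sec:create-role(
  "finance-analyst",
  "Analysts limited to finance documents by QBAC",
  (), (), (),   (: inherited roles, permissions, collections :)
  (), (),       (: compartment, external names :)
  $queries)
;
xquery version "1.0-ml";
(: Each ';' starts a new transaction, so the role created above is
   committed and visible to this statement. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Narrow a single capability without disturbing the others. :)
sec:role-set-query(
  "finance-analyst",
  "insert",
  cts:and-query((
    cts:element-value-query(xs:QName("department"), "finance"),
    cts:collection-query("drafts"))))
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Verify: list each capability and the query now attached to it. :)
let $q := sec:role-get-queries("finance-analyst")
for $cap in map:keys($q)
order by $cap
return $cap || ": " || xdmp:describe(map:get($q, $cap))
```

The final statement should list insert, node-update, read and update, each with its cts:query; execute carries no query because none was set.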