What is QBAC?
Prior to the addition of this feature, a secure data access query is formed solely based on permissions from the effective user roles. QBAC augments this security query with more general CTS queries to provide more flexible data access rules. These queries are associated with roles and users and are added to the security queries to constrain and check access permissions. This allows you to define access policies based on document contents or metadata, and to change those policies without re-processing the document permissions, and without having to write triggers or code to monitor when document contents change.
There are two types of QBAC queries: queries on roles and queries on users. Queries on roles are definitional: a document that passes the role query is treated as having the corresponding permission for that role, so a user with that role may also see the document. Queries on users are restrictive: the user may only see the documents that pass the query. When the server checks queries, the queries on uncompartmented roles are ORed, and the queries on users are ANDed. So, queries on roles expand the scope what is authorized for that role, while queries on users restrict the scope of what is authorized.
Secure data access at the fundamental level in MarkLogic Server is constrained by a security query. Unsecured data access is used only for the admin user or for certain internal lookups or fetches. All user-facing APIs that access data stored in the database are secured in this fashion, whether using a cts:search, a lexicon call such as cts:values, a SQL or SPARQL query that accesses triples, an update operation such as xdmp:node-replace, or the execution of a module.
As a result, QBAC can integrate with all the existing MarkLogic Server security features, such as Compartment Security, Element Level Security (ELS), triples and protected collections. For example, when a path is protected by ELS, QBAC will not leak information about the contents. However, extra care should be taken when setting up security model combining both queries and other security features.
Note
Users with QBAC document access are not able to read document properties. This is a design limitation. Users with QBAC document access do not have properties access by default, unless the QBAC query explicitly matches document properties through a CTS query. However, QBAC access to document properties gives access to the document itself by default.