
Securing MarkLogic Server

The admin and security Roles

MarkLogic Server has a special role named admin. The admin role has full authority to do everything in MarkLogic Server, regardless of the permissions or privileges set. In general, the admin role is only for administrative activities and should not be used to load data and run applications. Use extreme caution when assigning users the admin role, because it gives them the authority to perform any activity in MarkLogic Server, including adding or deleting users, adding or deleting documents, changing passwords, and so on.

Users with the admin-ui-user role may view the Admin Interface but do not have access to data or the ability to make administrative changes. For more information, see The admin-ui-user role in Administrating MarkLogic Server.

MarkLogic Server also has a built-in role named security. Users who are part of the security role have execute privileges to perform security-related tasks on the system using the functions in the security.xqy Library Module. Use extreme caution when assigning users the security role, because it gives the user the ability to utilize or assign the admin role.

The security role does not have access to the Admin Interface. To access the Admin Interface, a user must have the admin role or the admin-ui-user role. The security role provides the privileges to execute functions in the security.xqy module, which has functions to perform actions such as creating users and creating roles. For details on managing security objects programmatically, see Creating and Configuring Roles and Users and User Maintenance Operations in the Scripting Administrative Tasks Guide.
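
The following audit sketch is an added example, not MarkLogic code: it lists every user who effectively holds admin or security, with the chain of roles that grants it, so an indirect grant through a custom role is visible. It assumes roles can inherit other roles; the user names, custom role names and the dictionary layout are constructed sample data, not a MarkLogic export format.

```python
from collections import deque

# Constructed sample data (hypothetical layout, not a MarkLogic format):
# role -> roles it inherits, user -> roles assigned directly.
ROLE_INHERITS = {
    "admin": [], "security": [], "admin-ui-user": [],
    "app-writer": ["app-reader"],
    "app-reader": [],
    "ops-lead": ["ops-tools"],
    "ops-tools": ["security", "ops-lead"],  # cycle plus an indirect security grant
}
USER_ROLES = {
    "alice": ["admin"],
    "bob": ["app-writer", "admin-ui-user"],  # view-only Admin Interface access
    "carol": ["ops-lead"],
    "loader-svc": ["app-writer"],
}

# security can use or assign admin, so it is reviewed like admin itself.
SENSITIVE = {"admin", "security"}


def sensitive_paths(direct_roles, role_inherits=ROLE_INHERITS):
    """Return {sensitive_role: shortest inheritance chain that grants it}."""
    found, seen = {}, set()
    queue = deque([r] for r in direct_roles)
    while queue:
        chain = queue.popleft()
        role = chain[-1]
        if role in seen:  # guards against inheritance cycles
            continue
        seen.add(role)
        if role in SENSITIVE:
            found.setdefault(role, chain)
        for parent in role_inherits.get(role, []):
            queue.append(chain + [parent])
    return found


def audit(user_roles=USER_ROLES, role_inherits=ROLE_INHERITS):
    """Map each user holding admin or security to the chains that grant it."""
    report = {}
    for user, roles in sorted(user_roles.items()):
        paths = sensitive_paths(roles, role_inherits)
        if paths:
            report[user] = paths
    return report
```

With the sample data, `audit()` reports alice (admin, assigned directly) and carol (security, reached through ops-lead and ops-tools); bob's admin-ui-user role is not flagged.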