
Securing MarkLogic Server

Protecting the Execution of XQuery Modules

One simple way to restrict access to your MarkLogic Server application is to limit the users that have permission to run the application. If you load your XQuery code into a modules database, you can use an execute permission on the XQuery document itself to control who can run it. A user must then possess execute permission on the module to run it. To set up a module this way, perform the following steps:

  1. Using the Admin Interface, specify a modules database in the configuration for the app server (HTTP or WebDAV) that controls the execution of your XQuery module.

  2. Load the XQuery module into the modules database using a URI with an .xqy extension like my_module.xqy.

  3. Set execute permissions on the XQuery document for a given role. For example, if you want users with the run_application role to be able to execute an XQuery module with the URI http://modules/my_module.xqy, run a query similar to the following:

    (: Replaces any existing permissions on the module document. :)
    xdmp:document-set-permissions("http://modules/my_module.xqy",
          xdmp:permission("run_application", "execute") )

  4. Create the run_application role.

  5. Assign the run_application role to the users who can run this application.

Now only users with the run_application role can execute this document.
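To confirm the result of the steps above, the following added example (not part of the MarkLogic documentation) reports whether run_application holds the execute permission on the module and whether any other role does too. It assumes the query is evaluated against the modules database by a user who can read the module document; the local:audit-execute function and the audit report format are hypothetical names chosen for this example.

```xquery
xquery version "1.0-ml";

declare namespace sec = "http://marklogic.com/xdmp/security";

(: Values taken from the steps above. :)
declare variable $module-uri    := "http://modules/my_module.xqy";
declare variable $expected-role := "run_application";

(: Hypothetical helper, not a MarkLogic built-in: compares the roles that hold
   "execute" on $uri with the one role that is supposed to hold it. :)
declare function local:audit-execute(
  $uri  as xs:string,
  $role as xs:string
) as element(audit)
{
  if (fn:not(fn:doc-available($uri))) then
    <audit uri="{$uri}" status="module-not-found"/>
  else
    (: xdmp:role raises an error if the role has not been created yet. :)
    let $expected-id := xdmp:role($role)
    let $exec-ids :=
      for $p in xdmp:document-get-permissions($uri)
      where $p/sec:capability eq "execute"
      return xs:unsignedLong($p/sec:role-id)
    let $extra-ids := fn:distinct-values($exec-ids[. ne $expected-id])
    let $status :=
      if (fn:not($exec-ids = $expected-id)) then "expected-role-lacks-execute"
      else if (fn:exists($extra-ids)) then "other-roles-can-execute"
      else "ok"
    return
      <audit uri="{$uri}" status="{$status}">{
        for $id in $extra-ids
        return <unexpected-role-id>{$id}</unexpected-role-id>
      }</audit>
};

local:audit-execute($module-uri, $expected-role)
```

A status other than ok means the module's permissions differ from what the steps intend.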

Note

Because your application could also contain amped functions, this technique can help restrict access to applications that use amps.