Update
The update capability provides the authority to modify content in the document or delete the document. However, update does not provide the authority to read the document. Reading the document requires the read capability. Users with update capability, but not read capability, can call the xdmp:document-delete() and xdmp:document-insert() functions successfully. However, node update functions, such as xdmp:node-replace(), xdmp:node-delete(), and xdmp:node-insert-after(), cannot be called successfully. Node update functions require a node from the document as a parameter. If users cannot read the document, they cannot access the node in the document and supply it as a parameter.
There is a way to get around the issue with node update functions. The update capability provides the authority to change the permissions on a document. Therefore, you can use the xdmp:document-add-permissions() function to add a new permission to the document with read capability for a given role. Users with both read and update capabilities can call node update functions successfully.