Powered by Zoomin Software. For more details please contactZoomin

Content Processing Framework

Filters

Clear All Filters
Product
Format
Clear All Filters
Current publication

Security Considerations With Content Processing

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
Feedback
Print
HomeContent Processing FrameworkSecurity Considerations With Content ProcessingCurrent page
Table of Contents

Security Considerations With Content Processing

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
Feedback
Print
  • Last Updated:February 19, 2025
  • 2 minute read
    • MarkLogic Server
    • Version 11.0
    • Documentation

This chapter describes security considerations to be aware of when using the MarkLogic Server Content Processing Framework, and includes the following sections:

Security Requirements for Users Who Create or Modify Documents

When a document is loaded into a database, the user who loads the document must possess the appropriate privileges to create and/or modify the document. This is true in any application, including a content processing application.

For example, if a content processing application has users who add documents to a database via a WebDAV client, then the user who accesses the WebDAV client must be granted a role with the necessary permissions and privileges to create documents in the context defined by the WebDAV configuration. For details on roles, permissions, and privileges, see Security Guide.

Security Requirements When Modules Perform Privileged Operations

Any modules that are invoked by content processing applications will evaluate as the user who made the change to the document. If that user does not have the privilege to perform the operations in the invoked XQuery module, the module transaction will fail.

Certain MarkLogic Server operations require privileges to execute. For example, xdmp:email, xdmp:eval, xdmp:eval-in, xdmp:invoke, and xdmp:invoke-in all require that users possess their corresponding execute privileges. Therefore, if your modules perform any privileged operations, you either need to deal with the privileges in the XQuery code (with an amp, for example), grant your users a role with the required privileges, or handle the exceptions for unprivileged users in your XQuery code. The pipeline-execution role, predefined in the server, is used (with an amp) to allow users to run the xdmp:eval and xdmp:invoke functions in certain contexts in the content processing code.

Security Roles for Managing Content Processing

MarkLogic Server includes the following pre-defined roles for managing content processing applications:

  • pipeline-execution

    Used in the XQuery code to allow any user (who can write a document to the domain) to execute code in the pipeline.

  • pipeline-management

    Required to create, modify, or delete pipelines.

  • domain-management

    Required to create, modify, or delete domains.

On This Topic
LikeDislike
TitleResults for “How to create a CRG?”Also Available inAlert