
MarkLogic Server 11.0 Product Documentation
sec functions

The table below lists all the sec built-in functions (in this namespace: http://marklogic.com/xdmp/security).

The security function module is installed as the following file:

install_dir/Modules/MarkLogic/security.xqy

where install_dir is the directory in which MarkLogic Server is installed.

To use the security.xqy module in your own XQuery modules, include the following line in your XQuery prolog:

import module "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy"

In Server-Side JavaScript (the function names in the table below are the JavaScript forms), load the same module with:

const sec = require("/MarkLogic/security.xqy");

The library uses the sec: namespace, which is predefined in the server, so the prefix does not need to be declared.

NOTE:  When using these functions to administer security for an application, be sure to execute them against the security database configured for your application's database. Function calls in this library can only be executed against a security database (for example, Security); the database named Security is created automatically when MarkLogic Server is installed and is the default security database. To execute these functions against the security database, either specify the database option in xdmp:eval or xdmp:invoke (or xdmp:invoke-function), or run the code in an App Server whose database is your security database. Running them against a content database fails rather than silently writing security documents into the wrong place.
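The following XQuery main module is an added worked example of the pattern the note describes; it is not code from this page or from MarkLogic. It assumes illustrative names (role report-reader, user report-svc, privilege report-run with an example.com action URI) and a caller-supplied password; none of these come from the page. It wraps each security change in xdmp:invoke-function with the database option set to the security database, creates a role that inherits nothing, an execute privilege granted only to that role, and a service user holding only that role, and then verifies that the user ended up with exactly the intended role and privilege and nothing more.

```xquery
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Illustrative names; these are assumptions for the example, not values
   taken from this page. :)
declare variable $ROLE   as xs:string := "report-reader";
declare variable $USER   as xs:string := "report-svc";
declare variable $PRIV   as xs:string := "report-run";
declare variable $ACTION as xs:string := "http://example.com/privileges/report-run";

(: Run $f against the security database regardless of which database the
   calling App Server uses. The update option is set explicitly because the
   body is a closure, so the server cannot infer statically that it updates. :)
declare function local:in-security-db($f as function() as item()*) as item()*
{
  xdmp:invoke-function($f,
    <options xmlns="xdmp:eval">
      <database>{xdmp:security-database()}</database>
      <update>true</update>
    </options>)
};

(: Idempotent setup: a role that inherits no other roles, one execute
   privilege granted only to that role, and a service user that holds only
   that role. $password is supplied by the caller, never hard-coded. :)
declare function local:setup($password as xs:string) as xs:string*
{
  local:in-security-db(function() {
    (
      if (sec:role-exists($ROLE)) then "role: exists"
      else (
        let $_ := sec:create-role($ROLE, "read-only report access",
                    (),                               (: no inherited roles :)
                    (xdmp:permission($ROLE, "read")), (: default permission on new docs :)
                    ())                               (: no default collections :)
        return "role: created"
      ),
      if (sec:privilege-exists($ACTION, "execute")) then "privilege: exists"
      else (
        let $_ := sec:create-privilege($PRIV, $ACTION, "execute", $ROLE)
        return "privilege: created"
      ),
      if (sec:user-exists($USER)) then "user: exists"
      else (
        let $_ := sec:create-user($USER, "report service account", $password,
                    $ROLE, (), ())
        return "user: created"
      )
    )
  })
};

(: The check a reviewer wants: the user holds exactly the intended role,
   the privilege resolves through that role, and admin is not among its roles. :)
declare function local:verify() as element(check)
{
  local:in-security-db(function() {
    let $roles := sec:user-get-roles($USER)
    let $privs := sec:user-privileges($USER)
    return
      <check user="{$USER}">
        <roles>{fn:string-join($roles, ",")}</roles>
        <only-intended-role>{$roles = $ROLE and fn:count($roles) eq 1}</only-intended-role>
        <has-privilege>{fn:exists($privs[sec:action = $ACTION])}</has-privilege>
        <is-admin>{$roles = "admin"}</is-admin>
      </check>
  })
};

(: Usage. The password literal is a placeholder; in practice pass a value
   obtained from a secret store. :)
local:setup("replace-with-a-generated-secret"),
local:verify()
```

Because the closure passed to xdmp:invoke-function runs in its own transaction against the security database, the exists-checks and the create calls for one object see the same state, which is what makes re-running the module safe. The verification deliberately asserts on what the user can actually do (sec:user-privileges) rather than on what was configured, so an accidentally inherited role would show up in the report.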

235 functions
Function name Description
sec.addQueryRolesets This function adds query rolesets to the Security database.
sec.ampAddRoles Adds the roles ($role-names) to the list of roles granted to the amp ($namespace, $local-name, $document-uri).
sec.ampDocCollections Returns a sequence of strings corresponding to the collection URIs that amps belong to.
sec.ampDocPermissions Returns a sequence of permission elements that all newly created amp documents receive.
sec.ampExists This function returns true if the specified amp exists in the security database.
sec.ampGetRoles Returns a sequence of role names for the roles directly assigned to the amp ($namespace, $local-name, $document-uri).
sec.ampRemoveRoles Removes a role ($role-name) from the set of roles included by the amp ($namespace, $local-name, $document-uri).
sec.ampsChangeModulesDatabase This function changes all amps that refer to one modules database to refer to a different database.
sec.ampsCollection Returns a string corresponding to the uri for the amps collection.
sec.ampSetRoles Assigns the amp identified by $namespace, $local-name and $document-uri to have the roles identified by $roles-names.
sec.checkAdmin Throws an error if the current user does not have the admin-ui privilege.
sec.collectionAddPermissions Add the permissions $permissions to the protected collection identified by $uri.
sec.collectionGetPermissions Returns a sequence of permission elements corresponding to the current permissions granted to the protected collection identified by $uri.
sec.collectionRemovePermissions Removes the permissions $permissions from the protected collection identified by $uri.
sec.collectionsCollection Returns a string corresponding to the uri for the protected collections collection.
sec.collectionSetPermissions Sets the permissions of a protected collection identified by $uri to $permissions.
sec.compartmentGetRoles This function returns a list of roles in the specified compartment.
sec.createAmp Creates a new amp in the system database for the context database.
sec.createCredential This function creates a new security credential with the specified values.
sec.createExternalSecurity This function creates an external authentication configuration object and returns the id of the configuration.
sec.createPrivilege Creates a new privilege and returns the new privilege-id.
sec.createRole Creates a new role in the system database for the context database.
sec.createUser Creates a new user in the system database for the context database.
sec.createUserWithRole Creates a new user in the system database for the context database.
sec.credentialGetCertificate This function returns the certificate for a credential, if it exists.
sec.credentialGetDescription This function returns the description of the specified credential.
sec.credentialGetId This function returns the ID of the specified credential.
sec.credentialGetPassword This function returns the encrypted password for a credential, if it exists.
sec.credentialGetPermissions This function returns the permissions for a credential.
sec.credentialGetPrivateKey This function returns the private key for a credential, if it exists.
sec.credentialGetSigning This function returns the signing flag for a credential.
sec.credentialGetTargets This function returns the targets for a credential, if they exist.
sec.credentialGetUsername This function returns the username for a credential, if it exists.
sec.credentialSetCertificate This function updates the certificate for the credential.
sec.credentialSetDescription This function updates the description for the specified credential.
sec.credentialSetName This function updates the name of a credential.
sec.credentialSetPassword This function updates the password for the specified credential.
sec.credentialSetPermissions This function updates the permission for the specified credential.
sec.credentialSetSigning This function updates the signing flag for the specified credential.
sec.credentialSetTargets This function updates the targets for the specified credential.
sec.credentialSetUsername This function updates the username for the specified credential.
sec.credentialsGetAws Returns the Amazon Web Services access key, secret key, and session token (if one exists) used to access the Amazon Simple Storage Service.
sec.credentialsGetAzure Returns the Azure storage account name and access key used to access Microsoft Azure Blob Storage.
sec.credentialsSetAws Sets the Amazon Web Services credentials.
sec.credentialsSetAzure Sets the Azure storage account name and access key.
sec.externalSecurityAddOauthJwtSecrets This function adds the list of JWT key-ID/key pairs into the given external security object.
sec.externalSecurityClearCache This function clears the login cache in the named external authorization configuration object.
sec.externalSecurityGetAuthentication This function returns the authentication protocol set in the named external authorization configuration object.
sec.externalSecurityGetAuthorization This function returns the authorization scheme set in the named external authorization configuration object.
sec.externalSecurityGetCacheTimeout This function returns the login cache timeout (in seconds) set in the named external authorization configuration object.
sec.externalSecurityGetDescription This function returns the description set in the named external authorization configuration object.
sec.externalSecurityGetHttpOptions This function returns the http options for the named SAML server configuration.
sec.externalSecurityGetLdapAttribute This function returns the LDAP attribute for user lookup set in the named external authorization configuration object.
sec.externalSecurityGetLdapBase This function returns the LDAP base for user lookup set in the named external authorization configuration object.
sec.externalSecurityGetLdapBindMethod This function returns the bind method set on the named external security object.
sec.externalSecurityGetLdapCertificate This function returns the LDAP client certificate set for the named external security configuration.
sec.externalSecurityGetLdapDefaultUser This function returns the default LDAP user name set in the named external authorization configuration object.
sec.externalSecurityGetLdapMemberAttribute This function returns the member attribute for the specified LDAP server.
sec.externalSecurityGetLdapMemberofAttribute This function returns the memberof attribute for the specified LDAP server.
sec.externalSecurityGetLdapNegativeCacheTimeout This function returns the ldap-negative-cache-timeout setting for the named external security configuration.
sec.externalSecurityGetLdapNestedLookup This function returns a boolean value specifying whether ldap nested group lookups are enabled.
sec.externalSecurityGetLdapPrivateKey This function returns the private key set for the named external security configuration.
sec.externalSecurityGetLdapRemoveDomain This function returns the ldap-remove-domain setting for the named external security configuration.
sec.externalSecurityGetLdapServerUri This function returns the LDAP server uri set in the named external authorization configuration object.
sec.externalSecurityGetLdapStartTls This function returns the ldap-start-tls setting for the named external security configuration.
sec.externalSecurityGetOauthClientId This function returns the OAuth client id for the named external security configuration.
sec.externalSecurityGetOauthFlowType This function returns the OAuth flow type for the named external security configuration.
sec.externalSecurityGetOauthJwksUri This function returns the OAuth JWKS URI for the named external security configuration.
sec.externalSecurityGetOauthJwtAlg This function returns the OAuth JWT algorithm for the named external security configuration.
sec.externalSecurityGetOauthJwtIssuerUri This function returns the OAuth JWT Issuer URI for the named external security configuration.
sec.externalSecurityGetOauthJwtSecrets This function returns the OAuth JWT key-IDs for the named external security configuration.
sec.externalSecurityGetOauthPrivilegeAttribute This function returns the OAuth privilege attribute for the named external security configuration.
sec.externalSecurityGetOauthRoleAttribute This function returns the OAuth role attribute for the named external security configuration.
sec.externalSecurityGetOauthTokenType This function returns the OAuth token type for the named external security configuration.
sec.externalSecurityGetOauthUsernameAttribute This function returns the OAuth username attribute for the named external security configuration.
sec.externalSecurityGetOauthVendor This function returns the OAuth-server vendor for the named external security configuration.
sec.externalSecurityGetSamlAssertionHost This function returns the SAML assertion host for the named external security configuration.
sec.externalSecurityGetSamlAttributeNames This function returns the SAML attribute names set for the named external security configuration.
sec.externalSecurityGetSamlDestination This function returns the saml destination in the external security configuration.
sec.externalSecurityGetSamlEntityId This function returns the SAML entity id set for the named external security configuration.
sec.externalSecurityGetSamlIdpCertificateAuthority This function returns the saml idp certificate authority in the external security configuration.
sec.externalSecurityGetSamlIssuer This function returns the saml issuer in the external security configuration.
sec.externalSecurityGetSamlPrivilegeAttributeName This function returns the SAML privilege attribute name set for the named external security configuration.
sec.externalSecurityGetSamlSpCertificate This function returns the saml Service Provider certificate in the external security configuration.
sec.externalSecurityRemoveOauthJwtSecrets This function removes the specified JWT secrets based on their key-ID.
sec.externalSecuritySetAuthentication This function sets the authentication protocol for the named external authorization configuration object.
sec.externalSecuritySetAuthorization This function sets the authorization scheme for the named external authorization configuration object.
sec.externalSecuritySetCacheTimeout This function sets the login cache timeout for the named external authorization configuration object.
sec.externalSecuritySetDescription This function sets the description for the named external authorization configuration object.
sec.externalSecuritySetHttpOptions This function sets the http options for the named SAML server configuration.
sec.externalSecuritySetLdapAttribute This function sets the LDAP attribute for user lookup for the named external authorization configuration object.
sec.externalSecuritySetLdapBase This function sets the LDAP base for user lookup for the named external authorization configuration object.
sec.externalSecuritySetLdapBindMethod This function sets the bind method on the named external security object.
sec.externalSecuritySetLdapCertificate This function sets the LDAP certificate and private key for the named external security configuration.
sec.externalSecuritySetLdapDefaultUser This function sets the default user name for the named external authorization configuration object.
sec.externalSecuritySetLdapMemberAttribute This function sets the member LDAP attribute for group lookup.
sec.externalSecuritySetLdapMemberofAttribute This function sets the memberof LDAP attribute for group lookup.
sec.externalSecuritySetLdapNegativeCacheTimeout This function updates the ldap-negative-cache-timeout setting in the external security configuration.
sec.externalSecuritySetLdapNestedLookup This function sets the nested-lookup boolean.
sec.externalSecuritySetLdapPassword This function sets the default user password for the named external authorization configuration object.
sec.externalSecuritySetLdapRemoveDomain This function updates the ldap-remove-domain setting in the external security configuration.
sec.externalSecuritySetLdapServerUri This function sets the LDAP server uri for the named external authorization configuration object.
sec.externalSecuritySetLdapStartTls This function updates the ldap-start-tls setting in the external security configuration.
sec.externalSecuritySetName This function sets the name of the external authorization configuration object.
sec.externalSecuritySetOauthClientId This function updates the OAuth client-id for the given external security object.
sec.externalSecuritySetOauthFlowType This function updates the OAuth flow type for the given external security object.
sec.externalSecuritySetOauthJwksUri This function updates the OAuth JWKS URI for the given external security object.
sec.externalSecuritySetOauthJwtAlg This function updates the OAuth JWT signature algorithm for the given external security object.
sec.externalSecuritySetOauthJwtSecrets This function sets the OAuth JWT secrets for the given external security object.
sec.externalSecuritySetOauthPrivilegeAttribute This function updates the OAuth privilege attribute for the given external security object.
sec.externalSecuritySetOauthRoleAttribute This function updates the OAuth role attribute for the given external security object.
sec.externalSecuritySetOauthTokenType This function updates the OAuth token type for the given external security object.
sec.externalSecuritySetOauthUsernameAttribute This function updates the OAuth username attribute for the given external security object.
sec.externalSecuritySetOauthVendor This function updates the OAuth vendor for the given external security object.
sec.externalSecuritySetSamlAssertionHost This function sets the SAML assertion host in the SAML configuration.
sec.externalSecuritySetSamlAttributeNames This function sets one or more SAML attribute names used by other security objects to identify the named SAML configuration.
sec.externalSecuritySetSamlDestination This function updates the saml destination in the external security configuration.
sec.externalSecuritySetSamlEntityId This function sets the SAML entity ID used by other security objects to identify the named SAML configuration.
sec.externalSecuritySetSamlIdpCertificateAuthority This function updates the saml idp certificate authority in the external security configuration.
sec.externalSecuritySetSamlIssuer This function updates the saml issuer in the external security configuration.
sec.externalSecuritySetSamlPrivilegeAttributeName This function sets the SAML privilege attribute name in the SAML configuration.
sec.externalSecuritySetSamlSpCertificate This function updates the saml sp certificate and private key in the external security configuration.
sec.externalSecurityUpdateOauthJwtSecrets This function updates the JWT secrets for the given JWT key-IDs in the given external security object.
sec.getAmp Returns an sec:amp element corresponding to an amp identified by ($namespace, $local-name, $document-uri).
sec.getCollection Gets the security document corresponding to a protected collection with uri equal to $uri.
sec.getCompartments This function returns a list of all of the compartments.
sec.getCredential Gets a credential.
sec.getCredentialById Gets the credential with the specified credential ID.
sec.getCredentialIds This function returns a list of all of the credential IDs in the security database.
sec.getCredentialNames This function returns a list of all of the credential names in the security database.
sec.getDistinctPermissions Returns a sequence of permission elements made up of a concatenation of $output-perms and the distinct permission elements of $input-perms.
sec.getPrivilege Returns a sec:privilege element corresponding to a privilege identified by ($action,$kind).
sec.getRoleIds Returns a sequence of unique sec:role-id elements that corresponds to the sequence of role names $role-names.
sec.getRoleNames Returns a sequence of unique sec:role-name elements that corresponds to the sequence of role IDs $role-ids.
sec.getSamlEntity This function returns the named SAML entity.
sec.getSamlEntityIds This function returns the SAML entity ids stored in the Security database.
sec.getUserNames Returns a sequence of unique sec:user-name elements that corresponds to the sequence of user IDs $user-ids.
sec.ldapServer This function configures an LDAP server for use by the sec:create-external-security function.
sec.oauthServer This function configures an OAuth server for use by the sec:create-external-security function.
sec.pathAddPermissions This function adds permissions for a protected path.
sec.pathGetPermissions This function gets a list of permissions for the path named.
sec.pathRemovePermissions This function removes permissions for a protected path.
sec.pathSetPermissions This function sets the permissions for a protected path.
sec.privDocCollections Returns a sequence of strings corresponding to the collection URIs that privileges belong to.
sec.privDocPermissions Returns a sequence of permission elements that all newly created privilege documents receive.
sec.privilegeAddRoles Adds the roles ($role-names) to the list of roles assigned to the privilege ($action,$kind).
sec.privilegeExists This function returns true if the specified privilege exists.
sec.privilegeGetRoles Returns a sequence of role names for the roles assigned to the privilege ($action,$kind).
sec.privilegeRemoveRoles Removes roles ($role-names) from the roles assigned to the privilege ($action,$kind).
sec.privilegesCollection Returns a string corresponding to the uri for the privileges collection.
sec.privilegeSetName Changes the sec:privilege-name of a sec:privilege to $new-privilege-name.
sec.privilegeSetRoles Assigns the privilege ($action,$kind) to have the roles identified by $role-names.
sec.protectCollection Protects a collection $uri with the given permissions ($permissions).
sec.protectedPathDocPermissions Returns a sequence of permission elements that all newly created protected-path documents receive.
sec.protectedPathsCollection This function returns the collection of protected paths.
sec.protectPath This function protects the path specified, restricting the ability to view content based on the user's permissions.
sec.queryRoleset This function creates a query roleset that can be passed into a function used to add or remove rolesets.
sec.queryRolesets This is a helper function to return a query-rolesets element from a list of query-roleset elements.
sec.queryRolesetsCollection This function returns the collection of query rolesets.
sec.queryRolesetsDocPermissions Returns a sequence of permission elements that all newly created query-rolesets documents receive.
sec.queryRolesetsId This function returns the ID of a query-rolesets.
sec.removeAmp Removes the amp ($namespace, $local-name, $document-uri, $database) and returns empty-sequence().
sec.removeCredential This function removes the specified credential.
sec.removeCredentialById This function removes the specified credential.
sec.removeExternalSecurity This function deletes the named external authentication configuration object.
sec.removePath This function removes protection from the specified protected path and removes the path from the Security database.
sec.removePrivilege Removes the privilege identified by ($action,$kind).
sec.removeQueryRolesets This function removes query rolesets from the Security database.
sec.removeRole Removes the role ($role-name).
sec.removeRoleFromAmps Removes references to the role ($role-name) from all amps.
sec.removeRoleFromPrivileges Removes references to the role ($role-name) from all privileges.
sec.removeRoleFromRoles Removes references to the role ($role-name) from all other roles.
sec.removeRoleFromUsers Removes references to the role ($role-name) from all users.
sec.removeUser Removes the user with name $user-name.
sec.resecureCredentials This function re-encrypts credentials, if necessary.
sec.roleAddRoles Adds new roles ($new-roles) to the role specified by $role-name.
sec.roleDocCollections Returns a sequence of strings corresponding to the collection URIs that roles belong to.
sec.roleDocPermissions Returns a sequence of permission elements that all newly created role documents receive.
sec.roleExists This function returns true if the specified role exists in the security database.
sec.roleGetCompartment This function returns the compartment for the specified role.
sec.roleGetDefaultCollections Returns a sequence of strings corresponding to the URIs of the role's default collections.
sec.roleGetDefaultPermissions Returns a sequence of permission elements corresponding to the role's default permissions.
sec.roleGetDescription Returns the description for the specified role.
sec.roleGetExternalNames This function returns the external LDAP group names assigned to the named role.
sec.roleGetQueries Returns the queries for the specified role.
sec.roleGetRoles Returns a sequence of role names for the roles directly assigned to the given role ($role-name).
sec.rolePrivileges Returns a set of privilege elements corresponding to all privileges that a role has.
sec.roleRemoveRoles Removes the roles ($role-names) from the set of roles included by the role ($role-name).
sec.rolesCollection Returns a string corresponding to the uri for the roles collection.
sec.roleSetDefaultCollections Sets the default collections of a role with name $role-name to $collections.
sec.roleSetDefaultPermissions Sets the default permissions for a role with name $role-name.
sec.roleSetDescription Changes the description of the role identified by $role-name to $description.
sec.roleSetExternalNames This function sets a role to be matched to one or more external LDAP distinguished names.
sec.roleSetName Changes the sec:role-name of a role from $role-name to $new-role-name.
sec.roleSetQueries Sets the queries of a role with name $role-name to $queries.
sec.roleSetQuery Sets the $capability query of a role with $role-name to $query.
sec.roleSetRoles Assigns roles (named $role-names) to be the set of included roles for the role ($role-name).
sec.samlEntityDelete This function deletes the named SAML entity.
sec.samlEntityInsert This function inserts a SAML entity into the Security database.
sec.samlServer This function configures a SAML server for use by the sec:create-external-security function.
sec.securityCollection Returns a string corresponding to the uri for the Security collection.
sec.securityInstalled Returns fn:true() if security has been installed on the current database.
sec.securityNamespace Returns a string corresponding to the uri of the security namespace.
sec.securityPathNamespace This function creates a protected namespace.
sec.securityVersion Returns the current version of the security database.
sec.setRealm Changes the realm of this security database to $realm.
sec.uidForName Returns the uids for the named user or () if no such user exists.
sec.unprotectCollection Removes the protection of a collection $uri.
sec.unprotectPath This function removes protection from the specified protected path, without removing the path itself from the Security database.
sec.uriCredentialTarget This function generates a sec:credential-target element, for use with sec:create-credential.
sec.userAddRoles Adds the roles ($role-names) to the list of roles granted to the user ($user-name).
sec.userDocCollections Returns a sequence of strings corresponding to the collection URIs that users belong to.
sec.userDocPermissions Returns a sequence of permission elements that all newly created user documents receive.
sec.userExists This function returns true if the specified user exists in the security database.
sec.userGetDefaultCollections Returns a sequence of strings corresponding to the URIs of the user's default collections.
sec.userGetDefaultPermissions Returns a sequence of permission elements corresponding to the user's default permissions.
sec.userGetDescription Returns the user's description.
sec.userGetExternalNames This function returns the external LDAP group names assigned to the named user.
sec.userGetPasswordExtra This function returns the extra information for the specified user.
sec.userGetQueries Returns the queries for the specified user.
sec.userGetRoles Returns a sequence of role names for the roles directly assigned to the user ($user-name).
sec.userPrivileges Returns a set of privilege elements corresponding to all privileges that a user has.
sec.userRemoveRoles Removes the roles ($role-names) from the list of roles granted to the user ($user-name).
sec.usersCollection Returns a string corresponding to the uri for the users collection.
sec.userSetDefaultCollections Sets the default collections of a user with name $user-name to $collections.
sec.userSetDefaultPermissions Sets the default permissions for a user with name $user-name.
sec.userSetDescription Changes the description of the user identified by $user-name to $description.
sec.userSetExternalNames This function sets the external names for the named user.
sec.userSetName Changes the name of the user from $user-name to $new-user-name.
sec.userSetPassword Changes the password for the user identified by $user-name to $password.
sec.userSetPasswordExtra This function sets extra information for the specified user.
sec.userSetQueries Sets the queries of a user with name $user-name to $queries.
sec.userSetQuery Sets the $capability query of a user with $user-name to $query.
sec.userSetRoles Assigns the user with name $user-name to have the roles identified by $role-names.
sec.validatePermissions This function throws the SEC-NOPERMCAP exception if a permission has no capability specified, and throws the SEC-NOPERMROLEID exception if no role is specified in the permission.
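The protected-path and query-roleset functions in the table (sec.protectPath, sec.queryRoleset, sec.queryRolesets, sec.addQueryRolesets) are used together to restrict individual elements rather than whole documents. The following XQuery main module is an added example of that combination; it is not code from this page or from MarkLogic. It assumes an illustrative role (salary-reader) and element path (/employee/salary) that do not come from the page, and it must be run with the security database as the context database, for example via xdmp:invoke-function with the database option as the note at the top of this page describes.

```xquery
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Run with the security database as the context database. The role and
   path below are illustrative assumptions, not values from this page. :)
declare variable $ROLE as xs:string := "salary-reader";
declare variable $PATH as xs:string := "/employee/salary";

(: 1. A permission can only name an existing role; fail early and loudly
   rather than letting a later call raise a less specific error. :)
if (fn:not(sec:role-exists($ROLE))) then
  fn:error(xs:QName("EXAMPLE-NOROLE"),
    fn:concat("role ", $ROLE, " does not exist; create it before protecting a path"))
else (),

(: 2. Protect the element path. Only users holding a role with read
   permission on the path see the matching nodes; other users receive the
   document with those nodes absent. The empty sequence means the path uses
   no namespace prefixes, so no sec:namespace elements are needed. :)
sec:protect-path($PATH, (), (xdmp:permission($ROLE, "read"))),

(: 3. Register the query roleset for that permission set. A query only
   matches protected content when the querying user's roles are covered by
   a registered roleset; without this step $ROLE can read the node when it
   fetches the document but cannot find the document by searching on it. :)
sec:add-query-rolesets(sec:query-rolesets(sec:query-roleset($ROLE)))
```

To confirm the protection behaves as intended, read an affected document twice with xdmp:eval using the user-id option: once as a user who holds the role and once as a user who does not. The protected node should be present in the first result and absent from the second, and a search that matches only on the protected value should return the document only for the first user.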