sec:create-role( $role-name as xs:string, $description as xs:string?, $role-names as xs:string*, $permissions as element(sec:permission)*, $collections as xs:string*, [$compartment as xs:string?], [$external-names as xs:string*], [$queries as map:map] ) as xs:unsignedLong
Creates a new role in the system database for the context
database.
If $role-name is not unique, an error is returned.
If one of the $role-names does not identify a role, an error
is returned.
If the current user is limited to granting only his/her roles,
and $role-names is not a subset of the current user's roles, then an
error is returned.
Returns the role-id.
http://marklogic.com/xdmp/privileges/create-role
or create-data-role
http://marklogic.com/xdmp/privileges/grant-all-roles
orhttp://marklogic.com/xdmp/privileges/grant-my-roles
http://marklogic.com/xdmp/privileges/role-set-queries
This function must be executed against the security database.
(: execute this against the security database. :) xquery version "1.0-ml"; import module namespace sec="http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy"; sec:create-role( "Temporary", "Temporary worker access", ("filesystem-access"), (), ("testDocument")) (: Creates a new role, named "Temporary," with the default collection, named testDocument. :)
(: execute this against the security database. :) xquery version "1.0-ml"; import module namespace sec="http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy"; sec:create-role( "region-NA", "Can see NA documents.", (), (), (), "compartment-region", (), map:map()=>map:with( "read", cts:element-query(xs:QName("metadata"), cts:element-word-query(xs:QName("region"), "NA"))) ) (: Creates a new role, named "region-NA", and with compartment "compartment-region". "region-NA" has role queries which allow any users with this role to read documents that have "region-NA" in the metadata. :)
Stack Overflow: Get the most useful answers to questions from the MarkLogic community, or ask your own question.