
MarkLogic 10 Product Documentation
Administrator's Guide
— Chapter 35

Appendix C: Pre-defined Roles

The following roles are pre-defined in every installation of MarkLogic Server. To give a user the execute privileges listed for a pre-defined role, you can either add the execute privileges individually to an existing role for the user, or add the pre-defined role to the user's set of roles.

The following are the pre-built roles in MarkLogic Server:

admin

The admin role is given all privileges and permissions to perform any action in the system. There are no default permissions associated with the admin role. Users with the admin role are considered authorized administrators; they are trusted personnel and are assumed to be non-hostile and appropriately trained, and to follow proper administrative procedures.

admin-builtins

The admin-builtins role has the execute privileges to call the admin built-in functions. The execute privileges given to the admin-builtins role are:

Name Action URI
cancel-any-request http://marklogic.com/xdmp/privileges/cancel-any-request
cancel-my-request http://marklogic.com/xdmp/privileges/cancel-my-request
count-builtins http://marklogic.com/xdmp/privileges/counts
xdmp:address-bindable http://marklogic.com/xdmp/privileges/xdmp-address-bindable
xdmp:amp-roles http://marklogic.com/xdmp/privileges/xdmp-amp-roles
xdmp:castable-as http://marklogic.com/xdmp/privileges/xdmp-castable-as
xdmp:compressed-tree-cache-size http://marklogic.com/xdmp/privileges/xdmp-compressed-tree-cache-size
xdmp:compressed-tree-cache-partitions http://marklogic.com/xdmp/privileges/xdmp-compressed-tree-cache-partitions
xdmp:default-in-memory-limit http://marklogic.com/xdmp/privileges/xdmp-default-in-memory-limit
xdmp:default-in-memory-list-size http://marklogic.com/xdmp/privileges/xdmp-default-in-memory-list-size
xdmp:default-in-memory-range-index-size http://marklogic.com/xdmp/privileges/xdmp-default-in-memory-range-index-size
xdmp:in-memory-tree-size http://marklogic.com/xdmp/privileges/xdmp-in-memory-tree-size
xdmp:delete-cluster-config-file http://marklogic.com/xdmp/privileges/xdmp-delete-cluster-config-file
xdmp:delete-host-config-file http://marklogic.com/xdmp/privileges/xdmp-delete-host-config-file
xdmp:directory http://marklogic.com/xdmp/privileges/xdmp-directory
xdmp:disable-event http://marklogic.com/xdmp/privileges/xdmp-disable-event
xdmp:email http://marklogic.com/xdmp/privileges/xdmp-email
xdmp:email-address http://marklogic.com/xdmp/privileges/xdmp-email-address
xdmp:enable-event http://marklogic.com/xdmp/privileges/xdmp-enable-event
xdmp:expanded-tree-cache-size http://marklogic.com/xdmp/privileges/xdmp-expanded-tree-cache-size
xdmp:expanded-tree-cache-partitions http://marklogic.com/xdmp/privileges/xdmp-expanded-tree-cache-partitions
xdmp:forest-backup http://marklogic.com/xdmp/privileges/xdmp-forest-backup
xdmp:forest-clear http://marklogic.com/xdmp/privileges/xdmp-forest-clear
xdmp:forest-delete http://marklogic.com/xdmp/privileges/xdmp-forest-delete
xdmp:forest-restore http://marklogic.com/xdmp/privileges/xdmp-forest-restore
xdmp:forest-status http://marklogic.com/xdmp/privileges/xdmp-forest-status
xdmp:forest-keys http://marklogic.com/xdmp/privileges/xdmp-forest-keys
xdmp:get-hot-updates http://marklogic.com/xdmp/privileges/xdmp-get-hot-updates
xdmp:host-name http://marklogic.com/xdmp/privileges/xdmp-hostname
xdmp:license-accepted http://marklogic.com/xdmp/privileges/xdmp-license-accepted
xdmp:list-cache-size http://marklogic.com/xdmp/privileges/xdmp-list-cache-size
xdmp:list-cache-partitions http://marklogic.com/xdmp/privileges/xdmp-list-cache-partitions
xdmp:pre-release-expires http://marklogic.com/xdmp/privileges/xdmp-pre-release-expires
xdmp:read-cluster-config-file http://marklogic.com/xdmp/privileges/xdmp-read-cluster-config-file
xdmp:read-host-config-file http://marklogic.com/xdmp/privileges/xdmp-read-host-config-file
xdmp:restart http://marklogic.com/xdmp/privileges/xdmp-restart
xdmp:server-backup http://marklogic.com/xdmp/privileges/xdmp-server-backup
xdmp:server-import-qualities http://marklogic.com/xdmp/privileges/xdmp-server-import-qualities
xdmp:server-restore http://marklogic.com/xdmp/privileges/xdmp-server-restore
xdmp:set-hot-updates http://marklogic.com/xdmp/privileges/xdmp-set-hot-updates
xdmp:shutdown http://marklogic.com/xdmp/privileges/xdmp-shutdown
xdmp:smtp-relay http://marklogic.com/xdmp/privileges/xdmp-smtp-relay
xdmp:user-last-login http://marklogic.com/xdmp/privileges/xdmp-user-last-login
xdmp:username http://marklogic.com/xdmp/privileges/xdmp-username
xdmp:write-cluster-config-file http://marklogic.com/xdmp/privileges/xdmp-write-cluster-config-file
xdmp:write-host-config-file http://marklogic.com/xdmp/privileges/xdmp-write-host-config-file

There are no default permissions associated with the admin-builtins role.

admin-configuration-delete

The admin-configuration-delete role enables administrator users to delete configuration information.

admin-configuration-read

The admin-configuration-read role enables administrator users to read configuration information.

admin-configuration-write

The admin-configuration-write role enables administrator users to write configuration information.

admin-default

The admin-default role enables administrator users to evaluate administration default expressions.

admin-default-internal

The admin-default-internal role enables administrator users to invoke administration default expressions.

admin-module-internal

The admin-module-internal role is used internally by the Admin Library Module. Do not assign this role to any user. For details, see Scripting Administrative Tasks in MarkLogic Server in the Scripting Administrative Tasks Guide.

admin-module-read-internal

The admin-module-read-internal role is used internally by the Admin Library Module for reading. Do not assign this role to any user. For details, see Scripting Administrative Tasks in MarkLogic Server in the Scripting Administrative Tasks Guide.

admin-module-read-invoke

The admin-module-read-invoke role is used internally by the Admin Library Module for invoking functions with granular privileges. Do not assign this role to any user. For details, see Scripting Administrative Tasks in MarkLogic Server in the Scripting Administrative Tasks Guide.

admin-transform

The admin-transform role enables administrator users to evaluate transformations within the Admin API.

admin-ui-user

The admin-ui-user role enables users to have a read-only view of the Admin UI, without providing access to data, to security configuration, or write access to server configuration.

alert-admin

The alert-admin role is used for administrators of an alerting application. For details, see the Creating Alerting Applications chapter of the Search Developer's Guide.

alert-execution

The alert-execution role is used internally by the Alerting API to amp privileges in a protected way. Do not give this role to any individual users. For details, see the Creating Alerting Applications chapter of the Search Developer's Guide.

alert-internal

The alert-internal role is used internally by the Alerting API to amp privileges in a protected way. You should not give this role to any individual users. For details, see the Creating Alerting Applications chapter of the Search Developer's Guide.

alert-user

The alert-user role is used by users of an alerting application. For details, see the Creating Alerting Applications chapter of the Search Developer's Guide.

app-builder

The app-builder role provides the privileges needed to run Application Builder. Application Builder is no longer a part of MarkLogic. This role exists only for backward compatibility.

app-builder-internal

Application Builder is no longer a part of MarkLogic. This role exists only for backward compatibility.

app-user

The app-user role is a minimally privileged role that is needed to run any application that Application Builder generates. Application Builder is no longer a part of MarkLogic. This role exists only for backward compatibility.

application-plugin-registrar

The application-plugin-registrar role is used in the plugin API, and has the following execute privileges:

Name Action URI
plugin-server-fields http://marklogic.com/xdmp/privileges/plugin-server-fields
plugin-register http://marklogic.com/xdmp/privileges/plugin-register
xdmp:filesystem-directory http://marklogic.com/xdmp/privileges/xdmp-filesystem-directory
xdmp:get-server-field http://marklogic.com/xdmp/privileges/xdmp-get-server-field
xdmp:get-server-field-names http://marklogic.com/xdmp/privileges/xdmp-get-server-field-names
xdmp:invoke-modules-change-file http://marklogic.com/xdmp/privileges/xdmp-invoke-modules-change-file
xdmp:set-server-field http://marklogic.com/xdmp/privileges/xdmp-set-server-field
xdmp:set-server-field-privilege http://marklogic.com/xdmp/privileges/xdmp-set-server-field-privilege

appservices-internal

The appservices-internal role is used by Application Services to amp certain functions that Application Services performs. You should not explicitly grant the appservices-internal role to any user; it is only for internal use by Application Services.

cpf-restart

The cpf-restart role is used by CPF to control access to the CPF restart trigger. The CPF restart user should have the cpf-restart role, as well as all of the permissions and privileges that normal users have on the documents.

custom-dictionary-admin

The custom-dictionary-admin role is used to perform administrative functions (for writing dictionaries in the configuration) in the custom dictionary API.

custom-dictionary-user

The custom-dictionary-user role is used to perform user functions (for reading dictionaries in the configuration) in the custom dictionary API.

custom-language-admin-read

The custom-language-admin-read role enables a user to read custom language configuration. That is, to use functions such as clang:language-config-read.

custom-language-admin-write

The custom-language-admin-write role enables a user to modify custom language configuration. That is, to use functions such as clang:language-config-write and clang:language-config-delete. These operations change the cluster configuration file and cause a cluster-wide restart when used.

dls-admin

The dls-admin role is designed to give administrators of Library Services applications all of the privileges that are needed to use the Library Services API. It has the needed privileges to perform operations such as inserting retention policies and breaking checkouts, so only trusted users (users who are assumed to be non-hostile and appropriately trained, and to follow proper administrative procedures) should be granted the dls-admin role. Assign the dls-admin role to administrators of your Library Services application.

For details, see the Library Services Applications chapter in the Application Developer's Guide.

dls-internal

The dls-internal role is a role that is used internally by the Library Services API, but you should not explicitly grant it to any user or role. This role is used to amp special privileges within the context of certain functions of the Library Services API. Assigning this role to users would give them privileges on the system that you typically do not want them to have; do not assign this role to any users.

For details, see the Library Services Applications chapter in the Application Developer's Guide.

dls-user

The dls-user role is a minimally privileged role. It is used in the Library Services API to allow regular users of the Library Services application (as opposed to dls-admin users) to execute code in the Library Services API. It allows users with document update permission to manage, check out, and check in managed documents.

The dls-user role only has privileges that are needed to run the Library Services API; it does not provide execute privileges to any functions outside the scope of the Library Services API. The Library Services API uses the dls-user role as a mechanism to amp more privileged operations in a controlled way. It is therefore reasonably safe to assign this role to any user whom you trust to use your Library Services application. Assign the dls-user role to all users of your Library Services application.

For details, see the Library Services Applications chapter in the Application Developer's Guide.

domain-management

The domain-management role has the privileges to create and modify content processing domains. The domain-management role has no execute privileges associated with it, but it has the following default permissions:

Role Capability
domain-management Read
domain-management Update

filesystem-access

The filesystem-access role has the privileges to access the file system. The execute privileges given to the filesystem-access role are:

Name Action URI
xdmp:document-get http://marklogic.com/xdmp/privileges/xdmp-document-get
xdmp:document-load http://marklogic.com/xdmp/privileges/xdmp-document-load
xdmp:get http://marklogic.com/xdmp/privileges/xdmp-get
xdmp:load http://marklogic.com/xdmp/privileges/xdmp-load
xdmp:save http://marklogic.com/xdmp/privileges/xdmp-save

There are no default permissions associated with the filesystem-access role.

flexrep-admin

The flexrep-admin role is required to configure replication.

flexrep-internal

The flexrep-internal role is used by Flexible Replication to amp certain functions that Flexible Replication performs. You should not explicitly grant the flexrep-internal role to any user; it is only for internal use by Flexible Replication.

flexrep-user

The flexrep-user role is required to access the Replica App Server when configured for push replication and the Master App Server when configured for pull replication. The replication user must be given the flexrep-user role and have the privileges necessary to update the domain content.

hadoop-internal

The hadoop-internal role is for internal use only. Do not assign this role to any users. This role is used to amp special privileges within the context of certain functions of the Hadoop MapReduce Connector. Assigning this role to users would give them privileges on the system that you typically do not want them to have.

hadoop-user-all

The hadoop-user-all role combines the privileges of hadoop-user-read and hadoop-user-write.

hadoop-user-read

The hadoop-user-read role allows use of MarkLogic Server as an input source for a MapReduce job. This role does not grant any other privileges, so the mapreduce.marklogic.input.user may still require additional privileges to read content from the target database. The hadoop-user-read role has the following execute privileges:

Name Action URI
hadoop-user-read http://marklogic.com/xdmp/privileges/hadoop-user-read
xdbc:eval http://marklogic.com/xdmp/privileges/xdbc-eval
xdbc:eval-in http://marklogic.com/xdmp/privileges/xdbc-eval-in
xdmp:value http://marklogic.com/xdmp/privileges/xdmp-value
xdmp:with-namespaces http://marklogic.com/xdmp/privileges/xdmp-with-namespace

hadoop-user-write

The hadoop-user-write role allows use of MarkLogic Server as an output destination for a MapReduce job. This role does not grant any other privileges, so the mapreduce.marklogic.output.user may still require additional privileges to insert or update content in the target database. The hadoop-user-write role has the following execute privileges:

Name Action URI
any-uri http://marklogic.com/xdmp/privileges/any-uri
hadoop-user-write http://marklogic.com/xdmp/privileges/hadoop-user-write
unprotected-collections http://marklogic.com/xdmp/privileges/unprotected-collections
xdbc:eval http://marklogic.com/xdmp/privileges/xdbc-eval
xdbc:insert-in http://marklogic.com/xdmp/privileges/xdbc-insert-in
xdmp:with-namespaces http://marklogic.com/xdmp/privileges/xdmp-with-namespace

infostudio-admin-internal

Information Studio is no longer a part of MarkLogic. This role exists only for backward compatibility.

The infostudio-admin-internal role provides the privileges needed to handle CPF restart and resume unfinished Information Studio tasks in the event of an unexpected shutdown and restart of MarkLogic Server. When MarkLogic Server is restarted, long-running collectors resume loading documents in the database. In this situation, the original user that started the collector is unknown, so the purpose of the infostudio-admin user is to resume control of the collector.

infostudio-internal

Information Studio is no longer a part of MarkLogic. This role exists only for backward compatibility.

The infostudio-internal role is used by Information Studio to amp certain functions that Information Studio performs. You should not explicitly grant the infostudio-internal role to any user; it is only for internal use by Information Studio.

infostudio-user

Information Studio is no longer a part of MarkLogic. This role exists only for backward compatibility.

The infostudio-user role is a minimally privileged role that is needed to use Information Studio. You must grant this role to all users who are allowed to access Information Studio.

The infostudio-user role has the following execute privileges:

  • infostudio (http://marklogic.com/xdmp/privileges/infostudio)
  • unprotected-collections

manage

The manage role has the execute privilege http://marklogic.com/xdmp/privileges/manage to run the Management API. For example, non-admin users can use the manage role plus the create-data-role or create-data-user granular privileges to manage roles and create data users.

Name Action URI
manage http://marklogic.com/xdmp/privileges/manage

There are no default permissions associated with the manage role.

manage-admin

The manage-admin role has the privileges related to accessing the management API and the tiered storage API for operations that change the configuration. The execute privileges given to the manage-admin role are:

Name Action URI
manage http://marklogic.com/xdmp/privileges/manage
manage-admin http://marklogic.com/xdmp/privileges/manage-admin
ts:database-create-sub-database http://marklogic.com/xdmp/privileges/database-create-sub-database
ts:database-create-super-database http://marklogic.com/xdmp/privileges/database-create-super-database
ts:database-delete-sub-database http://marklogic.com/xdmp/privileges/database-delete-sub-database
ts:database-delete-super-database http://marklogic.com/xdmp/privileges/database-delete-super-database
ts:database-partitions http://marklogic.com/xdmp/privileges/database-partitions
ts:forest-combine http://marklogic.com/xdmp/privileges/forest-combine
ts:forest-migrate http://marklogic.com/xdmp/privileges/forest-migrate
ts:partition-create http://marklogic.com/xdmp/privileges/partition-create
ts:partition-delete http://marklogic.com/xdmp/privileges/partition-delete
ts:partition-forests http://marklogic.com/xdmp/privileges/partition-forests
ts:partition-migrate http://marklogic.com/xdmp/privileges/partition-migrate
ts:partition-resize http://marklogic.com/xdmp/privileges/partition-resize
ts:partition-set-availability http://marklogic.com/xdmp/privileges/partition-set-availability
ts:partition-set-updates-allowed http://marklogic.com/xdmp/privileges/partition-set-updates-allowed
ts:partition-transfer http://marklogic.com/xdmp/privileges/partition-transfer

There are no default permissions associated with the manage-admin role.

manage-admin-internal

The manage-admin-internal role is used to amp certain functions used by the Configuration Manager and the Management API. You should not explicitly grant the manage-admin-internal role to any user; it is only for internal use.

manage-internal

The manage-internal role is used to amp certain functions used by the Configuration Manager. You should not explicitly grant the manage-internal role to any user; it is only for internal use.

manage-user

The manage-user role has the privileges related to accessing the Configuration Manager. The execute privileges given to the manage-user role are:

Name Action URI
manage http://marklogic.com/xdmp/privileges/manage

There are no default permissions associated with the manage-user role.

merge

The merge role has the privileges related to forest merging. The execute privileges given to the merge role are:

Name Action URI
xdmp:merge http://marklogic.com/xdmp/privileges/xdmp-merge
xdmp:merging http://marklogic.com/xdmp/privileges/xdmp-merging

There are no default permissions associated with the merge role.

network-access

The network-access role has the privileges to run the xdmp:http-* functions (xdmp:http-get, xdmp:http-post, and so on). The execute privileges given to the network-access role are:

Name Action URI
xdmp:http-get http://marklogic.com/xdmp/privileges/xdmp-http-get
xdmp:http-head http://marklogic.com/xdmp/privileges/xdmp-http-head
xdmp:http-options http://marklogic.com/xdmp/privileges/xdmp-http-options
xdmp:http-delete http://marklogic.com/xdmp/privileges/xdmp-http-delete
xdmp:http-post http://marklogic.com/xdmp/privileges/xdmp-http-post
xdmp:http-put http://marklogic.com/xdmp/privileges/xdmp-http-put

pipeline-execution

The pipeline-execution role is used in the XQuery code to allow any user (who can write a document to the domain) to execute code in the pipeline.

For details, see the Content Processing Framework Guide.

pipeline-management

The pipeline-management role has the privileges to create and modify content processing pipelines. The pipeline-management role has no execute privileges associated with it, but it has the following default permissions:

Role Capability
pipeline-management Read
pipeline-management Update

pki

The pki role has the privileges to use the PKI Library functions. For details, see Configuring SSL on App Servers in the Security Guide.

plugin-internal

The plugin-internal role is used to amp certain functions associated with plugins. You should not explicitly grant the plugin-internal role to any user; it is only for internal use by the plugin API.

qconsole-internal

The qconsole-internal role is used by Query Console to amp certain functions that Query Console performs. You should not explicitly grant the qconsole-internal role to any user; it is only for internal use by Query Console.

qconsole-user

The qconsole-user role is a minimally privileged role that is needed to use Query Console. You must grant this role to all users who are allowed to use Query Console.

The qconsole-user role has the following execute privileges:

  • qconsole (http://marklogic.com/xdmp/privileges/qconsole)

rest-admin

The rest-admin role has the rest-writer and manage-user roles and allows those granted the role full access to read and write via the REST API.

rest-admin-internal

The rest-admin-internal role is used internally by the REST Library. You should not explicitly grant it to any user or role.

rest-extension-user

The rest-extension-user role enables access to resource service extension methods.

rest-internal

The rest-internal role is used internally by the REST Library. You should not explicitly grant it to any user or role.

rest-reader

The rest-reader role enables read operations through the MarkLogic REST API, such as retrieving documents and metadata.

rest-reader-internal

The rest-reader-internal role is used internally by the REST Library. You should not explicitly grant it to any user or role.

rest-writer

The rest-writer role enables write operations through the MarkLogic REST API, such as creating documents, metadata, or configuration information.

rest-writer-internal

The rest-writer-internal role is used internally by the REST Library. You should not explicitly grant it to any user or role.

search-internal

The search-internal role is a role that is used internally by the search API. You should not explicitly grant it to any user or role.

security

The security role has the privileges needed to perform security functions. The execute privileges given to the security role are:

Name Action URI
amp-add-roles http://marklogic.com/xdmp/privileges/amp-add-roles
amp-get-roles http://marklogic.com/xdmp/privileges/amp-get-roles
amp-remove-roles http://marklogic.com/xdmp/privileges/amp-remove-roles
amp-set-roles http://marklogic.com/xdmp/privileges/amp-set-roles
any-collection http://marklogic.com/xdmp/privileges/any-collection
any-uri http://marklogic.com/xdmp/privileges/any-uri
collection-add-permissions http://marklogic.com/xdmp/privileges/collection-add-permissions
collection-get-permissions http://marklogic.com/xdmp/privileges/collection-get-permissions
collection-remove-permissions http://marklogic.com/xdmp/privileges/collection-remove-permissions
collection-set-permissions http://marklogic.com/xdmp/privileges/collection-set-permissions
create-amp http://marklogic.com/xdmp/privileges/create-amp
create-privilege http://marklogic.com/xdmp/privileges/create-privilege
create-role http://marklogic.com/xdmp/privileges/create-role
create-user http://marklogic.com/xdmp/privileges/create-user
get-amp http://marklogic.com/xdmp/privileges/get-amp
get-privilege http://marklogic.com/xdmp/privileges/get-privilege
get-role-ids http://marklogic.com/xdmp/privileges/get-role-ids
grant-all-roles http://marklogic.com/xdmp/privileges/grant-all-roles
grant-my-roles http://marklogic.com/xdmp/privileges/grant-my-roles
permission http://marklogic.com/xdmp/privileges/permission
privilege-add-roles http://marklogic.com/xdmp/privileges/privilege-add-roles
privilege-get-roles http://marklogic.com/xdmp/privileges/privilege-get-roles
privilege-remove-roles http://marklogic.com/xdmp/privileges/privilege-remove-roles
privilege-set-name http://marklogic.com/xdmp/privileges/privilege-set-name
privilege-set-roles http://marklogic.com/xdmp/privileges/privilege-set-roles
protect-collection http://marklogic.com/xdmp/privileges/protect-collection
remove-amp http://marklogic.com/xdmp/privileges/remove-amp
remove-privilege http://marklogic.com/xdmp/privileges/remove-privilege
remove-role http://marklogic.com/xdmp/privileges/remove-role
remove-role-from-amps http://marklogic.com/xdmp/privileges/remove-role-from-amps
remove-role-from-privileges http://marklogic.com/xdmp/privileges/remove-role-from-privileges
remove-role-from-roles http://marklogic.com/xdmp/privileges/remove-role-from-roles
remove-role-from-users http://marklogic.com/xdmp/privileges/remove-role-from-users
remove-user http://marklogic.com/xdmp/privileges/remove-user
role-add-roles http://marklogic.com/xdmp/privileges/role-add-roles
role-get-default-collections http://marklogic.com/xdmp/privileges/role-get-default-collections
role-get-default-permissions http://marklogic.com/xdmp/privileges/role-get-default-permissions
role-get-roles http://marklogic.com/xdmp/privileges/role-get-roles
role-privileges http://marklogic.com/xdmp/privileges/role-privileges
role-remove-roles http://marklogic.com/xdmp/privileges/role-remove-roles
role-set-default-collections http://marklogic.com/xdmp/privileges/role-set-default-collections
role-set-default-permissions http://marklogic.com/xdmp/privileges/role-set-default-permissions
role-set-description http://marklogic.com/xdmp/privileges/role-set-description
role-set-name http://marklogic.com/xdmp/privileges/role-set-name
role-set-roles http://marklogic.com/xdmp/privileges/role-set-roles
unprotect-collection http://marklogic.com/xdmp/privileges/unprotect-collection
user-add-roles http://marklogic.com/xdmp/privileges/user-add-roles
user-get-default-collections http://marklogic.com/xdmp/privileges/user-get-default-collections
user-get-default-permissions http://marklogic.com/xdmp/privileges/user-get-default-permissions
user-get-description http://marklogic.com/xdmp/privileges/user-get-description
user-get-roles http://marklogic.com/xdmp/privileges/user-get-roles
user-privileges http://marklogic.com/xdmp/privileges/user-privileges
user-remove-roles http://marklogic.com/xdmp/privileges/user-remove-roles
user-set-default-collections http://marklogic.com/xdmp/privileges/user-set-default-collections
user-set-default-permissions http://marklogic.com/xdmp/privileges/user-set-default-permissions
user-set-description http://marklogic.com/xdmp/privileges/user-set-description
user-set-name http://marklogic.com/xdmp/privileges/user-set-name
user-set-password http://marklogic.com/xdmp/privileges/user-set-password
user-set-roles http://marklogic.com/xdmp/privileges/user-set-roles
xdmp:amp-roles http://marklogic.com/xdmp/privileges/xdmp:amp-roles
xdmp:privilege-roles http://marklogic.com/xdmp/privileges/xdmp:privilege-roles
xdmp:role-roles http://marklogic.com/xdmp/privileges/xdmp:role-roles
xdmp:user-roles http://marklogic.com/xdmp/privileges/xdmp:user-roles

Default permissions for the security role are:

Role Capability
security Read
security Insert
security Update

tde-admin

The tde-admin role has the privileges to administer extraction templates.

tde-view

The tde-view role has the privileges to view extraction templates.

temporal-admin

The temporal-admin role has the privileges to create and modify temporal data.

temporal-internal

The temporal-internal role is an internal role. Do not assign this role to any user.

trigger-management

The trigger-management role has the privileges to create and modify triggers. The trigger-management role has no execute privileges associated with it. This role has the following default permissions:

Role Capability
trigger-management Read
trigger-management Update

view-admin

The view-admin role enables a user to view MarkLogic Server administration.

view-admin-internal

The view-admin-internal role is used internally by the MarkLogic Server. Do not explicitly grant it to any user or role.

welcome-internal

The welcome-internal role is a role that used to be used internally by the MarkLogic Server Welcome Page (now removed). Do not explicitly grant it to any user or role.

xa

The xa user role allows creation and management of one's own XA transaction branches in MarkLogic Server. The xa role is required to participate in XA transactions. For details, see Participating in XA Transactions in the XCC Developer's Guide. The xa role has the following execute privileges:

Name Action URI
complete-my-transaction http://marklogic.com/xdmp/privileges/complete-my-transactions
forget-my-xa-transactions http://marklogic.com/xdmp/privileges/forget-my-xa-transactions
prepare-my-xa-transactions http://marklogic.com/xdmp/privileges/prepare-my-xa-transactions
status-builtins http://marklogic.com/xdmp/privileges/status-builtins
xdmp:set-current-transaction http://marklogic.com/xdmp/privileges/set-current-transaction
xdmp:transaction-create http://marklogic.com/xdmp/privileges/xdmp-transaction-create
xdmp:transaction-create-xid http://marklogic.com/xdmp/privileges/xdmp-transaction-create-xid

xa-admin

The xa-admin role allows creation and management of any user's XA transaction branches in MarkLogic Server. The xa-admin role is intended primarily for administrators who need to complete or forget XA transactions. The xa-admin role has the following execute privileges:

Name Action URI
complete-any-transactions http://marklogic.com/xdmp/privileges/complete-any-transactions
complete-my-transaction http://marklogic.com/xdmp/privileges/complete-my-transactions
forget-any-xa-transactions http://marklogic.com/xdmp/privileges/forget-any-xa-transactions
forget-my-xa-transactions http://marklogic.com/xdmp/privileges/forget-my-xa-transactions
prepare-any-xa-transactions http://marklogic.com/xdmp/privileges/prepare-any-xa-transactions
prepare-my-xa-transactions http://marklogic.com/xdmp/privileges/prepare-my-xa-transactions
status-builtins http://marklogic.com/xdmp/privileges/status-builtins
xdmp:set-current-transaction http://marklogic.com/xdmp/privileges/set-current-transaction
xdmp:transaction-create http://marklogic.com/xdmp/privileges/xdmp-transaction-create
xdmp:transaction-create-xid http://marklogic.com/xdmp/privileges/xdmp-transaction-create-xid

xinclude

The xinclude role provides the privileges to run the XInclude code used in the XInclude CPF application. For details, see Reusing Content With Modular Document Applications in the Application Developer's Guide.
