sec.createRole(
   role-name as String,
   description as String?,
   role-names as String[],
   permissions as element(sec.permission)[],
   collections as String[],
   [compartment as String?],
   [external-names as String[]],
   [queries as Object]
) as (Number|String)
Creates a new role in the system database for the context
database.
If $role-name is not unique, an error is returned.
If one of the $role-names does not identify a role, an error
is returned.
If the current user is limited to granting only his/her roles,
and $role-names is not a subset of the current user's roles, then an
error is returned.
Returns the role-id.
http://marklogic.com/xdmp/privileges/create-role or create-data-role
http://marklogic.com/xdmp/privileges/grant-all-roles or http://marklogic.com/xdmp/privileges/grant-my-roles
http://marklogic.com/xdmp/privileges/role-set-queries
This function must be executed against the security database.
// execute this against the security database.
declareUpdate();
const sec = require('/MarkLogic/security.xqy');
sec.createRole(
  "Temporary",
  "Temporary worker access",
  ["filesystem-access"],
  [],
  ["testDocument"])

// Creates a new role, named "Temporary," with the default collection,
// named testDocument.
// execute this against the security database.
declareUpdate();
const sec = require('/MarkLogic/security.xqy');
sec.createRole(
  "region-NA",
  "Can see NA documents.",
  [],
  [],
  [],
  "compartment-region",
  [],
  {
    "read": cts.elementQuery(xs.QName("metadata"),
              cts.elementWordQuery(xs.QName("region"), "region-NA"))
  }
)

// Creates a new role, named "region-NA", and with compartment
// "compartment-region". "region-NA" has role queries which allow any users with
// this role to read documents that have "region-NA" in the metadata.
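The three error conditions listed in the description above can be checked before a provisioning script is run against the security database. The following is an added example, not MarkLogic code: a stand-alone JavaScript model that does not call the server. The function `checkCreateRole`, the `env` object and its fields, and the message strings are all hypothetical; the page does not give the server's actual error codes.

```javascript
// Added example: models the documented pre-conditions of sec.createRole.
// `env` is a hypothetical stand-in for state held in the security database.
function checkCreateRole(roleName, roleNames, env) {
  const errors = [];

  // Rule 1: the new role name must be unique.
  if (env.existingRoles.has(roleName)) {
    errors.push(`role already exists: ${roleName}`);
  }

  // Rule 2: every entry in role-names must identify an existing role.
  for (const r of roleNames) {
    if (!env.existingRoles.has(r)) errors.push(`no such role: ${r}`);
  }

  // Rule 3: a caller limited to granting only their own roles
  // (grant-my-roles without grant-all-roles) may pass only a subset
  // of the roles they hold.
  if (!env.canGrantAllRoles) {
    for (const r of roleNames) {
      if (env.existingRoles.has(r) && !env.callerRoles.has(r)) {
        errors.push(`caller may not grant role: ${r}`);
      }
    }
  }
  return errors; // empty array: none of the documented errors applies
}

// Constructed sample state, not real server data.
const sampleEnv = {
  existingRoles: new Set(["filesystem-access", "Temporary", "region-NA"]),
  callerRoles: new Set(["region-NA"]),
  canGrantAllRoles: false,
};

// A delegated administrator holding only "region-NA" cannot create a role
// that inherits "filesystem-access".
console.log(checkCreateRole("contractor", ["filesystem-access"], sampleEnv));
```

Rule 3 is what stops a user with only grant-my-roles from creating a new role that inherits roles the user does not hold.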