MarkLogic 12 EA 1 Product Documentation
sec:create-privilege

sec:create-privilege(
   $privilege-name as xs:string,
   $action as xs:string,
   $kind as xs:string,
   $role-names as xs:string*
) as xs:unsignedLong

Summary

Creates a new privilege and returns the new privilege-id.

For execute privileges, the privilege is initially nothing more than a name. Use the xdmp:security-assert() function in your code to associate the privilege with a protected operation.

For URI privileges, the $action parameter identifies the base URI to be protected. Users must have this privilege to access any of the documents or code under the specified URI.

If $action is not unique, an error is returned.

If $kind is not one of ("execute", "uri") then en error is returned.

If one of the $role-names names a role that does not exist, an error is returned.

If the current user is limited to granting only his/her roles, and $role-names is not a subset of the current user's roles, then an error is returned.

Parameters
privilege-name The name of the privilege to create (unique within security database).
action Action protected by this privilege. For an Execute Privilege, this is usually a URI describing an activity. For a URI Privilege, this is a base URI used to filter database activities with certain document URIs.
kind Either "execute" or "uri".
role-names The names of the roles which can perform this action.

Required Privileges

http://marklogic.com/xdmp/privileges/create-privilege
and for role assignment:
http://marklogic.com/xdmp/privileges/grant-all-roles or
http://marklogic.com/xdmp/privileges/grant-my-roles

Usage Notes

This function must be executed against the security database.

Example


(: execute this against the security database :)
xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" at 
    "/MarkLogic/security.xqy";
   
sec:create-privilege("mypriv", 
                     "http://marklogic.com/xdmp/privileges/mypriv", 
                     "execute", 
                     "Developer")

(: Creates an execute privilege, named "mypriv," and assigns it to the
   "Developer" role. :)
Powered by MarkLogic Server | Terms of Use | Privacy Policy