Map Service Roles to LDAP Roles

Before you begin

You need:

Peered Track

Public Track

About this task

This task maps service roles to LDAP roles with curl commands.
Important: For this task, you need the SERV-ADMIN portal role. See Portal Roles.
Important: Only users in your external LDAP server assigned the data-hub-security-admin service role can execute the curl commands that map service roles to LDAP roles. For details, see Service Roles.

Procedure

  1. Go to the MarkLogic Data Hub Service home page.
  2. Navigate to the DHS whose users you want to authenticate with your LDAP server.
    • In the Service column, click the service name.

    Private standard MarkLogic Data Hub Service instance

    Tip: You can customize your dashboard by sorting and configuring columns and by searching and filtering services. See Customize DHS Dashboard.
  3. In the Data Hub Service page, click What's next? to display the modal window containing the curl commands.

    Data Hub Service LDAP mapping curl commands

  4. In the modal window, copy the curl commands to your clipboard.
      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-admin","role": ["data-hub-admin"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8003/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-developer","role": ["data-hub-developer"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8003/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-operator","role": ["data-hub-operator"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8003/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-monitor","role": ["data-hub-monitor"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8003/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-explorer-architect","role": ["data-hub-explorer-architect"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8003/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-pii-reader","role": ["pii-reader"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8003/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-odbcUser","role": ["odbcUser"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8003/manage/v2/roles/

    See Service Roles for descriptions of each service role.

    • To edit the curl commands, paste them into a text file.
  5. In the text file, replace the following placeholders according to your configuration: USERNAME, PASSWORD, and ROLE_DN.
    Note: You can change the role names ("role-name":) from custom-* to any name of your choosing.

    Value      Replace With
    USERNAME   The username of a user in the Security Admin DN.
               Remember: After you assign an LDAP configuration to a service, the Security Admin DN is mapped to the data-hub-security-admin service role in the MarkLogic security database. For details about this service role, see Service Roles.
    PASSWORD   The password of the preceding user in the Security Admin DN, as defined for this user in your external LDAP server.
    ROLE_DN    The DN in your external LDAP server to which you are mapping the service role. Example: CN=DataHubDeveloper,OU=Users,OU=example,DC=example,DC=com
  6. Open a command-line window, and run the modified curl commands.

    Example:

      curl -X POST --anyauth -u SecurityAdminUsername:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-developer","role": ["data-hub-developer"],"external-names":[{"external-name":"CN=DataHubDeveloper,OU=Users,OU=example,DC=example,DC=com"}]}' \
        https://abcdefghi.abcdefhgijk.z.marklogicsvc.com:8003/manage/v2/roles/

    For more information about running the curl commands, see Access Private Endpoints and Access Public Endpoints.
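The same mapping requests can be driven from one role/DN table instead of editing seven curl commands by hand. The script below is an added example, not part of the MarkLogic documentation; it assumes DHS_HOST, DHS_USER and DHS_PASSWORD are set in the environment and that the request body has the shape shown in the modal window above. It also refuses DNs that were left as the ROLE_DN placeholder and keeps the password out of the process command line.

```shell
#!/bin/sh
# Added example, not from the MarkLogic documentation: drive the role-mapping
# requests shown above from one role/DN table. Assumes DHS_HOST, DHS_USER and
# DHS_PASSWORD are set in the environment and that the JSON body shape is the
# one in the modal window (assumption, copied from the page's curl commands).

# build_role_payload CUSTOM_ROLE SERVICE_ROLE ROLE_DN
# Prints the JSON body for POST /manage/v2/roles/ (same shape as the page).
build_role_payload() {
  printf '{"role-name":"%s","role":["%s"],"external-names":[{"external-name":"%s"}]}' \
    "$1" "$2" "$3"
}

# valid_dn ROLE_DN
# Rejects a DN that is empty, still the ROLE_DN placeholder, or contains a
# double quote or backslash (either would break the JSON string above).
valid_dn() {
  case "$1" in
    ''|ROLE_DN|*\"*|*\\*) return 1 ;;
    *) return 0 ;;
  esac
}

# map_role CUSTOM_ROLE SERVICE_ROLE ROLE_DN
# Sends one mapping request. Credentials reach curl through a config read from
# stdin (-K -) instead of -u on the command line, so the password is not visible
# in `ps` output or shell history; -f makes curl fail on an HTTP error status.
map_role() {
  valid_dn "$3" || { echo "skipping $1: invalid DN '$3'" >&2; return 1; }
  printf 'user = "%s:%s"\n' "$DHS_USER" "$DHS_PASSWORD" |
    curl -K - -sS -f -X POST --anyauth \
      -H "Content-Type:application/json" \
      -d "$(build_role_payload "$1" "$2" "$3")" \
      "https://$DHS_HOST:8003/manage/v2/roles/"
}

# Constructed mapping table (custom role | service role | LDAP DN); the DNs are
# example values and must be replaced with the ones from your LDAP server.
ROLE_MAP='custom-data-hub-admin|data-hub-admin|CN=DataHubAdmin,OU=Users,OU=example,DC=example,DC=com
custom-data-hub-developer|data-hub-developer|CN=DataHubDeveloper,OU=Users,OU=example,DC=example,DC=com
custom-data-hub-operator|data-hub-operator|CN=DataHubOperator,OU=Users,OU=example,DC=example,DC=com
custom-pii-reader|pii-reader|CN=PIIReader,OU=Users,OU=example,DC=example,DC=com'

# Only send requests when the connection details are actually set.
if [ -n "$DHS_HOST" ] && [ -n "$DHS_USER" ] && [ -n "$DHS_PASSWORD" ]; then
  printf '%s\n' "$ROLE_MAP" | while IFS='|' read -r custom service dn; do
    map_role "$custom" "$service" "$dn"
  done
fi
```

Run it from the same kind of command-line window as step 6 (see Access Private Endpoints and Access Public Endpoints for reaching port 8003), with the three variables exported first.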

What to do next

(Optional) If your DHS network is peered, you can configure SSH Tunneling.

Deploy your Data Hub project to a Data Hub Service.