Enable PII Manually


  1. Edit your entity model definition to mark properties as PII.
    1. In your favorite text editor, open your entity model definition.
    2. Under the definitions node, search for the key named pii.
    3. Add the name of the property to be marked as PII. This property must be defined under the properties node.

      For example, the following model snippet defines a Customer entity that contains an address property designated as PII:

         { "info": { ... },
          "definitions": {
            "Customer": {
              "pii" : ["address"],
              "properties": {
                "address": {
                  "datatype": "string",
                  "collation": "http://marklogic.com/collation/codepoint"
  2. Run the Gradle tasks mlLoadModules and hubGeneratePii to generate the PII security configuration files.
    ./gradlew mlLoadModules hubGeneratePii -igradlew.bat mlLoadModules hubGeneratePii -i
    • mlLoadModules (or mlDeploy) - Deploys the model to the FINAL database. Run this task if the latest version of your model is not yet deployed to your FINAL database.
    • hubGeneratePii - Generates the PII security configuration files from an entity model stored in your FINAL database and saves them to your project.
The PII security configuration files are saved in the following locations in your project:
  • Protected paths are stored in PROJECT_DIR/src/main/ml-config/security/protected-paths/.
  • Query rolesets are stored in PROJECT_DIR/src/main/ml-config/security/query-rolesets/.
  1. Deploy the generated PII security configuration files to your FINAL database.
    1. Edit gradle.properties, and set mlSecurityUsername and mlSecurityPassword to your MarkLogic Server credentials.
      Important: Your MarkLogic Server account must be assigned both manage-admin and security roles.
    2. Run the Gradle task mlDeploySecurity (or mlDeploy).
      ./gradlew mlDeploySecurity -igradlew.bat mlDeploySecurity -i


After the configuration files are deployed,
  • Only users with the pii-reader role will be able to view PII properties in harmonized documents that they are allowed to view.
  • When the document is displayed to users who do not have the "pii-reader" role, PII properties are omitted entirely (i.e., neither property names nor values are visible).