Users and Roles

MarkLogic Data Hub provides default roles and users in your project.

You can set the user credentials in the appropriate gradle*.properties file, or you can specify them at the command line when running the Gradle task. To learn how, see Set Security Credentials Using Gradle.

Granular Roles

These roles allow for more granular permission management and for easier migration from an on-premises installation to DHS. These roles require MarkLogic Server 10.0-3 or later.

Role Name Role Description
data-hub-operator
  • Permits an assigned user:
    • To run a Data Hub application.
    • To run flows.
    • To monitor flows through the JOBS database.
Important: By default, new documents inherit the permissions of the user account that runs the step. For greater security, this role is configured without default permissions to avoid unintended inheritance. However, MarkLogic Server requires each new document to have at least one update permission. Therefore, you must explicitly set the step's Target Permissions to specify at least one update permission to assign to new documents created by the step.
data-hub-developer
  • Permits an assigned user:
    • To do everything that the data-hub-operator role can.
    • To do everything that the MarkLogic Server manage-user role can, including read access to the MarkLogic Management API and monitoring tools.
    • To deploy the following resources:
      • User modules and artifacts (entities, flows, mappings, and step definitions)
      • Alert configurations, rules, and actions
      • Database indexes on the STAGING, FINAL, and JOBS databases
      • Scheduled tasks
      • Schemas
      • Temporal axes, collections, and Last Stable Query Time (LSQT)
      • Triggers
      • Protected paths and query rolesets
data-hub-admin
  • Permits an assigned user:
    • To do everything that the data-hub-developer role can.
    • To clear the STAGING, FINAL, and JOBS databases.
data-hub-security-admin
  • Permits an assigned user:
    • To create and configure custom Data Hub roles and privileges with the following restrictions:
      • A custom role cannot inherit from any other role.
      • A custom role can only inherit privileges granted to the user creating the role.
      • A custom execute privilege must be assigned an action starting with http://datahub.marklogic.com/custom/.
    • To assign roles to users.
data-hub-monitor
  • Permits an assigned user:
Note: User accounts are not automatically generated for these roles. The MarkLogic Server admin must assign new or existing user accounts to the appropriate roles.
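
The restrictions on custom roles and privileges listed under data-hub-security-admin can be checked before deployment. The following Python check is an added example, not part of MarkLogic Data Hub; it assumes role and privilege definitions are available as JSON objects using the MarkLogic Management API property names (role-name, role, privilege, privilege-name, kind, action), and that the creating user's privileges are supplied as a set of (kind, action) pairs. All sample names and actions are constructed.

```python
CUSTOM_ACTION_PREFIX = "http://datahub.marklogic.com/custom/"


def lint_role(role, creator_privileges):
    """Check one role payload; creator_privileges is a set of (kind, action) pairs."""
    name = role.get("role-name", "<unnamed>")
    problems = []
    # Restriction: a custom role cannot inherit from any other role.
    inherited = role.get("role") or []
    if inherited:
        problems.append(f"{name}: inherits from {sorted(inherited)}")
    # Restriction: only privileges already granted to the creating user.
    for priv in role.get("privilege") or []:
        if (priv.get("kind"), priv.get("action")) not in creator_privileges:
            problems.append(f"{name}: privilege {priv.get('privilege-name')!r} not held by creator")
    return problems


def lint_privilege(priv):
    """Restriction: a custom execute privilege action must use the custom prefix."""
    action = priv.get("action") or ""
    if priv.get("kind") == "execute" and not action.startswith(CUSTOM_ACTION_PREFIX):
        return [f"{priv.get('privilege-name')}: action {action!r} is outside {CUSTOM_ACTION_PREFIX}"]
    return []


def lint_all(roles, privileges, creator_privileges):
    problems = [p for r in roles for p in lint_role(r, creator_privileges)]
    return problems + [p for pr in privileges for p in lint_privilege(pr)]


# Constructed sample input: role names, privilege names and actions are placeholders.
CREATOR = {("execute", CUSTOM_ACTION_PREFIX + "run-report")}
ROLES = [
    {"role-name": "report-runner",
     "privilege": [{"privilege-name": "run-report", "kind": "execute",
                    "action": CUSTOM_ACTION_PREFIX + "run-report"}]},
    {"role-name": "report-admin", "role": ["data-hub-developer"],
     "privilege": [{"privilege-name": "purge-report", "kind": "execute",
                    "action": CUSTOM_ACTION_PREFIX + "purge-report"}]},
]
PRIVILEGES = [
    {"privilege-name": "run-report", "kind": "execute", "action": CUSTOM_ACTION_PREFIX + "run-report"},
    {"privilege-name": "export-all", "kind": "execute", "action": "http://example.org/export-all"},
]

if __name__ == "__main__":
    print("\n".join(lint_all(ROLES, PRIVILEGES, CREATOR)))
```

Running it in a build pipeline and failing on any reported line catches a role definition that the server would reject for a data-hub-security-admin user.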

Classic Roles

The following roles are still valid; however, the granular roles are preferred.

Role Name Role Description Auto-Generated User When used
data-hub-admin-role
  • Permits an assigned user:
    • To install, uninstall, and upgrade MarkLogic Data Hub.
    • To create Data Hub roles based on existing ones.
    • To assign roles to users.
    • To manage MarkLogic Server resources and perform tasks related to databases, indexes, and configuration of the MarkLogic Server.
  • Must be assigned as part of the first deployment (i.e., bootstrapping role).
  • Does not have administrative access to the entire MarkLogic server.
Tip: Switch to the data-hub-admin and data-hub-security-admin roles for more granular permissions.
Auto-Generated User: data-hub-admin-user
When used: During setup and maintenance
flow-developer-role
  • Permits an assigned user:
    • To create and update flows and modules.
    • To deploy flows, modules, and security configurations (including PII).
    • To configure the indexes and Template Driven Extraction (TDE) settings.
Tip: Switch to the data-hub-developer role for more granular permissions.

(Same role as in Data Hub Service.)

Auto-Generated User: flow-developer
When used: During development
flow-operator-role
  • Permits an assigned user:
    • To run flows.
    • To monitor activity in the job logs.
Tip: Switch to the data-hub-monitor and data-hub-operator roles for more granular permissions.

(Same role as in Data Hub Service.)

Auto-Generated User: flow-operator
When used: In a production environment