Custom Roles and Privileges

In addition to the predefined Data Hub roles, you also need to create and deploy custom roles that give you access to your databases in MarkLogic Server.

A custom role can:

For a list of roles that a custom role can inherit:

  • Look for roles marked as inheritable in Users and Roles.
  • Run the Gradle task hubPrintInheritableRoles.
    ./gradlew hubPrintInheritableRoles -i
    gradlew.bat hubPrintInheritableRoles -i
Note: Creating custom roles and privileges in Data Hub requires the data-hub-security-admin role or any role that inherits it.

Create Directly in MarkLogic Server

You can create custom privileges directly in MarkLogic Server using the Admin Interface.

You can create custom roles directly in MarkLogic Server:

Create and Deploy Using Gradle

You can manually create your custom roles and privileges in your development environment and later deploy them to your production environment using Gradle.

  1. (Optional) Create your custom privileges.

    The custom privilege definition is a JSON file that contains the privilege name, the kind of privilege (typically execute), and the action URI.

      {
        "privilege-name": "my-custom-privilege-name",
        "kind": "execute",
        "action": "the-URI-of-the-custom-privilege"
      }
    
    Note: Store your custom privilege JSON files in the your-project-root/src/main/ml-config/security/privileges directory.

    Alternatively, you can define your custom privilege within the privilege array of your custom role definition.

  2. Create your custom roles with the predefined MarkLogic Server privileges or your custom privileges.

    The custom role definition is a JSON file that contains the role name, an optional description, and an array of privileges. Example ():

    For a list of MarkLogic Server privileges, see Appendix B: Pre-defined Execute Privileges in the MarkLogic Server Administrator's Guide.

    Note: Store your custom role JSON files in the your-project-root/src/main/ml-config/security/roles directory.
  3. To deploy the new custom roles and privileges to your production environment (whether on-premises or in DHS), run the Gradle task hubDeployAsSecurityAdmin.
    ./gradlew hubDeployAsSecurityAdmin -PenvironmentName=dhs -i
    gradlew.bat hubDeployAsSecurityAdmin -PenvironmentName=dhs -i

    See an example that shows how to deploy a custom role to DHS.
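
A pre-deployment check for the privilege and role files from steps 1 and 2, as an added example that is not part of Data Hub or of the original page. It assumes the role keys "role-name", "description" and "privilege" (as in the MarkLogic Management API); the file names, URIs and the consistency rule are constructed for illustration.

```python
import json

# Constructed sample files (not from the Data Hub project), keyed by file name,
# as they would sit under src/main/ml-config/security/privileges and .../roles.
# Role keys "role-name", "description", "privilege" are assumed (Management API).
PRIVILEGE_FILES = {"my-custom-privilege.json": """{
    "privilege-name": "my-custom-privilege-name",
    "kind": "execute",
    "action": "http://example.org/privileges/my-custom-privilege"}"""}
ROLE_FILES = {"my-custom-role.json": """{
    "role-name": "my-custom-role",
    "description": "Constructed example role",
    "privilege": [
      {"privilege-name": "my-custom-privilege-name", "kind": "execute",
       "action": "http://example.org/privileges/other"},
      {"privilege-name": "incomplete-privilege", "kind": "execute"}]}"""}

REQUIRED = ("privilege-name", "kind", "action")

def missing_fields(priv):
    """Names of the required privilege fields that are absent or empty."""
    return [key for key in REQUIRED if not priv.get(key)]


def lint(privilege_files, role_files):
    """Return findings for two {file name: JSON text} maps."""
    findings, declared = [], {}
    for name, text in privilege_files.items():
        priv = json.loads(text)
        if missing_fields(priv):
            findings.append(f"{name}: missing {', '.join(missing_fields(priv))}")
        else:
            declared[(priv["privilege-name"], priv["kind"])] = priv["action"]
    for name, text in role_files.items():
        role = json.loads(text)
        if not role.get("role-name"):
            findings.append(f"{name}: missing role-name")
        for priv in role.get("privilege", []):
            label = priv.get("privilege-name", "<unnamed>")
            if missing_fields(priv):
                findings.append(f"{name}: {label} missing {', '.join(missing_fields(priv))}")
            # Assumed rule: an inline entry reuses the action URI of its privilege file.
            elif declared.get((label, priv["kind"]), priv["action"]) != priv["action"]:
                findings.append(f"{name}: {label} action differs from privilege file")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(PRIVILEGE_FILES, ROLE_FILES)))
```

Running the check before hubDeployAsSecurityAdmin catches a role that grants a privilege under a different action URI than the one declared in its privilege file.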