Security Guide — Chapter 17
Designing Security Policies
This chapter describes the general steps to follow when using security in an application. Because of the flexibility of the MarkLogic Server security model, there are different ways to implement similar security policies. These steps are simple guidelines; the actual steps you take depends on the security policies you need to implement. The following sections are included:
Research Your Security Requirements
As a first step in planning your security policies, try to have answers for the following types of questions:
- What documents do you want to protect?
- What code do you want to control the execution of?
- Are there any natural categories you can define based on business function (for example, marketing, sales, engineering)?
- What is the level of risk posed by your users? Are your applications used only by trusted, internal people or are they open to a wider audience?
- How sensitive is the data you are protecting?
This list is not necessarily comprehensive, but is a good way to start thinking about your security policy.
Plan Roles and Privileges
Depending on your security requirements and the structure of your enterprise or organization, plan the roles and privileges that make the most sense.
- Determine the level of granularity with which you need to protect objects in the database.
- Determine how you want to group privileges together in roles.
- Create needed URI and execute privileges.
- Create roles.
- Create users.
- Assign users to roles.
- Set default permissions for users, either indirectly through roles or directly through the users.
- Protect code with xdmp:security-assert functions, where needed.
- Load your documents with the appropriate permissions. If needed, change the permissions of existing documents using the
xdmp:document-add-permissions,xdmp:document-set-permissions, andxdmp:document-remove-permissionsfunctions. - Assign access privileges to HTTP, WebDAV, ODBC, and XDBC servers as needed.