The table below lists all the
sec built-in
functions (in this namespace:
http://marklogic.com/xdmp/security
).
The security function module is installed as the following file:
install_dir/Modules/MarkLogic/security.xqy
where install_dir
is the directory in which
MarkLogic Server is installed.
To use the security.xqy module in your own XQuery modules, include the following line in your XQuery prolog:
import module "http://marklogic.com/xdmp/security" at
"/MarkLogic/security.xqy"
The library uses the sec:
namespace, predefined in the
server.
NOTE: When using these functions to administer
security for an application, be sure to execute them against the security
database configured for your application's database. Function calls
in this library can only be executed against a a security
database (for example, Security); the database named
Security is automatically configured when MarkLogic Server
is installed, and it is the default security database. To execute
these functions against the security database,
you can specify the database
option in xdmp:eval
or xdmp:invoke
, or you can run it in an App Server that
has your security database configured as its database.
Function name | Description |
---|---|
sec:add-query-rolesets | This function adds query rolesets to the Security database. |
sec:amp-add-roles | Adds the roles ($role-names) to the list of roles granted to the amp ($namespace, $local-name, $document-uri). |
sec:amp-doc-collections | Returns a sequence of strings corresponding to the collection uri's that amps belong to. |
sec:amp-doc-permissions | Returns a sequence of permission elements that all newly created amp documents receive. |
sec:amp-exists | This function returns true if the specified amp exists in the security database. |
sec:amp-get-roles | Returns a sequence of role names for the roles directly assigned to the amp ($namespace, $local-name, $document-uri). |
sec:amp-remove-roles | Removes a role ($role-name) from the set of roles included by the amp ($namespace, $local-name, $document-uri). |
sec:amp-set-roles | Assigns the amp identified by $namespace, $local-name and $document-uri to have the roles identified by $roles-names. |
sec:amps-change-modules-database | This function changes all amps that refer to one modules database to refer to a different database. |
sec:amps-collection | Returns a string corresponding to the uri for the amps collection. |
sec:check-admin | Throws an error if the current user does not have the admin-ui privilege. |
sec:collection-add-permissions | Add the permissions $permissions to the protected collection identified by $uri. |
sec:collection-get-permissions | Returns a sequence of permission elements corresponding to the current permissions granted to the protected collection identified by $uri. |
sec:collection-remove-permissions | Removes the permissions $permissions from the protected collection identified by $uri. |
sec:collection-set-permissions | Sets the permissions of a protected collection identified by $uri to $permissions. |
sec:collections-collection | Returns a string corresponding to the uri for the protected collections collection. |
sec:compartment-get-roles | This function returns a list of roles in the specified compartment. |
sec:create-amp | Creates a new amp in the system database for the context database. |
sec:create-credential | This function creates a new security credential with the specified values. |
sec:create-external-security | This function creates an external authentication configuration object and returns the id of the configuration. |
sec:create-privilege | Creates a new privilege and returns the new privilege-id. |
sec:create-role | Creates a new role in the system database for the context database. |
sec:create-user | Creates a new user in the system database for the context database. |
sec:create-user-with-role | Creates a new user in the system database for the context database. |
sec:credential-get-certificate | This function returns the certificate for a credential, if it exists. |
sec:credential-get-description | This function returns the description of the specified credential. |
sec:credential-get-id | This function returns the ID of the specified credential. |
sec:credential-get-password | This function returns the encrypted password for a credential, if it exists. |
sec:credential-get-permissions | This function returns the permissions for a credential. |
sec:credential-get-private-key | This function returns the private key for a credential, if it exists. |
sec:credential-get-signing | This function returns the signing flag for a credential. |
sec:credential-get-targets | This function returns the targets for a credential, if they exist. |
sec:credential-get-username | This function returns the username for a credential, if it exists. |
sec:credential-set-certificate | This function updates the certificate for the credential. |
sec:credential-set-description | This function updates the description for the specified credential. |
sec:credential-set-name | This function updates the name of a credential. |
sec:credential-set-password | This function updates the password for the specified credential. |
sec:credential-set-permissions | This function updates the permission for the specified credential. |
sec:credential-set-signing | This function updates the signing flag for the specified credential. |
sec:credential-set-targets | This function updates the targets for the specified credential. |
sec:credential-set-username | This function updates the username for the specified credential. |
sec:credentials-get-aws | Returns the Amazon Web Services access key, secret key, and session token (if one exists) used to access the Amazon Simple Storage Service. |
sec:credentials-get-azure | Returns the Azure storage account name and access key used to access Microsoft Azure Blob Storage. |
sec:credentials-set-aws | Sets the Amazon Web Services credentials. |
sec:credentials-set-azure | Sets the Azure storage account name and access key. |
sec:external-security-add-oauth-jwt-secrets | This function adds the list of JWT key-ID/key pairs into the given external security object. |
sec:external-security-clear-cache | This function clears the login cache in the named external authorization configuration object. |
sec:external-security-get-authentication | This function returns the authentication protocol set in the named external authorization configuration object. |
sec:external-security-get-authorization | This function returns the authorization scheme set in the named external authorization configuration object. |
sec:external-security-get-cache-timeout | This function returns the login cache timeout (in seconds) set in the named external authorization configuration object. |
sec:external-security-get-description | This function returns the description set in the named external authorization configuration object. |
sec:external-security-get-http-options | This function returns the http options for the named SAML server configuration. |
sec:external-security-get-ldap-attribute | This function returns the LDAP attribute for user lookup set in the named external authorization configuration object. |
sec:external-security-get-ldap-base | This function returns the LDAP base for user lookup set in the named external authorization configuration object. |
sec:external-security-get-ldap-bind-method | This function returns the bind method set on the named external security object. |
sec:external-security-get-ldap-certificate | This function returns the LDAP client certificate set for the name external security configuration. |
sec:external-security-get-ldap-default-user | This function returns the default LDAP user name set in the named external authorization configuration object. |
sec:external-security-get-ldap-member-attribute | This function returns the member attribute for the specified LDAP server. |
sec:external-security-get-ldap-memberof-attribute | This function returns the memberof attribute for the specified LDAP server. |
sec:external-security-get-ldap-negative-cache-timeout | This function returns the ldap-negative-cache-timeout setting for the named external security configuration. |
sec:external-security-get-ldap-nested-lookup | This function returns a boolean value specifying whether ldap nested group lookups are enabled. |
sec:external-security-get-ldap-private-key | This function returns the private key set for the name external security configuration. |
sec:external-security-get-ldap-remove-domain | This function returns the ldap-remove-domain setting for the named external security configuration. |
sec:external-security-get-ldap-server-uri | This function returns the LDAP server uri set in the named external authorization configuration object. |
sec:external-security-get-ldap-start-tls | This function returns the ldap-start-tls setting for the named external security configuration. |
sec:external-security-get-oauth-client-id | This function returns the OAuth client id for the named external security configuration. |
sec:external-security-get-oauth-flow-type | This function returns the OAuth flow type for the named external security configuration. |
sec:external-security-get-oauth-jwks-uri | This function returns the OAuth JWKS URI for the named external security configuration. |
sec:external-security-get-oauth-jwt-alg | This function returns the OAuth JWT algorithm for the named external security configuration. |
sec:external-security-get-oauth-jwt-issuer-uri | This function returns the OAuth JWT Issuer URI for the named external security configuration. |
sec:external-security-get-oauth-jwt-secrets | This function returns the OAuth JWT key-IDs for the named external security configuration. |
sec:external-security-get-oauth-privilege-attribute | This function returns the OAuth privilege attribute for the named external security configuration. |
sec:external-security-get-oauth-role-attribute | This function returns the OAuth role attribute for the named external security configuration. |
sec:external-security-get-oauth-token-type | This function returns the OAuth token type for the named external security configuration. |
sec:external-security-get-oauth-username-attribute | This function returns the OAuth username attribute for the named external security configuration. |
sec:external-security-get-oauth-vendor | This function returns the OAuth-server vendor for the named external security configuration. |
sec:external-security-get-saml-assertion-host | This function returns the SAML assertion host for the named external security configuration. |
sec:external-security-get-saml-attribute-names | This function returns the SAML attribute names set for the named external security configuration. |
sec:external-security-get-saml-destination | This function returns the saml destination in the external security configuration. |
sec:external-security-get-saml-entity-id | This function returns the SAML entity id set for the named external security configuration. |
sec:external-security-get-saml-idp-certificate-authority | This function returns the saml idp certificate authority in the external security configuration. |
sec:external-security-get-saml-issuer | This function returns the saml issuer in the external security configuration. |
sec:external-security-get-saml-privilege-attribute-name | This function returns the SAML privilege attribute name set for the named external security configuration. |
sec:external-security-get-saml-sp-certificate | This function returns the saml Service Provider certificate in the external security configuration. |
sec:external-security-remove-oauth-jwt-secrets | This function removes the specified JWT secrets based on their key-ID. |
sec:external-security-set-authentication | This function sets the authentication protocol for the named external authorization configuration object. |
sec:external-security-set-authorization | This function sets the authentication scheme for the named external authorization configuration object. |
sec:external-security-set-cache-timeout | This function sets the login cache timeout for the named external authorization configuration object. |
sec:external-security-set-description | This function sets the description for the named external authorization configuration object. |
sec:external-security-set-http-options | This function sets the http options for the named SAML server configuration. |
sec:external-security-set-ldap-attribute | This function sets the LDAP attribute for user lookup for the named external authorization configuration object. |
sec:external-security-set-ldap-base | This function sets the LDAP base for user lookup for the named external authorization configuration object. |
sec:external-security-set-ldap-bind-method | This function sets the bind method on the named external security object. |
sec:external-security-set-ldap-certificate | This function sets the LDAP certificate and private key for the named external security configuration. |
sec:external-security-set-ldap-default-user | This function sets the default user name for the named external authorization configuration object. |
sec:external-security-set-ldap-member-attribute | This function sets the member LDAP attribute for group lookup. |
sec:external-security-set-ldap-memberof-attribute | This function sets the memberof LDAP attribute for group lookup. |
sec:external-security-set-ldap-negative-cache-timeout | This function updates the ldap-negative-cache-timeout setting in the external security configuration. |
sec:external-security-set-ldap-nested-lookup | This function sets the nested-lookup boolean. |
sec:external-security-set-ldap-password | This function sets the default user password for the named external authorization configuration object. |
sec:external-security-set-ldap-remove-domain | This function updates the ldap-remove-domain setting in the external security configuration. |
sec:external-security-set-ldap-server-uri | This function sets the LDAP server uri for the named external authorization configuration object. |
sec:external-security-set-ldap-start-tls | This function updates the ldap-start-tls setting in the external security configuration. |
sec:external-security-set-name | This function sets the name of the external authorization configuration object. |
sec:external-security-set-oauth-client-id | This function updates the OAuth client-id for the given external security object. |
sec:external-security-set-oauth-flow-type | This function updates the OAuth flow type for the given external security object. |
sec:external-security-set-oauth-jwks-uri | This function updates the OAuth JWKS URI for the given external security object. |
sec:external-security-set-oauth-jwt-alg | This function updates the OAuth JWT signature algorithm for the given external security object. |
sec:external-security-set-oauth-jwt-secrets | This function sets the OAuth JWT secrets for the given external security object. |
sec:external-security-set-oauth-privilege-attribute | This function updates the OAuth privilege attribute for the given external security object. |
sec:external-security-set-oauth-role-attribute | This function updates the OAuth role attribute for the given external security object. |
sec:external-security-set-oauth-token-type | This function updates the OAuth token type for the given external security object. |
sec:external-security-set-oauth-username-attribute | This function updates the OAuth username attribute for the given external security object. |
sec:external-security-set-oauth-vendor | This function updates the OAuth vendor for the given external security object. |
sec:external-security-set-saml-assertion-host | This function sets the SAML assertion host in the SAML configuration. |
sec:external-security-set-saml-attribute-names | This function sets one or more SAML attribute named used by other security objects to identify the named SAML configuration. |
sec:external-security-set-saml-destination | This function updates the saml destination in the external security configuration. |
sec:external-security-set-saml-entity-id | \ This function sets the SAML entity ID used by other security objects to identify the named SAML configuration. |
sec:external-security-set-saml-idp-certificate-authority | This function updates the saml idp certificate authority in the external security configuration. |
sec:external-security-set-saml-issuer | This function updates the saml issuer in the external security configuration. |
sec:external-security-set-saml-privilege-attribute-name | This function sets the SAML privilege attribute name in the SAML configuration. |
sec:external-security-set-saml-sp-certificate | This function updates the saml sp certificate and private key in the external security configuration. |
sec:external-security-update-oauth-jwt-secrets | This function updates the JWT secrets for the inputted JWT key-IDs in the given external security object. |
sec:get-amp | Returns an sec:amp element corresponding to an amp identified by ($namespace, $local-name, $document-uri). |
sec:get-collection | Gets the security document corresponding to a protected collection with uri equal to $uri. |
sec:get-compartments | This function returns a list of all of the compartments. |
sec:get-credential | Gets a credential. |
sec:get-credential-by-id | This function returns the specified PEM encoded X509 certificate. |
sec:get-credential-ids | This function returns a list of all of the credential IDs in the security database. |
sec:get-credential-names | This function returns a list of all of the credential names in the security database. |
sec:get-distinct-permissions | Returns a sequence of permission elements made up of a concatenation of $output-perms and the distinct permission elements of $input-perms. |
sec:get-privilege | Returns a sec:privilege element corresponding to a privilege identified by ($action,$kind). |
sec:get-role-ids | Returns a sequence of unique sec:role-id elements that corresponds to the sequence of role names $role-names. |
sec:get-role-names | Returns sequence of unique sec:role-name's that corresponds to the sequence of role IDs $role-ids. |
sec:get-saml-entity | This function returns the named SAML entity. |
sec:get-saml-entity-ids | This function returns the SAML entity ids stored in the Security database. |
sec:get-user-names | Returns sequence of unique sec:user-names that corresponds to the sequence of user IDs $user-ids. |
sec:ldap-server | This function configures an LDAP server for use by the sec:create-external-security function. |
sec:oauth-server | This function configures an OAuth server for use by the sec:create-external-security function. |
sec:path-add-permissions | This function adds permissions for a protected path. |
sec:path-get-permissions | This function gets a list of permissions for the path named. |
sec:path-remove-permissions | This function removes permissions for a protected path. |
sec:path-set-permissions | This function sets the permissions for a protected path. |
sec:priv-doc-collections | Returns a sequence of strings corresponding to the collection uri's that privileges belong to. |
sec:priv-doc-permissions | Returns a sequence of permission elements that all newly created privilege documents receive. |
sec:privilege-add-roles | Adds the roles ($role-names) to the list of roles assigned to the privilege ($action,$kind). |
sec:privilege-exists | This function returns true if the specified privilege exists. |
sec:privilege-get-roles | Returns a sequence of role names for the roles assigned to the privilege ($action,$kind). |
sec:privilege-remove-roles | Removes roles ($role-names) from the roles assigned to the privilege ($action,$kind). |
sec:privilege-set-name | Changes the sec:privilege-name of a sec:privilege to $new-privilege-name. |
sec:privilege-set-roles | Assigns the privilege ($action,$kind) to have the roles identified by $role-names. |
sec:privileges-collection | Returns a string corresponding to the uri for the privileges collection. |
sec:protect-collection | Protects a collection $uri with the given permissions ($permissions). |
sec:protect-path | This function protects the path specified, restricting the ability to view content based on the user's permissions. |
sec:protected-path-doc-permissions | Returns a sequence of permission elements that all newly created protected-path documents receive. |
sec:protected-paths-collection | This function returns the collection of protected paths. |
sec:query-roleset | This function creates a query roleset that can be passed into a function used to add or remove rolesets. |
sec:query-rolesets | This is a helper function to return a query-rolesets element from a list of query-roleset elements. |
sec:query-rolesets-collection | This function returns the collection of query rolesets. |
sec:query-rolesets-doc-permissions | Returns a sequence of permission elements that all newly created query-rolesets documents receive. |
sec:query-rolesets-id | This function returns the ID of a query-rolesets. |
sec:remove-amp | Removes the amp ($namespace, $local-name, $document-uri, $database) and returns empty-sequence(). |
sec:remove-credential | This function removes the specified credential. |
sec:remove-credential-by-id | This function removes the specified credential. |
sec:remove-external-security | This function deletes the named external authentication configuration object. |
sec:remove-path | This function removes protection from the specified protected path and removes the path from the Security database. |
sec:remove-privilege | Removes the privilege identified by ($action,$kind). |
sec:remove-query-rolesets | This function removes query rolesets from the Security database. |
sec:remove-role | Removes the role ($role-name). |
sec:remove-role-from-amps | Removes references to the role ($role-name) from all amps. |
sec:remove-role-from-privileges | Removes references to the role ($role-name) from all privileges. |
sec:remove-role-from-roles | Removes references to the role ($role-name) from all other roles. |
sec:remove-role-from-users | Removes references to the role ($role-name) from all users. |
sec:remove-user | Removes the user with name $user-name. |
sec:resecure-credentials | This function re-encrypts credentials, if necessary. |
sec:role-add-roles | Adds new roles ($new-roles) to the role specified by $role-name. |
sec:role-doc-collections | Returns a sequence of strings corresponding to the collection uri's that roles belong to. |
sec:role-doc-permissions | Returns a sequence of permission elements that all newly created role documents receive. |
sec:role-exists | This function returns true if the specified role exists in the security database. |
sec:role-get-compartment | This function returns the compartment for the specified role. |
sec:role-get-default-collections | Returns a sequence of strings corresponding to the uri's of the role's default collections. |
sec:role-get-default-permissions | Returns a sequence of permission elements corresponding to the role's default permissions. |
sec:role-get-description | Returns the description for the specified role. |
sec:role-get-external-names | This function returns the external LDAP group names assigned to the named role. |
sec:role-get-queries | Returns the queries for the specified role. |
sec:role-get-roles | Returns a sequence of role names for the roles directly assigned to the given role ($role-name). |
sec:role-privileges | Returns a set of privilege elements corresponding to all privileges that a role has. |
sec:role-remove-roles | Removes the roles ($role-names) from the set of roles included by the role ($role-name). |
sec:role-set-default-collections | Sets the default collections of a role with name $role-name to $collections. |
sec:role-set-default-permissions | Sets the default permissions for a role with name $role-name. |
sec:role-set-description | Changes the description of the role identified by $role-name to $description. |
sec:role-set-external-names | This function sets a role to be matched to one or more external LDAP distinguished names. |
sec:role-set-name | Changes the sec:role-name of a role from $role-name to $new-role-name. |
sec:role-set-queries | Sets the queries of a role with name $role-name to $queries. |
sec:role-set-query | Sets the $capability query of a role with $role-name to $query. |
sec:role-set-roles | Assigns roles (named $role-names) to be the set of included roles for the role ($role-name). |
sec:roles-collection | Returns a string corresponding to the uri for the roles collection. |
sec:saml-entity-delete | This function deletes the named SAML entity. |
sec:saml-entity-insert | This function inserts a SAML entity into the Security database. |
sec:saml-server | This function configures an SAML server for use by the sec:create-external-security function. |
sec:security-collection | Returns a string corresponding to the uri for the Security collection. |
sec:security-installed | Returns fn:true() if security has been installed on the current database. |
sec:security-namespace | Returns a string corresponding to the uri of the security namespace. |
sec:security-path-namespace | This function creates a protected namespace. |
sec:security-version | Returns the current version of the security database. |
sec:set-realm | Changes the realm of this security database to $realm. |
sec:uid-for-name | Returns the uids for the named user or () if no such user exists. |
sec:unprotect-collection | Removes the protection of a collection $uri. |
sec:unprotect-path | This function removes protection from the specified protected path, without removing the path itself from the Security database. |
sec:uri-credential-target | This function generates a sec:credential-target element, for use with sec:create-credential. |
sec:user-add-roles | Adds the roles ($role-names) to the list of roles granted to the user ($user-name). |
sec:user-doc-collections | Returns a sequence of strings corresponding to the collection uri's that users belong to. |
sec:user-doc-permissions | Returns a sequence of permission elements that all newly created user documents receive. |
sec:user-exists | This function returns true if the specified user exists in the security database. |
sec:user-get-default-collections | Returns a sequence of strings corresponding to the uri's of the user's default collections. |
sec:user-get-default-permissions | Returns a sequence of permission elements corresponding to the user's default permissions. |
sec:user-get-description | Returns the user's description. |
sec:user-get-external-names | This function returns the external LDAP group names assigned to the named user. |
sec:user-get-password-extra | This function returns the extra information for the specified user. |
sec:user-get-queries | Returns the queries for the specified user. |
sec:user-get-roles | Returns a sequence of role names for the roles directly assigned to the user ($user-name). |
sec:user-privileges | Returns a set of privilege elements corresponding to all privileges that a user has. |
sec:user-remove-roles | Removes the roles ($role-names) from the list of roles granted to the user ($user-name). |
sec:user-set-default-collections | Sets the default collections of a user with name $user-name to $collections. |
sec:user-set-default-permissions | Sets the default permissions for a user with name $user-name. |
sec:user-set-description | Changes the description of the user identified by $user-name to $description. |
sec:user-set-external-names | This function sets the external names for the named user. |
sec:user-set-name | Changes the name of the user from $user-name to $new-user-name. |
sec:user-set-password | Changes the password for the user identified by $user-name to $password. |
sec:user-set-password-extra | This function sets extra information for the specified user. |
sec:user-set-queries | Sets the queries of a user with name $user-name to $queries. |
sec:user-set-query | Sets the $capability query of a user with $user-name to $query. |
sec:user-set-roles | Assigns the user with name $user-name to have the roles identified by $role-names. |
sec:users-collection | Returns a string corresponding to the uri for the users collection. |
sec:validate-permissions | This function throws the SEC_NOPERMCAP exception if a permission has no capability specified and it throws the SEC-NOPERMROLEID exception if there is no role specified in the permission. |