
sec functions

The table below lists all the sec built-in functions (in this namespace: http://marklogic.com/xdmp/security).

The security function module is installed as the following file:

install_dir/Modules/MarkLogic/security.xqy

where install_dir is the directory in which MarkLogic Server is installed.

To use the security.xqy module in your own XQuery modules, include the following line in your XQuery prolog:

import module "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy"

The library uses the sec: namespace, predefined in the server.

NOTE:  When using these functions to administer security for an application, be sure to execute them against the security database configured for your application's database. Function calls in this library can only be executed against a security database (for example, Security); the database named Security is configured automatically when MarkLogic Server is installed, and it is the default security database. To execute these functions against the security database, you can specify the database option in xdmp:eval or xdmp:invoke, or you can run them in an App Server that has your security database configured as its database.
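A complete provisioning script, added here as an example rather than taken from the MarkLogic documentation: it imports the module as shown above, runs every write against the security database through xdmp:invoke-function, and keeps each step in its own transaction because a role or user inserted by one transaction is not visible to the sec: lookups of that same transaction until it commits. The role name, user name, placeholder password and the two privilege URIs are illustrative choices; the script checks that each privilege exists before granting it.

```xquery
xquery version "1.0-ml";
(: sec: is predefined by the server, so the import needs no namespace binding. :)
import module "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";

(: Illustrative names and values (assumptions, not taken from the product docs).
   Never ship a literal password: inject it from the deployment tooling instead. :)
declare variable $role-name := "report-reader";
declare variable $user-name := "report-svc";
declare variable $password  := "CHANGE-ME-AT-DEPLOY-TIME";
declare variable $privileges :=
  <privs>
    <priv action="http://marklogic.com/xdmp/privileges/rest-reader" kind="execute"/>
    <priv action="http://marklogic.com/xdmp/privileges/xdmp-invoke" kind="execute"/>
  </privs>/priv;

(: Run $fn against the security database of the context database.
   isolation=different-transaction makes each call commit on return, so the
   next step can see what the previous one created. :)
declare function local:in-security-db(
  $fn as function() as item()*,
  $update as xs:boolean
) as item()* {
  xdmp:invoke-function($fn,
    <options xmlns="xdmp:eval">
      <database>{xdmp:security-database()}</database>
      <update>{$update}</update>
      <isolation>different-transaction</isolation>
    </options>)
};

(: Step 1: the role, created only if missing so the script is safe to rerun. :)
local:in-security-db(function() {
  if (sec:role-exists($role-name)) then ()
  else sec:create-role($role-name, "Read-only reporting access",
         (),   (: no inherited roles     :)
         (),   (: no default permissions :)
         ())   (: no default collections :)
}, fn:true()),

(: Step 2: grant exactly the listed execute privileges. A privilege URI that is
   unknown on this server is logged and skipped rather than aborting the run. :)
local:in-security-db(function() {
  for $p in $privileges
  let $action := fn:string($p/@action)
  let $kind   := fn:string($p/@kind)
  return
    if (sec:privilege-exists($action, $kind))
    then sec:privilege-add-roles($action, $kind, $role-name)
    else xdmp:log("privilege not found, skipped: " || $action, "warning")
}, fn:true()),

(: Step 3: the service account holds only that role; its default permission
   gives the same role read access to any document the account creates. :)
local:in-security-db(function() {
  if (sec:user-exists($user-name)) then ()
  else sec:create-user($user-name, "Reporting service account", $password,
         $role-name, xdmp:permission($role-name, "read"), ())
}, fn:true()),

(: Step 4: read-only verification of the effective grants. :)
local:in-security-db(function() {
  <provisioned user="{$user-name}">
    <roles>{ sec:user-get-roles($user-name) }</roles>
    <privileges>{
      for $priv in sec:user-privileges($user-name)
      return <privilege kind="{$priv/sec:kind}">{ fn:string($priv/sec:action) }</privilege>
    }</privileges>
  </provisioned>
}, fn:false())
```

The caller must itself hold the privileges that sec:create-role, sec:privilege-add-roles and sec:create-user require (in practice an admin account), so run this from a deployment pipeline, not from the application's own App Server user. The final read-only step is the check worth keeping: compare the listed privileges against what the role was meant to receive before handing the credentials to the service.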

200 functions
Function name Description
sec:add-query-rolesets This function adds query rolesets to the Security database.
sec:amp-add-roles Adds the roles ($role-names) to the list of roles granted to the amp ($namespace, $local-name, $document-uri).
sec:amp-doc-collections Returns a sequence of strings corresponding to the collection URIs that amps belong to.
sec:amp-doc-permissions Returns a sequence of permission elements that all newly created amp documents receive.
sec:amp-exists This function returns true if the specified amp exists in the security database.
sec:amp-get-roles Returns a sequence of role names for the roles directly assigned to the amp ($namespace, $local-name, $document-uri).
sec:amp-remove-roles Removes a role ($role-name) from the set of roles included by the amp ($namespace, $local-name, $document-uri).
sec:amp-set-roles Assigns the amp identified by $namespace, $local-name and $document-uri to have the roles identified by $role-names.
sec:amps-change-modules-database This function changes all amps that refer to one modules database to refer to a different database.
sec:amps-collection Returns a string corresponding to the uri for the amps collection.
sec:check-admin Throws an error if the current user does not have the admin role.
sec:collection-add-permissions Add the permissions $permissions to the protected collection identified by $uri.
sec:collection-get-permissions Returns a sequence of permission elements corresponding to the current permissions granted to the protected collection identified by $uri.
sec:collection-remove-permissions Removes the permissions $permissions from the protected collection identified by $uri.
sec:collection-set-permissions Sets the permissions of a protected collection identified by $uri to $permissions.
sec:collections-collection Returns a string corresponding to the uri for the protected collections collection.
sec:compartment-get-roles This function returns a list of roles in the specified compartment.
sec:create-amp Creates a new amp in the system database for the context database.
sec:create-credential This function creates a new security credential with the specified values.
sec:create-external-security This function creates an external authentication configuration object and returns the id of the configuration.
sec:create-privilege Creates a new privilege and returns the new privilege-id.
sec:create-role Creates a new role in the system database for the context database.
sec:create-user Creates a new user in the system database for the context database.
sec:create-user-with-role Creates a new user in the system database for the context database.
sec:credential-get-certificate This function returns the certificate for a credential, if it exists.
sec:credential-get-description This function returns the description of the specified credential.
sec:credential-get-id This function returns the ID of the specified credential.
sec:credential-get-password This function returns the password for a credential, if it exists.
sec:credential-get-permissions This function returns the permissions for a credential.
sec:credential-get-private-key This function returns the private key for a credential, if it exists.
sec:credential-get-signing This function returns the signing flag for a credential.
sec:credential-get-targets This function returns the targets for a credential, if they exist.
sec:credential-get-username This function returns the username for a credential, if it exists.
sec:credential-set-certificate This function updates the certificate for the credential.
sec:credential-set-description This function updates the description for the specified credential.
sec:credential-set-name This function updates the name of a credential.
sec:credential-set-password This function updates the password for the specified credential.
sec:credential-set-permissions This function updates the permission for the specified credential.
sec:credential-set-signing This function updates the signing flag for the specified credential.
sec:credential-set-targets This function updates the targets for the specified credential.
sec:credential-set-username This function updates the username for the specified credential.
sec:credentials-get-aws Returns the Amazon Web Services access key, secret key, and session token (if one exists) used to access the Amazon Simple Storage Service.
sec:credentials-get-azure Returns the Azure storage account name and access key used to access Microsoft Azure Blob Storage.
sec:credentials-set-aws Sets the Amazon Web Services credentials.
sec:credentials-set-azure Sets the Azure storage account name and access key.
sec:external-security-clear-cache This function clears the login cache in the named external authorization configuration object.
sec:external-security-get-authentication This function returns the authentication protocol set in the named external authorization configuration object.
sec:external-security-get-authorization This function returns the authorization scheme set in the named external authorization configuration object.
sec:external-security-get-cache-timeout This function returns the login cache timeout (in seconds) set in the named external authorization configuration object.
sec:external-security-get-description This function returns the description set in the named external authorization configuration object.
sec:external-security-get-http-options This function returns the http options for the named SAML server configuration.
sec:external-security-get-ldap-attribute This function returns the LDAP attribute for user lookup set in the named external authorization configuration object.
sec:external-security-get-ldap-base This function returns the LDAP base for user lookup set in the named external authorization configuration object.
sec:external-security-get-ldap-bind-method This function returns the bind method set on the named external security object.
sec:external-security-get-ldap-certificate This function returns the LDAP client certificate set for the named external security configuration.
sec:external-security-get-ldap-default-user This function returns the default LDAP user name set in the named external authorization configuration object.
sec:external-security-get-ldap-member-attribute This function returns the member attribute for the specified LDAP server.
sec:external-security-get-ldap-memberof-attribute This function returns the memberof attribute for the specified LDAP server.
sec:external-security-get-ldap-nested-lookup This function returns a boolean value specifying whether ldap nested group lookups are enabled.
sec:external-security-get-ldap-private-key This function returns the private key set for the named external security configuration.
sec:external-security-get-ldap-remove-domain This function returns the ldap-remove-domain setting for the named external security configuration.
sec:external-security-get-ldap-server-uri This function returns the LDAP server uri set in the named external authorization configuration object.
sec:external-security-get-ldap-start-tls This function returns the ldap-start-tls setting for the named external security configuration.
sec:external-security-get-saml-attribute-names This function returns the SAML attribute names set for the named external security configuration.
sec:external-security-get-saml-destination This function returns the saml destination in the external security configuration.
sec:external-security-get-saml-entity-id This function returns the SAML entity id set for the named external security configuration.
sec:external-security-get-saml-idp-certificate-authority This function returns the saml idp certificate authority in the external security configuration.
sec:external-security-get-saml-issuer This function returns the saml issuer in the external security configuration.
sec:external-security-get-saml-privilege-attribute-name This function returns the SAML privilege attribute name set for the named external security configuration.
sec:external-security-get-saml-sp-certificate This function returns the saml Service Provider certificate in the external security configuration.
sec:external-security-set-authentication This function sets the authentication protocol for the named external authorization configuration object.
sec:external-security-set-authorization This function sets the authorization scheme for the named external authorization configuration object.
sec:external-security-set-cache-timeout This function sets the login cache timeout for the named external authorization configuration object.
sec:external-security-set-description This function sets the description for the named external authorization configuration object.
sec:external-security-set-http-options This function sets the http options for the named SAML server configuration.
sec:external-security-set-ldap-attribute This function sets the LDAP attribute for user lookup for the named external authorization configuration object.
sec:external-security-set-ldap-base This function sets the LDAP base for user lookup for the named external authorization configuration object.
sec:external-security-set-ldap-bind-method This function sets the bind method on the named external security object.
sec:external-security-set-ldap-certificate This function sets the LDAP certificate and private key for the named external security configuration.
sec:external-security-set-ldap-default-user This function sets the default user name for the named external authorization configuration object.
sec:external-security-set-ldap-member-attribute This function sets the member LDAP attribute for group lookup.
sec:external-security-set-ldap-memberof-attribute This function sets the memberof LDAP attribute for group lookup.
sec:external-security-set-ldap-nested-lookup This function sets the nested-lookup boolean.
sec:external-security-set-ldap-password This function sets the default user password for the named external authorization configuration object.
sec:external-security-set-ldap-remove-domain This function updates the ldap-remove-domain setting in the external security configuration.
sec:external-security-set-ldap-server-uri This function sets the LDAP server uri for the named external authorization configuration object.
sec:external-security-set-ldap-start-tls This function updates the ldap-start-tls setting in the external security configuration.
sec:external-security-set-name This function sets the name of the external authorization configuration object.
sec:external-security-set-saml-attribute-names This function sets one or more SAML attribute names used by other security objects to identify the named SAML configuration.
sec:external-security-set-saml-destination This function updates the saml destination in the external security configuration.
sec:external-security-set-saml-entity-id This function sets the SAML entity ID used by other security objects to identify the named SAML configuration.
sec:external-security-set-saml-idp-certificate-authority This function updates the saml idp certificate authority in the external security configuration.
sec:external-security-set-saml-issuer This function updates the saml issuer in the external security configuration.
sec:external-security-set-saml-privilege-attribute-name This function sets the SAML privilege attribute name in the SAML configuration.
sec:external-security-set-saml-sp-certificate This function updates the saml sp certificate and private key in the external security configuration.
sec:get-amp Returns an sec:amp element corresponding to an amp identified by ($namespace, $local-name, $document-uri).
sec:get-collection Gets the security document corresponding to a protected collection with uri equal to $uri.
sec:get-compartments This function returns a list of all of the compartments.
sec:get-credential Gets a credential.
sec:get-credential-by-id This function returns the specified PEM encoded X509 certificate.
sec:get-credential-ids This function returns a list of all of the credential IDs in the security database.
sec:get-credential-names This function returns a list of all of the credential names in the security database.
sec:get-distinct-permissions Returns a sequence of permission elements made up of a concatenation of $output-perms and the distinct permission elements of $input-perms.
sec:get-privilege Returns a sec:privilege element corresponding to a privilege identified by ($action,$kind).
sec:get-role-ids Returns a sequence of unique sec:role-id elements that corresponds to the sequence of role names $role-names.
sec:get-role-names Returns sequence of unique sec:role-name's that corresponds to the sequence of role IDs $role-ids.
sec:get-saml-entity This function returns the named SAML entity.
sec:get-saml-entity-ids This function returns the SAML entity ids stored in the Security database.
sec:get-user-names Returns sequence of unique sec:user-names that corresponds to the sequence of user IDs $user-ids.
sec:ldap-server This function configures an LDAP server for use by the sec:create-external-security function.
sec:path-add-permissions This function adds permissions for a protected path.
sec:path-get-permissions This function gets a list of permissions for the path named.
sec:path-remove-permissions This function removes permissions for a protected path.
sec:path-set-permissions This function sets the permissions for a protected path.
sec:priv-doc-collections Returns a sequence of strings corresponding to the collection URIs that privileges belong to.
sec:priv-doc-permissions Returns a sequence of permission elements that all newly created privilege documents receive.
sec:privilege-add-roles Adds the roles ($role-names) to the list of roles assigned to the privilege ($action,$kind).
sec:privilege-exists This function returns true if the specified privilege exists.
sec:privilege-get-roles Returns a sequence of role names for the roles assigned to the privilege ($action,$kind).
sec:privilege-remove-roles Removes roles ($role-names) from the roles assigned to the privilege ($action,$kind).
sec:privilege-set-name Changes the sec:privilege-name of a sec:privilege to $new-privilege-name.
sec:privilege-set-roles Assigns the privilege ($action,$kind) to have the roles identified by $role-names.
sec:privileges-collection Returns a string corresponding to the uri for the privileges collection.
sec:protect-collection Protects a collection $uri with the given permissions ($permissions).
sec:protect-path This function protects the path specified, restricting the ability to view content based on the user's permissions.
sec:protected-path-doc-permissions Returns a sequence of permission elements that all newly created protected-path documents receive.
sec:protected-paths-collection This function returns the collection of protected paths.
sec:query-roleset This function creates a query roleset that can be passed into a function used to add or remove rolesets.
sec:query-rolesets This is a helper function to return a query-rolesets element from a list of query-roleset elements.
sec:query-rolesets-collection This function returns the collection of query rolesets.
sec:query-rolesets-doc-permissions Returns a sequence of permission elements that all newly created query-rolesets documents receive.
sec:query-rolesets-id This function returns the ID of a query-rolesets.
sec:remove-amp Removes the amp ($namespace, $local-name, $document-uri, $database) and returns empty-sequence().
sec:remove-credential This function removes the specified credential.
sec:remove-credential-by-id This function removes the specified credential.
sec:remove-external-security This function deletes the named external authentication configuration object.
sec:remove-path This function removes protection from the specified protected path and removes the path from the Security database.
sec:remove-privilege Removes the privilege identified by ($action,$kind).
sec:remove-query-rolesets This function removes query rolesets from the Security database.
sec:remove-role Removes the role ($role-name).
sec:remove-role-from-amps Removes references to the role ($role-name) from all amps.
sec:remove-role-from-privileges Removes references to the role ($role-name) from all privileges.
sec:remove-role-from-roles Removes references to the role ($role-name) from all other roles.
sec:remove-role-from-users Removes references to the role ($role-name) from all users.
sec:remove-user Removes the user with name $user-name.
sec:resecure-credentials This function re-encrypts credentials, if necessary.
sec:role-add-roles Adds new roles ($new-roles) to the role specified by $role-name.
sec:role-doc-collections Returns a sequence of strings corresponding to the collection URIs that roles belong to.
sec:role-doc-permissions Returns a sequence of permission elements that all newly created role documents receive.
sec:role-exists This function returns true if the specified role exists in the security database.
sec:role-get-compartment This function returns the compartment for the specified role.
sec:role-get-default-collections Returns a sequence of strings corresponding to the URIs of the role's default collections.
sec:role-get-default-permissions Returns a sequence of permission elements corresponding to the role's default permissions.
sec:role-get-description Returns the description for the specified role.
sec:role-get-external-names This function returns the external LDAP group names assigned to the named role.
sec:role-get-roles Returns a sequence of role names for the roles directly assigned to the given role ($role-name).
sec:role-privileges Returns a set of privilege elements corresponding to all privileges that a role has.
sec:role-remove-roles Removes the roles ($role-names) from the set of roles included by the role ($role-name).
sec:role-set-default-collections Sets the default collections of a role with name $role-name to $collections.
sec:role-set-default-permissions Sets the default permissions for a role with name $role-name.
sec:role-set-description Changes the description of the role identified by $role-name to $description.
sec:role-set-external-names This function sets a role to be matched to one or more external LDAP distinguished names.
sec:role-set-name Changes the sec:role-name of a role from $role-name to $new-role-name.
sec:role-set-roles Assigns roles (named $role-names) to be the set of included roles for the role ($role-name).
sec:roles-collection Returns a string corresponding to the uri for the roles collection.
sec:saml-entity-delete This function deletes the named SAML entity.
sec:saml-entity-insert This function inserts a SAML entity into the Security database.
sec:saml-server This function configures a SAML server for use by the sec:create-external-security function.
sec:security-collection Returns a string corresponding to the uri for the Security collection.
sec:security-installed Returns fn:true() if security has been installed on the current database.
sec:security-namespace Returns a string corresponding to the uri of the security namespace.
sec:security-path-namespace This function creates a protected namespace.
sec:security-version Returns the current version of the security database.
sec:set-realm Changes the realm of this security database to $realm.
sec:uid-for-name Returns the uids for the named user or () if no such user exists.
sec:unprotect-collection Removes the protection of a collection $uri.
sec:unprotect-path This function removes protection from the specified protected path, without removing the path itself from the Security database.
sec:uri-credential-target This function generates a sec:credential-target element, for use with sec:create-credential.
sec:user-add-roles Adds the roles ($role-names) to the list of roles granted to the user ($user-name).
sec:user-doc-collections Returns a sequence of strings corresponding to the collection URIs that users belong to.
sec:user-doc-permissions Returns a sequence of permission elements that all newly created user documents receive.
sec:user-exists This function returns true if the specified user exists in the security database.
sec:user-get-default-collections Returns a sequence of strings corresponding to the URIs of the user's default collections.
sec:user-get-default-permissions Returns a sequence of permission elements corresponding to the user's default permissions.
sec:user-get-description Returns the user's description.
sec:user-get-external-names This function returns the external LDAP group names assigned to the named user.
sec:user-get-password-extra This function returns the extra information for the specified user.
sec:user-get-roles Returns a sequence of role names for the roles directly assigned to the user ($user-name).
sec:user-privileges Returns a set of privilege elements corresponding to all privileges that a user has.
sec:user-remove-roles Removes the roles ($role-names) from the list of roles granted to the user ($user-name).
sec:user-set-default-collections Sets the default collections of a user with name $user-name to $collections.
sec:user-set-default-permissions Sets the default permissions for a user with name $user-name.
sec:user-set-description Changes the description of the user identified by $user-name to $description.
sec:user-set-external-names This function sets the external names for the named user.
sec:user-set-name Changes the name of the user from $user-name to $new-user-name.
sec:user-set-password Changes the password for the user identified by $user-name to $password.
sec:user-set-password-extra This function sets extra information for the specified user.
sec:user-set-roles Assigns the user with name $user-name to have the roles identified by $role-names.
sec:users-collection Returns a string corresponding to the uri for the users collection.
sec:validate-permissions This function throws the SEC-NOPERMCAP exception if a permission has no capability specified, and throws the SEC-NOPERMROLEID exception if there is no role specified in the permission.