
sec:create-role

sec:create-role(
   $role-name as xs:string,
   $description as xs:string?,
   $role-names as xs:string*,
   $permissions as element(sec:permission)*,
   $collections as xs:string*,
   [$compartment as xs:string?],
   [$external-names as xs:string*],
   [$queries as map:map]
) as xs:unsignedLong

Summary

Creates a new role in the system database for the context database.

If $role-name is not unique, an error is returned.

If one of the $role-names does not identify a role, an error is returned.

If the current user is limited to granting only his/her roles, and $role-names is not a subset of the current user's roles, then an error is returned.

Returns the role-id.

Parameters
$role-name The name of the role to be created.
$description A description of the role to be created.
$role-names A sequence of role names to which the role is assigned.
$permissions The default permissions for the role.
$collections The default collections for the role.
$compartment The compartment to assign to the role.
$external-names The external names for the role, or an empty sequence if no external names are used.
$queries A map from capabilities (read, update, node-update, and execute) to cts queries of the role.

Required Privileges

http://marklogic.com/xdmp/privileges/create-role or create-data-role
and for role assignment:
http://marklogic.com/xdmp/privileges/grant-all-roles or
http://marklogic.com/xdmp/privileges/grant-my-roles
and, for creating roles with queries:
http://marklogic.com/xdmp/privileges/role-set-queries

Usage Notes

This function must be executed against the security database.

Example


(: execute this against the security database. :)
xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" at 
    "/MarkLogic/security.xqy";

sec:create-role(
    "Temporary",
    "Temporary worker access",
    ("filesystem-access"),
    (),
    ("testDocument"))
   
(: Creates a new role named "Temporary" that is assigned the
   "filesystem-access" role and has the default collection "testDocument". :)
  

Example


(: execute this against the security database. :)
xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" at 
  "/MarkLogic/security.xqy";

sec:create-role(
  "region-NA", 
  "Can see NA documents.",
  (), (), (), "compartment-region", (), 
  map:map()=>map:with(
    "read", 
    cts:element-query(xs:QName("metadata"), 
      cts:element-word-query(xs:QName("region"), "NA")))
  ) 

(: Creates a new role named "region-NA" in the compartment
   "compartment-region". The role query on "region-NA" allows any user with
   this role to read documents whose metadata element contains a region
   element with the word "NA". :)
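
The summary states that a non-unique $role-name is an error and that the call must run against the security database. The following is an added example, not part of the MarkLogic documentation, showing one way to make role provisioning repeatable under those two conditions. local:ensure-role and the sample role, description and collection names are hypothetical; sec:role-exists, sec:get-role-ids, xdmp:invoke-function and xdmp:security-database are MarkLogic functions not shown on this page.

```xquery
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";

(: Added example. local:ensure-role and the sample values passed to it
   below are hypothetical. :)
declare function local:ensure-role(
  $role-name   as xs:string,
  $description as xs:string,
  $role-names  as xs:string*,
  $collections as xs:string*
) as xs:unsignedLong
{
  xdmp:invoke-function(
    function() {
      if (sec:role-exists($role-name))
      then
        (: Role already present: return its id instead of triggering the
           "not unique" error from sec:create-role. :)
        xs:unsignedLong(sec:get-role-ids($role-name))
      else
        (: No default permissions are set here; $role-names is passed
           through unchanged, so the grant-all-roles / grant-my-roles
           check described above still applies to the caller. :)
        sec:create-role($role-name, $description, $role-names, (), $collections)
    },
    (: Evaluate in the security database of the current context database,
       as an update transaction. :)
    <options xmlns="xdmp:eval">
      <database>{xdmp:security-database()}</database>
      <update>true</update>
    </options>
  )
};

(: Constructed sample call: a role with no inherited roles and one
   default collection. Returns the role-id whether or not the role
   already existed. :)
local:ensure-role(
  "report-reader",
  "Read-only access for reporting jobs",
  (),
  "reports")
```

Because the existence check and the create run in the same update transaction, a provisioning script can call this repeatedly without failing on the second run.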
  
