Paul,

Have you read our documentation on "Understanding and Using Security" (http://developer.marklogic.com/pubs/)? I'm asking because I suspect that you may be confused about URI Privileges vs document-level permissions. For example, there is no such thing as an "update privilege" in the MarkLogic Server security model.
It's also misleading to talk about a "protected URI". All URIs are protected, unless the user has the "any-uri" Execute Privilege. The purpose of a URI Privilege is to unprotect a URI prefix for a particular role or user.
I apologize for being so pedantic, but the terminology is important.

General debugging tips: it is always useful to say which version of MarkLogic Server you are using. Also, each security item has a "Describe" tab in the admin server, which provides a nice summary of the item's configuration.
Here's how I set up a similar model to what I believe you're after: we use this as an example in our training course. I've copied the text from the description tab for each item.
* URI Privilege: priv-uri-public
  ** privilege name: priv-uri-public
  ** privilege action: /public/
* Role: writer
  ** Execute Privileges: none
  ** URI Privileges: priv-uri-public
  ** Permissions: writer (insert, update, read), reader (read)
  ** Collections: none
* User: writer
  ** Roles: writer
* Role: reader
  ** Execute Privileges: none
  ** URI Privileges: none
  ** Permissions: none
  ** Collections: none
* User: reader
  ** Roles: reader

With this configuration, "writer" may insert new documents under /public/, but nowhere else in the database. The "writer" may subsequently query, update, and overwrite those documents. The "reader" may only query those documents.
-- Mike
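The same model, built with MarkLogic's Security API instead of the admin UI (an added example, not from the post above). It assumes the query runs with the Security database as the context database; each statement is separated by ";" so it commits before the next one runs, which matters because later statements look up roles created earlier, and the passwords are placeholders.

```xquery
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
(: Role "reader": no execute privileges, no URI privileges, no default permissions.
   It can only read documents whose permissions grant it read. :)
sec:create-role("reader", "May only read documents shared with it", (), (), ())
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
(: Role "writer", created without default permissions first: xdmp:permission()
   resolves role names to ids, so "writer" must exist before it can be named. :)
sec:create-role("writer", "May create and update documents under /public/", (), (), ())
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
(: Default permissions stamped on every document "writer" inserts:
   writer (insert, update, read) and reader (read). :)
sec:role-set-default-permissions("writer",
  (xdmp:permission("writer", "insert"),
   xdmp:permission("writer", "update"),
   xdmp:permission("writer", "read"),
   xdmp:permission("reader", "read")))
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
(: The URI privilege: kind "uri" (not "execute"), action "/public/", granted only
   to "writer". Every other URI prefix stays protected for that role, as long as
   "writer" is never given the "any-uri" execute privilege. :)
sec:create-privilege("priv-uri-public", "/public/", "uri", "writer")
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
(: One user per role; placeholder passwords, no per-user permissions or collections. :)
sec:create-user("writer", "writer test user", "CHANGE-ME-writer", "writer", (), ()),
sec:create-user("reader", "reader test user", "CHANGE-ME-reader", "reader", (), ())
```

After running it, the "Describe" tab for each item should match the listing above; an insert to /public/x.xml as "writer" succeeds while an insert to /private/x.xml as "writer" fails, and "reader" can read /public/x.xml but not update it.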
Paul Preuveneers paul.preuveneers at gmail.com
Mon Apr 23 03:37:10 PDT 2007

I am trying to lock down a particular URI to a particular role/user and I don't seem to be able to get the URI Privileges functionality to work. I have the following idiom for users and roles:

Role             User
web-user         my-web-user
content-manager  my-content-manager

The web-user role does not have document update privileges, whereas the content-manager role does. I connect to ML using my-web-user and only use content-manager when loading data or for cq. I want to be able to let the web-user role only update a specific URI and nowhere else, however even after creating a URI privilege and assigning it to that role, I still cannot create documents in that URI (or anywhere else!). The user still seems to need document update privileges? But if I grant these I can create docs in any URI. I can also still create documents in the protected URI with the content-manager user also, and I was hoping this would not be allowed until I gave the privilege to this role also. So far, I can't see the URI Privileges having any kind of effect at all... What am I doing wrong?

Thanks
Paul
_______________________________________________ General mailing list [email protected] http://xqzone.com/mailman/listinfo/general
