Yes, fixed it, thank you! It was the any-uri setting on the role that was the problem.

Thanks!

Paul

On 29/04/07, Michael Blakeley <[EMAIL PROTECTED]> wrote:
Paul,

Have you read our documentation on "Understanding and Using Security" (http://developer.marklogic.com/pubs/)? I'm asking because I suspect that you may be confused about URI Privileges vs. document-level permissions. For example, there is no such thing as an "update privilege" in the MarkLogic Server security model. It's also misleading to talk about a "protected URI". All URIs are protected, unless the user has the "any-uri" Execute Privilege. The purpose of a URI Privilege is to unprotect a URI prefix for a particular role or user. I apologize for being so pedantic, but the terminology is important.

General debugging tips: it is always useful to say which version of MarkLogic Server you are using. Also, each security item has a "Describe" tab in the admin server, which provides a nice summary of the item's configuration.

Here's how I set up a similar model to what I believe you're after: we use this as an example in our training course. I've copied the text from the description tab for each item.

* URI Privilege: priv-uri-public
** privilege name: priv-uri-public
** privilege action: /public/

* Role: writer
** Execute Privileges: none
** URI Privileges: priv-uri-public
** Permissions: writer (insert, update, read), reader (read)
** Collections: none

* User: writer
** Roles: writer

* Role: reader
** Execute Privileges: none
** URI Privileges: none
** Permissions: none
** Collections: none

* User: reader
** Roles: reader

With this configuration, "writer" may insert new documents under /public/, but nowhere else in the database. The "writer" may subsequently query, update, and overwrite those documents. The "reader" may only query those documents.

-- Mike

> Paul Preuveneers paul.preuveneers at gmail.com
> Mon Apr 23 03:37:10 PDT 2007
>
> I am trying to lock down a particular URI to a particular role/user and I
> don't seem to be able to
> get the URI Privileges functionality to work.
>
> I have the following idiom for users and roles:
>
> Role                 User
> web-user             my-web-user
> content-manager      my-content-manager
>
> The web-user role does not have document update privileges, whereas the
> content-manager role does.
> I connect to ML using my-web-user and only use content-manager when loading
> data or for cq.
>
> I want to be able to let the web-user role only update a specific URI and
> nowhere else, however even after creating
> a URI privilege and assigning it to that role, I still cannot create
> documents in that URI (or anywhere else!). The user
> still seems to need document update privileges? But if I grant these I can
> create docs in any URI.
> I can also still create documents in the protected URI with the
> content-manager user also, and I was hoping
> this would not be allowed until I gave the privilege to this role also.
>
> So far, I can't see the URI Privileges having any kind of effect at all...
>
> What am I doing wrong?
>
> Thanks
>
> Paul

_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general
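The writer/reader model Mike lays out in the thread, built with MarkLogic's security library rather than through the admin UI. This is an added example, not code from the thread or from MarkLogic's training material; it assumes the sec:create-privilege, sec:create-role, sec:create-user and sec:privilege-add-roles functions from /MarkLogic/security.xqy with their documented signatures, and the passwords are placeholders. Each statement is separated by ";" so that it commits before the next one references the role it created (a role created and referenced in the same transaction is not yet visible). Run it as an admin user with the Security database selected as the content source.

```xquery
xquery version "1.0-ml";
(: Statement 1: the URI privilege. Kind "uri" (not "execute") is what allows a
   role to create documents whose URI starts with /public/. No roles are
   attached yet because the "writer" role does not exist until the next
   statement has committed. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
sec:create-privilege("priv-uri-public", "/public/", "uri", ());

xquery version "1.0-ml";
(: Statement 2: the reader role. No execute privileges, no URI privileges, no
   default permissions. It can read only documents whose own permissions
   grant "read" to this role. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
sec:create-role("reader", "May query documents under /public/", (), (), ());

xquery version "1.0-ml";
(: Statement 3: the writer role. Its default permissions are stamped onto
   every document a writer inserts without explicit permissions, which is
   how the reader role gets read access to new /public/ documents. Note that
   "any-uri" is deliberately NOT granted: that execute privilege would
   unprotect every URI in the database, which is the mistake Paul had made. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
sec:create-role(
  "writer",
  "May insert and update documents under /public/",
  (),
  (xdmp:permission("writer", "insert"),
   xdmp:permission("writer", "update"),
   xdmp:permission("writer", "read"),
   xdmp:permission("reader", "read")),
  ());

xquery version "1.0-ml";
(: Statement 4: attach the URI privilege to the (now committed) writer role,
   then create one user per role. Passwords are placeholders. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
sec:privilege-add-roles("priv-uri-public", "uri", "writer"),
sec:create-user("writer", "writer user", "CHANGE-ME-writer", "writer", (), ()),
sec:create-user("reader", "reader user", "CHANGE-ME-reader", "reader", (), ())
```

To confirm the boundary, log in as the "writer" user against the content database and run xdmp:document-insert("/public/test.xml", <test/>): it succeeds and the new document carries the four default permissions from the role. The same insert with URI "/private/test.xml" is rejected with a security error (SEC-URIPRIV in current releases), because no URI privilege unprotects that prefix and the role has no "any-uri" execute privilege. Logged in as "reader", fn:doc("/public/test.xml") returns the document, while any attempt to update or delete it is refused by the document-level permissions. The "Describe" tab Mike mentions shows the same role and privilege configuration the statements above create.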
