Tim,

If a user inherits default permissions from multiple roles, documents
written by that user will default to the union of all the permissions on
the inherited roles. Here's the relevant section from the security
guide, and you can also prove this to yourself fairly easily:

http://developer.marklogic.com/pubs/4.0/books/security.pdf

When a document is created, it is initialized with a set of permissions.
If permissions are not explicitly set (as a parameter to xdmp:load or
xdmp:document-insert, for example), then the permissions are set to the
default permissions. The default permissions are determined based on
the roles assigned (both assigned explicitly and inherited from roles
assigned to other roles) to the user who creates the document and on any
default permissions assigned directly to the user.

If users will be creating documents in a database, it is very important
to set up default permissions for roles to which that user is assigned.
Without default permissions, it is easy to create documents that no
users (except those who are part of the admin role) can read, update, or
delete.

When using default permissions, it's important to understand that
xdmp:document-insert() will *not* merge those defaults with anything
supplied in parameter 3 - including the empty sequence. Similarly, XCC
content inserts will use the default permissions if no permissions are
set on the content object, but any permissions set on the content object
will override the defaults.

Node-level updates, on the other hand, will not affect document-level
information - so permissions will remain unchanged.

thanks,
-- Mike

On 2009-02-10 08:48, Tim Meagher wrote:

Hi Folks,

I am a little confused about how to add role and user-based permissions by
default to documents and directories. I'm using an XCC application to
insert documents and to create the directories in which they are inserted. I
would like to apply defaults so that I do not have to explicitly add the
desired user and role permissions.

At first I was under the impression that any subdirectories created within
an existing parent directory URI that had a set of permissions associated
with it, and, any documents subsequently inserted or updated within the
parent directory URI would fully inherit the permissions of the parent
directory URI. Now I'm not sure that is the case. I would appreciate any
clarification on this.

I recently determined that I can set the default permissions for document
creation by adding them to the user that inserts the documents, but I would
like some clarification about this as well. Given UserA who has default
document creation permissions for roles RoleA and RoleB, then if UserA
creates a document, does that mean that the document will by default have
access to it created for RoleA and RoleB or just for the permissions
associated with those roles (and if so, for whom)?

What about updates to a document? Do the original permissions automatically
get applied to the updated document and if so, why?

Thanks for the help!

Tim Meagher
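
Added example, not part of either message above: a three-transaction XQuery check of the behaviour described in the reply, comparing the permissions that result from omitting parameter 3, passing explicit permissions, passing the empty sequence, and passing the defaults plus an extra permission, with a node-level update in between. Assumptions: the role name "RoleA" (taken from the question) exists, the /example/ URIs are constructed, and the executing user has default permissions configured and also holds the admin role so the permission-less document stays visible.

```xquery
xquery version "1.0-ml";
(: Transaction 1: insert the same document four ways.
   "RoleA" and the /example/ URIs are constructed for this sketch. :)
let $extra := xdmp:permission("RoleA", "read")
return (
  (: no third parameter: the user's default permissions are applied :)
  xdmp:document-insert("/example/defaults.xml", <doc/>),
  (: explicit permissions replace the defaults, they are not merged :)
  xdmp:document-insert("/example/explicit.xml", <doc/>, $extra),
  (: the empty sequence also replaces the defaults: no permissions at all :)
  xdmp:document-insert("/example/empty.xml", <doc/>, ()),
  (: to keep the defaults and add to them, pass both explicitly :)
  xdmp:document-insert("/example/merged.xml", <doc/>,
                       (xdmp:default-permissions(), $extra))
);

xquery version "1.0-ml";
(: Transaction 2: a node-level update; document-level permissions
   on /example/defaults.xml should be left as they were :)
xdmp:node-replace(fn:doc("/example/defaults.xml")/doc,
                  <doc updated="true"/>);

xquery version "1.0-ml";
(: Transaction 3: report the permissions on each document and flag
   any document that ended up with none :)
for $uri in ("/example/defaults.xml", "/example/explicit.xml",
             "/example/empty.xml", "/example/merged.xml")
let $perms := xdmp:document-get-permissions($uri)
return
  <document uri="{$uri}" permission-count="{fn:count($perms)}">{
    if (fn:empty($perms))
    then attribute warning { "no permissions: admin role only" }
    else (),
    $perms
  }</document>
```

The report lists sec:permission elements, which identify roles by id rather than by name. A document flagged with the warning attribute is the case the security guide excerpt cautions about: only users in the admin role can read, update, or delete it.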
_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general