Hi Brent,

Providing access to a Security database means that they can muck about any way they like, giving themselves admin rights as well. Once you have admin rights, you can do anything everywhere, throughout the whole cluster. I don't think that is what you want. Or at least the risk for something like this to happen is too large, I would say.

I think you would be better off with a custom webapp interface of your own, providing only the necessary functionality, backed by a user that has just enough Amps to do what it needs, and only through functions you provide yourself. No direct access to the security API, for instance.

HTH!

Kind regards,
Geert

Drs. G.P.H. Josten
Consultant
Daidalos BV
http://www.daidalos.nl/

> From: [email protected] [mailto:[email protected]] On Behalf Of Hartwig, Brent (CL Tech Sv)
> Sent: Friday 29 January 2010 21:51
> To: General Mark Logic Developer Discussion
> Subject: [MarkLogic Dev General] Multiple Security Databases
>
> Hello,
>
> In our MarkLogic 4.1-3 instance, we host various app servers and databases for multiple applications. We do so in a manner where each application is only able to access their data. For most of these, we create one ML user that serves as the application user. We were recently asked to support multiple roles and users for a single application, at which point we began researching how an application could self-administer their HTTP app server's security without gaining control over another application's data or configuration.
>
> Hence the idea to provide a second security database, dedicated to an application.
>
> I am interested in this group's experience and thoughts, including:
>
> 1. If there is a preferred alternative
> 2. If one should start with a new database or modify a copy of the first
> 3. If there are concerns with temporarily rewiring the admin console to initially reconfigure a copy of the first database
>
> I found a multiple security database warning <http://markmail.org/message/yrtchp7iuva3zxxj?q=%22create%22+%22security+database%22+list:com%2Emarklogic%2Edeveloper%2Egeneral> posted by the highly revered Michael Blakeley a year ago. We do not presently use XQSync and all of our shared environments have the same OS. Nonetheless, I'd like to confirm if multiple security databases would preclude us from using XQSync.
>
> Many thanks for your thoughts and time.
>
> -Brent
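
A sketch of the amped-wrapper approach suggested in the reply above, as an added example that is not code from either poster or from MarkLogic. The module URI, the `appsec` namespace and the `myapp-` naming prefix are hypothetical; it assumes an administrator has pre-created the application's roles and defined an amp on `appsec:create-user` whose role carries only the privileges this one call needs.

```xquery
xquery version "1.0-ml";

(: Hypothetical library module, e.g. /lib/app-users.xqy (assumed path).
   The application user gets no security privileges of its own; an amp
   defined on appsec:create-user supplies them for this call only. :)
module namespace appsec = "http://example.com/app-security";

(: Assumption: every user and role owned by this application carries
   this prefix, and an administrator created the roles in advance. :)
declare variable $appsec:PREFIX as xs:string := "myapp-";

declare function appsec:create-user(
  $name as xs:string,
  $password as xs:string,
  $role as xs:string
) as xs:unsignedLong
{
  (: Refuse anything outside the application's own namespace, so a
     caller can never request "admin" or another application's role. :)
  if (fn:not(fn:starts-with($name, $appsec:PREFIX))) then
    fn:error(xs:QName("appsec:FORBIDDEN-USER"),
      fn:concat("user name must start with ", $appsec:PREFIX))
  else if (fn:not(fn:starts-with($role, $appsec:PREFIX))) then
    fn:error(xs:QName("appsec:FORBIDDEN-ROLE"),
      fn:concat("role must start with ", $appsec:PREFIX))
  else
    (: The security library has to run against the security database.
       Values are passed as external variables, never concatenated
       into the query text. :)
    xdmp:eval('
      xquery version "1.0-ml";
      import module namespace sec = "http://marklogic.com/xdmp/security"
        at "/MarkLogic/security.xqy";
      declare variable $name as xs:string external;
      declare variable $password as xs:string external;
      declare variable $role as xs:string external;
      sec:create-user($name, "created by myapp", $password, $role, (), ())',
      (xs:QName("name"), $name,
       xs:QName("password"), $password,
       xs:QName("role"), $role),
      <options xmlns="xdmp:eval">
        <database>{xdmp:security-database()}</database>
      </options>)
};
```

The application's pages call only `appsec:create-user`; because the checks run before the amped call into the security database, a request for a role outside the prefix fails without touching it.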
