Hi David,

If you have so many docs you might want to apply permissions more granularly now, to avoid having to change them in the future. A good approach is to have five base roles: one for read, one for insert, one for update, one for exec and one to assign default permissions. Use these five to create a 'writestuff' and 'readstuff' role as further described by Danny.
Kind regards,
Geert

drs. G.P.H. (Geert) Josten
Consultant
Daidalos BV
Hoekeindsehof 1-4
2665 JZ Bleiswijk
T +31 (0)10 850 1200
F +31 (0)10 850 1199
mailto:[email protected]
http://www.daidalos.nl/
KvK 27164984

Please consider the environment before printing this mail.

The information sent in or with this e-mail message originates from Daidalos BV and is intended solely for the addressee. If you have received this message unintentionally, we ask you to delete it. No rights can be derived from this message.

> From: [email protected]
> [mailto:[email protected]] On Behalf Of Lee, David
> Sent: Friday, 9 April 2010 22:01
> To: General Mark Logic Developer Discussion
> Subject: RE: [MarkLogic Dev General] RE: Creating a "Simple" user
>
> OK, I will start from scratch (or nearly so, because I have 20GB of documents I don't want to reload ...). I think I can use xdmp:document-set-properties( ... )
>
> What happens if documents have no permissions (like mine do, I just checked)?
> Can you make a non-admin user that can read them? Or *must* permissions exist for any role but admin?
>
> Also, where would I look for errors? I'm getting no errors in the ErrorLog but no output either.
>
> Thanks!
>
> -David
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Danny Sokolsky
> Sent: Friday, April 09, 2010 2:35 PM
> To: General Mark Logic Developer Discussion
> Subject: [MarkLogic Dev General] RE: Creating a "Simple" user
>
> Hi David,
>
> If it was *simple*, it would not be secure :)
>
> Remember that users do not have permissions, documents have permissions, and permissions are tied to roles via a capability (read, update, insert, or execute).
>
> Privileges protect code access (and URI privileges protect creating documents in a URI space).
>
> So here is what I would recommend as a starting point:
>
> * create a role called "ReadsStuff"
> * create a user called "ReadsStuff" and grant that user the "ReadsStuff" role
> * create a role called "WritesStuff"
> * grant "WritesStuff" the "ReadsStuff" role
> * grant "WritesStuff" the any-uri privilege (allowing the creation of a URI in any space) as well as any execute privileges needed (for example, xdmp:invoke, etc). If you want to cheat here, just grant "WritesStuff" the admin role (but if you do this, remember that it is an admin user and can do anything)
> * create a user called "WritesStuff" and grant that user the "WritesStuff" role
> * when you load documents, load them as the "WritesStuff" user and give each document an update and insert permission for "WritesStuff" and a read permission for "ReadsStuff".
> For example, here is code to create a set of permissions to do this (as an option to xdmp:document-insert or xdmp:document-load):
>
> ( xdmp:permission("ReadsStuff", "read"),
>   xdmp:permission("WritesStuff", "insert"),
>   xdmp:permission("WritesStuff", "update") )
>
> * for extra credit, make the above permissions default permissions for the WritesStuff user (then you do not need to explicitly type them when you create documents as this user).
>
> Now the "ReadsStuff" user can read those documents, and the "WritesStuff" user can both read and update the documents.
>
> You will probably also need to grant the "ReadsStuff" role some other execute permissions, depending on how your code is written. However, if your code does not use any protected functions, this will not be needed (for example, if the page you were executing was simply fn:doc("/my-uri.xml")).
>
> Sound simple? It actually is pretty simple, once you understand a few key concepts.... Let us know how it goes.
>
> -Danny
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Lee, David
> Sent: Friday, April 09, 2010 4:41 AM
> To: General Mark Logic Developer Discussion
> Subject: [MarkLogic Dev General] Creating a "Simple" user
>
> I'm struggling on creating a user with the right roles and permissions to run a simple app.
> I read over the security and Admin documentation and still don't get it.
> I think my problem is that ML security is *too flexible*! (no, I'm not asking to change that :)
>
> I was sorta hoping for a default builtin role that would allow
> * Run any xquery script in the Modules DB for this App server
> * Read only on all documents
> * Don't allow "admin stuff" (like add users etc).
>
> That's all, is that so hard?
>
> I can't figure it out though ... There's just so many options, custom roles with permissions ... I won't enumerate them; it's hurting my brain just thinking about it.
>
> Could anyone suggest a *simple* way to just create a user that can execute anything not admin-ish and read-only all documents?
>
> I was able to create a user and use digest authentication but so far have had to add the admin role or my web app doesn't even show up. (I get a 404)
>
> Nothing in the access or error logs to tell me what the reason was.
> Thanks for any suggestions ... (besides RTFM .. I've done that, unless there is a FM that says *simply* what to do).
>
> ----------------------------------------
> David A. Lee
> Senior Principal Software Engineer
> Epocrates, Inc.
> [email protected]
> 812-482-5224
>
> _______________________________________________
> General mailing list
> [email protected]
> http://xqzone.com/mailman/listinfo/general
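The ReadsStuff/WritesStuff setup Danny describes, built on the base capability roles Geert suggests, as an added XQuery example (not code from the thread, nor from MarkLogic's own documentation). It assumes the MarkLogic security.xqy library functions, an admin session in Query Console with the Security database selected, and constructed placeholder passwords; the "base-*" role names are a constructed naming choice.

```xquery
xquery version "1.0-ml";
(: Added example, not from the thread. Statements separated by ";" run as
   separate transactions, so each step can see the roles the previous one
   created (a role created in the same transaction is not yet visible). :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Base capability roles (Geert's idea): nothing but names that document
   permissions can refer to; they carry no privileges of their own. :)
for $cap in ("read", "insert", "update", "execute")
return sec:create-role(concat("base-", $cap), concat("base ", $cap, " role"), (), (), ())
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
(: ReadsStuff inherits base-read and nothing else :)
sec:create-role("ReadsStuff", "read-only app role", "base-read", (), ())
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
(: WritesStuff inherits ReadsStuff plus the write-side base roles :)
sec:create-role("WritesStuff", "read/write app role",
  ("ReadsStuff", "base-insert", "base-update", "base-execute"), (), ())
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
(: Only the execute privileges the app actually needs; no admin role.
   any-uri lets WritesStuff create documents anywhere in the URI space. :)
sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/any-uri",
  "execute", "WritesStuff"),
sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-invoke",
  "execute", "WritesStuff"),
(: Danny's "extra credit": default permissions, set here on the role so every
   document WritesStuff inserts gets them without being typed each time
   (sec:user-set-default-permissions does the same per user). :)
sec:role-set-default-permissions("WritesStuff",
  (xdmp:permission("ReadsStuff", "read"),
   xdmp:permission("WritesStuff", "insert"),
   xdmp:permission("WritesStuff", "update"))),
(: Users carry roles, not permissions; passwords are placeholders :)
sec:create-user("ReadsStuff", "read-only app user", "CHANGE-ME-1", "ReadsStuff", (), ()),
sec:create-user("WritesStuff", "read/write app user", "CHANGE-ME-2", "WritesStuff", (), ())
```

Documents already loaded with no permissions at all (David's case) are readable only by users holding the admin role; fix them as admin against the content database with xdmp:document-set-permissions($uri, $permissions), the permissions counterpart of the xdmp:document-set-properties call David mentions.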
