Thanks Danny. I was hoping to get a discussion around this because I am not sure it is as simple as I first thought. I had not considered using amped functions to do it.
Of course this was just a three person example. The real use case involves Sue needing to have the ability to share read access to several other users on documents where she only has read access. At this point I have minimal exposure to the way MarkLogic handles document level security and trying to relate this to the documentation in the Search Guide on Collections security. So, I think this needs good planning before jumping into implementation. A specific question is; do I understand correctly that a document can be in many collections and that collection access must be granted before document access is checked? --Tim On Mon, Jul 28, 2014 at 7:31 PM, Danny Sokolsky < [email protected]> wrote: > Hi Tim, > > > > I am not sure I have thought this through completely, nor can I think of > the exact steps to do this, but here is my instinct on how I would attempt > to solve this: > > > > I would try to create amped functions that allow Sue to share (read only) > Tom’s document (that Sue has read permission for). I think the function > could amp to a role paired with a read permission on the document, thus > allowing Tom to read the document. > > > > Like I said, I am not totally sure how I would write such a function, but > it seems possible (though tricky). See if that scratches an itch. > > > > Maybe someone else has a better idea. > > > > -Danny > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Timothy W. Cook > *Sent:* Monday, July 28, 2014 7:19 AM > *To:* MarkLogic Developer Discussion > *Subject:* [MarkLogic Dev General] Security Design > > > > I am in the early design stages of a (hopefully) large application and > would like to see if I understand the operations of collections correctly. > > > > You can think of this in a similar context to a social media app. > > I have attached a simple diagram to aid the text. > > > > Imagine that Joe, Sue and Tom are users and each have a collection (marked > 'P' )where only they have read/write access to documents they load. > > Joe and Tom have collections that they would like to use to share (read > only) with various other users, one being Sue. This seems rather straight > forward. > > However, the use case also calls for Sue being able to share (read only) > Tom's documents with Joe and Joe's documents with Tom; as she sees fit > without the intervention of Tom or Joe. > > > > Could someone expand on this to describe how this might be setup? Do I > need separate roles that are tied to each collection, for each of these > exchanges? > > > > Thanks, > > Tim > > > > > -- > > > ============================================ > Timothy Cook > LinkedIn Profile:http://www.linkedin.com/in/timothywaynecook > > MLHIM http://www.mlhim.org > > > > _______________________________________________ > General mailing list > [email protected] > http://developer.marklogic.com/mailman/listinfo/general > > -- ============================================ Timothy Cook LinkedIn Profile:http://www.linkedin.com/in/timothywaynecook MLHIM http://www.mlhim.org
_______________________________________________ General mailing list [email protected] http://developer.marklogic.com/mailman/listinfo/general
