Hi Richard,

It is usually easiest to build up a few layers of roles. Most flexibility is 
gained when you create separate read and update roles for each group of 
documents to which you want to control access separately. You can then use role 
inheritance to give a user or usergroup-specific role access to particular 
groups of documents. You could also create one that has access to all.

To save on cross-products of roles, I'd also advise looking into compartment 
security. That allows restricting access to combinations of roles, a bit like 
AND (compartments) versus OR (default behavior).

Cheers,
Geert

From: [email protected] on behalf of Shmennen <[email protected]>
Reply-To: "[email protected]" <[email protected]>, MarkLogic Developer Discussion 
<[email protected]>
Date: Tuesday, November 7, 2017 at 9:57 PM
To: Rob Szkutak <[email protected]>, MarkLogic Developer Discussion 
<[email protected]>
Subject: Re: [MarkLogic Dev General] Document access based on field value

Thanks, it looks good!

Btw, another question, maybe not related: is there any way to assign some 
capabilities (e.g. insert, update, execute) to a user who can access all docs, 
no matter what roles and privileges they have in the db?
E.g. some power user to have access (read/write) to all docs, independent of 
which users inserted them, but not to be admin.

Regards
Richard W.


On Tue, Nov 7, 2017 at 19:20, Rob Szkutak <[email protected]> wrote:

Hello,

One solution to implement this is to use amplified functions (amps).

The basic idea is this:

* Restrict the document so that the user cannot read or update it.
* Create a function which the user must use to read or update the document.
* Amplify the function so that the user can read or modify the document only 
within your function.
* Have your function perform the validation check and either perform the 
desired document operation or return the appropriate invalid document response 
to the user.


Another solution is that every time a document is inserted or updated, you 
could perform a check if the document is valid or not and assign the 
appropriate role to it when the document is placed into the database.

Something like:

(: $valid holds the result of your validation check; role names are placeholders :)
let $valid as xs:boolean := true()
return
  xdmp:document-insert("uri", $document,
    if ($valid)
    then xdmp:permission("role-the-user-has", "read")
    else xdmp:permission("role-the-user-does-not-have", "read"))

If required you may also combine these two techniques.

Hope this is helpful.

Best,

Rob


Rob Szkutak
Senior Consultant
MarkLogic Corporation
http://www.marklogic.com
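As an added example (not code from Rob's or Geert's mail, nor from MarkLogic), the insert-time approach written out in XQuery with the separate read and update roles Geert describes; the role names valid-reader, valid-updater and quarantine-reviewer are assumed to already exist in the Security database, and the URIs and the two sample documents are constructed:

```xquery
xquery version "1.0-ml";

(: Added example; role names are placeholders. valid-reader and valid-updater
   are granted to ordinary users, quarantine-reviewer only to the people who
   vet documents. :)
declare namespace sec = "http://marklogic.com/xdmp/security";

(: Decide the permission set from the field value: only a document whose
   <check> element reads VALID gets the roles that ordinary users hold. :)
declare function local:permissions-for($doc as node()) as element(sec:permission)*
{
  if (($doc//check)[1] eq "VALID")
  then (
    xdmp:permission("valid-reader", "read"),
    xdmp:permission("valid-updater", "update")
  )
  else (
    (: Anything else is readable and updatable by the reviewer role only;
       a user without that role cannot read the document, and search will
       not return it to them either. :)
    xdmp:permission("quarantine-reviewer", "read"),
    xdmp:permission("quarantine-reviewer", "update")
  )
};

(: Insert with the computed permissions and return them so the caller can
   see which roles were chosen. To confirm what is actually stored, call
   xdmp:document-get-permissions($uri) in a later transaction, since an
   insert is not visible until its transaction commits. :)
declare function local:insert-checked($uri as xs:string, $doc as node())
  as element(sec:permission)*
{
  let $perms := local:permissions-for($doc)
  return (
    xdmp:document-insert($uri, $doc, $perms),
    $perms
  )
};

(: Constructed samples with the shape from Richard's question, one VALID and
   one not. Run in an update transaction. :)
let $valid := <data><amount>999</amount><check>VALID</check></data>
let $pending := <data><amount>42</amount><check>PENDING</check></data>
return (
  local:insert-checked("/orders/999.xml", $valid),
  local:insert-checked("/orders/42.xml", $pending)
)
```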

________________________________
From: [email protected] <[email protected]> on behalf of Shmennen 
<[email protected]>
Sent: Tuesday, November 7, 2017 10:54:40 AM
To: MarkLogic Developer Discussion
Subject: [MarkLogic Dev General] Document access based on field value

Hello All,

   Is there any possibility to get access to a document (suppose an XML or 
JSON) from the database only if the value of a tag has a specific value?

E.g. user1 can read/modify the document only if the check tag has value "VALID".
<data>
    <amount>999</amount>
    <check>VALID</check>
</data>

- Richard
_______________________________________________
General mailing list
[email protected]
Manage your subscription at: 
http://developer.marklogic.com/mailman/listinfo/general