thichxai

Reputation: 1133

How to check user permissions in MarkLogic

How to construct XQuery to get users' roles and permissions (read, update, insert...)? I have the users' roles. Unable to get the users' permissions.

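xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
(: Run against the Security database, where the sec:user documents live :)
for $u in /sec:user
let $n := string($u/sec:user-name)
order by $n
return
  <user>
    <name>{ $n }</name>
    { sec:get-role-names($u/sec:role-ids/sec:role-id)
      ! <role>{ string(.) }</role> }
  </user>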

Upvotes: 3

Views: 395

Answers (3)

Dave Cassel

Reputation: 8422

One more aspect to the answer, to add to @rjrudin and @grtjn's answers. In MarkLogic, a user may have default permissions, which will be applied to new documents if permissions are not specified. You can get these permissions from sec:user-get-default-permissions. However, the common approach is to look at permissions on a document basis, rather than a user basis.

Upvotes: 1

grtjn

Reputation: 20414

While rjrudin's answer helps you find roles attached to a user, it won't say anything about permissions attached to the roles. It can't, however, as permissions are controlled per document.

You'd need a document or a database URI as a starting point. You feed the URI into a function like xdmp:document-get-permissions. That will return which roles have which permission on that specific URI. Intersect that with roles attached to the user of interest, and you will know whether the user can access or update the document or not.

HTH!

Upvotes: 2
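
The intersection described in the answer above, as an added example that is not part of any answer on this page. It assumes ML9 or later (for xdmp:role-name) and is evaluated against the content database holding the document; the URI and user name are constructed sample values.

```xquery
xquery version "1.0-ml";

(: Added example: capabilities one user has on one document.
   $uri and $user-name are constructed sample values. :)
declare namespace sec = "http://marklogic.com/xdmp/security";

declare variable $uri as xs:string := "/example/doc.xml";
declare variable $user-name as xs:string := "example-user";

(: All role ids of the user, including roles inherited through other roles :)
let $user-roles := xdmp:user-roles($user-name)
(: One sec:permission element (capability + role-id) per grant on the document :)
let $doc-perms := xdmp:document-get-permissions($uri)
(: Keep only the grants whose role the user actually holds :)
let $matching := $doc-perms[xs:unsignedLong(sec:role-id) = $user-roles]
return
  <access uri="{$uri}" user="{$user-name}">
    {
      for $cap in fn:distinct-values($matching/sec:capability/fn:string())
      order by $cap
      return
        <capability name="{$cap}">
          {
            (: Name each role that grants this capability to the user :)
            for $p in $matching[sec:capability = $cap]
            return
              <via-role>{ xdmp:role-name(xs:unsignedLong($p/sec:role-id)) }</via-role>
          }
        </capability>
    }
    {
      (: No matching grant means no access through document permissions.
         A user holding the admin role bypasses document permissions,
         so check for that role separately. :)
      if (fn:empty($matching)) then <no-access/> else ()
    }
  </access>
```

An empty result for a user who can still read the document usually means the admin role is in play, so audit that role's membership alongside per-document grants.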

rjrudin

Reputation: 2236

Try this (and note that if you're on ML9, you can use the new xdmp:role-name function, but the below will work on ML8 too):

xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
for $u in /sec:user
let $n := string($u/sec:user-name)
order by $n
return
  <user>
    <name>{$n}</name>
    {
      for $role-id in $u/sec:role-ids/sec:role-id 
      let $role-name := sec:get-role-names($role-id)/fn:string()
      order by $role-name
      return element role {$role-name}
    }
  </user>

Upvotes: 2
