WhiteSolstice

Reputation: 651

cts:search and setting of permissions (MarkLogic)

I've been reading and understand that there are several ways of setting permissions, such as sec:collection-set-permissions, xdmp:document-set-permissions, sec:path-set-permissions, sec:protect-path, sec:priv-doc-permissions, setting permissions through MLCP, and redaction.

However, I have been trying to see if there are any other ways, as well as whether it is possible to do a cts:search plus setting of permissions in a scalable way. For now, I know I can approach this in a way similar to what is shown in the following question: Pattern or Format Match in XQuery MarkLogic. However, this approach doesn't seem to be scalable with the use of a for loop.

Any advice on solving this, as well as any recommendations for setting permissions in a scalable way, would be greatly appreciated.

Upvotes: 0

Views: 118

Answers (1)

grtjn

Reputation: 20414

You are referring to functions that relate to quite different security topics, each of which has a different purpose. Just for clarity:

  • sec:collection-set-permissions is related to Protected Collections, which is about who can add documents to a collection (and not about protecting the documents inside it)
  • xdmp:document-set-permissions and MLCP's -output_permissions argument are about Document Permissions, which is how you control who can access which document. Compartment Security is a related topic here.
  • sec:path-set-permissions and sec:protect-path are related to Protected Paths, which is about fine-grained access control at element or property level inside documents. In other words, it adds on top of document access. It is also known as Element Level Security (ELS).
  • sec:priv-doc-permissions is just an internal function to help with creating so-called Privileges.
  • Redaction is mostly for exporting your data in such a way that sensitive data can be hidden or obfuscated.

You'd normally not need to use functions from the sec library. You'd also normally design your security plan upfront to avoid needing to touch your documents afterwards.

During development, however, you often find that you need to apply changes. For documents, this would only apply to xdmp:document-set-permissions, as that is the only one that should be applied to the documents themselves. You would basically do a 'for loop' for that, but not on all documents at once. You typically batch up the files you want to process, and spawn processing onto the Task Server. Here are some pointers on this: https://stackoverflow.com/a/52953123/918496

Adding protected paths by the way would trigger a reindex of all related documents, which MarkLogic will take care of fully automatically for you. Protecting collections would only affect inserts and updates after applying the protection.

HTH!

Upvotes: 1
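
The batch-and-spawn pattern described in the answer, as an added example that is not part of the original answer or of MarkLogic's own code. The collection name, role names and batch size are assumptions, and the `<update>` option assumes MarkLogic 9 or later.

```xquery
xquery version "1.0-ml";

(: Added example. "invoices", "invoice-reader", "invoice-writer" and the
   batch size are hypothetical values chosen for illustration. :)
declare variable $BATCH-SIZE as xs:integer := 500;

(: Resolve the matching URIs from the URI lexicon (it must be enabled),
   so no document is loaded just to select it. Any cts:query works here. :)
let $query := cts:collection-query("invoices")
let $uris := cts:uris((), (), $query)

(: The full permission set each matching document should end up with. :)
let $permissions := (
  xdmp:permission("invoice-reader", "read"),
  xdmp:permission("invoice-writer", "update")
)

let $batch-count := xs:integer(fn:ceiling(fn:count($uris) div $BATCH-SIZE))
for $i in 1 to $batch-count
let $batch := fn:subsequence($uris, ($i - 1) * $BATCH-SIZE + 1, $BATCH-SIZE)
return
  (: Each batch becomes its own Task Server task and its own transaction,
     so one request never holds write locks on every matching document. :)
  xdmp:spawn-function(
    function() {
      for $uri in $batch
      return xdmp:document-set-permissions($uri, $permissions)
    },
    <options xmlns="xdmp:eval">
      <update>true</update>
    </options>
  )
```

xdmp:document-set-permissions replaces every existing permission on the document, so the list passed in must be the complete intended set; xdmp:document-add-permissions leaves the current permissions in place and adds to them.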
