Reputation: 527
How do I set the privilege for set-session-field() function in MarkLogic for the application user? I cannot seem to find this information in the MarkLogic documentation and I currently get the following error when I try to use this function:
SEC-PRIV: xdmp:set-session-field("myfield", "myvalue") -- Need privilege: http://marklogic.com/xdmp/privileges/xdmp-set-session-field in /my_xquery_file.xqy, at 48:6 [1.0-ml]
thx
p.s. Got this one: OK, for anyone else who needs this information, I found it in the MarkLogic doc "Understanding and Using Security Guide" on page 28. Open the MarkLogic admin panel in your browser; go to Configure->Security->Execute Privileges; scroll down to find the function/privilege you want to grant and click on the specific function/privilege. In the next screen, check the app-user if you want your XQuery scripts to execute the function. My app can now store data in user sessions (set-session-field privilege).
Upvotes: 1
Views: 695
Reputation: 2137
Rather than giving all users with the app-user role the ability to create session fields, you might also consider creating a library function that creates specific types of session fields (perhaps for specific users) and amp that function to a role that can create session fields. Amps allow you to elevate permissions temporarily for a specific function call. They allow a user to do privileged things in the context of an application without having to give that user blanket privilege to do that same task in any context. You can read more about amps in section 5.2 of the Understanding and Using Security Guide referenced above.
Upvotes: 1
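The amp approach from the answer above, written out as an added example (not code from this thread or from MarkLogic): a library function that sets only allowlisted session fields, with the amp setup shown in the trailing comment. The namespace, module path, role name `session-field-writer`, field allowlist and length limit are assumptions chosen for illustration.

```xquery
xquery version "1.0-ml";

(: Hypothetical library module, assumed to be installed at
   /lib/session-lib.xqy. Only sl:set-preference is amped, so callers
   holding just app-user can set the allowlisted fields and nothing else. :)
module namespace sl = "http://example.com/session-lib";

(: Field names the application may store (constructed sample values). :)
declare variable $sl:ALLOWED-FIELDS as xs:string+ := ("theme", "locale");

(: Upper bound on a stored value's length; an assumed application limit. :)
declare variable $sl:MAX-LENGTH as xs:integer := 64;

declare function sl:set-preference(
  $name as xs:string,
  $value as xs:string
) as item()*
{
  (: Validate before reaching the privileged built-in: the amp elevates
     every caller of this function, so it must not accept arbitrary input. :)
  if (fn:not($name = $sl:ALLOWED-FIELDS)) then
    fn:error(xs:QName("sl:FIELD-NOT-ALLOWED"),
             "Session field not allowed", $name)
  else if (fn:string-length($value) gt $sl:MAX-LENGTH) then
    fn:error(xs:QName("sl:VALUE-TOO-LONG"),
             "Session field value too long", $name)
  else
    (: Requires the xdmp-set-session-field execute privilege,
       which the amp supplies for the duration of this call. :)
    xdmp:set-session-field($name, $value)
};

(: One-time setup, run by a security admin against the Security database.
   Assumes the role session-field-writer already exists and holds no other
   privileges. Use database id 0 instead of xdmp:database("Modules") when
   modules are served from the file system.

   import module namespace sec = "http://marklogic.com/xdmp/security"
     at "/MarkLogic/security.xqy";
   sec:privilege-add-roles(
     "http://marklogic.com/xdmp/privileges/xdmp-set-session-field",
     "execute", "session-field-writer"),
   sec:create-amp("http://example.com/session-lib", "set-preference",
     "/lib/session-lib.xqy", xdmp:database("Modules"),
     "session-field-writer")
:)
```

With this in place the execute privilege is not granted to app-user at all; application modules import the library and call `sl:set-preference("theme", "dark")`.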
Reputation: 20414
Yes, the answer you give yourself is correct.
A link to the PDF copy of that manual can be found here: http://community.marklogic.com/docs (direct link: http://community.marklogic.com/pubs/5.0/books/security.pdf ). The searchable docs site is also noteworthy. It can be found here: http://docs.marklogic.com/5.0doc/docapp.xqy (direct link to the Execute Privileges section: http://docs.marklogic.com/5.0doc/docapp.xqy#display.xqy?fname=http://pubs/5.0doc/xml/security/execute.xml ).
Note though that MarkLogic's Security model is role-based. You assign the Execute Privilege to a role, and the user you authenticate with needs to have this role. So if your user has the app-user role, then the above is correct.
HTH!
Upvotes: 1