[MarkLogic Dev General] Re: URI Privileges
Paul Preuveneers
paul.preuveneers at gmail.com
Tue May 1 05:27:36 PDT 2007
Yes, fixed it, thank you!
It was the any-uri setting on the role that was the problem.
Thanks!
Paul
On 29/04/07, Michael Blakeley <michael.blakeley at marklogic.com> wrote:
>
> Paul,
>
> Have you read our documentation on "Understanding and Using Security"
> (http://developer.marklogic.com/pubs/)? I'm asking because I suspect
> that you may be confused about URI Privileges vs document-level
> permissions. For example, there is no such thing as an "update
> privilege" in the MarkLogic Server security model.
>
> It's also misleading to talk about a "protected URI". All URIs are
> protected, unless the user has the "any-uri" Execute Privilege. The
> purpose of a URI Privilege is to unprotect a URI prefix for a particular
> role or user.
>
> I apologize for being so pedantic, but the terminology is important.
>
> General debugging tips: it is always useful to say which version of
> MarkLogic Server you are using. Also, each security item has a
> "Describe" tab in the admin server, which provides a nice summary of the
> item's configuration.
>
> Here's how I set up a similar model to what I believe you're after: we
> use this as an example in our training course. I've copied the text from
> the description tab for each item.
>
> * URI Privilege: priv-uri-public
> ** privilege name: priv-uri-public
> ** privilege action: /public/
>
> * Role: writer
> ** Execute Privileges: none
> ** URI Privileges: priv-uri-public
> ** Permissions: writer (insert, update, read), reader (read)
> ** Collections: none
>
> * User: writer
> ** Roles: writer
>
> * Role: reader
> ** Execute Privileges: none
> ** URI Privileges: none
> ** Permissions: none
> ** Collections: none
>
> * User: reader
> ** Roles: reader
>
> With this configuration, "writer" may insert new documents under
> /public/, but nowhere else in the database. The "writer" may
> subsequently query, update, and overwrite those documents. The "reader"
> may only query those documents.
>
> -- Mike
>
> > Paul Preuveneers paul.preuveneers at gmail.com
> > Mon Apr 23 03:37:10 PDT 2007
> >
> > I am trying to lock down a particular URI to a particular role/user and I
> > don't seem to be able to get the URI Privileges functionality to work.
> >
> > I have the following idiom for users and roles:
> >
> > Role               User
> > web-user           my-web-user
> > content-manager    my-content-manager
> >
> > The web-user role does not have document update privileges, whereas the
> > content-manager role does. I connect to ML using my-web-user and only use
> > content-manager when loading data or for cq.
> >
> > I want to be able to let the web-user role only update a specific URI and
> > nowhere else, however even after creating a URI privilege and assigning it
> > to that role, I still cannot create documents in that uri (or anywhere
> > else!). The user still seems to need document update privileges? But if I
> > grant these I can create docs in any URI.
> > I can also still create documents in the protected URI with the
> > content-manager user also, and I was hoping this would not be allowed until
> > I gave the privilege to this role also.
> >
> > So far, I can't see the URI Privileges having any kind of effect at all...
> >
> > What am I doing wrong?
> >
> > Thanks
> >
> > Paul
>
>
> _______________________________________________
> General mailing list
> General at developer.marklogic.com
> http://xqzone.com/mailman/listinfo/general
>
>
>
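The writer/reader model Mike lays out above can also be built with the MarkLogic Security API instead of the admin UI. The script below is an added example, not code from the thread or from MarkLogic's documentation; it assumes the sec:* function arities shown (they vary between server versions, so check security.xqy on your release), uses placeholder passwords, and must be run against the Security database by a user holding the security role. Role creation and the statements that reference those roles are split into two semicolon-separated transactions because updates are not visible to queries in the same transaction.

```xquery
xquery version "1.0-ml";
(: Added example, not from the thread: reproduces Mike's priv-uri-public /
   writer / reader setup with the Security API. Run against the Security
   database (for example from cq with that database selected).
   Transaction 1: objects that do not reference each other yet. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: URI privilege: unprotects the /public/ prefix for whichever roles hold it.
   Kind "uri" distinguishes it from an execute privilege such as any-uri. :)
sec:create-privilege("priv-uri-public", "/public/", "uri", ()),

(: Roles are created with no default permissions for now, because the
   permissions assigned below name the roles themselves. :)
sec:create-role("reader", "may only query documents", (), (), ()),
sec:create-role("writer", "may insert under /public/ only", (), (), ())
;
xquery version "1.0-ml";
(: Transaction 2: wire the privilege, default permissions and users to the
   roles created above (they are visible now that transaction 1 committed). :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Only writer gets the URI privilege; reader holds no privileges at all. :)
sec:privilege-add-roles("/public/", "uri", "writer"),

(: Default permissions stamped on every document writer inserts:
   writer may insert, update and read; reader may only read. :)
sec:role-set-default-permissions("writer",
  (xdmp:permission("writer", "insert"),
   xdmp:permission("writer", "update"),
   xdmp:permission("writer", "read"),
   xdmp:permission("reader", "read"))),

(: One user per role. Passwords are placeholders, change before use. :)
sec:create-user("writer", "writer test user", "CHANGE-ME-writer",
  "writer", (), ()),
sec:create-user("reader", "reader test user", "CHANGE-ME-reader",
  "reader", (), ())
```

To confirm the model behaves as Mike describes, run xdmp:document-insert("/public/test.xml", <x/>) as the writer user (succeeds) and then xdmp:document-insert("/private/test.xml", <x/>) as the same user, which should be refused with a SEC-URIPRIV error. If the second insert also succeeds, the role has picked up the any-uri execute privilege somewhere in its inheritance chain, which is exactly the setting Paul found and removed.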