[MarkLogic Dev General] Creating user with read-only permission

Michael Blakeley mike at blakeley.com
Fri Aug 31 08:49:17 PDT 2012


Well, you *could* write amp functions that let users read documents as if they have the x-user role, while doing everything else as some new role. But that feels like a hack to me, and makes it harder to hide documents that the new role shouldn't be able to see.

Updating 10M documents isn't such a big deal, especially if you already know how to use Corb, presta, or xdmp:spawn. If you think you have the security model right this time, just do it. The sooner you start, the sooner you will finish.

Why isn't there an easier way? Basically because document permissions are part of the document, similar to filesystem permissions. If you need to change the permissions on 10M files, the only way to do it is to update those 10M files. Tools like 'chmod -R' make that easier, and with MarkLogic you can use xdmp:spawn or Corb. With a filesystem or with MarkLogic, the main ways to avoid this are to ignore security entirely (everyone runs privileged), or to get the security model right before scaling out.

-- Mike

On 31 Aug 2012, at 06:57 , Danny Sinang wrote:

> Hi,
> 
> I need to create users with read-only permission over all our documents but, from what I've read, it looks like I have to update the permissions on all documents to do this.
> 
> We've got around 10 million documents in ML and all of them were created using a user called "x-admin-user" who is assigned the following roles:
> 
> admin
> security
> dls-user
> dls-admin
> x-admin
> 
> The x-admin role has the following default permissions:
> 
> x-user : read
> x-user : insert
> x-user : update
> x-user : execute
> 
> So far, the only way I can give my new users access to our data is to give them the role of "x-user" but that gives them update privileges as well.
> 
> Is there an easier way to grant read-only access?
> 
> Regards,
> Danny
> 
> _______________________________________________
> General mailing list
> General at developer.marklogic.com
> http://developer.marklogic.com/mailman/listinfo/general
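
An added example, not part of the original thread: one way to do the bulk update the reply describes, as a task module that adds a read permission for a new role in batches and re-spawns itself with xdmp:spawn until the URI lexicon is exhausted. The role name "x-reader", the module path /tasks/add-read.xqy and the batch size are assumptions; the URI lexicon must be enabled, and the task must run as a user who can see and update every document.

```xquery
xquery version "1.0-ml";

(: Added example, not code from the thread.
   Assumptions: role "x-reader" already exists, the URI lexicon is enabled,
   and this module is installed at the hypothetical path below. :)
declare namespace sec = "http://marklogic.com/xdmp/security";

(: Last URI handled by the previous batch; pass "" for the first run. :)
declare variable $AFTER as xs:string external;

declare variable $MODULE := "/tasks/add-read.xqy";  (: hypothetical path :)
declare variable $ROLE   := "x-reader";             (: hypothetical role :)
declare variable $BATCH  := 1000;                   (: documents per task :)

let $read    := xdmp:permission($ROLE, "read")
let $role-id := xdmp:role($ROLE)
(: cts:uris starts at $AFTER inclusive, so fetch one extra and drop it. :)
let $uris :=
  cts:uris($AFTER, ("document", fn:concat("limit=", $BATCH + 1)))[. ne $AFTER]
return (
  for $uri in $uris
  (: Skip documents that already carry the permission, so a re-run after
     a failure does not rewrite documents that are already done. :)
  where fn:empty(
    xdmp:document-get-permissions($uri)
      [sec:capability eq "read"]
      [xs:unsignedLong(sec:role-id) eq $role-id])
  (: Adds read only; existing x-user permissions are left untouched,
     and no insert/update/execute capability is granted to the new role. :)
  return xdmp:document-add-permissions($uri, $read),

  if (fn:exists($uris))
  then xdmp:spawn($MODULE, (xs:QName("AFTER"), $uris[fn:last()]))
  else xdmp:log(fn:concat("add-read: finished, role=", $ROLE))
)
```

New documents still get only the x-admin role's default permissions, so the read permission for the new role also has to be added to those defaults, or documents inserted after the run will not be visible to it.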


