[MarkLogic Dev General] Create temporary user

Jason Hunter Jason.Hunter at marklogic.com
Mon Sep 18 05:59:50 PDT 2017

I understand that JWT will provide for authentication.  How do you intend to do authorization?

Meaning, how do you intend to know what roles the username given in the JWT should have within MarkLogic?  Or do all authenticated users get the same roles, or something?


On Sep 18, 2017, at 15:07, Andreas Hubmer <andreas.hubmer at ebcont.com<mailto:andreas.hubmer at ebcont.com>> wrote:


I'll answer for my colleague.
We'd like to use JSON Web Tokens (JWT) and extract the user roles from the token.
The users are managed in an external system and similar to the LDAP connection we want to avoid that every user has to be created/updated in MarkLogic too.

Amps do not give the same flexibility as a temporary user with an arbitrary combination of roles.


2017-09-15 17:50 GMT+02:00 Justin Makeig <Justin.Makeig at marklogic.com<mailto:Justin.Makeig at marklogic.com>>:
Rather than describe your solution, can you explain the problem you’re trying to solve? Why do you think you need a temporary user? What permission/privilege challenge are you trying to address?

You might also take a look at amps <https://docs.marklogic.com/guide/admin/security#id_81246>. An amp allows a security administrator to elevate the privileges of a specific function. This is beneficial in that the security is defined in configuration, not code.


Justin Makeig
Senior Director, Product Management
jmakeig at marklogic.com<mailto:jmakeig at marklogic.com>

> On Sep 15, 2017, at 4:29 AM, Andreas Holzgethan <andreas.holzgethan at ebcont.com<mailto:andreas.holzgethan at ebcont.com>> wrote:
> Hi @all,
> I need the possibility to create temporary user for a transaction.
> I just found in the documentation that such a functionality is used when for example LDAP is configured as an external security.
> Could you please explain me how this is done there?
> My thirst thought was to create a user with the function "sec:create-user-with-role". At the end of the transaction I would just call the function "sec:remove-user".
> Could you please give me feedback about this implementation?
> Is such a implementation a big influence on the performance?
> Thanks!
> Best regards
> Andreas Holzgethan
> Andreas Holzgethan BSc.
> IT Consultant

Andreas Hubmer
Senior IT Consultant

EBCONT enterprise technologies GmbH
General mailing list
General at developer.marklogic.com<mailto:General at developer.marklogic.com>
Manage your subscription at:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://developer.marklogic.com/pipermail/general/attachments/20170918/31f672d1/attachment.html 

More information about the General mailing list