You’d like to get a list of a particular user’s permissions on a document.


The xdmp:document-get-permissions() function will get all permissions, but you can narrow it down after identifying the user’s roles.

let $roles := xdmp:user-roles("some-user")
    [sec:role-id = $roles]/sec:capability/fn:string()

The result will be a sequence of permission strings from among “read”, “update”, “insert”, and “execute”.


Permissions are assigned to a document by role. Users are also assigned roles, and through them gain access to documents.

The first step of this recipe is to gather the roles that the specified user has. The xdmp:user-roles() function returns both the roles that the user has been directly granted and any inherited roles.

With the roles in hand, we can retrieve all the permissions on the target document, then use some XPath to retrieve just the ones we are interested in.

Learn More

Advanced Security

Explore all technical resources related to advanced security in MarkLogic.

MarkLogic Security Course

This course walks through how to securely manage data inside the MarkLogic database.

MarkLogic Security Guide

Read over how to use the role-based security model in MarkLogic Server.

This website uses cookies.

By continuing to use this website you are giving consent to cookies being used in accordance with the MarkLogic Privacy Statement.