Hello Tim,

The wiki page you point to seems to be very outdated. More relevant for your questions is the page http://docs.basex.org/wiki/User_Management

1) This is not possible, permission levels are always granted on the database level. If you want to do that, you should create new databases for these documents. There is no harm in having many databases, as it is a rather lightweight construct and you can query over all databases in your system in one query.

2) This is a completely separate thing. In the point before we talked about the database level, but now we are in an application level. It heavily depends on which technology you use, most prominently RESTXQ and our REST interface come to mind. With RESTXQ each endpoint could have some application-specific function e.g. user:check-login() which would throw an error if a not-authenticated user is attempting to access the site. This is the responsibility of the application designer to provide these access restrictions.

3) We currently do not support this, but I think this is a good idea. Adding roles to our user management seems like a good idea to me. But again, this is just on the database level.

4) Well, users want to do all sorts of things and desire a lot - The question is if it is really desirable. Imagine a node-level security: You would have to check this all the time when evaluating the query and this will be a significant performance drop. I am pretty sure the majority of users would not be happy with that. This is also why I am quite sure we will not be more specific in our security schemas than using the database level (especially, because the user is free to split different security-aware nodes by him/herself and put them into different databases).

Cheers,
Dirk

On 01/15/2016 01:25 AM, Finney, Tim wrote:
> Hi Everyone,
>
> Sorry if this is a dumb question. What is a good way to do security in
> BaseX? I found a stub here:
>
> http://docs.basex.org/wiki/Security:_Use_Cases
>
> What I would like is to be able to restrict who can do what with a
> database. Here are a few things I’d like to be able to do:
>
> 1. Grant create, read, update, and delete permissions on each
> document in a database, and have a default mask for a database document.
>
> 2. Say whether a user can or cannot execute a function or visit a
> URL (and get something besides a 404).
>
> 3. Allow the creation of roles which can be assigned to users.
> (Having a particular role allows all users with that role to do
> particular things, like update docs, or visit particular URLs.)
>
> 4. No doubt there are more desiderata. E.g. one might conceivably
> want to be able to grant permissions at the node level within a document.
>
> Any pointers?
>
> Best,
>
> Tim Finney

--
Dirk Kirsten, BaseX GmbH, http://basexgmbh.de
|-- Registered office: Blarerstrasse 56, 78462 Konstanz
|-- Register court Freiburg, HRB: 708285, Managing directors:
|   Dr. Christian Grün, Dr. Alexander Holupirek, Michael Seiferle
`-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22
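
The application-level check described in point 2 of the reply, sketched as a RESTXQ module. This is an added example, not part of the original message and not BaseX project code; the module namespace, the URL paths, the `reports` database, the `user` session key and the name `app:check-login` (standing in for the `user:check-login()` mentioned above) are all assumptions.

```xquery
(: Added example. The namespace URI, paths, the 'reports' database and the
   'user' session key are hypothetical. :)
module namespace app = 'http://example.org/app';

(: Raises app:unauthorized unless a login has stored a name in the session. :)
declare function app:check-login() as empty-sequence() {
  if (exists(session:get('user'))) then ()
  else error(xs:QName('app:unauthorized'), 'Login required')
};

(: Verifies credentials against the BaseX user store, then marks the session.
   Any failure of user:check is reported as the same generic error. :)
declare
  %rest:POST
  %rest:path('/login')
  %rest:form-param('name', '{$name}')
  %rest:form-param('pass', '{$pass}')
function app:login($name as xs:string, $pass as xs:string) {
  try {
    user:check($name, $pass)
  } catch * {
    error(xs:QName('app:unauthorized'), 'Invalid credentials')
  },
  session:set('user', $name),
  web:redirect('/reports')
};

(: Protected endpoint: if app:check-login() raises, the whole function fails
   and no report data is returned. :)
declare
  %rest:GET
  %rest:path('/reports')
function app:reports() {
  app:check-login(),
  <reports>{ collection('reports') ! <doc uri='{ base-uri(.) }'/> }</reports>
};

(: Maps the error to a 401 response instead of an error page with details. :)
declare
  %rest:error('app:unauthorized')
function app:unauthorized() {
  <rest:response>
    <http:response status='401' message='Unauthorized'/>
  </rest:response>
};
```

Every endpoint that serves restricted data has to call the check itself; an endpoint that omits the call is reachable by anyone who can reach the server, which is the designer's responsibility the reply refers to.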