Thank you all!
-Ric 
 
  On Tue, Nov 7, 2017 at 22:11, Geert Josten<geert.jos...@marklogic.com> wrote: 
  Hi Richard,
It is usually easiest to build up a few layers of roles. Most flexibility is 
gained when you create separate read and update roles for each group of 
documents to which you want to control access separately. You can then use role 
inheritance to give a user or usergroup-specific role access to particular 
groups of documents. You could also create one that has access to all.
To save on cross-products of roles, I’d also advise looking into compartment 
security. That allows restricting access to combinations of roles, a bit like AND 
(compartments) versus OR (default behavior).
Cheers,
Geert
From: <general-boun...@developer.marklogic.com> on behalf of Shmennen 
<shmen...@yahoo.com>
Reply-To: "shmen...@yahoo.com" <shmen...@yahoo.com>, MarkLogic Developer 
Discussion <general@developer.marklogic.com>
Date: Tuesday, November 7, 2017 at 9:57 PM
To: Rob Szkutak <rob.szku...@marklogic.com>, MarkLogic Developer Discussion 
<general@developer.marklogic.com>
Subject: Re: [MarkLogic Dev General] Document access based on field value

Thanks, it looks good!
Btw, another question, maybe not related: is there any way to assign some 
capabilities (e.g. insert, update, execute) to a user who can access all docs, 
no matter what roles and privileges they have in the db? E.g. some power user to 
have access (read/write) to all docs, independent of the users who inserted them, 
but not to be admin.
Regards,
Richard W.


On Tue, Nov 7, 2017 at 19:20, Rob Szkutak<rob.szku...@marklogic.com> 
wrote:
Hello,

One solution to implement this is to use amplified functions (amps).

The basic idea is this:

* Restrict the document so that the user cannot read or update it. 

* Create a function which the user must use to read or update the document. 

* Amplify the function so that the user can read or modify the document only 
within your function.

* Have your function perform the validation check and either perform the 
desired document operation or return the appropriate invalid document response 
to the user.

Another solution is that every time a document is inserted or updated, you 
could perform a check if the document is valid or not and assign the 
appropriate role to it when the document is placed into the database. 

Something like:

  (: $valid holds the result of your validation check,
     $document is the document being inserted :)
  let $valid := fn:true()
  return
    xdmp:document-insert("uri", $document,
      if ($valid)
      then xdmp:permission("user can read", "read")
      else xdmp:permission("user cannot read", "read"))

If required you may also combine these two techniques.

Hope this is helpful.

Best,

Rob

Rob Szkutak
Senior Consultant
MarkLogic Corporation
www.marklogic.com
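Rob's second approach, carried through with the check element from the original question and the separate read and update roles Geert suggests, as an added XQuery example that is not code from either poster; the role names and URIs are assumed and the roles must already exist in the Security database:

```xquery
xquery version "1.0-ml";

declare namespace sec = "http://marklogic.com/xdmp/security";

(: Assumed role names; create them first under Admin > Security > Roles.
   Ordinary users inherit only the valid-doc-* roles, reviewers also get review-doc-updater. :)
declare variable $valid-read-role   := "valid-doc-reader";
declare variable $valid-update-role := "valid-doc-updater";
declare variable $review-role       := "review-doc-updater";

(: Validation rule from the original question: valid only when /data/check is "VALID" :)
declare function local:is-valid($doc as element(data)) as xs:boolean {
  $doc/check/string() eq "VALID"
};

(: Build the permission set from the check result. An invalid document gets no
   permission at all for the ordinary roles, so it is invisible to them rather
   than merely read-only; only the review role can see and fix it. :)
declare function local:permissions-for($doc as element(data)) as element(sec:permission)* {
  if (local:is-valid($doc)) then (
    xdmp:permission($valid-read-role,   "read"),
    xdmp:permission($valid-update-role, "read"),
    xdmp:permission($valid-update-role, "update")
  ) else (
    xdmp:permission($review-role, "read"),
    xdmp:permission($review-role, "update")
  )
};

(: Constructed sample documents: one passes the check, one does not :)
let $good := <data><amount>999</amount><check>VALID</check></data>
let $bad  := <data><amount>999</amount><check>PENDING</check></data>
return (
  xdmp:document-insert("/orders/1.xml", $good, local:permissions-for($good)),
  xdmp:document-insert("/orders/2.xml", $bad,  local:permissions-for($bad))
)
```

Because the permissions are set explicitly, the database's default permissions are not applied to these documents; the same function can be called again on update so a document whose check value changes is re-classified.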
From:general-boun...@developer.marklogic.com 
<general-boun...@developer.marklogic.com> on behalf of Shmennen 
<shmen...@yahoo.com>
Sent: Tuesday, November 7, 2017 10:54:40 AM
To: MarkLogic Developer Discussion
Subject: [MarkLogic Dev General] Document access based on field value

Hello All,
   Is there any possibility to get access to a document (suppose an XML or 
JSON) from the database only if the value of a tag has a specific value?
E.g. user1 can read/modify the document only if the check tag has the value "VALID".

  <data>
    <amount>999</amount>
    <check>VALID</check>
  </data>

- Richard
  
_______________________________________________
General mailing list
General@developer.marklogic.com
Manage your subscription at: 
http://developer.marklogic.com/mailman/listinfo/general