Thank you all!

-Ric

On Tue, Nov 7, 2017 at 22:11, Geert Josten <geert.jos...@marklogic.com> wrote:

Hi Richard,

It is usually easiest to build up a few layers of roles. Most flexibility is gained when you create separate read and update roles for each group of documents to which you want to control access separately. You can then use role inheritance to give a user- or usergroup-specific role access to particular groups of documents. You could also create one that has access to all.

To save on cross-products of roles, I'd also advise looking into compartment security. That allows restricting access to combinations of roles, a bit like AND (compartments) versus OR (default behavior).

Cheers,
Geert

From: <general-boun...@developer.marklogic.com> on behalf of Shmennen <shmen...@yahoo.com>
Reply-To: "shmen...@yahoo.com" <shmen...@yahoo.com>, MarkLogic Developer Discussion <general@developer.marklogic.com>
Date: Tuesday, November 7, 2017 at 9:57 PM
To: Rob Szkutak <rob.szku...@marklogic.com>, MarkLogic Developer Discussion <general@developer.marklogic.com>
Subject: Re: [MarkLogic Dev General] Document access based on field value
Thanks, it looks good!

Btw, another question, maybe not related: is there any way to assign some capabilities (e.g. insert, update, execute) to a user who can access all docs, no matter what roles and privileges they have in the db? E.g. some power user to have access (read/write) to all docs, independent of the users they were inserted by, but not to be admin.

Regards,
Richard W.

On Tue, Nov 7, 2017 at 19:20, Rob Szkutak <rob.szku...@marklogic.com> wrote:

Hello,

One solution to implement this is to use amplified functions (amps). The basic idea is this:

* Restrict the document so that the user cannot read or update it.
* Create a function which the user must use to read or update the document.
* Amplify the function so that the user can read or modify the document only within your function.
* Have your function perform the validation check and either perform the desired document operation or return the appropriate invalid document response to the user.

Another solution is that every time a document is inserted or updated, you could perform a check if the document is valid or not and assign the appropriate role to it when the document is placed into the database. Something like:

    (: $valid holds the result of your validation check; the role names are placeholders :)
    let $valid := true()
    return
      xdmp:document-insert("uri", $document,
        if ($valid)
        then xdmp:permission("role-the-user-has", "read")
        else xdmp:permission("role-the-user-lacks", "read"))

If required you may also combine these two techniques.

Hope this is helpful.
Best,
Rob

Rob Szkutak
Senior Consultant
MarkLogic Corporation
www.marklogic.com

From: general-boun...@developer.marklogic.com <general-boun...@developer.marklogic.com> on behalf of Shmennen <shmen...@yahoo.com>
Sent: Tuesday, November 7, 2017 10:54:40 AM
To: MarkLogic Developer Discussion
Subject: [MarkLogic Dev General] Document access based on field value

Hello All,

Is there any possibility to get access to a document (suppose an XML or JSON) from the database only if the value of a tag has a specific value? E.g. user1 can read/modify the document only if checktag has the value "VALID".

    <data>
      <amount>999</amount>
      <check>VALID</check>
    </data>

- Richard
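A worked version of Rob's second suggestion (permissions computed from the check element at insert time, using separate read and update roles as Geert describes), added here as an example and not code from the thread. The role names are assumptions; the roles must already exist in the Security database.

```xquery
xquery version "1.0-ml";

declare namespace sec = "http://marklogic.com/xdmp/security";

(: Assumed role names (example only, not from the thread); create them first,
   e.g. through the Admin UI or sec:create-role in the Security database. :)
declare variable $VALID-ROLE    := "checked-docs-reader";    (: ordinary users hold this :)
declare variable $REVIEWER-ROLE := "checked-docs-reviewer";  (: reviewers of unchecked docs :)

(: Derive permissions from the document content: only a document with exactly one
   <check> element whose value is "VALID" becomes readable and updatable by
   ordinary users; everything else is visible only to the reviewer role.
   Requiring exactly one element rejects a document that smuggles in a second
   <check>VALID</check> next to a non-valid one. :)
declare function local:permissions-for($doc as node()) as element(sec:permission)*
{
  let $checks := $doc//check
  let $reviewer := (
    xdmp:permission($REVIEWER-ROLE, "read"),
    xdmp:permission($REVIEWER-ROLE, "update")
  )
  return
    if (count($checks) eq 1 and $checks/string() eq "VALID")
    then ($reviewer,
          xdmp:permission($VALID-ROLE, "read"),
          xdmp:permission($VALID-ROLE, "update"))
    else $reviewer
};

(: Single entry point for inserts and updates, so permissions are always
   recomputed from the new content rather than carried over from the old version. :)
declare function local:checked-insert($uri as xs:string, $doc as node()) as empty-sequence()
{
  xdmp:document-insert($uri, $doc, local:permissions-for($doc))
};

(: Constructed sample input matching the document shape in the question. :)
let $valid-doc   := <data><amount>999</amount><check>VALID</check></data>
let $pending-doc := <data><amount>42</amount><check>PENDING</check></data>
return (
  local:checked-insert("/orders/1.xml", $valid-doc),
  local:checked-insert("/orders/2.xml", $pending-doc)
)
```

Because a holder of the update capability could otherwise rewrite the check element without the permissions being recomputed, route all writes through local:checked-insert (for example behind an amp, as in Rob's first suggestion) rather than granting direct update access.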
_______________________________________________
General mailing list
General@developer.marklogic.com
Manage your subscription at: http://developer.marklogic.com/mailman/listinfo/general