As long as the logic is restricted to evaluating simple Boolean expressions, there's a
minimal impact on performance.
In our last case study, we'll look at how to use MarkLogic's role-based, access-
control security model for secure publishing.
11.5 Case study: using MarkLogic's RBAC model in secure publishing
In this case study, we'll look at how role-based access control (RBAC) can protect
highly sensitive documents within a large organization and still allow for fine-grained
status reporting. Our example will allow a distributed team of authors, editors, and
reviewers to create and manage confidential documents and yet prevent unauthorized
users from accessing the text of the confidential documents.
Let's assume you're a topic publisher and you have a contract to create a new topic
on a hot, new NoSQL database that's being launched in a few months. The problem is
that the company developing the database wants assurances that only a small list of
people will be able to access the topic's content during its development. Your contract
specifically states that no employees other than the few listed in the contract can have
access to the text of the documents. Your payments are contingent on the contents of
the topic staying private. The contract only allows high-level reports of topic metrics to
be viewed outside the small authoring team.
Your publishing system has four roles defined: Author, Editor, Publisher, and
Reviewer. Authors and Editors can change content, but only users with the Publisher
role can make a document available to reviewers. Reviewers have collections
configured so that they can add comments in a comment log, but they can't change the
main document content.
11.5.1 Using the MarkLogic RBAC security model to protect documents
MarkLogic has built-in, database-layer support for role-based access control, as
described in “Using roles to calculate access control” in section 11.2.2. The MarkLogic
security model uses many of these same RBAC concepts and adds some
enhanced functionality.
MarkLogic applies its security policy at the collection and the document levels and
allows users to create functions that have elevated permissions. This feature enables
element-level control of selected documents without compromising performance.
This case study will first review the MarkLogic security model and then show how it
can be applied in a secure publishing example. Finally, we'll review the business
benefits of this model.
A logical diagram of how MarkLogic security models work is shown in figure 11.12.
Here are some of the interesting points of the MarkLogic RBAC security model:
Role hierarchy: Roles are configured in a hierarchy, so a lower-level role will
automatically inherit the permissions of any parent roles.
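
The following added example (not from the book and not MarkLogic code) models in plain JavaScript how role inheritance and per-document permissions combine for the four publishing roles described above. The editor-inherits-author hierarchy, the metrics-viewer role, the document URIs and the capability names are assumptions made for illustration.

```javascript
// Stand-alone model in plain JavaScript; it does not call the MarkLogic API.
// Role names are from the case study. The hierarchy, the "metrics-viewer"
// role, the URIs and the capability names are assumptions for this example.
const ROLE_PARENTS = {
  author: [], reviewer: [], publisher: [], "metrics-viewer": [],
  editor: ["author"], // assumed hierarchy: editor inherits author's permissions
};

// Each document carries its own list of (role, capability) permissions.
const docs = {
  "/draft/ch1.xml": [{ role: "author", capability: "read" },
                     { role: "author", capability: "update" }],
  "/draft/ch1-comments.xml": [{ role: "author", capability: "read" }],
  "/reports/metrics.xml": [{ role: "metrics-viewer", capability: "read" }],
};

// Expand a user's directly assigned roles with every inherited parent role.
function effectiveRoles(assigned) {
  const seen = new Set();
  const stack = [...assigned];
  while (stack.length > 0) {
    const role = stack.pop();
    if (seen.has(role)) continue; // also guards against cycles in the hierarchy
    seen.add(role);
    stack.push(...(ROLE_PARENTS[role] || []));
  }
  return seen;
}

// Default deny: access needs a matching permission on the document itself.
function can(user, uri, capability) {
  const roles = effectiveRoles(user.roles);
  return (docs[uri] || []).some(
    (p) => p.capability === capability && roles.has(p.role));
}

// Only a Publisher may expose a draft to reviewers: read-only on the text,
// read and update on the separate comment log.
function publishForReview(user, uri, commentUri) {
  if (!effectiveRoles(user.roles).has("publisher")) return false;
  docs[uri].push({ role: "reviewer", capability: "read" });
  docs[commentUri].push({ role: "reviewer", capability: "read" },
                        { role: "reviewer", capability: "update" });
  return true;
}
```

Because the check is default deny, a user outside the authoring team who holds only the metrics-viewer role can read the report document but gets no access to the draft text.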