Databases Reference
In-Depth Information
Users and roles
both have default
permissions for
documents and
collections.
Multiple roles can be
associated with special
privileges on functions,
queries, and URIs.
Amplified permission (AMP)
Execute privilege
URI privilege
Document
User
Role
Permission
Collection
Roles exist in a hierarchy
and lower roles inherit
permissions from
upper roles.
Each permission record, stored with
a document or collection, associates
a single capability (read, write, update,
or execute) with a single role.
Each document
and collection is
associated
with a URI and
permissions.
Figure 11.12
The MarkLogic security model is based on the role-based access control
(RBAC) model with extensions to allow elevated permissions for executing specific
functions and queries. Documents and collections each have a set of permissions that
consist of role-capability pairs.
Default permissions
—Users and roles can each be configured to provide default
permissions for both documents and collections.
Elevated security functions
—Functions can run at an elevated security level. The
elevated security only applies within the context of a function. When the func-
tion finishes, the security level is lowered again.
Compartments
—An additional layer of security beyond
RBAC
is available with an
optional license. Compartmentalized security allows complex Boolean
AND
/
OR
business rules to be associated with a security policy.
11.5.2
Using MarkLogic in secure publishing
To enforce the contract rules, create a new role for the project called
secret-nosql-
book
using the web-based role administration tools and associate the new role with the
collection that contains all of the topic's documents including text, images, and
reviewer feedback. Then configure that collection to include the role of
secret-
nosql-book
to have read and update access to that collection. Also remove all read
access for people not within this group from the collection permissions. Make sure
that all new documents and subcollections created within this collection use the cor-
rect default permission setting. Finally, add the role of
secret-nosql-book
to only the
users assigned to the project.
The project also needs to provide a book progress report that an external project
manager can run on demand. This report counts the total number of chapters, sec-
tions, words, and figures in the topic to estimate chapter-by-chapter percentage com-
pletion status. To implement this, give the report elevated rights to access the content
using functions that use amplified permission (
AMP
) settings. External project
