
Administrate MarkLogic Server

Security Entities

  • Last Updated: April 15, 2026
    • MarkLogic Server
    • Version 12.0
    • Documentation

The key entities in the MarkLogic Server security model are:

  • User

    A user within the model has a set of roles. A user has privileges and permissions within the system based on the roles assigned.

  • Role

    A role gives privileges and permissions to a user. A role may inherit from multiple roles. Role inheritance is an “is-a” relationship. Hence, a role that inherits from other roles also has the privileges and permissions of its parent(s).

  • Execute Privilege

    An execute privilege grants authorization to perform a protected action. Only roles (and their inherited roles) specified in the execute privilege can perform the action.

  • URI Privilege

    A URI privilege grants authorization to create a document within a protected base URI. Only roles (and their inherited roles) specified in the URI privilege can create the document within the protected base URI.

  • Permission

    A permission protects a document or a collection. Each permission associates a single role with a capability (Read, Update, Insert). A protected document or collection has a set of associated permissions.

  • Collection

    A collection is a group of related documents. A document may belong to any number of collections. A collection exists when a document in the system states that it is part of that collection. However, an associated collection object is not created and stored in the Security database unless it is protected.

    Permissions created at the collection level apply to the collection but not to documents within the collection. A user needs to have permissions at both the collection and document level to add documents to a protected collection.

  • Amp

    An amp temporarily gives the user additional roles while the user is performing a task or executing a function.

  • Certificate Authority

    A Certificate Authority (CA) is a trusted third party that certifies the identity of entities, such as users, databases, administrators, clients, and servers. A CA is used by the SSL (Secure Sockets Layer) security standard to provide encrypted protection between browsers and App Servers. When an entity requests certification, the CA verifies its identity and grants a certificate, which is signed with the CA's private key. If the CA is trusted, then any certificate it issues is trusted unless it has been revoked. For details on SSL support in the MarkLogic Server, see Configuring SSL on App Servers in Securing MarkLogic Server.

  • Certificate Template

    A certificate template generates certificate requests for hosts in a cluster. A certificate template is used by SSL to provide encrypted protection between browsers and App Servers. The template defines the name of the certificate, and includes a description and identity information about the owner of the certificate. For details on SSL support in the MarkLogic Server, see Configuring SSL on App Servers in Securing MarkLogic Server.

  • Cluster API Token

    A cluster API token is a security credential used to authenticate MarkLogic Server operations within a cluster. The token ensures that only authorized users and applications can perform administrative tasks and access cluster resources. It is issued by a MarkLogic Server user with the corresponding privilege. A dynamic host token is an example of a cluster API token.

  • External Authentication

    An External Authentication Configuration Object is used to configure MarkLogic Server for external authentication by LDAP, Kerberos, SAML, or OAuth. An external authentication configuration object specifies which authentication protocol and authorization scheme to use, along with any other parameters necessary. For details on external authentication with MarkLogic Server, see External Security in Securing MarkLogic Server.

  • Security Entity Relationships

    This diagram illustrates the relationships between the different entities in the MarkLogic Server security model:

Diagram illustrating the different entities in the MarkLogic Server security model

The remaining sections detail the procedures to administer MarkLogic Server security entities. All security administrative tasks are “hot”: the changes take effect immediately without a server restart.

Permissions are not administered through the administrative interface and are not described in detail in this section. For more information on using permissions in MarkLogic Server, see the XQuery and XSLT Reference Guide.
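
The User, Role, Permission, Collection, and Amp definitions above can be traced through a small stand-alone model. This is an added example, not MarkLogic Server code or API calls; every role, user, and document name in it is constructed, and the use of "update" as the capability checked when adding to a protected collection is an assumption.

```javascript
// Added model of the entities described above; not MarkLogic API calls.
// All role, user and document names below are constructed for illustration.
const roles = {                       // role -> roles it inherits from (its parents)
  reader: [],
  editor: ["reader"],                 // editor "is-a" reader
  auditor: [],
};
const users = { alice: ["editor"], bob: ["reader"] };

// Transitive closure: a user's roles plus every parent reached by inheritance.
// ampRoles models an amp: extra roles held only for the duration of one task.
function effectiveRoles(user, ampRoles = []) {
  const seen = new Set();
  const stack = [...(users[user] || []), ...ampRoles];
  while (stack.length) {
    const r = stack.pop();
    if (seen.has(r)) continue;        // also guards against inheritance cycles
    seen.add(r);
    stack.push(...(roles[r] || []));
  }
  return seen;
}

// A permission pairs one role with one capability; an object carries a set of them.
function hasCapability(user, permissions, capability, ampRoles = []) {
  const held = effectiveRoles(user, ampRoles);
  return permissions.some(p => p.capability === capability && held.has(p.role));
}

const doc = { permissions: [{ role: "reader", capability: "read" },
                            { role: "editor", capability: "update" }] };
const protectedCollection = { permissions: [{ role: "reader", capability: "update" }] };

// Collection permissions do not flow down to documents, so both levels are checked.
// Assumption: "update" stands in for the capability required at each level.
function canAddToProtectedCollection(user, collection, target, ampRoles = []) {
  return hasCapability(user, collection.permissions, "update", ampRoles) &&
         hasCapability(user, target.permissions, "update", ampRoles);
}
```

In this model bob holds the collection-level permission but not the document-level one, so the add is refused until an amp lends him the editor role for the call.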
