Algorithm That Determines Which Query Rolesets to Use
- Last Updated: May 20, 2026
- MarkLogic Server
- Version 12.0
In MarkLogic Server 9.0-1, if the path permissions on a node are “weaker” (as defined in Document Level Security and Indexing) than the document-level permissions or its parent node’s permissions, the path-level permissions are ignored when the query rolesets are determined.
Note: A child node will still inherit its parent’s query rolesets.
In MarkLogic Server 9.0-2, the set of query rolesets for a given node (after inheritance from ancestors) is “compacted” based on the “weaker” permissions defined in Document Level Security and Indexing. If a query roleset in the set is “weaker” than any other query roleset in the set, that “weaker” roleset is removed.
For example:
Roles: role-1, role-2, role-3
Document:
  <foo>Hello<bar>World</bar>,</foo>
  with ((role-1, read), (role-2, read), (role-3, read))
Protected Paths:
  //foo (role-1, read), (role-2, read)
  //bar (role-1, read)
In MarkLogic Server 9.0-1, the set of query rolesets for the “bar” node is ((role-1, role-2), (role-1)), but in 9.0-2 it is simplified (“compacted”) to ((role-1)).
Note: If any query roleset in the above set is “weaker” than the document-level permissions, it is omitted too.
Here is another example:
Roles: role-1, role-2, role-3
Document:
  <foo><bar>Hello</bar></foo>
  with (role-1, read)
Protected Paths:
  /foo/bar (role-1, read), (role-2, read)
  //bar (role-3, read)
In 9.0-1, the set of query rolesets for the “bar” node is ((role-1, role-2), (role-3)), but in 9.0-2 it is simplified (“compacted”) to ((role-3)) because (role-1, role-2) is “weaker” than the document-level permissions.
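The 9.0-2 compaction step can be modeled in a few lines, which is useful for checking which protected-path permissions actually end up constraining a node. This is an added example, not MarkLogic code or a MarkLogic API: `isWeaker` and `compactRolesets` are hypothetical names, and the rule that a roleset is “weaker” when it is a proper superset of another is an assumption inferred from the two examples above, since the definition itself is in Document Level Security and Indexing.

```javascript
// Illustrative model only; not MarkLogic code or a MarkLogic API.
// ASSUMPTION: roleset A is "weaker" than roleset B when A holds every role
// in B plus at least one more (inferred from the two examples on this page).
function isWeaker(a, b) {
  const sa = new Set(a);
  return sa.size > new Set(b).size && b.every((r) => sa.has(r));
}

// Compact the query rolesets a node has after inheritance (9.0-2 behaviour).
//   docRoles: roles holding read permission on the document
//   rolesets: one array of role names per protected path that applies
function compactRolesets(docRoles, rolesets) {
  // Normalise and de-duplicate so identical rolesets count once
  // (treating the input as a set is an assumption of this model).
  const unique = new Map();
  for (const rs of rolesets) {
    const sorted = [...new Set(rs)].sort();
    unique.set(sorted.join("\u0000"), sorted);
  }
  const candidates = [...unique.values()];

  // Drop a roleset if it is weaker than the document-level permissions
  // or weaker than any other roleset in the same set.
  return candidates.filter(
    (rs) =>
      !isWeaker(rs, docRoles) &&
      !candidates.some((other) => other !== rs && isWeaker(rs, other))
  );
}

// Inputs taken from the two examples on this page ("bar" node in each).
const example1 = compactRolesets(
  ["role-1", "role-2", "role-3"],
  [["role-1", "role-2"], ["role-1"]]
);
const example2 = compactRolesets(
  ["role-1"],
  [["role-1", "role-2"], ["role-3"]]
);

console.log(JSON.stringify(example1));
console.log(JSON.stringify(example2));
```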