Enabling Non-privileged Users to Create and Manage Users (Data Users)
- Last Updated: May 20, 2026
- MarkLogic Server
- Version 12.0
The http://marklogic.com/xdmp/privileges/create-data-user privilege allows non-admin users (holding the manage role) to create and manage users.
- data user: created by a data manage (non-admin) user
- data role: created by a data manage (non-admin) user
- data manage user for data users:
  - a non-admin user that can create and manage users
  - can only manage (edit and delete) the users it created itself or was granted
  - may be the same data manage user that creates both data roles and data users
  - requires one role that includes the create-data-user privilege and the manage role (or privilege)
  - the data manage user itself can be created by admin or by another data manage user
  - optionally holds the grant-my-role privilege, to grant roles or to create another data manage user
    - can grant the data users it created or was granted to other data roles
  - created data users are attached to the roles (those carrying the create-data-user privilege) that the creating data manage user holds
    - tracked by an internal data-user-edit-<USERID> privilege created for every data user
    - every data manage user (new or existing) granted the above roles can also manage these data users
      - this lets data manage users share responsibility for managing data users through a common data role
An optional privilege, http://marklogic.com/xdmp/privileges/user-set-queries, is required to create data users with query-based access control (QBAC) queries. The http://marklogic.com/xdmp/privileges/user-get-queries privilege is needed for reading the QBAC queries on the data users. For more information on QBAC, see Query-Based Access Control.
For example:
Create a role (demo-data-user-role-one) and grant that role the create-data-user privilege.
curl -s --anyauth -u admin:admin -H "content-type:application/json" \
-X POST -d "{\"role-name\": \"demo-data-user-role-one\", \
\"description\": \
\"A role for demonstrating the create-data-user privilege\", \
\"privilege\": [ { \
\"privilege-name\": \"create-data-user\", \
\"action\": \
\"http://marklogic.com/xdmp/privileges/create-data-user\", \
\"kind\": \"execute\"}]}" \
http://localhost:8002/manage/v2/roles
Create another role (demo-data-user-role-two) and grant that role the create-data-user privilege.
curl -s --anyauth -u admin:admin -H "content-type:application/json" \
-X POST -d "{\"role-name\": \"demo-data-user-role-two\", \
\"description\": \
\"Second role for demonstrating the create-data-user privilege\", \
\"privilege\": [ { \
\"privilege-name\": \"create-data-user\", \
\"action\": \
\"http://marklogic.com/xdmp/privileges/create-data-user\", \
\"kind\": \"execute\"}]}" \
http://localhost:8002/manage/v2/roles
Create user demo-user-one and grant it two roles: the manage role and the newly created demo-data-user-role-one role.
curl -s --anyauth -u admin:admin -H "content-type:application/json" \
-X POST -d "{\"user-name\": \"demo-user-one\", \
\"password\": \"password\", \
\"description\": \"A demo user one\", \
\"role\": [ \"demo-data-user-role-one\", \"manage\" ] }" \
http://localhost:8002/manage/v2/users
Also create another user, demo-user-two, and grant it the demo-data-user-role-two and manage roles.
curl -s --anyauth -u admin:admin -H "content-type:application/json" \
-X POST -d "{\"user-name\": \"demo-user-two\", \"password\": \"password\", \
\"description\": \"A demo user two\", \
\"role\": [ \"demo-data-user-role-two\", \"manage\" ] }" \
http://localhost:8002/manage/v2/users
Now user demo-user-one can create a new user, demo-one-created-user:
curl -s --anyauth -u "demo-user-one:password" -H "content-type:application/json" \
-X POST -d "{\"user-name\": \"demo-one-created-user\", \
\"description\": \"user created by demo-user-one\" }" \
http://localhost:8002/manage/v2/users
And user demo-user-two can create a new user, demo-two-created-user:
curl -s --anyauth -u "demo-user-two:password" -H "content-type:application/json" \
-X POST -d "{\"user-name\": \"demo-two-created-user\", \
\"description\": \"user created by demo-user-two\" }" \
http://localhost:8002/manage/v2/users
The user demo-one-created-user can be updated (and also deleted) by demo-user-one, who created it:
curl -s --anyauth -u "demo-user-one:password" -H "content-type:application/json" \
-X PUT -d "{\"description\": \"demo-user-one updated this\"}" \
http://localhost:8002/manage/v2/users/demo-one-created-user/properties
And user demo-user-two can update demo-two-created-user:
curl -s --anyauth -u "demo-user-two:password" -H "content-type:application/json" \
-X PUT -d "{\"description\": \"demo-user-two updated this\"}" \
http://localhost:8002/manage/v2/users/demo-two-created-user/properties
But a data manage user cannot update users it did not create. Here demo-user-two tries to update demo-one-created-user:
curl -s --anyauth -u "demo-user-two:password" -H "content-type:application/json" \
-X PUT -d "{\"description\": \"demo-user-two updating demo-one-created-user\"}" \
http://localhost:8002/manage/v2/users/demo-one-created-user/properties
This request fails:
{
  "errorResponse": {
    "statusCode": "404",
    "status": "Not Found",
    "messageCode": "SEC-USERDNE",
    "message": "SEC-USERDNE: (err:FOER0000) User does not exist: demo-one-created-user = %2"
  }
}
All users created by demo-user-two are attached to the demo-data-user-role-two role. That role can be granted to demo-user-one directly, so that demo-user-one can edit them:
curl -s --anyauth -u "admin:admin" -H "content-type:application/json" \
-X PUT -d "{\"role\": [ \"demo-data-user-role-one\", \"demo-data-user-role-two\", \"manage\" ] }" \
http://localhost:8002/manage/v2/users/demo-user-one/properties
Now, user demo-user-two with role demo-data-user-role-two has the appropriate privilege to edit demo-one-created-user directly. So, demo-user-two can edit them, and the previous request will succeed.
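The following Python is an added example, not part of the MarkLogic documentation and not MarkLogic's own code. It is an offline, in-memory model of the ownership rule stated in the list above (a data user is tracked by an internal data-user-edit-<USERID> privilege attached to the creator's roles that carry create-data-user) and replays the curl sequence against that model, so the expected allow/deny outcomes can be checked without a server. The class and function names (SecurityModel, run_demo, try_update), the numeric user ids, and the choice to model the 404 SEC-USERDNE response as a PermissionDenied exception are all assumptions of this example; the manage role's own privileges are not modelled because they play no part in the ownership check.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Privilege action URI as given on the page.
CREATE_DATA_USER = "http://marklogic.com/xdmp/privileges/create-data-user"


class PermissionDenied(Exception):
    """Raised when the acting user holds no role carrying the required privilege."""


@dataclass
class Role:
    name: str
    privileges: Set[str] = field(default_factory=set)


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    created_by: Optional[str] = None       # set only for data users
    edit_privilege: Optional[str] = None   # internal data-user-edit-<USERID> name
    description: str = ""


class SecurityModel:
    """Toy security database (constructed model, not MarkLogic's implementation)."""

    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.users: Dict[str, User] = {}
        self._next_user_id = 1000  # stand-in for the server's internal user ids

    # Admin-side operations (the page performs these as admin:admin via curl).
    def create_role(self, name: str, privileges: Set[str] = frozenset()) -> None:
        self.roles[name] = Role(name, set(privileges))

    def create_user_as_admin(self, name: str, roles: Set[str]) -> None:
        self.users[name] = User(name, set(roles))

    def grant_roles(self, user: str, roles: Set[str]) -> None:
        self.users[user].roles |= set(roles)

    # Privilege resolution: the union of privileges over every role a user holds.
    def privileges_of(self, user: str) -> Set[str]:
        privs: Set[str] = set()
        for role in self.users[user].roles:
            privs |= self.roles[role].privileges
        return privs

    def owning_roles(self, user: str) -> Set[str]:
        """Roles of `user` that carry create-data-user; new data users attach to these."""
        return {r for r in self.users[user].roles
                if CREATE_DATA_USER in self.roles[r].privileges}

    # Data-manage-user operations.
    def create_data_user(self, actor: str, name: str) -> str:
        roles = self.owning_roles(actor)
        if not roles:
            raise PermissionDenied(f"{actor} holds no role with create-data-user")
        edit_priv = f"data-user-edit-{self._next_user_id}"
        self._next_user_id += 1
        for role in roles:  # the tracking privilege is attached to the owning roles
            self.roles[role].privileges.add(edit_priv)
        self.users[name] = User(name, created_by=actor, edit_privilege=edit_priv)
        return edit_priv

    def can_edit(self, actor: str, target: str) -> bool:
        """True when some role held by `actor` carries the target's edit privilege."""
        user = self.users.get(target)
        return (user is not None and user.edit_privilege is not None
                and user.edit_privilege in self.privileges_of(actor))

    def update_data_user(self, actor: str, target: str, description: str) -> None:
        if not self.can_edit(actor, target):
            # The page shows this as a 404 SEC-USERDNE: the user is invisible to the actor.
            raise PermissionDenied(f"SEC-USERDNE: User does not exist: {target}")
        self.users[target].description = description


def try_update(model: SecurityModel, actor: str, target: str, description: str) -> bool:
    """Returns True if the update was permitted, False if it was denied."""
    try:
        model.update_data_user(actor, target, description)
        return True
    except PermissionDenied:
        return False


def run_demo():
    """Replays the page's curl sequence against the model and returns the outcomes."""
    m = SecurityModel()
    m.create_role("manage")  # manage privileges not modelled; only role membership matters here
    m.create_role("demo-data-user-role-one", {CREATE_DATA_USER})
    m.create_role("demo-data-user-role-two", {CREATE_DATA_USER})
    m.create_user_as_admin("demo-user-one", {"demo-data-user-role-one", "manage"})
    m.create_user_as_admin("demo-user-two", {"demo-data-user-role-two", "manage"})
    m.create_data_user("demo-user-one", "demo-one-created-user")
    m.create_data_user("demo-user-two", "demo-two-created-user")
    results = {
        "one_updates_own": try_update(m, "demo-user-one", "demo-one-created-user", "demo-user-one updated this"),
        "two_updates_own": try_update(m, "demo-user-two", "demo-two-created-user", "demo-user-two updated this"),
        "two_updates_ones": try_update(m, "demo-user-two", "demo-one-created-user", "should be denied"),
    }
    # Admin grants demo-data-user-role-two to demo-user-one, as in the final curl on the page.
    m.grant_roles("demo-user-one", {"demo-data-user-role-two"})
    results["one_updates_twos_after_grant"] = try_update(
        m, "demo-user-one", "demo-two-created-user", "now shared via the common role")
    return m, results


if __name__ == "__main__":
    _, outcome = run_demo()
    for step, allowed in outcome.items():
        print(f"{step}: {'allowed' if allowed else 'denied'}")
```

The model makes the sharing rule from the list visible: granting a second create-data-user role to a data manage user extends its reach to every data user attached to that role, so a role such as demo-data-user-role-two is effectively a management boundary and should be granted with the same care as the data users behind it.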