Changes to Security Module APIs
- Last Updated: May 20, 2026
- MarkLogic Server
- Version 12.0
The following security APIs, sec:create-user() and sec:create-role(), are updated so that queries can be added to users and roles:
sec:create-user(
  $user-name as xs:string,
  $description as xs:string?,
  $password as xs:string,
  $role-names as xs:string*,
  $permissions as element(sec:permission)*,
  $collections as xs:string*,
  [$external-names as xs:string*],
  [$queries as map:map]
) as xs:unsignedLong
sec:create-role(
  $role-name as xs:string,
  $description as xs:string?,
  $role-names as xs:string*,
  $permissions as element(sec:permission)*,
  $collections as xs:string*,
  [$compartment as xs:string?],
  [$external-names as xs:string*],
  [$queries as map:map]
) as xs:unsignedLong
Queries are a mapping from capabilities to CTS queries.
The capabilities associated through permissions are read, insert, update, node-update, and execute. For more information about document permissions, see Capabilities Associated through Permissions. For query-based access control (QBAC) queries, note that operations that need the node-update capability use the node-update query, and operations that need the update capability use the update query; this reduces complexity. The node-update capability is not treated as a subset of the update capability.
These new APIs are added to support QBAC:
sec:role-get-queries($role-name as xs:string) as map:map
The sec:role-get-queries() function requires the privilege http://marklogic.com/xdmp/privileges/role-get-queries.
sec:role-set-queries(
  $role-name as xs:string,
  $queries as map:map
) as empty-sequence()
The sec:role-set-queries() function requires the privilege http://marklogic.com/xdmp/privileges/role-set-queries.
sec:role-set-query(
  $role-name as xs:string,
  $capability as xs:string,
  $query as cts:query?
) as empty-sequence()
The sec:role-set-query() function requires the privilege http://marklogic.com/xdmp/privileges/role-set-queries.
sec:user-get-queries($user-name as xs:string) as map:map
The sec:user-get-queries() function requires the privilege http://marklogic.com/xdmp/privileges/user-get-queries.
sec:user-set-queries(
  $user-name as xs:string,
  $queries as map:map
) as empty-sequence()
The sec:user-set-queries() function requires the privilege http://marklogic.com/xdmp/privileges/user-set-queries.
sec:user-set-query(
  $user-name as xs:string,
  $capability as xs:string,
  $query as cts:query?
) as empty-sequence()
The sec:user-set-query() function requires the privilege http://marklogic.com/xdmp/privileges/user-set-queries.
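The following is an added example, not taken from the MarkLogic documentation, showing the role-side functions above used together: a role is created with a read query, separate update and node-update queries are then set (the two capabilities are looked up independently), and the resulting map is read back. It assumes the statements run against the Security database as a user holding the role-set-queries and role-get-queries privileges, and that map keys are the capability names listed above; the role name and collection names are constructed.

```xquery
xquery version "1.0-ml";
(: Added example. Role and collection names are constructed values. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
(: Statement 1: create a role whose read capability carries a CTS query. :)
sec:create-role(
  "qbac-example-role",               (: hypothetical role name :)
  "Example role carrying QBAC queries",
  (),                                (: $role-names :)
  (),                                (: $permissions :)
  (),                                (: $collections :)
  (),                                (: $compartment :)
  (),                                (: $external-names :)
  (: $queries: capability name mapped to cts:query (assumed key format) :)
  map:new(map:entry("read", cts:collection-query("example-public")))
);

xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
(: Statement 2: query used by operations that need the update capability. :)
sec:role-set-query("qbac-example-role", "update",
  cts:collection-query("example-editable"));

xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
(: Statement 3: node-update is not a subset of update, so it is set on its own. :)
sec:role-set-query("qbac-example-role", "node-update",
  cts:collection-query("example-editable"));

xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
(: Statement 4: read back the capability-to-query map once the updates have committed. :)
let $queries := sec:role-get-queries("qbac-example-role")
for $capability in map:keys($queries)
order by $capability
return $capability || ": " || xdmp:describe(map:get($queries, $capability))
```

Each change is issued as its own statement so that it commits before the next one runs and before the final statement reads the map.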