
Secure MarkLogic Server

Limitations

  • Last Updated: April 14, 2026
  • 1 minute read
    • MarkLogic Server
    • Version 11.0
    • Documentation

  • In the MarkLogic Server Role-Based Security Model, the update capability includes the node-update and insert capabilities. However, in QBAC, this is not so: a role or user query that has the update capability does not also have the node-update and the insert capabilities. In QBAC, these three capabilities are strictly separate: operations that need node-update capability must specify node-update, those that need insert capability must specify insert, and those that need update capability must specify update. For more details on the capabilities needed on certain operations, see Capabilities Associated through Permissions.

  • Always include default permissions when inserting a document, even if you plan to access this document only through QBAC.

  • Users with QBAC document access are not able to read document properties. This is a design limitation. Users with QBAC document access do not have properties access by default, unless the QBAC query explicitly matches document properties through a CTS query. However, QBAC access to document properties gives access to the document itself by default.

  • Queries run unfiltered. If a query produces false positives, access may be granted where it is not intended.

  • It is not recommended to use expensive QBAC queries (for example, wildcards with lexicon expansion), since they run on every database request.

  • Queries may depend on specific indexes (for example, range queries). If those indexes are deleted, the queries fail, which results in denial of access.

  • Configuration of QBAC queries is through security APIs and RMAs only. See the RMAs for configuring roles and users at /11.0/REST/POST/manage/v2/roles and /11.0/REST/POST/manage/v2/users.
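
The first limitation above, as an added example (not MarkLogic's code): a JavaScript check that lists the capabilities a role's QBAC queries would confer under the role-based model but do not confer under QBAC. The role record shape, role names and query strings are constructed for illustration and are not the Management API payload format.

```javascript
// Added example. Role records are constructed sample data in a hypothetical
// shape (not the Management API payload); query strings are opaque labels.

// Role-based model, per the text: update includes node-update and insert.
const ROLE_BASED_IMPLIES = new Map([["update", ["node-update", "insert"]]]);

// Capabilities a grant confers under the given model ("role-based" or "qbac").
function effectiveCapabilities(granted, model) {
  if (model !== "role-based" && model !== "qbac") {
    throw new Error(`unknown model: ${model}`);
  }
  const out = new Set(granted);
  if (model === "role-based") {
    for (const cap of granted) {
      for (const implied of ROLE_BASED_IMPLIES.get(cap) || []) out.add(implied);
    }
  }
  return out; // under QBAC nothing is implied: capabilities are strictly separate
}

// Capabilities the role-based model would imply but the QBAC queries lack.
function qbacGaps(role) {
  const granted = role.qbacQueries.map((q) => q.capability);
  const expected = effectiveCapabilities(granted, "role-based");
  const actual = effectiveCapabilities(granted, "qbac");
  return [...expected].filter((cap) => !actual.has(cap)).sort();
}

// Findings for every role whose QBAC queries leave such a gap.
function auditRoles(roles) {
  return roles
    .map((role) => ({ role: role.name, missing: qbacGaps(role) }))
    .filter((finding) => finding.missing.length > 0);
}

// Constructed sample roles.
const q = (capability) => ({ capability, query: "constructed-cts-query" });
const sampleRoles = [
  { name: "claims-reader", qbacQueries: [q("read")] },
  { name: "claims-editor", qbacQueries: [q("read"), q("update")] },
  { name: "claims-patcher", qbacQueries: [q("update"), q("node-update")] },
  { name: "claims-writer", qbacQueries: [q("read"), q("update"), q("insert"), q("node-update")] },
];

console.log(JSON.stringify(auditRoles(sampleRoles), null, 2));
```

A role that appears in the output relies on an implication that QBAC does not apply; each missing capability needs its own query on that role.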
