MarkLogic Content Pump (mlcp)

Security Considerations

Save PDF

Security Considerations

Save PDF

Last Updated: April 14, 2026
1 minute read

MarkLogic Server
Version 12.0
Documentation

When you use mlcp, you supply the name of a user(s) with which to interact with MarkLogic Server. If the user does not have admin privileges, then the user must have at least the privileges listed in the table below.

Note:

Additional privileges may be required. These roles only enable use of MarkLogic Server as a data source or destination. For example, these roles do not grant read or update permissions to the database.

mlcp Command	Privilege	Notes
import	hadoop-user-write	Applies to the username specified with `-username`. It is recommended that you also set `-output_permissions` to set the permissions on inserted documents.
export	hadoop-user-read	Applies to the username specified with `-username.`
copy	hadoop-user-read (input) hadoop-user-write (output)	The `-input_username` user have the `hadoop-user-read` privilege on source MarkLogic Server instance. The `-output_username` user must have the `hadoop-user-write` privilege on destination MarkLogic Server instance.

mlcp Command

Privilege

Notes

import

hadoop-user-write

Applies to the username specified with -username. It is recommended that you also set -output_permissions to set the permissions on inserted documents.

export

hadoop-user-read

Applies to the username specified with -username.

copy

hadoop-user-read

(input)

hadoop-user-write

(output)

The -input_username user have the hadoop-user-read privilege on source MarkLogic Server instance.

The -output_username user must have the hadoop-user-write privilege on destination MarkLogic Server instance.

By default, mlcp requires a username and password to be included in the command line options for each job. You can avoid passing a cleartext password between your mlcp client host and MarkLogic Server by using Kerberos for authentication. For details, see Using mlcp with Kerberos.