Execute Privilege: grant-my-privilege

In MarkLogic 10.0-3 and later, the “grant my privilege” feature is used as part of Executive Privileges to assign some privileges to roles. In the context of Data Hub Service, non-admin users (users with the “manage” role but not “admin”, “Security”, or “manage-admin” roles) need to be able to assign some privileges to roles so that they become available to the users in possession of those roles.

A user with the grant-my-privileges privilege can assign privileges that they already possess to roles that they are allowed to modify. This feature works in conjunction with the “data roles” feature. The grant-my-privileges privilege is useless in isolation, as its only purpose is to assign privileges to roles.

To access the grant-my-privilege feature in the Admin Interface:

1. Click the Security icon in the left tree menu.

2. Click on the Execute Privileges icon.

3. Scroll down on this page to find grant-my-privileges and click on the link.

   The Execute Privilege: grant-my-privileges screen opens, where you can select the roles assigned this privilege.

4. Select the roles to assign to the privilege.

5. Click OK when you are done to save the changes.

The precise set of privileges that a user can assign is determined by the privileges that they already possess. It is not possible for a user to assign a privilege that they do not possess (admin, for example). If a user attempts to change the privileges associated with a role, the request will succeed if (and only if) the following conditions apply:

• The user has the “grant-my-privileges” privilege. A user without this privilege cannot make any changes to the privileges associated with a role.

• The user has the “create-data-roles” privilege and the necessary granular edit privilege for the role that they are modifying. Without these privileges, they cannot modify the role.

• The user possesses all of the privileges that they are attempting to add or remove from the role.