Powered by Zoomin Software. For more details please contactZoomin

Secure MarkLogic Server

Table of Contents

Parent/Child Relationships in Query Rolesets

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
Print
  • Last Updated: April 14, 2026
  • 1 minute read
    • MarkLogic Server
    • Version 10.0
    • Documentation

You might have a document where one user has permissions for an element that is the child of a parent element, for which that user does not have permissions. For example, there might be a simple document like this:

<root>
 <content>Contents of document 
  <top-secret>Only role with "top-secret" can read this
    <secret>Only role with "secret" can read this</secret>
  </top-secret>
 Unclassified content
 </content>
</root>

This document might have these protected paths:

sec:protect-path("secret", (), (xdmp:permission("els-role-2", "read"))),
sec:protect-path("top-secret", (), (xdmp:permission("els-role-1", "read")))

A user with permissions on only the protected path for “secret” can’t see “secret” content unless the user also had permissions for the protected path for “top-secret” because the “secret” node is a child of the “top-secret” parent node.

TitleResults for “How to create a CRG?”Also Available inAlert