Unexpected Behavior with Permissions
- Last Updated: April 14, 2026
- 1 minute read
- MarkLogic Server
- Version 11.0
- Documentation
In this example, the role has the necessary document-level permissions. The example has to do with the element level, protected path permissions. Say you have a document (example.xml) with these nodes:
<foo>
<bar>
</foo>
For this example, role1 has both read and update permissions on the <foo> node, and update permissions on the <bar> node, but no read permissions on the <bar> node:
<foo>, ("role1", "read"), ("role1", "update")
<bar>, ("role1", "update")
It is assumed for these examples that all of the query rolesets are already configured correctly.
If role1 calls this xdmp:node-replace() query:
xquery version "1.0-ml";
xdmp:node-replace(doc("/example.xml")/foo, <foo><baz>Hello</baz></foo>);
The query will succeed, because role1 has update permissions on /foo.
If role1 calls this xdmp:node-replace() query on /bar:
xquery version "1.0-ml";
xdmp:node-replace(doc("/example.xml")/foo/bar, <baz>Hello</baz>);
The expression /foo/bar will return an empty sequence because role1 cannot read the bar element. Hence the node-replace call will effectively be a no-op, because xdmp:node-replace() was asked to replace nothing with something.