Query for Protected Paths on a Document
- Last Updated: May 20, 2026
- 1 minute read
- MarkLogic Server
- Version 12.0
- Documentation
You can use this XQuery code as a model to customize. The code sample searches for the protected paths associated with foo.xml.
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
at "/MarkLogic/security.xqy";
declare function local:get-role-name($p as element(sec:permission)) {
element sec:permission {
$p/*,
sec:get-role-names($p/sec:role-id)
}
};
let $doc := xdmp:eval('fn:doc("foo.xml")', (), <options xmlns="xdmp:eval"><database>{xdmp:database("Documents")}</database></options>)
for $p in fn:collection(sec:protected-paths-collection())/sec:protected-path
let $path :=
xdmp:with-namespaces(
for $ns in $p//sec:path-namespace
return ($ns/sec:prefix/fn:string(.), $ns/sec:namespace-uri/fn:string(.)),
xdmp:value("$doc" || $p/sec:path-expression/fn:string()))
return
if (fn:exists($path)) then
element sec:protected-path {
$p/* except $p/sec:permissions,
element sec:permissions {
$p/sec:permissions/sec:permission ! local:get-role-name(.)
}
}
else
()
You will only be able to see the protected paths for elements that you as the user would have permission to see. For example, if you had role1 and the protected path was associated with role2, role1 would not be able to see those paths.
Related functionality is the all-query-rolesets-fragment-count element returned from xdmp:forest-counts(). This number tells the caller how many fragments are indexed with a certain query-rolesets. If the number is 0 (across all databases), then query-rolesets is no longer in use.