
Secure MarkLogic Server

Scenario 2: Group Restrictions

  • Last Updated: May 20, 2026
  • MarkLogic Server
  • Version 12.0
  • Documentation

Description: Carly, another security architect at Company XYZ, now wants to enforce a policy under which only members of the engineering group can see feature design specifications, and only members of the finance group can read and update documents with pricing information. This scenario shows the interaction between QBAC and Compartment Security. For more information about Compartment Security, see Compartment Security.

Carly did not need to use compartment security here, because there is only one dimension of access, but she thinks she may have others and wants them to be intersectional. Because the update policy is of the form "if (query) then Deny", we also need to put the negated queries on the roles that we want to exclude, so the implementation is a little more complicated.

Mike is a contractor who works for Company XYZ. He is only able to read the documents marked with "group-all" in the metadata. He cannot see any other documents in the database. Carly sets up a user for him and grants permissions through user queries, which are restrictive.

To run through the example, follow the steps in each subsection.
