Enabling Non-privileged Users to Create and Manage Roles (Data Roles)
- Last Updated: April 14, 2026
- MarkLogic Server
- Version 11.0
The http://marklogic.com/xdmp/privileges/create-data-role privilege allows non-admin users (with the manage role) to create and manage roles.
- data role: created by a data manage (non-admin) user
- data manage user for data roles:
  - a non-admin user that can create and manage roles
  - can only manage (edit, delete and grant) the roles it created or was granted
  - requires one role that includes the create-data-role privilege and the manage role (or privilege)
  - the user itself can be created by admin or by another data manage user
  - optionally holds the grant-my-role privilege to grant roles or to create another data manage user
    - can grant the data roles it created or was granted to other data roles
- created data roles are attached to the roles (the ones with the create-data-role privilege) that the data manage user owns
  - tracked by internal data-role-edit-<ROLEID> and data-role-inherit-<ROLEID> privileges created for every data role
  - every data manage user granted these roles (new or existing) can also manage those data roles
    - this is how responsibility for managing data roles is shared through a common data role
An optional privilege, http://marklogic.com/xdmp/privileges/role-set-queries, is required to create data roles with query-based access control (QBAC) queries. The http://marklogic.com/xdmp/privileges/role-get-queries privilege is needed for reading the QBAC queries on the data roles. For more information on QBAC, please see Query-Based Access Control.
For example:
Create a role (demo-data-role) and grant that role the create-data-role privilege.
curl -s --anyauth -u admin:admin -H "content-type:application/json" \
-X POST -d "{\"role-name\": \"demo-data-role\",
\"description\": \
\"A role for demonstrating the create-data-role privilege\", \
\"privilege\": [ { \
\"privilege-name\": \"create-data-role\", \
\"action\": \"http://marklogic.com/xdmp/privileges/create-data-role\", \
\"kind\": \"execute\"}]}" \
http://localhost:8002/manage/v2/roles
Create a user and grant that user (demo-user) the demo-data-role and the manage role.
curl -s --anyauth -u admin:admin -H "content-type:application/json" \
-X POST -d "{\"user-name\": \"demo-user\", \"password\": \"password\", \
\"description\": \"A demo user\", \
\"role\": [ \"demo-data-role\", \"manage\" ] }" \
http://localhost:8002/manage/v2/users
Now that user can create new roles, demo-role-one:
curl -s --anyauth -u "demo-user:password" -H "content-type:application/json" \
-X POST -d "{\"role-name\": \"demo-role-one\",
\"description\": \"First demo role\" }" \
http://localhost:8002/manage/v2/roles
And demo-role-two:
curl -s --anyauth -u "demo-user:password" -H "content-type:application/json" \
-X POST -d "{\"role-name\": \"demo-role-two\",
\"description\": \"Second demo role\" }" \
http://localhost:8002/manage/v2/roles
The user can assign the roles they created to one another (here, granting demo-role-two to demo-role-one):
curl -s --anyauth -u "demo-user:password" -H "content-type:application/json" \
-X PUT -d "{\"role\": [\"demo-role-two\"]}" \
http://localhost:8002/manage/v2/roles/demo-role-one/properties
But they cannot assign roles that they did not create. To allow a user to assign existing roles, you can grant this demo-data-role to another user or role, so that user can manage both demo-role-one and demo-role-two.
A user with the ability to edit a role may also delete it. When the role is deleted, the extra data-role-edit and data-role-inherit privileges associated with it are also removed.
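The internal data-role-edit-<ROLEID> and data-role-inherit-<ROLEID> privileges described above are what an auditor can inspect to see which data roles a data manage role controls. The following is an added example, not part of the MarkLogic documentation: a small Python helper that reads the JSON a GET on /manage/v2/roles/<name>/properties returns (a constructed sample here, with made-up role ids and action URIs) and reports what the role can do with data roles, plus a check for privileges left behind after a data role was deleted. It assumes the internal privileges appear in the privilege list under privilege-name, in the same shape as the POST bodies above.

```python
import re

# Internal privileges MarkLogic creates per data role (see the list above);
# <ROLEID> is the numeric role id. The regex and the field names are assumptions
# based on the privilege-name field used in the POST bodies above.
_DATA_ROLE_PRIV = re.compile(r"^data-role-(edit|inherit)-(\d+)$")
CREATE_DATA_ROLE = "http://marklogic.com/xdmp/privileges/create-data-role"
GRANT_MY_ROLE = "http://marklogic.com/xdmp/privileges/grant-my-role"


def audit_data_manage_role(role_props: dict) -> dict:
    """Summarise what a role (JSON from GET /manage/v2/roles/<name>/properties)
    may do with data roles: create them, grant its own roles onward, and which
    data role ids it can edit/delete versus only inherit."""
    editable, inheritable, actions = set(), set(), set()
    for priv in role_props.get("privilege", []):
        actions.add(priv.get("action", ""))
        m = _DATA_ROLE_PRIV.match(priv.get("privilege-name", ""))
        if m:
            (editable if m.group(1) == "edit" else inheritable).add(int(m.group(2)))
    return {
        "role-name": role_props.get("role-name"),
        "can-create-data-roles": CREATE_DATA_ROLE in actions,
        "can-grant-own-roles": GRANT_MY_ROLE in actions,
        "editable-data-role-ids": sorted(editable),
        "inherit-only-data-role-ids": sorted(inheritable - editable),
    }


def dangling_data_role_ids(role_props: dict, existing_role_ids: set) -> list:
    """Data role ids still referenced by data-role-edit/inherit privileges on this
    role although no role with that id exists. The docs say these privileges are
    removed when the data role is deleted, so a non-empty result merits a look."""
    seen = {int(m.group(2)) for p in role_props.get("privilege", [])
            if (m := _DATA_ROLE_PRIV.match(p.get("privilege-name", "")))}
    return sorted(seen - set(existing_role_ids))


def _priv(name, action):
    return {"privilege-name": name, "action": action, "kind": "execute"}


# Constructed sample: demo-data-role after demo-user created two data roles.
# Role ids 1001/1002 and the action URIs of the internal privileges are made up.
SAMPLE_ROLE = {"role-name": "demo-data-role", "privilege": [
    _priv("create-data-role", CREATE_DATA_ROLE),
    _priv("data-role-edit-1001", "urn:example:data-role-edit-1001"),
    _priv("data-role-inherit-1001", "urn:example:data-role-inherit-1001"),
    _priv("data-role-edit-1002", "urn:example:data-role-edit-1002"),
    _priv("data-role-inherit-1002", "urn:example:data-role-inherit-1002"),
]}

if __name__ == "__main__":
    print(audit_data_manage_role(SAMPLE_ROLE))
    print(dangling_data_role_ids(SAMPLE_ROLE, {1001}))  # 1002 deleted but still referenced
```

On a live server, feed it the output of `curl -s --anyauth -u admin:admin -H "accept:application/json" http://localhost:8002/manage/v2/roles/demo-data-role/properties`, and the set of existing role ids from a listing of /manage/v2/roles.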