How can I limit the roles for a new DBA's access to the MarkLogic 8.7 Admin GUI, so that they cannot change the config in the GUI and can only do backup/recovery or view?
In MongoDB I can assign backup and restore roles to a user. He can access the GUI to do backup and restore only. But I am not sure how it can be done in MarkLogic.
Example in MongoDB:
db.createUser({user:"joe",pwd:"joe123", roles:[{role:"backup",db:"admin"},{role:"restore",db:"admin"}]})
Thanks
thichxai
The Admin UI requires having the admin role, which provides more privileges than you want:
Only authorized administrators can log into the Admin Interface. An authorized administrator is a user who has the admin role. Authorized administrators have access to all administrative tasks in MarkLogic Server; therefore, authorized administrators are trusted personnel and are assumed to be non-hostile, appropriately trained, and follow proper administrative procedures.
Instead, the person responsible for backups can use the Management API. Sending a POST request to /manage/v2/databases/{name} can kick off a backup, restore, merge, clear, index, or reindex operation. Security in MarkLogic is all about the roles, so you'll want to set up a role that only has the rights to do the specific operations that are authorized. For instance, to allow someone to back up and restore a database whose ID is 123, but not the other operations, set up a role with the following:
- manage role
- http://marklogic.com/xdmp/privileges/admin/database/backup/123 privilege
- http://marklogic.com/xdmp/privileges/admin/database/restore/123 privilege
Then you can grant that role to your user.
Note that controlling access to Management API endpoints at this level of detail is part of the Granular Security feature that came out in MarkLogic 9, so you'll need to be using that version or later for this.
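
The role described in the answer above, as an added example that is not part of the original answer: it builds the role definition and the backup request as JSON, and checks a role definition for any grant beyond backup/restore on the one database. The role name, privilege names, database name and backup directory are constructed, and the JSON field names (role-name, role, privilege, privilege-name, action, kind, operation, backup-dir) are assumed to match the Management API payloads of your MarkLogic version, so check them against its documentation.

```python
import json
from urllib.parse import quote

PRIV_BASE = "http://marklogic.com/xdmp/privileges/admin/database"
ALLOWED_OPS = ("backup", "restore")  # the only operations the operator may run


def granular_action(op, database_id):
    """Action URI for one operation on one database, in the answer's form."""
    return f"{PRIV_BASE}/{op}/{database_id}"


def backup_role(role_name, database_id):
    """Role definition: the manage role plus backup/restore on one database."""
    return {
        "role-name": role_name,
        "role": ["manage"],
        "privilege": [
            {"privilege-name": f"{op}-db-{database_id}",  # constructed name
             "action": granular_action(op, database_id),
             "kind": "execute"}
            for op in ALLOWED_OPS
        ],
    }


def excess_grants(role, database_id):
    """List every inherited role or privilege beyond the intended scope."""
    allowed = {granular_action(op, database_id) for op in ALLOWED_OPS}
    extra = [f"role:{r}" for r in role.get("role", []) if r != "manage"]
    extra += [p["action"] for p in role.get("privilege", [])
              if p["action"] not in allowed]
    return extra


def backup_request(database_name, backup_dir):
    """Path and JSON body for the POST that starts a backup."""
    body = {"operation": "backup-database", "backup-dir": backup_dir}
    return f"/manage/v2/databases/{quote(database_name, safe='')}", json.dumps(body)


if __name__ == "__main__":
    role = backup_role("db-backup-operator", 123)       # constructed role name
    print(json.dumps(role, indent=2))
    print("excess grants:", excess_grants(role, 123))
    print(backup_request("Documents", "/backups/Documents"))  # constructed values
```

Running excess_grants over a role definition before granting it to a user catches an inherited admin role or a privilege scoped to a different database ID.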