I'm seeking guidance on configuring granular privileges in MarkLogic to allow updates to database configurations for a specific database only, excluding others.
For example, I have a user named 'custom-rest-admin' with the roles rest-writer, rest-admin, and manage-admin assigned for a specific REST API. The database in question is named MY_DATABASE_NAME. Using the following command, I successfully updated the database properties:
curl --anyauth --user custom-rest-admin:pass -X PUT -d@"./database-config.json" -i -H "Content-type: application/json" "http://localhost:8002/manage/v2/databases/MY_DATABASE_NAME/properties"
However, due to the broad scope of the manage-admin role, I found that I could also update properties for other databases, as demonstrated here:
curl --anyauth --user custom-rest-admin:pass -X PUT -d@"./database-config.json" -i -H "Content-type: application/json" "http://localhost:8002/manage/v2/databases/OTHER_DATABASE_NAME/properties"
I've reviewed the section on Granular Privileges in MarkLogic's documentation but haven't found specific guidance on this scenario: MarkLogic Granular Privileges.
Could someone provide instructions or code examples on how to achieve this level of granularity?
Instead of granting the manage-admin role, you can create an appropriate fine-grained privilege, assign it to some role, and then assign that role to the user.
Find the ID of the MY_DATABASE_NAME database that you want to grant privileges for, and use it to grant a privilege with that ID.
For example, if the MY_DATABASE_NAME ID was 123456, then grant:
http://marklogic.com/xdmp/privileges/admin/database/123456
A privilege of this category grants a user an ability to administer a specific resource (for example, a database with the specified identifier). This privilege is granted by suffixing the administrator privilege for that kind of resource (for example, "database") with the specific identifier (for example, database-ID ), which results in the specific privilege (for example, http://marklogic.com/xdmp/privileges/admin/database/database-ID). This privilege may imply the privilege to read and write a portion of a configuration file. It also grants the ability to call various built-in functions for specific resources (for example, http://marklogic.com/xdmp/privileges/xdmp-forest-clear/forest/forest-ID privilege allows calls to xdmp:forest-clear() for that forest identifier).
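The procedure above, carried out end to end against the same Management REST API the question uses, as an added example (this is not code from the question, the answer, or MarkLogic's own documentation). It resolves the database ID, creates a role, creates the granular admin/database/ID privilege on that role, and replaces the user's role list so that manage-admin is gone. Names that are assumptions and not from the post: the admin credentials in ML_ADMIN, the role name my-db-admin, the privilege name admin-MY_DATABASE_NAME, and keeping manage-user on the user so the Management API endpoints remain reachable (check that against your MarkLogic version). Run it with `apply`, then `verify <password>` to confirm the PUT on OTHER_DATABASE_NAME now gets 403 while MY_DATABASE_NAME still succeeds.

```shell
#!/bin/sh
# Added example: swap the broad manage-admin role for a role carrying only the
# granular admin/database/<id> privilege, via the Management REST API on 8002.
# Assumed names (not from the original post): ML_ADMIN credentials, role
# "my-db-admin", privilege "admin-MY_DATABASE_NAME", and manage-user retained.
set -eu

HOST="${ML_HOST:-http://localhost:8002}"
ADMIN="${ML_ADMIN:-admin:admin}"        # assumed: an existing full admin
DB_NAME="${ML_DB:-MY_DATABASE_NAME}"
OTHER_DB="${ML_OTHER_DB:-OTHER_DATABASE_NAME}"
TARGET_USER="custom-rest-admin"
ROLE="my-db-admin"                       # assumed role name
PRIV="admin-${DB_NAME}"                  # assumed privilege name

# Granular action URI: the generic admin/database privilege suffixed with the ID.
priv_action() {
  printf 'http://marklogic.com/xdmp/privileges/admin/database/%s' "$1"
}

# Body for POST /manage/v2/roles.
role_payload() {
  printf '{"role-name":"%s","description":"Admin of database %s only"}' "$ROLE" "$DB_NAME"
}

# Body for POST /manage/v2/privileges; admin privileges are of kind "execute".
privilege_payload() {
  printf '{"privilege-name":"%s","action":"%s","kind":"execute","role":["%s"]}' \
    "$PRIV" "$(priv_action "$1")" "$ROLE"
}

# Body for PUT /manage/v2/users/<user>/properties. PUT replaces the whole role
# list, which is how manage-admin is removed. manage-user is kept so the user
# can still reach the Management API (assumption; verify for your version).
user_roles_payload() {
  printf '{"role":["rest-writer","rest-admin","manage-user","%s"]}' "$ROLE"
}

# mgmt METHOD PATH [JSON-BODY]: one Management API call as the admin.
mgmt() {
  if [ $# -ge 3 ]; then
    curl -s --anyauth --user "$ADMIN" -X "$1" \
      -H 'Content-type: application/json' -d "$3" "$HOST/manage/v2$2"
  else
    curl -s --anyauth --user "$ADMIN" -X "$1" "$HOST/manage/v2$2"
  fi
}

# Database ID from GET /manage/v2/databases/<name>?format=json: the first "id"
# in the database-default view is the database's own (assumed view layout).
database_id() {
  mgmt GET "/databases/$DB_NAME?format=json" \
    | sed -n 's/.*"id" *: *"\([0-9][0-9]*\)".*/\1/p' | head -n 1
}

apply() {
  id=$(database_id)
  [ -n "$id" ] || { echo "could not resolve ID of $DB_NAME" >&2; exit 1; }
  mgmt POST /roles "$(role_payload)"
  mgmt POST /privileges "$(privilege_payload "$id")"
  mgmt PUT "/users/$TARGET_USER/properties" "$(user_roles_payload)"
  echo "granted $(priv_action "$id") to $TARGET_USER via role $ROLE"
}

# HTTP status of a property update attempted as the target user: DB PASSWORD.
put_status() {
  curl -s -o /dev/null -w '%{http_code}' --anyauth --user "$TARGET_USER:$2" \
    -X PUT -H 'Content-type: application/json' -d @./database-config.json \
    "$HOST/manage/v2/databases/$1/properties"
}

# The check the question wanted: own database allowed, any other one refused.
verify() {
  own=$(put_status "$DB_NAME" "$1")
  other=$(put_status "$OTHER_DB" "$1")
  echo "$DB_NAME -> $own (expect 2xx), $OTHER_DB -> $other (expect 403)"
  [ "$other" = 403 ] || { echo "still able to update $OTHER_DB: tighten roles" >&2; exit 1; }
}

case "${1:-}" in
  apply)  apply ;;
  verify) verify "${2:?password of $TARGET_USER}" ;;
esac
```

The 403 on OTHER_DATABASE_NAME is the only evidence that matters; a 2xx on MY_DATABASE_NAME alone would also be produced by a user that still holds manage-admin, so run the verify step after the role change rather than trusting the role list.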