1

I am running as a user without the admin role. The account has been granted execute for the http://marklogic.com/xdmp/privileges/get-role privilege as required for the `sec:role-exists()` call. I had to create the privilege manually as it was not included out of the box, as resolved in this thread:

How to grant http://marklogic.com/xdmp/privileges/get-role privilege?

But now, with the privilege added, the call always returns false, whereas if I run as admin, it works fine. Running `xdmp:permission()` with this user referencing an existing role works fine.

TJ Tang
  • Without a code example, it's hard to advise, but there's nothing in the documentation to suggest that `xdmp:permission()` requires any execution privileges to run. – wst Feb 18 '16 at 17:42

1 Answer

2

You should be running as a user who has the security role, since it needs to read documents whose permissions only grant read access to that role.

Wayne Feick
  • I granted the security role to my role, and everything works now. I guess if I wanted to do something custom where I wanted access to roles but not other stuff that comes along with the security role, I could create another role, with only the role-specific privileges, and then make sure that role has read for all of the role-related document records. Probably not worth the hassle though. – TJ Tang Feb 18 '16 at 19:38
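
A diagnostic that separates the two checks discussed in this thread, the `get-role` execute privilege and membership in the `security` role, and reports them next to the `sec:role-exists()` result. It is an added example, not code from the question or the answer. Assumptions: it is evaluated against the Security database as the non-admin user, and `my-app-role` is a placeholder role name.

```xquery
xquery version "1.0-ml";

(: Added diagnostic, not from the original thread.
   Assumption: evaluated against the Security database (for example by
   selecting it as the content source in Query Console) as the non-admin user.
   "my-app-role" is a placeholder role name. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";

declare variable $role-name as xs:string := "my-app-role";
declare variable $get-role as xs:string :=
    "http://marklogic.com/xdmp/privileges/get-role";

(: Check 1: the execute privilege the question already granted. :)
let $has-privilege := xdmp:has-privilege($get-role, "execute")

(: Check 2: membership in the security role, which per the answer is what
   grants read access to the role documents. xdmp:role() may itself be
   privilege-protected, so a failure is reported as "unknown". :)
let $security-id := try { xdmp:role("security") } catch ($e) { () }
let $has-security :=
    if (fn:empty($security-id)) then "unknown"
    else xs:string(xdmp:get-current-roles() = $security-id)

(: The lookup itself. The question reports that it returns false rather
   than raising an error when the role documents are not readable. Any
   error that does occur is shown by its code instead of being swallowed. :)
let $exists :=
    try { xs:string(sec:role-exists($role-name)) }
    catch ($e) { fn:string-join($e/*:code/fn:string(), " ") }

return
  <role-lookup-check user="{xdmp:get-current-user()}">
    <get-role-privilege>{$has-privilege}</get-role-privilege>
    <security-role>{$has-security}</security-role>
    <role-exists name="{$role-name}">{$exists}</role-exists>
  </role-lookup-check>
```

A result with `get-role-privilege` true, `security-role` false and `role-exists` false for a role that does exist matches the situation in the question.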