
We have a protected path on /record/historical, no namespace, with one role having read permission and "admin" role given read, update, insert permissions.

We have a user, "deployment", with the "admin" role.

When logged into the query console as "deployment" and querying for /record, I can get a result of the full /record document (including /record/historical), but when I query for /record/historical (or anything below it), I get no results.

Also, this problem is not consistent across different instances of MarkLogic (all 9.0-4). Aside from Users and Protected Paths, what else should I be checking for differences?


1 Answer

To configure element-level security you need to set up both protected paths and query rolesets.

Start by checking both the protected path and the query rolesets configuration between your instances. You can view this configuration using the Admin interface and looking under Security and then Query Rolesets.

Query rolesets are needed to efficiently execute queries across data in protected paths using the indexes at scale. Without a query roleset defined, your search queries across protected data will not return any results. This explains the behavior you describe, where your protected path security works as expected when you read a document from the database but does not work as expected when you query (search) the database.

Even though you are granting the user the admin role, a query roleset is still required. But I would strongly recommend that you consider if granting the user the admin role is actually necessary. It almost always is not, and as a best practice you should work to give users the minimum amount of power they need to be able to do their job.

To learn more about security in MarkLogic and element-level security specifically I'd encourage you to look at these examples and documentation:

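A minimal Query Console script putting the answer's two requirements together (protected path plus matching query roleset) with least-privilege roles instead of "admin". This is an added example, not code from the answer or from MarkLogic's documentation; the role names, user name, password, document URI and element names are assumed, and the sample document is constructed for illustration. Script 1 must be run against the Security database and Script 2 against the content database; statements are separated by `;` so that each commits before the next one runs.

```xquery
(: ---------- Script 1: run against the Security database ---------- :)
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Step 1: two narrow roles (names are assumed). record-reader can read
   /record documents; historical-reader may additionally see the
   protected /record/historical subtree. :)
sec:create-role("record-reader", "can read /record documents", (), (), ()),
sec:create-role("historical-reader", "can see /record/historical", (), (), ())
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Step 2: protected path with no namespace, as in the question. Only
   historical-reader gets read on /record/historical and everything below it. :)
sec:protect-path("/record/historical", (),
  (xdmp:permission("historical-reader", "read"))),

(: A test user holding both roles instead of "admin" (name/password assumed). :)
sec:create-user("deployment-test", "ELS test user", "change-me",
  ("record-reader", "historical-reader"), (), ())
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Step 3: the query roleset. The set of roles that can read the protected
   path must be registered here, otherwise index-based searches that match
   inside /record/historical return nothing, even for users who hold the role.
   This is the configuration to diff between instances that behave differently. :)
sec:add-query-rolesets(
  sec:query-rolesets(sec:query-roleset("historical-reader")))

(: ---------- Script 2: run against the content database ---------- :)
;
xquery version "1.0-ml";
(: Constructed sample document; record-reader can read and update it. :)
xdmp:document-insert("/records/1.xml",
  <record>
    <id>1</id>
    <historical><note>archived</note></historical>
  </record>,
  (xdmp:permission("record-reader", "read"),
   xdmp:permission("record-reader", "update")))
;
xquery version "1.0-ml";
(: Check, logged in as deployment-test:
   - the first expression reads the document and should show <historical>;
   - the second is a search that can only match inside the protected path.
   With Step 3 applied both return the node; with the query roleset missing,
   the read still works but the search comes back empty, which is the
   symptom described in the question. :)
(
  fn:doc("/records/1.xml")/record/historical,
  cts:search(fn:doc(),
    cts:element-word-query(xs:QName("note"), "archived"))/record/historical
)
```

To see the failure mode on purpose, run Script 1 without the third statement (or remove the roleset again with `sec:remove-query-rolesets` on the same element), then rerun the check in Script 2: the direct read of `/record/historical` still succeeds for `deployment-test`, while the `cts:search` returns nothing. If two instances disagree, compare the query rolesets listed under Security in the Admin interface first, then the protected paths, before looking at users and roles.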