This page was generated March 13, 2012 4:48 AM
XQuery & XSLT Built-In & Modules Function Reference

Built-In: Security

The security built-in functions are XQuery functions to perform many security-related tasks in MarkLogic Server.
Function Summary
xdmp:amp : Returns the amp ID for the specified amp.
xdmp:amp-roles : Returns the set of all roles assigned to an amp, including roles directly assigned to the amp and roles inherited from other roles.
xdmp:can-grant-roles : Tests whether a user can grant or revoke a set of roles.
xdmp:default-collections : Returns the collections any new document would get if the current user were to insert a document without specifying the collections.
xdmp:default-permissions : Returns the permissions any new document would get if the current user were to insert a document without specifying the default permissions.
xdmp:document-get-permissions : Returns the permissions to a given document.
xdmp:get-current-roles : Returns all the current roles, both assigned and inherited by the current user and any received from amps.
xdmp:get-current-user : Returns the name of the current user.
xdmp:get-request-user : Returns the ID of the current user.
xdmp:has-privilege : Tests whether the current user has at least one of a given set of privileges.
xdmp:permission : Returns a permission element in the security namespace corresponding to the named role and capability given.
xdmp:privilege : Returns the privilege ID for the specified privilege name.
xdmp:privilege-roles : Returns the set of all roles that have a given privilege.
xdmp:role : Returns the role ID for the specified role name.
xdmp:role-roles : Returns the set of all roles inherited by a given role, including roles directly assigned to the role and roles inherited from other roles.
xdmp:security-assert : Tests whether the current user has at least one of a given set of privileges.
xdmp:user : Returns the user ID for the specified user name.
xdmp:user-roles : Returns all roles assigned to a user, including roles directly assigned to the user and roles inherited from other roles.
Function Detail
xdmp:amp(
$namespace as xs:string,
$localname as xs:string,
$module-uri as xs:string,
$database as xs:unsignedLong
)  as   xs:integer
Summary:

Returns the amp ID for the specified amp. Unlike the security library module function sec:uid-for-name, this function can be evaluated against any database and does not need to be evaluated directly against the security database. It returns the amp ID from the security database configured for the database against which the App Server evaluates.

Parameters:
$namespace : A function namespace.
$localname : A function localname.
$module-uri : The module URI for the amp.
$database : The ID of the database in which the module to which this amp refers is stored. If the module is on the filesystem under the Modules directory, then specify 0 for the database ID.

Example:
  xdmp:amp("http://my-app/test","my-func","/modules/my-module.xqy",
            xdmp:modules-database())
  => 2392349873545
Example:
  xdmp:amp("http://marklogic.com/xdmp/security", "amp-add-roles", 
         "/MarkLogic/security.xqy", 0) 
  => 3548369234520018804

xdmp:amp-roles(
$namespace-uri as xs:string,
$localname as xs:string,
$document-uri as xs:string,
$database-id as xs:unsignedLong
)  as   xs:unsignedLong*
Summary:

Returns the set of all roles assigned to an amp, including roles directly assigned to the amp and roles inherited from other roles.

Parameters:
$namespace-uri : The amped function namespace URI.
$localname : The amped function localname.
$document-uri : The amped function module URI.
$database-id : The database ID containing the module.

Example:
  xdmp:amp-roles("http://marklogic.com", 
                 "read-docs", 
                 "/app/docs.xqy",
                 239487239487)
  => (2349872340, 432987324)

xdmp:can-grant-roles(
$roles as xs:string*
)  as   empty-sequence()
Summary:

Tests whether a user can grant or revoke a set of roles. Raises an error if the session user cannot.

Parameters:
$roles : A set of role names.

Example:
  xdmp:can-grant-roles(("development", "qa"))

xdmp:default-collections(
[$uri as xs:string]
)  as   element()*
Summary:

Returns the collections any new document would get if the current user were to insert a document without specifying the collections.

Parameters:
$uri (optional): A document URI, used to determine the parent directory.

Example:
  xdmp:default-collections()
  => ("http://example.com/docs",
      "http://example.com/manuals")

xdmp:default-permissions(
[$uri as xs:string]
)  as   element()*
Summary:

Returns the permissions any new document would get if the current user were to insert a document without specifying the default permissions.

Parameters:
$uri (optional): A document URI, used to determine the parent directory.

Example:
  xdmp:default-permissions("http://example.com/content/foo.xml")
  => (<sec:permission>
          <sec:capability>read</sec:capability>
          <sec:role-id>324978243</sec:role-id>
        </sec:permission>,
        <sec:permission>
          <sec:capability>read</sec:capability>
          <sec:role-id>32493478578243</sec:role-id>
        </sec:permission>,
        <sec:permission>
          <sec:capability>update</sec:capability>
          <sec:role-id>32493478578243</sec:role-id>
        </sec:permission>)

xdmp:document-get-permissions(
$uri as xs:string
)  as   element()*
Summary:

Returns the permissions to a given document.

Parameters:
$uri : The document URI.

Example:
  xdmp:document-get-permissions("chapter5.xml")
  => (<sec:permission>
          <sec:capability>read</sec:capability>
          <sec:role-id>324978243</sec:role-id>
        </sec:permission>,
        <sec:permission>
          <sec:capability>read</sec:capability>
          <sec:role-id>32493478578243</sec:role-id>
        </sec:permission>,
        <sec:permission>
          <sec:capability>update</sec:capability>
          <sec:role-id>32493478578243</sec:role-id>
        </sec:permission>)
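
An added example (not part of the MarkLogic reference) that combines xdmp:document-get-permissions with xdmp:role to list the roles holding a capability on a document that fall outside an expected set. The allowlist and the function name local:unexpected-roles are assumptions; the role names and document URI are the ones used in this page's examples.

```xquery
xquery version "1.0-ml";

declare namespace sec = "http://marklogic.com/xdmp/security";

(: Assumed policy for illustration: only these roles may hold "update". :)
declare variable $ALLOWED-UPDATERS as xs:string+ := ("editor", "development");

(: Returns the role IDs that hold $capability on the document at $uri
   but are not among the roles named in $allowed.
   xdmp:role resolves each name to its ID, so every name in $allowed
   must exist in the security database. :)
declare function local:unexpected-roles(
  $uri as xs:string,
  $capability as xs:string,
  $allowed as xs:string*
) as xs:unsignedLong*
{
  let $allowed-ids := for $name in $allowed return xdmp:role($name)
  for $perm in xdmp:document-get-permissions($uri)
  let $role-id := xs:unsignedLong($perm/sec:role-id)
  where $perm/sec:capability eq $capability
    and fn:not($role-id = $allowed-ids)
  return $role-id
};

(: An empty result means every "update" permission belongs to an allowed role. :)
local:unexpected-roles("chapter5.xml", "update", $ALLOWED-UPDATERS)
```

The comparison is done on role IDs because the sec:permission elements carry sec:role-id values rather than role names.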

xdmp:get-current-roles(  ) as  xs:unsignedLong*
Summary:

Returns all the current roles, both assigned and inherited by the current user and any received from amps.

Example:
  xdmp:get-current-roles()
  => (2349872340, 432987324)

xdmp:get-current-user(  ) as  xs:string
Summary:

Returns the name of the current user.

Example:
  xdmp:get-current-user()
  => "ian"

xdmp:get-request-user(  ) as  xs:unsignedLong
Summary:

Returns the id of the current user.

Example:
  xdmp:get-request-user()
  => 23987236

xdmp:has-privilege(
$privileges as xs:string*,
$kind as xs:string
)  as   xs:boolean
Summary:

Tests whether the current user has at least one of a given set of privileges. Returns true if they do, false otherwise.

Parameters:
$privileges : The set of privilege URIs. These are the URIs for the privileges, not the names of the privileges.
$kind : The kind of privileges (either "execute" or "uri").

Example:
  xdmp:has-privilege("http://myprivs/function-foo", "execute")
  => true if the current user has the execute privilege on a
     privilege with the URI "http://myprivs/function-foo"

xdmp:permission(
$role as xs:string,
$capability as xs:string
)  as   element()
Summary:

Returns a permission element in the security namespace corresponding to the named role and capability given.

Parameters:
$role : A role name.
$capability : A capability (read, update, insert, or execute).

Example:
  xdmp:permission("development", "read")
  => <sec:permission>
          <sec:capability>read</sec:capability>
          <sec:role-id>32497824353</sec:role-id>
       </sec:permission>

xdmp:privilege(
$action as xs:string,
$kind as xs:string
)  as   xs:integer
Summary:

Returns the privilege ID for the specified privilege name. Unlike the security library module function sec:uid-for-name, this function can be evaluated against any database and does not need to be evaluated directly against the security database. It returns the privilege ID from the security database configured for the database against which the App Server evaluates.

Parameters:
$action : A privilege action.
$kind : A privilege kind: "execute" or "URI".

Example:
  xdmp:privilege("http://my-app/test","execute")
  => 2392349873545

xdmp:privilege-roles(
$action as xs:string,
$kind as xs:string
)  as   xs:unsignedLong*
Summary:

Returns the set of all roles that have a given privilege.

Parameters:
$action : The privilege action.
$kind : The privilege kind.

Example:
  xdmp:privilege-roles(
         "http://marklogic.com/privileges/delete-all",
         "execute")
  => (2349872340, 432987324)

xdmp:role(
$role as xs:string
)  as   xs:integer
Summary:

Returns the role ID for the specified role name. Unlike the security library module function sec:uid-for-name, this function can be evaluated against any database and does not need to be evaluated directly against the security database. It returns the role ID from the security database configured for the database against which the App Server evaluates.

Parameters:
$role : A role name.

Example:
  xdmp:role("editor")
  => 2392349873545

xdmp:role-roles(
$name as xs:string
)  as   xs:unsignedLong*
Summary:

Returns the set of all roles inherited by a given role, including roles directly assigned to the role and roles inherited from other roles.

Parameters:
$name : The role name.

Example:
  xdmp:role-roles("vp")
  => (2349872340, 432987324)

xdmp:security-assert(
$privileges as xs:string*,
$kind as xs:string
)  as   empty-sequence()
Summary:

Tests whether the current user has at least one of a given set of privileges. Raises an error if the user does not have any of the privileges.

Parameters:
$privileges : The set of privilege URIs. These are the action URIs for the privileges, not the names of the privileges.
$kind : The kind of privileges (either "execute" or "uri").

Example:
  xdmp:security-assert("http://my-function/function-foo", "execute")
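
An added example (not part of the MarkLogic reference) contrasting the two privilege tests described above: xdmp:security-assert as a hard gate that raises an error, and xdmp:has-privilege as a boolean check that does not. The privilege action URI and the local: function names are assumptions; the privilege must already exist in the security database.

```xquery
xquery version "1.0-ml";

(: Hypothetical execute-privilege action URI, used for illustration only. :)
declare variable $EXPORT-PRIV as xs:string :=
  "http://example.com/privileges/export-report";

(: Hard gate: xdmp:security-assert raises an error unless the current
   user holds the privilege, so fn:doc is never reached without it. :)
declare function local:export-report($uri as xs:string) as document-node()?
{
  xdmp:security-assert($EXPORT-PRIV, "execute"),
  fn:doc($uri)
};

(: Soft check: xdmp:has-privilege returns a boolean, so the caller can
   decide what to offer without triggering an error. :)
declare function local:menu() as element(menu)
{
  <menu user="{xdmp:get-current-user()}">{
    <item>view</item>,
    if (xdmp:has-privilege($EXPORT-PRIV, "execute"))
    then <item>export</item>
    else ()
  }</menu>
};

local:menu()
```

Hiding the menu item is a convenience only; the assert inside local:export-report is what enforces the privilege.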

xdmp:user(
$user as xs:string
)  as   xs:integer
Summary:

Returns the user ID for the specified user name. Unlike the security library module function sec:uid-for-name, this function can be evaluated against any database and does not need to be evaluated directly against the security database. It returns the user ID from the security database configured for the database against which the App Server evaluates.

Parameters:
$user : A user name.

Example:
  xdmp:user("sylvester")
  => 239871567325

xdmp:user-roles(
$name as xs:string
)  as   xs:unsignedLong*
Summary:

Returns all roles assigned to a user, including roles directly assigned to the user and roles inherited from other roles.

Parameters:
$name : The user name.

Example:
  xdmp:user-roles("ian")
  => (2349872340, 432987324)