Progress Acquires MarkLogic! Learn More

Exercising Privilege to Restrict Content

Back to blog
2 minute read
Back to blog
2 minute read

MarkLogic has a role-based security model, which makes roles very powerful. Application developers must keep that power in check when designing security. Assigning a role to your custom application role means it inherits not only access privileges, but also document permissions.

Using MarkLogic’s Role-Based Security Model as a starting point – where roles are central.

Privileges control what actions a role can perform. Document permissions restrict what content a role can view. MarkLogic provides fine-grained control for custom role definitions so that the right combination of privileges and permissions can be used. Developers should consider using privileges to provide access instead of MarkLogic’s out-of-the-box roles, which may unwittingly expose restricted content to end-users. Samplestack encountered this scenario and illustrates the design pattern to use the rest-reader privilege instead of the rest-reader role for its application-specific security model.

Application Requirement

Requirement to restrict visibility of Question & Answer documents for Samplestack roles


Two components of the role-based security model that can be applied here are permissions on the documents and application role definitions (privileges and assigned roles).

Here is the relevant portion of the security model Samplestack implemented to enforce the restricted content requirement:

Guest Contributor
Database User is: samplestack-guest samplestack-contributor
has Database Role: samplestack-guest samplestack-writer
is assigned (& inherits) roles: rest-extension-user samplestack-guest (rest-extension-user), rest-reader, rest-writer
is assigned (& inherits) privileges: rest-reader (rest-reader, rest-writer)


Design Considerations

A natural inclination might be to give the Guest the rest-reader role since Guests can view (some) content and do so via the Client API. However, it provides a possible loophole where the Guest could view more content than allowed.

From the REST Application Developer’s Guide:

By default, documents you create with the MarkLogic REST API have a read permission for the rest-reader role… a user with the rest-reader role can read all documents created with the REST API.

To enable users to [read] documents using the REST API yet restrict access, use custom roles with the rest-reader privileges and suitable default permissions, rather than relying on the pre-defined rest-reader.

As you can see, the rest-reader role has special access, so you may want to avoid using it for the basis of your own application role hierarchy.

Samplestack took these guidelines as inputs to making the following decisions:

  • Created custom application-specific roles
  • Used privileges rather than assigning out of the box roles
  • Applied document permissions for custom roles, rather than relying on pre-defined, MarkLogic-supplied roles

Limiting Guests to viewing documents using the explicit, application-specific samplestack-guest permission also gives application developers more fine-grained control over document visibility for their users in a scenario where other applications share the same database and could insert unknown content.

Check out the configuration yourself in the Samplestack GitHub repository.

Another approach would have been to create a layer of abstraction between the document state/permission and the user role. For example, a permission called accepted-answer could be applied to documents with accepted answers. The samplestack-guest role would be assigned the accepted-answer role. Abstracting the document permission away from the specific application role means some changes in access for guests would not require updating and re-indexing every document.

Thank you to the Samplestack engineers, Charles Greer and Daphne Maddox for review, to Caio Milani for security input, and to Mitch Yawitz for design assistance.

Kasey Alderete

Read more by this author

Share this article

Read More

Related Posts

Like what you just read, here are a few more articles for you to check out or you can visit our blog overview page to see more.

Developer Insights

Multi-Model Search using Semantics and Optic API

The MarkLogic Optic API makes your searches smarter by incorporating semantic information about the world around you and this tutorial shows you just how to do it.

All Blog Articles
Developer Insights

Create Custom Steps Without Writing Code with Pipes

Are you someone who’s more comfortable working in Graphical User Interface (GUI) than writing code? Do you want to have a visual representation of your data transformation pipelines? What if there was a way to empower users to visually enrich content and drive data pipelines without writing code? With the community tool Pipes for MarkLogic […]

All Blog Articles
Developer Insights

Part 3: What’s New with JavaScript in MarkLogic 10?

Rest and Spread Properties in MarkLogic 10 In this last blog of the series, we’ll review over the new object rest and spread properties in MarkLogic 10. As mentioned previously, other newly introduced features of MarkLogic 10 include: The addition of JavaScript Modules, also known as MJS (discussed in detail in the first blog in this […]

All Blog Articles

Sign up for a Demo

Don’t waste time stitching together components. MarkLogic combines the power of a multi-model database, search, and semantic AI technology in a single platform with mastering, metadata management, government-grade security and more.

Request a Demo