In Kasey’s post about security in Samplestack, we learned some tips and recommendations about using roles. How can we use them to prepare for the consequences of the Brexit or any other exits? This unprecedented decision of a country to leave the European Union will certainly cause severe uncertainty and very likely changes to financial regulation for banks. British branches that were subject to European directives may have to adapt to new British regulation while still complying to some European regulation. Let’s take the case of a global bank that will have to operate on both sides of the channel.
Current European regulation hints that in the future, information about European citizens and businesses may not be allowed to leave European borders. For instance, employees working on the London branch would not be able to access some documents created in the French branch of the bank. To prepare for this possible outcome, MarkLogic administrators should start adopting granular permissions and a hierarchical role-based access control model.
Let me demonstrate this with a simple use case based on document creation location. Once a document is created, its permission to read is set according to a role that defines the location; for instance, a document created in France would have xdmp:permission("france_locale", "read")
, one in London xdmp:permission("england_locale", "read")
, one in Edinburgh xdmp:permission("scotland_locale", "read")
.
In order to create an abstraction that would allow MarkLogic administrators to quickly adapt to the new regulation, we will use an indirect role model. Users will have a role that defines their overarching legal permission. For instance, users in the European Union will be assigned the EU_law
role and outsiders the NON-EU_law
. EU_law
inherits france_locale
and every other country in the E.U., which as of today still includes england_locale
, scotland_locale
, etc.
When the United Kingdom finally exits the European Union, rather than updating all documents to change permissions, the administrator will just create a new overarching role called UK_law
that inherits UK members, e.g., england_locale
, scotland_locale
, add these locales to NON-EU_law
as well and, finally, remove england_locale
, scotland_locale
from the EU_law
role. This will trigger an update to the security database but not an update to all documents, which could lead to a very large amount of merging. After this update, employees of the London branch who should be part of the UK_law
role will not be able to access documents created inside the European Union, but will still be able to see documents created in London or Edinburgh.
This model also prepares for later changes. If Scotland later leaves the United Kingdom, in a similar manner, the administrator would create a Scotland_law
role that inherits scotland_locale
and remove scotland_locale
from UK_law
.
In sum, we learned that it’s best practice to use granular roles (e.g. country in this example) for document permissions, and to use business-level roles (government/law unit), which are assigned to users. This model allows quick changes to access control that do not trigger document updates and reindexing, which means that you can perform security changes anytime and not be concerned about massive I/O in your database.
Like what you just read, here are a few more articles for you to check out or you can visit our blog overview page to see more.
The MarkLogic Optic API makes your searches smarter by incorporating semantic information about the world around you and this tutorial shows you just how to do it.
Are you someone who’s more comfortable working in Graphical User Interface (GUI) than writing code? Do you want to have a visual representation of your data transformation pipelines? What if there was a way to empower users to visually enrich content and drive data pipelines without writing code? With the community tool Pipes for MarkLogic […]
Rest and Spread Properties in MarkLogic 10 In this last blog of the series, we’ll review over the new object rest and spread properties in MarkLogic 10. As mentioned previously, other newly introduced features of MarkLogic 10 include: The addition of JavaScript Modules, also known as MJS (discussed in detail in the first blog in this […]
Don’t waste time stitching together components. MarkLogic combines the power of a multi-model database, search, and semantic AI technology in a single platform with mastering, metadata management, government-grade security and more.
Request a Demo