Last active
August 17, 2016 12:45
-
-
Save jmakeig/cbf2a0718927a01ca99b103ad89de6c4 to your computer and use it in GitHub Desktop.
Display roles and privileges when you get a permission denied error
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import module namespace sec="http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy"; | |
| (: Don’t use this in production. It leaks security information available to a user with elevated privileges, such as admin. :) | |
| try { | |
| (: … :) | |
| } catch($err) { | |
| if('SEC-PERMDENIED' = $err/error:code/data()) then | |
| xdmp:invoke-function( function() { | |
| for $role in xdmp:user-roles(xdmp:get-current-user()) (: Or a specific user, especially if you’re running as an elevated role :) | |
| let $role-name as xs:string := sec:get-role-names($role)/data(.) | |
| order by $role | |
| return ( | |
| $role-name, | |
| '===================================', | |
| for $priv in sec:role-privileges($role-name) | |
| order by $priv/sec:privilege-name | |
| return fn:concat(' ', $priv/sec:privilege-name, ' (', $priv/sec:kind, ')') | |
| ) | |
| }, | |
| <options xmlns="xdmp:eval"> | |
| <user-id>{xdmp:user('admin') (: Or something more specific :)}</user-id> | |
| <database>{xdmp:database('Security')}</database> | |
| </options> | |
| ) | |
| else () | |
| } | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| bigpicture-nobody | |
| =================================== | |
| tde-admin | |
| =================================== | |
| infostudio-user | |
| =================================== | |
| infostudio (execute) | |
| unprotected-collections (execute) | |
| rest-admin | |
| =================================== | |
| manage (execute) | |
| rest-admin (execute) | |
| rest-reader (execute) | |
| rest-writer (execute) | |
| bigpicture-admin | |
| =================================== | |
| any-uri (execute) | |
| infostudio (execute) | |
| manage (execute) | |
| manage-admin (execute) | |
| rest-admin (execute) | |
| rest-reader (execute) | |
| rest-writer (execute) | |
| temporal-admin (execute) | |
| temporal:document-protect (execute) | |
| temporal:document-wipe (execute) | |
| temporal:set-lsqt-automation (execute) | |
| temporal:set-use-lsqt (execute) | |
| temporal:statement-set-system-time (execute) | |
| ts:database-create-sub-database (execute) | |
| ts:database-create-super-database (execute) | |
| ts:database-delete-sub-database (execute) | |
| ts:database-delete-super-database (execute) | |
| ts:database-partition-numbers (execute) | |
| ts:database-partitions (execute) | |
| ts:forest-combine (execute) | |
| ts:forest-migrate (execute) | |
| ts:partition-create (execute) | |
| ts:partition-delete (execute) | |
| ts:partition-delete-query (execute) | |
| ts:partition-forests (execute) | |
| ts:partition-get-query (execute) | |
| ts:partition-migrate (execute) | |
| ts:partition-number-forests (execute) | |
| ts:partition-queries (execute) | |
| ts:partition-resize (execute) | |
| ts:partition-set-availability (execute) | |
| ts:partition-set-query (execute) | |
| ts:partition-set-updates-allowed (execute) | |
| ts:partition-transfer (execute) | |
| unprotected-collections (execute) | |
| xdbc:eval (execute) | |
| xdmp:document-get (execute) | |
| xdmp:eval (execute) | |
| rest-reader | |
| =================================== | |
| rest-reader (execute) | |
| manage-user | |
| =================================== | |
| manage (execute) | |
| bigpicture-writer | |
| =================================== | |
| rest-reader (execute) | |
| rest-writer (execute) | |
| rest-extension-user | |
| =================================== | |
| tiered-storage-admin | |
| =================================== | |
| ts:database-create-sub-database (execute) | |
| ts:database-create-super-database (execute) | |
| ts:database-delete-sub-database (execute) | |
| ts:database-delete-super-database (execute) | |
| ts:database-partition-numbers (execute) | |
| ts:database-partitions (execute) | |
| ts:forest-combine (execute) | |
| ts:forest-migrate (execute) | |
| ts:partition-create (execute) | |
| ts:partition-delete (execute) | |
| ts:partition-delete-query (execute) | |
| ts:partition-forests (execute) | |
| ts:partition-get-query (execute) | |
| ts:partition-migrate (execute) | |
| ts:partition-number-forests (execute) | |
| ts:partition-queries (execute) | |
| ts:partition-resize (execute) | |
| ts:partition-set-availability (execute) | |
| ts:partition-set-query (execute) | |
| ts:partition-set-updates-allowed (execute) | |
| ts:partition-transfer (execute) | |
| temporal-admin | |
| =================================== | |
| temporal-admin (execute) | |
| temporal:document-protect (execute) | |
| temporal:document-wipe (execute) | |
| temporal:set-lsqt-automation (execute) | |
| temporal:set-use-lsqt (execute) | |
| temporal:statement-set-system-time (execute) | |
| xdbc:eval (execute) | |
| xdmp:eval (execute) | |
| rest-writer | |
| =================================== | |
| rest-reader (execute) | |
| rest-writer (execute) | |
| manage-admin | |
| =================================== | |
| infostudio (execute) | |
| manage (execute) | |
| manage-admin (execute) | |
| temporal-admin (execute) | |
| temporal:document-protect (execute) | |
| temporal:document-wipe (execute) | |
| temporal:set-lsqt-automation (execute) | |
| temporal:set-use-lsqt (execute) | |
| temporal:statement-set-system-time (execute) | |
| ts:database-create-sub-database (execute) | |
| ts:database-create-super-database (execute) | |
| ts:database-delete-sub-database (execute) | |
| ts:database-delete-super-database (execute) | |
| ts:database-partition-numbers (execute) | |
| ts:database-partitions (execute) | |
| ts:forest-combine (execute) | |
| ts:forest-migrate (execute) | |
| ts:partition-create (execute) | |
| ts:partition-delete (execute) | |
| ts:partition-delete-query (execute) | |
| ts:partition-forests (execute) | |
| ts:partition-get-query (execute) | |
| ts:partition-migrate (execute) | |
| ts:partition-number-forests (execute) | |
| ts:partition-queries (execute) | |
| ts:partition-resize (execute) | |
| ts:partition-set-availability (execute) | |
| ts:partition-set-query (execute) | |
| ts:partition-set-updates-allowed (execute) | |
| ts:partition-transfer (execute) | |
| unprotected-collections (execute) | |
| xdbc:eval (execute) | |
| xdmp:eval (execute) | |
| bigpicture-reader | |
| =================================== | |
| rest-reader (execute) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment