
@willsthompson
Created December 9, 2016 20:20
Checks documents and deletes any permissions to missing roles
xquery version "1.0-ml";

(:
 : Removes document permissions that refer to roles which no longer exist.
 :
 : Steps:
 :   1. Collect document URIs and the permissions set on each one.
 :   2. In the security database, keep the permissions whose role id cannot be
 :      resolved (the lookup raises SEC-ROLEDNE).
 :   3. Remove those permissions from the affected documents.
 :
 : The removal is applied directly; there is no preview step.
 : NOTE(review): consider returning the orphaned-permission map and inspecting
 : it before running the removal against a production database.
 :)

(: Only the URIs returned under 'limit=30000' are examined; documents beyond
 : that limit are not checked by a single run. :)
let $doc-uris := cts:uris((), 'limit=30000')

(: URI -> permissions currently set on that document. :)
let $perms-by-uri :=
  map:new(
    for $doc-uri in $doc-uris
    return map:entry($doc-uri, xdmp:document-get-permissions($doc-uri))
  )

(: URI -> permissions whose role is missing. The query text below is evaluated
 : against the security database (see the options element). For every
 : permission it calls sec:get-role-names on the role id: SEC-ROLEDNE marks the
 : permission as orphaned, any other error is rethrown, and URIs without
 : orphaned permissions are left out of the result. :)
let $orphans-by-uri :=
  xdmp:eval('
xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" at
"/MarkLogic/security.xqy";
declare variable $PERMISSIONS external;
map:new(
for $uri in map:keys($PERMISSIONS)
let $orphaned :=
for $p in map:get($PERMISSIONS, $uri)
return try {
let $name := sec:get-role-names($p/sec:role-id)
return ()
}
catch ($e) {
if ($e/error:code = "SEC-ROLEDNE")
then $p
else xdmp:rethrow()
}
where (exists($orphaned))
return map:entry($uri, $orphaned)
)
',
    (xs:QName('PERMISSIONS'), $perms-by-uri),
    <options xmlns="xdmp:eval">
      <database>{xdmp:security-database()}</database>
    </options>)

(: Strip the orphaned permissions from each affected document. :)
for $doc-uri in map:keys($orphans-by-uri)
return
  xdmp:document-remove-permissions($doc-uri, map:get($orphans-by-uri, $doc-uri))