
Failing to create custom user permissions to restrict content

I am struggling to get my user permissions/privileges/roles setup correctly to get the behaviour I need.

I am using MarkLogic 8 and Roxy to create and deploy an application.

This application has different users that have content that should be restricted to the individual user. But they also participate in projects in which they need to collaborate together.

I have seen this helpful blog and the discussion on github issue 303 but still not able to get it right.

Default roxy app user role:

<role>
  <role-name>${app-role}</role-name>
  <description>A role for users of the ${app-name} application</description>
  <role-names>
  </role-names>
  <permissions>
    <permission>
      <capability>execute</capability>
      <role-name>${app-role}</role-name>
    </permission>
    <permission>
      <capability>update</capability>
      <role-name>${app-role}</role-name>
    </permission>
    <permission>
      <capability>insert</capability>
      <role-name>${app-role}</role-name>
    </permission>
    <permission>
      <capability>read</capability>
      <role-name>${app-role}</role-name>
    </permission>
  </permissions>
  <collections>
  </collections>
  <privileges>
    <privilege>
      <privilege-name>xdmp:value</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:add-response-header</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:invoke</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:with-namespaces</privilege-name>
    </privilege>
  </privileges>
</role>

My custom role:

<role>
  <role-name>sccss-user</role-name>
  <description>sccss default role</description>
  <role-names>
    <!-- TODO test which roles we really need -->
    <!--
    <role-name>alert-user</role-name>    
    <role-name>alert-internal</role-name> 
    <role-name>rest-admin</role-name> 
    <role-name>rest-writer-internal</role-name>
    <role-name>rest-reader</role-name> 
    <role-name>network-access</role-name>
    <role-name>qconsole-user</role-name>
    -->
    <!-- cluey app role for rest api access TODO replace with dedicated api user and role 

    <role-name>${app-role}</role-name>
    -->

  </role-names>
  <permissions>
  </permissions>
  <collections>
  </collections>
  <privileges>
    <!-- HK -->
    <!--
    <privilege>
      <privilege-name>any-uri</privilege-name>
    </privilege>
    -->
    <privilege>
      <privilege-name>devices-uri</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>any-collection</privilege-name>
    </privilege>
    <!-- to make this role have access to the REST API -->
    <privilege>
      <privilege-name>rest-reader</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>rest-writer</privilege-name>
    </privilege>
    <!-- TODO test this
    <privilege>
      <privilege-name>xdmp:value</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:add-response-header</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:invoke</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:with-namespaces</privilege-name>
    </privilege>
    -->
  </privileges>
</role>

I have tested and tried what is described in the blog above, but with those settings I get no access to any document, apparently no REST extension access. If I give my users the ${app-role} it gives the problem that users can see other users' private content... because all users have the 'rest-reader' role... So I need to restrict the default app role to not use the rest-reader role and use rest-reader privileges, but I can't get it to work...

One option I am considering is to use document-insert() permissions for the restricted content but this should be possible with the right roles and privileges if I can set it up correctly, right?

ADDITION

In response to Grtjn's answer: thanks for your comments. I think I am puzzled by the REST roles. If I look at the default roles in a Roxy app on GitHub those look empty, but when I set my Roxy app type to be a REST app things seem to get more complicated. The main confusion is what roles and privileges I need for a second (independent) role to be able to use the REST endpoint. What are the xdmp:(value, add-response-header, invoke, etc.) privileges exactly doing and needed for? In my example, for a user to be able to access the REST API he/she needs the following roles:

      <role-name>${app-role}</role-name>
      <!-- we need this to amp internal privileges-->
      <role-name>alert-user</role-name>    
      <role-name>alert-internal</role-name> 
      <role-name>rest-admin-internal</role-name> 

And then we get into the discussion if rest-reader should be a privilege or a role?

So a more concrete question:

What is the minimum role/privilege set I would need to access a REST endpoint created by a Roxy REST type application?

I'd recommend taking the following approach here:

Use the app-role for application execution, not for content access to start with. For that reason, remove the default permissions from that role, and just give it the rest-reader/rest-writer privilege, and maybe some privs for running MLCP and such.

Next, make sure that REST extensions, and anything else that is not deployed by Roxy directly, get read and execute document permission. Think of triggers and alerts created with custom code, sql-views or schemas not loaded with deploy schemas, etc. The change_permissions function we use in slush-marklogic-node could serve as example of how to handle this: https://github.com/marklogic/slush-marklogic-node/pull/298/files#diff-a529d1d70bd21866e1d12eda3a99f7b6R96

Once there, create a dedicated role for each portion of content that needs to be granted access to separately. If you need a set of docs to be accessible by one user only, you will need a user-specific role. If you also have a set of docs accessible by project members only, you also need a project-specific role. If you need to distinguish between read/write too, make two roles for each (two user, two project roles). These roles will have no privs, and should not inherit roles (except write inheriting the corresponding read role perhaps).

Once you have the read/write roles, you can start thinking about how to apply them correctly for document permissions at ingest. With this level of complexity, you might wanna avoid default permissions, and choose document permissions explicitly. xdmp:document-insert, MLCP and /v1/documents all take explicit document permissions, so you should have a reasonable amount of control with those.

ADDITION

Note on Roxy's out of the box ml-config file. It is not properly tuned for REST type applications. That is why the slush-marklogic-node generator patches the ml-config: https://github.com/marklogic/slush-marklogic-node/blob/master/slushfile.js#L346

The bare minimum to have read access to the REST API is the rest-reader priv, and to have update access to the REST API is the rest-writer priv. REST extensions are running from the modules database, not from the filesystem, so you need module access for that in addition. The change_permissions function mentioned above fixes that for you.

Anyhow, my general advice would be to use app-role for app execution, like mentioned before, and the other roles for data access. Any user that wants to use the app should inherit app-role, as well as some of the other roles to provide the appropriate amount of data access.

HTH!
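The explicit-permission ingest the answer recommends, as an added example that is not part of the original question or answer. It assumes four hypothetical per-user and per-project roles (`user-alice-read`, `user-alice-write`, `project-42-read`, `project-42-write`) already exist with no privileges, and that the query runs as an update against the content database.

```xquery
xquery version "1.0-ml";
(: Added example, not from the question or the answer: give each document
   explicit permissions at insert time so nothing falls through to default
   permissions or to the app-role / rest-reader roles. :)
declare namespace sec = "http://marklogic.com/xdmp/security";

(: Hypothetical role names; create them (no privs, no inherited roles)
   before running this, e.g. in Roxy's ml-config. :)
declare variable $user-read  := "user-alice-read";
declare variable $user-write := "user-alice-write";
declare variable $proj-read  := "project-42-read";
declare variable $proj-write := "project-42-write";

(: Build the permission set for one content portion: the read role may
   only read, the write role may update and insert. If the write role
   inherits the read role (as the answer suggests), writers can read too. :)
declare function local:perms($read as xs:string, $write as xs:string)
  as element(sec:permission)*
{
  xdmp:permission($read,  "read"),
  xdmp:permission($write, "update"),
  xdmp:permission($write, "insert")
};

(: Private document: readable and writable only through alice's roles.
   A user holding only app-role, rest-reader or rest-writer has no access. :)
xdmp:document-insert(
  "/users/alice/notes.xml",
  <notes owner="alice">constructed sample content</notes>,
  local:perms($user-read, $user-write),
  "users"
),

(: Shared project document: same scheme, project-scoped roles. :)
xdmp:document-insert(
  "/projects/42/plan.xml",
  <plan project="42">constructed sample content</plan>,
  local:perms($proj-read, $proj-write),
  "projects"
)
```

To verify what was stored, run `xdmp:document-get-permissions("/users/alice/notes.xml")` in a separate request (reads in the same transaction do not see the just-inserted document) and map each `sec:role-id` back with `xdmp:role-name`.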
