Changes

208 bytes added, 18:39, 2 August 2016
==This article is part of the [[Advanced User Management=='s Guide]]. The user management defines which permissions are required by a user to perform a database command or XQuery expression.
Permissions are mostly relevant in the client/server architecture, as the [[Standalone Mode]] and the [[GUI]] are run with admin permissions. There are a few exceptions such as the [[XQuery Module#xquery:eval|xquery:eval]] function: Its execution scope can also be limited by specifying a permission.

Please take care of usual security measures: ensure that your password will not end up in your bash history, avoid sending passwords via ordinary REST requests, etc.

==Rules==

In the permission hierarchy below, the existing permissions are illustrated. A higher permission includes all lower permissions. For example, all users who have the <code>write</code> permission assigned will also be able to execute commands requiring <code>read</code> permission.

Local permissions are applied to databases. They have a higher precedence and override global permissions.

[[File:perms.png|none|thumb|403px|Permissions hierarchy]]

User names must follow the [[Valid Names|valid names constraints]], and the database patterns must follow the [[Commands#Glob_Syntax|Glob Syntax]].

==Operations==

For all operations, admin permissions are required:

===Commands===

'''Create user 'test' (password will be entered on command line). By default, the user will have no permissions ('none'):'''

<code>&gt; CREATE USER test</code>

'''Change password of user 'test' to '71x343sd#':'''

<code>&gt; ALTER PASSWORD test 71x343sd#</code>
'''Create user 'test' with password 'test':'''

<code>&gt; CREATE USER test test</code>

As global permissions, you can set 'none', 'read', 'write', 'create' and 'admin'.

'''Revoke all global permissions from user 'test':'''

<code>&gt; GRANT none TO test</code>

Valid local permissions are 'none', 'read' and 'write'.

'''Grant local write permissions to user 'test':'''

<code>&gt; GRANT write ON unit* TO test</code>

Note: Local permissions overwrite global permissions. As a consequence, the 'test' user will only be allowed to access (i.e., read and write) databases starting with the letters 'unit'. If no local permissions are set, the global rights are inherited.
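A small Python model of the rule in the note above (an added example, not BaseX code and not part of the wiki page): a local permission whose database pattern matches takes precedence, otherwise the global permission is inherited. The `User` class, its method names, the `analyst` user and the database names are constructed for illustration. Only `*` and `?` are treated as wildcards, and a database matched by patterns carrying different permissions is rejected, because the page does not define that case.

```python
import re

# Permission hierarchy as listed on the page, lowest to highest.
LEVELS = ["none", "read", "write", "create", "admin"]
LOCAL_LEVELS = ("none", "read", "write")  # valid local permissions

def glob_match(pattern, database):
    """Match a database name; only '*' and '?' are wildcards (assumption)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, database) is not None

class User:
    """Hypothetical model of one user: a global and several local permissions."""
    def __init__(self, name, global_perm="none"):
        self.name = name
        self.global_perm = global_perm  # 'none' by default, as for CREATE USER
        self.local = {}                 # database pattern -> local permission

    def grant(self, perm, on=None):
        """Model of: GRANT perm [ON pattern] TO user."""
        if perm not in (LEVELS if on is None else LOCAL_LEVELS):
            raise ValueError(f"invalid permission {perm!r}")
        if on is None:
            self.global_perm = perm
        else:
            self.local[on] = perm

    def effective(self, database):
        """Local permission if a pattern matches, else the inherited global one."""
        hits = {p for pat, p in self.local.items() if glob_match(pat, database)}
        if len(hits) > 1:
            raise ValueError(f"conflicting local permissions for {database!r}")
        return hits.pop() if hits else self.global_perm

    def may(self, required, database):
        """A higher permission includes all lower permissions."""
        return LEVELS.index(self.effective(database)) >= LEVELS.index(required)

def audit(user, databases):
    """Effective permission per database, for reviewing what a user can reach."""
    return {db: user.effective(db) for db in databases}

# Constructed sample data.
test = User("test")
test.grant("write", on="unit*")      # GRANT write ON unit* TO test
analyst = User("analyst", "read")
analyst.grant("none", on="hr?")      # a local 'none' lowers the global 'read'
DATABASES = ["unit1", "unittests", "factbook", "hr1"]
```

Calling `audit(test, DATABASES)` lists the effective permission for each database, which makes an overly broad pattern or an unintended inherited global permission easy to spot.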
'''Show global permissions:'''

<code>&gt; SHOW USERS</code>

'''Show local permissions on database 'factbook':'''

<code>&gt; SHOW USERS ON factbook</code>
'''Drop user 'test':'''

<code>&gt; DROP USER test</code>

===XQuery===

The available user functions are listed in the [[User Module]]:

'''Create user 'test' with no permissions:'''

<code>user:create('test', 'top-secret')</code>

'''Show detailed information about user 'test':'''

<code>user:list-details()[@name = 'test']</code>

'''Drop user 'test':'''

<code>user:drop('test')</code>

==Storage==

The permission file {{Code|users.xml}} is stored in the database directory. This file can be manually edited; it will be parsed once when BaseX is started.
Salted SHA256 hashes are used for authentication (the current timestamp will be used as salt). Additionally, digest hashes are used in the client/server architecture and the [[Clients|Language Bindings]], and in the [[Web Application|HTTP Context]] if the [[Options#AUTHMETHOD|AUTHMETHOD]] is set to {{Code|Digest}}.
==Commands and Permissions table==

{| border="1" cellpadding="5" cellspacing="0"
!Command!!Description!!Needed Permission
|-
|close||Closes currently opened database.||None
|-
|exit||Exits BaseX.||None
|-
|get||Returns a property value.||None
|-
|help||Shows the help texts.||None
|-
|password||Changes password of currently logged-in user.||None
|-
|set||Sets a property value.||None
|-
|xquery||Executes an XQuery function without database access.||None
|-
|info||Shows information about the currently opened database.||Read
|-
|list||Shows all available databases.||Read
|-
|open||Opens a database.||Read
|-
|xquery||Executes a read-only XQuery function with database access.||Read
|-
|add||Adds documents to the currently opened database.||Write
|-
|create index||Creates the specified index.||Write
|-
|delete||Deletes documents from the currently opened database.||Write
|-
|drop index||Drops the specified index.||Write
|-
|optimize||Optimizes the database structure and renews the indexes.||Write
|-
|xquery||Executes an XQuery update function.||Write
|-
|alter db||Renames a database.||Create
|-
|create db||Creates a database.||Create
|-
|drop db||Drops a database.||Create
|-
|export||Exports the database content.||Create
|-
|alter user||Changes the password of a user.||Admin
|-
|create user||Creates a new user.||Admin
|-
|drop user||Drops a user.||Admin
|-
|grant||Assigns permissions to users.||Admin
|-
|kill||Kills a user session on the server.||Admin
|-
|show||Shows different server information.||Admin
|}

==Changelog==

Revised in Version 8.0.