Changes

766 bytes added ,  16:39, 27 February 2020
no edit summary
This article is part of the [[Advanced User's Guide]].The user management defines which permissions are requiredby a user to perform a specific database command or XQuery expression. Permissions are mostly relevant in the client/server architecture, as the [[CommandsGUI]] and the [[Command-Line Client]] is run with admin permissions. There are a few exceptions such as the [[XQuery Module#xquery:eval|database commandxquery:eval]]function: Its execution scope can also be limited by specifying a permissionPlease take care of usual security measures: ensure that your password will not end up in your bash history, avoid sending passwords via ordinary REST requests, etc. ==Rules==
In the permission hierarchy below, the existing permissions are illustrated.
A higher permission includes all lower permissions.
For example, all users who have the <code>WRITEwrite</code> permission assignedwill also be able to execute commands requiring <code>READread</code> permission.Next, local Local permissions exist, which can be assigned are applied to single databases.Local permission They have a higher priority precedenceand override global permissions. [[File:perms.png|Permissions hierarchy]]
All global permissions are stored in User names must follow the file [[Configuration#Configuration FilesValid Names|.basexpermvalid names constraints]],and local permissions are encoded in the database meta data (patterns must follow the [[Storage LayoutCommands#Glob_Syntax|inf.basexGlob Syntax]]).
[[File:perms.png|none|thumb|403px|Permissions hierarchy]]==Operations==
User names must follow the [[Valid Names|valid names constraints]].For all operations, admin permissions are required:
==Commands==
Admin permissions are needed to execute all of the following commands: '''Creating Create user 'test' (password will be entered on command line). By default, the user will have no permissions ('none'):
<code>&gt; CREATE USER test</code>
'''Change password of user 'test' password (password will be entered on command line)to '71x343sd#':
<code>&gt; ALTER USER PASSWORD test71x343sd#</code> As global permissions, you can set 'none', 'read', 'write', 'create' and 'admin': '''Grant all permissions to user 'test': ''' <code>&gt; GRANT admin TO test</code> Valid local permissions are 'none', 'read' and 'write':
'''Granting Grant local write permission on database 'factbook' permissions to user 'test': '''
<code>&gt; GRANT write ON factbook unit* TO test</code>
Note: Local permissions overwrite global permissions.
As a consequence, the 'test' user will only be allowed toaccess (i.e., read and write) database starting with the letters 'factbookunit' database.If no local permissions are set, the global rights areinherited.
'''Showing Show global permissions:'''
<code>&gt; SHOW USERS</code>
'''Showing local permissions on database 'factbook':'''
==XQuery== The available user functions are listed in the [[User Module]]: '''Create user 'test' with no permissions:''' <code>&gt; SHOW USERS ON factbookdb:create('test', 'top-secret')</code> '''Show detailed information about user 'test':''' <code>user:list-details()[@name = 'test']</code> '''Drop user 'test':''' <code>user:drop('test')</code> =Storage= The permission file {{Code|users.xml}} is stored in the database directory. This file can be manually edited; it will be parsed once when BaseX is started.
'''Dropping of user 'test':'''Salted SHA256 hashes are used for authentication (the current timestamp will be used as salt). Additionally, digest hashes are used in the client/server architecture and the [[Clients|Language Bindings]], and in the [[Web Application|HTTP Context]] if {{Option|AUTHMETHOD}} is set to {{Code|Digest}}.
<code>&gt; DROP USER test</code> =Changelog=
[[Category:Server]]Revised in Version 8.0.
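Review bot: The "Change password of user 'test'" example in the Commands section shows the literal password '71x343sd#' as part of the command, which conflicts with the introduction's advice to make sure a password does not end up in the bash history. Consider keeping the prompt-based form (the "password will be entered on command line" wording) as the primary example. Where the inline form is kept, say next to it that the value is a placeholder and that a password typed as part of the command can be recorded in shell history.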