
User Management

User management defines which permissions a user needs in order to execute a database command or evaluate an XQuery expression.

Permissions are mostly relevant in the client/server architecture, as the Graphical User Interface and the Command-Line Interface are run with admin permissions. There are a few exceptions, such as the xquery:eval function: Its execution scope can also be limited by specifying a permission.

Please observe the usual security measures: make sure that your password does not end up in your command-line history, avoid sending passwords via ordinary REST requests, etc.

Rules

The permission hierarchy below lists the existing permissions. A higher permission includes all lower permissions: for example, every user who has the write permission can also execute commands that require read permission.

Local permissions apply to individual databases. They take precedence over, and thus override, global permissions.

Usernames must follow the valid names constraints, and the database patterns must follow the Glob Syntax.

Operations

For all operations, admin permissions are required:

Commands

Create new user test:

CREATE USER test
The password will be requested on the command line. By default, the user will have no permissions ('none').

Change password of user test to 71x343sd#:

ALTER PASSWORD test 71x343sd#
If the password is omitted, it will be requested on the command line.

Grant local write permissions to user test:

GRANT write ON unit* TO test
Local permissions override global permissions. As a consequence, the test user will only be allowed to access (i.e., read and write) databases whose names start with the characters unit. If no local permissions are set, the global rights are inherited.
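The rules from the Rules section and the effect of the GRANT command above can be traced with the following Python sketch. It is an added example written for this page, not code from BaseX: it assumes the level order none < read < write < create < admin, implements only the *, ? and , parts of the Glob Syntax, and lets the first matching local pattern win (all three are assumptions); the TEST_USER data mirrors the test user after CREATE USER test and GRANT write ON unit* TO test.

```python
import re
from typing import List, Optional, Tuple

# Permission levels from lowest to highest. Assumption: this is the BaseX
# hierarchy; the page's own hierarchy table is not reproduced in this copy.
LEVELS = ["none", "read", "write", "create", "admin"]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a database pattern in Glob Syntax to an anchored regex.

    Assumed subset of the syntax: '*' matches any sequence, '?' exactly one
    character, ',' separates alternatives. Everything else is literal.
    """
    alternatives = []
    for alt in pattern.split(","):
        parts = []
        for ch in alt.strip():
            if ch == "*":
                parts.append(".*")
            elif ch == "?":
                parts.append(".")
            else:
                parts.append(re.escape(ch))
        alternatives.append("".join(parts))
    return re.compile("^(?:" + "|".join(alternatives) + ")$")


def effective_permission(user: dict, database: Optional[str] = None) -> str:
    """Return the permission that applies to `user` for `database`.

    `user` is {'permission': <global level>, 'databases': [(pattern, level), ...]}.
    A local permission whose pattern matches the database name overrides the
    global one; without a database, or without a matching pattern, the global
    permission is inherited. Assumption: the first matching pattern wins.
    """
    if database is not None:
        for pattern, level in user["databases"]:
            if glob_to_regex(pattern).match(database):
                return level
    return user["permission"]


def is_allowed(user: dict, required: str, database: Optional[str] = None) -> bool:
    """A higher permission includes all lower ones, so compare positions."""
    have = LEVELS.index(effective_permission(user, database))
    return have >= LEVELS.index(required)


# Constructed sample: the 'test' user from the page after
#   CREATE USER test             (global permission 'none')
#   GRANT write ON unit* TO test (local write permission on unit*)
TEST_USER = {"permission": "none", "databases": [("unit*", "write")]}

if __name__ == "__main__":
    for db, req in [("unit-tests", "read"), ("unit-tests", "write"),
                    ("sales", "read"), (None, "read")]:
        print(db, req, is_allowed(TEST_USER, req, db))
```

Run as a script, the sample shows that test may read and write unit-tests (write includes read), but has no access to sales and no global access at all, exactly the behaviour described for the GRANT command.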

Show global permissions:

SHOW USERS

XQuery

Various User Functions exist to organize users and their permissions:

Create user test with no permissions:

user:create('test', 'top-secret')

Show detailed information about user test:

user:list-details()[@name = 'test']

Drop user test:

user:drop('test')

Storage

The permission file users.xml is stored in the database directory. This file can be manually edited; it will be parsed once when BaseX is started.

Salted SHA256 hashes are used for authentication (the current timestamp will be used as salt). Additionally, digest hashes are used in the client/server architecture and the Clients, and in the HTTP Context if AUTHMETHOD is set to Digest.
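As an added example (not part of the BaseX documentation or code base), the following Python script builds a users.xml-shaped document for one account and verifies a password against its salted-sha256 entry. The element layout (user, password with an algorithm attribute, salt and hash children), the hash input order salt followed by password, and the realm string BaseX used for the digest hash are assumptions about the file format rather than facts taken from this page; the salt is passed in explicitly where BaseX would use the current timestamp.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

REALM = "BaseX"  # assumption: realm string that goes into the digest hash


def salted_sha256(salt: str, password: str) -> str:
    """Hex SHA-256 over salt followed by password (input order is an assumption)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def digest_hash(name: str, password: str) -> str:
    """HTTP Digest HA1 value: MD5(username:realm:password), hex-encoded."""
    return hashlib.md5(f"{name}:{REALM}:{password}".encode("utf-8")).hexdigest()


def make_users_xml(name: str, password: str, permission: str, salt: str) -> str:
    """Build a constructed users.xml document holding a single account.

    BaseX derives the salt from the current timestamp; here it is a parameter
    so the example is deterministic.
    """
    users = ET.Element("users")
    user = ET.SubElement(users, "user", name=name, permission=permission)
    digest = ET.SubElement(user, "password", algorithm="digest")
    ET.SubElement(digest, "hash").text = digest_hash(name, password)
    salted = ET.SubElement(user, "password", algorithm="salted-sha256")
    ET.SubElement(salted, "salt").text = salt
    ET.SubElement(salted, "hash").text = salted_sha256(salt, password)
    return ET.tostring(users, encoding="unicode")


def verify_password(users_xml: str, name: str, password: str) -> bool:
    """Check `password` for `name` against the stored salted-sha256 entry."""
    root = ET.fromstring(users_xml)
    for user in root.iter("user"):
        if user.get("name") != name:
            continue
        entry = user.find("password[@algorithm='salted-sha256']")
        if entry is None:
            return False  # account has no salted hash to check against
        salt = entry.findtext("salt") or ""
        stored = (entry.findtext("hash") or "").lower()
        computed = salted_sha256(salt, password)
        # Constant-time comparison: the time taken must not reveal how many
        # leading hex characters of the candidate hash were correct.
        return hmac.compare_digest(stored, computed)
    return False  # unknown user


if __name__ == "__main__":
    # Constructed sample: the 'test' user created with password 'top-secret'.
    doc = make_users_xml("test", "top-secret", "none", "1700000000000")
    print(doc)
    print(verify_password(doc, "test", "top-secret"), verify_password(doc, "test", "guess"))
```

The digest entry is exactly the value an HTTP Digest client proves knowledge of, so users.xml deserves the same file-system protection as the passwords themselves: readable by the BaseX process account only.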

Changelog

Version 8.0
  • Revised.
