paloma paloma - 2 months ago 6x
reST (reStructuredText) Question

Setting permissions on a document using MarkLogic's REST API

I'm trying to specify permissions on documents in a MarkLogic 6 database using the rest api.

This is the permissions metadata I'm sending in (


<rapi:metadata xmlns:rapi=""

using this command:

curl --anyauth --user user:pass -X PUT -T permissions.xml \
-H "Content-type: application/xml" \

When I look at the permissions afterwards, I see:

arole (update)
brole (read)
rest-reader (read)
rest-writer (update)

I expect it to only have the permissions for arole and brole.

The documentation says, "If no permissions are explicitly set, documents you create with the MarkLogic REST API have a read permission for the rest-reader role and an update permission for the rest-writer role." (And yes, I know, this example doesn't create a new document. But it does the same thing if I add a new document and set permissions at the same time using a multipart content+metadata message through the rest api).

Setting permissions via the direct xquery calls (ex.
with permissions) using the same user and database works as expected.

How can I keep the rest api from adding these extra permissions?


There's a ticket in with MarkLogic, no target date or version that I know of yet.

In case someone else runs into this, they did give me a workaround: Create new roles (or change existing ones), and give them rest-reader and/or rest-writer 'execute' privileges instead of having them inherit the rest-reader/rest-writer roles, or having a user directly assigned the rest-reader/rest-writer roles.


The internal function docmodupd:write-permissions always combines the input permissions with the output from xdmp:default-permissions. It does that to ensure that rest-reader can read the document, and rest-writer can update it. As far as I can tell there is no API to control this behavior.

If you have a strong use-case for omitting those extra permissions, contact support.