MarkLogic implements a role-based security model, which is described in-depth in the Security Guide

In a role-based security model, roles are used to define a set of permissions or privileges, which can also be inherited from other roles. For example, a role might allow reading but not modifying specific information in the database.

A user who is assigned one or more roles is granted the union of the permissions in those roles.

Pieces of information in a record can also be restricted further. For example, access to personally identifiable information (PII), such as addresses and credit card numbers, can be more restricted than access to other information in the same record. PII data is visible only to users with the pii-reader role. For more information on managing PII in DHF, see Managing Personally Identifiable Information.

You might use DHF in two typical environments:

  • During development

    • Typically on a local machine.
    • Frequent iterations of development (creating and modifying components, such as flows, modules, mappings), testing, and re-deploying.
    • The user account requires more privileges than operators and end-users.
  • In production

    • Typically on a production environment.
    • All code and settings are already deployed to the production server.
    • The user account only needs to be able to write documents and to evaluate data across databases. It does NOT need to deploy modules or reconfigure MarkLogic.

NOTE: DHF 4.x supports only basic and digest authentication.

Security Roles and Users

In DHF 4.3 and Later Versions

DHF 4.3 and later versions provide the following default roles in your project:

Role Name Role Description Auto-Generated User When used
data-hub-admin-role • Installs, uninstalls, and upgrades DHF.
• Creates DHF roles based on existing ones.
• Assigns roles to users.
• Manages MarkLogic Server resources and performs tasks related to databases, indexes, and configuration of the MarkLogic Server.
• Must be assigned as part of the first deployment (i.e., bootstrapping role).
• Does not have administrative access to the entire MarkLogic server.
For security reasons, DHF does not automatically create a user with this role and does not assign this role to an existing user. You must do so manually, and then update mlUsername and mlPassword in During setup
flow-developer-role • Creates and updates flows and modules.
• Deploys flows, modules, and security configurations (including PII).
• Configures the indexes and TDEs.
(Same role as in Data Hub Service.)
flow-developer During development
flow-operator-role • Runs flows.
• Monitors activity in the jobs logs.
(Same role as in Data Hub Service.)
flow-operator In a production environment

The following security settings must be in your file:

  # You must update this username and password manually.
  # The account used for mlUsername must be assigned the Data Hub Admin role.
  # The flow-developer user is automatically generated by DHF.
  # The flow-operator user is automatically generated by DHF.

In DHF 4.2 and Earlier Versions

DHF 4.2 and earlier versions provide the following default roles in your project:

Default names Description When used
hub-admin-role Does not have administrative access to the entire MarkLogic server, but has enough to deploy and undeploy code from a data hub. NOTE: When the data hub is initially installed, this role is overridden by the value of the mlHubAdminUserRole property in, if set. During development
data-hub-role Can be used for data ingestion and for flow execution in the data hub. In a production environment

The following default users are also provided:

Default names Default assigned roles Purpose
hub-admin-user hub-admin-role and data-hub-role To administer a data hub and to run flows.
data-hub-user data-hub-role To run flows.

The hub-admin-user is assigned both roles by default because that user needs to run flows and administer a data hub; however, you can remove the data-hub-role in your production environment for improved security.

When installing DHF, you need a MarkLogic Server security admin account with sufficient privileges to create these roles and users. You can specify the username and password of this security admin account in the mlSecurityUsername and mlSecurityPassword properties in the file.

Subsequent steps in the deployment process use the account you specify in mlUsername or mlManageUsername.