MarkLogic implements a role-based security model, which is described in depth in the Security Guide.
In a role-based security model, roles are used to define a set of permissions or privileges, which can also be inherited from other roles. For example, a role might allow reading but not modifying specific information in the database.
A user who is assigned one or more roles is granted the union of the permissions in those roles.
Pieces of information in a record can also be restricted further. For example, access to personally identifiable information (PII), such as addresses and credit card numbers, can be more restricted than access to other information in the same record. PII data is visible only to users with the pii-reader role. For more information on managing PII in DHF, see Managing Personally Identifiable Information.
You might use DHF in two typical environments:
- Typically on a local machine.
- Frequent iterations of development (creating and modifying components, such as flows, modules, mappings), testing, and re-deploying.
- The user account requires more privileges than operators and end-users.
- Typically on a production environment.
- All code and settings are already deployed to the production server.
- The user account only needs to be able to write documents and to evaluate data across databases. It does NOT need to deploy modules or reconfigure MarkLogic.
Security Roles and Users
In DHF 4.3 and Later Versions
DHF 4.3 and later versions provide the following default roles in your project:
|Role Name||Role Description||Auto-Generated User||When used|
||• Installs, uninstalls, and upgrades DHF.
• Creates DHF roles based on existing ones.
• Assigns roles to users.
• Manages MarkLogic Server resources and performs tasks related to databases, indexes, and configuration of the MarkLogic Server.
• Must be assigned as part of the first deployment (i.e., bootstrapping role).
• Does not have administrative access to the entire MarkLogic server.
| For security reasons, DHF does not automatically create a user with this role and does not assign this role to an existing user. You must do so manually, and then update
||• Creates and updates flows and modules.
• Deploys flows, modules, and security configurations (including PII).
• Configures the indexes and TDEs.
(Same role as in Data Hub Service.)
||• Runs flows.
• Monitors activity in the jobs logs.
(Same role as in Data Hub Service.)
||In a production environment|
The following security settings must be in your
```
# You must update this username and password manually.
# The account used for mlUsername must be assigned the Data Hub Admin role.
mlUsername=data-hub-admin-user
mlPassword=your-data-hub-admin-password
...
# The flow-developer user is automatically generated by DHF.
mlFlowDeveloperRole=flow-developer-role
mlFlowDeveloperUserName=flow-developer
mlFlowDeveloperUserPassword=your-flow-developer-password
...
# The flow-operator user is automatically generated by DHF.
mlFlowOperatorRole=flow-operator-role
mlFlowOperatorUserName=flow-operator
mlFlowOperatorUserPassword=your-flow-operator-password
```
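As an added example (not part of the DHF documentation or code base), this Python check audits the security settings listed above before a deployment. The function names, the finding labels, and the rules that a `your-...-password` value is an unedited placeholder and that accounts should not share a password are assumptions of this example.

```python
import re

# Property names the page lists for DHF 4.3 and later.
REQUIRED_KEYS = ("mlUsername mlPassword mlFlowDeveloperRole mlFlowDeveloperUserName "
                 "mlFlowDeveloperUserPassword mlFlowOperatorRole mlFlowOperatorUserName "
                 "mlFlowOperatorUserPassword").split()
PASSWORD_KEYS = [k for k in REQUIRED_KEYS if k.endswith("Password")]
# Assumption: values shaped like the page's "your-...-password" were never edited.
PLACEHOLDER = re.compile(r"^your-.*-password$", re.IGNORECASE)

def parse_properties(text):
    """Parse key=value lines, skipping blanks, comments and lines without '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a sorted list of findings for the DHF security settings."""
    props = parse_properties(text)
    findings = [f"missing:{k}" for k in REQUIRED_KEYS if not props.get(k)]
    # mlUsername needs the Data Hub Admin role; it should not be a DHF-generated user.
    generated = {props.get("mlFlowDeveloperUserName"), props.get("mlFlowOperatorUserName")} - {None}
    if props.get("mlUsername") in generated:
        findings.append("shared-account:mlUsername")
    seen = {}  # password value -> first key that used it
    for key in PASSWORD_KEYS:
        value = props.get(key, "")
        if PLACEHOLDER.match(value):
            findings.append(f"placeholder:{key}")
        elif value and value in seen:
            findings.append(f"reused-password:{seen[value]}={key}")
        seen.setdefault(value, key)
    return sorted(findings)

# Constructed sample input, not taken from a real project.
SAMPLE = """\
mlUsername=flow-operator
mlPassword=your-data-hub-admin-password
mlFlowDeveloperUserName=flow-developer
mlFlowDeveloperUserPassword=Constructed-1
mlFlowOperatorUserName=flow-operator
mlFlowOperatorUserPassword=Constructed-1
"""
print(audit(SAMPLE))
```

An empty list means none of these checks fired; it does not confirm that the roles are actually assigned in MarkLogic.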
In DHF 4.2 and Earlier Versions
DHF 4.2 and earlier versions provide the following default roles in your project:
|Default names||Description||When used|
||Does not have administrative access to the entire MarkLogic server, but has enough to deploy and undeploy code from a data hub. NOTE: When the data hub is initially installed, this role is overridden by the value of the
||Can be used for data ingestion and for flow execution in the data hub.||In a production environment|
The following default users are also provided:
|Default names||Default assigned roles||Purpose|
||To administer a data hub and to run flows.|
||To run flows.|
hub-admin-user is assigned both roles by default because that user needs to run flows and administer a data hub; however, you can remove the data-hub-role in your production environment for improved security.
gradle.properties file during DHF installation.
When installing DHF, you need a MarkLogic Server security admin account with sufficient privileges to create these roles and users. You can specify the username and password of this security admin account in the
mlSecurityPassword properties in the
Subsequent steps in the deployment process use the account you specify in