MarkLogic 10 and Data Hub 5.0

Latest MarkLogic releases provide a smarter, simpler, and more secure way to integrate data.

Read Blog →


Stay On Top Of Everything MarkLogic

Be the first to know! News, product information, and events delivered straight to your inbox.

Sign Me Up →

Limiting Optic security permissions
22 August 2023 07:09 AM


If, as recommended in the Optic security advisory, you are not able to upgrade straight away, the following steps can be followed to disable the Optic query functionality. 

Note: This will disable the ability to run all Optic and SPARQL queries so this can only be done if applications do not rely on those features.


The Optic and SPARQL query engines can be disabled via a script, or via the administration user interface.

In both cases the sem:sparql privilege will be removed from all the relevant roles.

Scripted privilege removal

Run the script listed below to remove the sem:sparql privilege from all roles. The script removes the sem:sparql privilege from the four out-of-the-box roles, then prompts the user to remove the privilege from the custom roles, if any are found. Please make sure to take good note of the affected roles If you intend to re-enable the privilege after upgrading your deployment.

xquery version "1.0-ml";
import module namespace sec="" at 
let $ootb-sem-sparql-roles:=  ("optic-reader-internal",
let $remove-privilege:=""
return xdmp:invoke-function(function() {
    let $sem-sparql-priv:=sec:get-privilege($remove-privilege,"execute")  
    let $_ := if (fn:count($sem-sparql-priv) eq 0 ) then fn:error(xs:QName("PRIV-NOT-FOUND"),"sem-sparql privilege not found. Contact MarkLogic Support.") else ()
    let $_ := if (fn:count($sem-sparql-priv) gt 1 ) then fn:error(xs:QName("MULTIPLE-PRIVS-FOUND"),"Multiple sem-sparql privileges found. Contact MarkLogic Support.") else ()
    let $role-ids-having-sem-sparql:=$sem-sparql-priv/sec:role-ids/sec:role-id/xs:unsignedLong(.)
    let $role-names:=sec:get-role-names($role-ids-having-sem-sparql)/xs:string(.)
    let $ootb-roles-having-sem-sparql:=$role-names[. = $ootb-sem-sparql-roles]
    let $custom-roles-having-sem-sparql:=$role-names[fn:not(. = $ootb-sem-sparql-roles)]
    let $_ := if (fn:count($ootb-roles-having-sem-sparql) gt 0) then
                 xdmp:invoke-function(function() {
              else ()
    return  if (fn:count($role-names) eq 0) then
                 "No roles have the sem:sparql privilege." 
                 ("Removed sem:sparql from the following MarkLogic Server out-of-the-box roles:",
                  if (fn:count($ootb-roles-having-sem-sparql) eq 0) then "No OOTB roles have sem:sparql" else $ootb-roles-having-sem-sparql,
                  "The following non OOTB roles have sem:sparql which should be removed manually:",
                  if (fn:count($custom-roles-having-sem-sparql) eq 0) then "No custom roles present having sem:sparql" else $custom-roles-having-sem-sparql)

Manual privilege removal

Alternatively, the sem:sparql privilege can be removed manually via the Admin UI. From the side menu, select Security > Execute Privileges. Scroll to the sem:sparql privilege, click on it and then uncheck any roles that are selected and click "OK". Please make sure to take good note of the affected roles If you intend to re-enable the privilege after upgrading your deployment.

 remove-sem-sparql-priv.xqy (2.19 KB)
(2 vote(s))
Not helpful

Comments (0)