Marklogic hero hex top

MarkLogic Server Security

Large investment banks, major healthcare organizations, and classified government systems all trust MarkLogic with their most critical data assets.

Key Security Features

MarkLogic Server offers advanced enterprise data security controls that shield against today’s cyber threats. Data loss prevention and other security principals are central to what we do.

Secure by Default

Security is not a feature that needs to be turned on and configured. When data is loaded, it is immediately secured.

Integration with LDAP, Kerberos, SAML

MarkLogic has scalable controls for authentication, ensuring that the system easily integrates into your environment.

Role Based Access Control (RBAC)

MarkLogic has granular access controls to govern what a user can do and see. Each user is associated with any number of roles, and each role is given privileges that determine what they can do. Also, each document has permissions dictating which roles can see and edit it. Security checks verify the necessary credentials before granting the requested action, and security information is stored in a specific security database in MarkLogic.

Element/Property Level Security

MarkLogic secures data at the collection level, document level, and even element/property level (like cell-level security in a relational database). This goes beyond what other document databases provide as it’s very hard to engineer on the back-end and maintain performance, but MarkLogic does it.

Built-in Auditing

MarkLogic closely monitors database activity and makes it possible to audit document access and updates, configuration changes, administrative actions, code execution, and changes to access control.

Advanced Encryption

Cutting-edge data encryption protects against unauthorized access of the database by a SysAdmin or Storage Admin. It allows data, configuration, and logs to be encrypted while the files are resting on disk using AES-256 encryption, and it conforms to FIPS 140 criteria.

Additional Security Models

In addition to RBAC, MarkLogic can also employ other security models such as Attribute-Based Access Control (ABAC), Policy-Based Access Control (PBAC), or Label-Based Access Control (LBAC). These models further restrict access based on attributes (e.g., social security number, IP address, user’s age, or time of day), policies, or simple labels representing “high” or “low” levels of trust.

Advanced Security Add-Ons

Out-of-the-box, MarkLogic provides you with the industry-leading security you need. But your organization may require the Advanced Security add-on, which includes three additional capabilities.


Redaction eliminates the exposure of sensitive information by making it possible to remove existing information or replace it with other values when exporting data or sharing. The process is simple, flexible, and is designed to work with large volumes of data.

External Key Management System (KMS) Support

This option makes it possible to use an external KMS (e.g., SafeNet or Vormetric) to help with advanced encryption, which is often done for the additional separation of concerns and ease of management.

Compartment Security

With compartment security, more complex rules can be applied to documents so that a user must have all of the right roles to access or create a document rather than just one of the rights roles. This is often useful when handling classified material.

MarkLogic Server

MarkLogic deployments are architected to ensure complete data privacy. That is why when you’re using MarkLogic Server, no one except those you authorize ever get access to the data you store in MarkLogic. Ever.

For self-managed MarkLogic deployments, MarkLogic support teams may get access to authorized telemetry data that includes performance data, configuration data, and log data in order to more quickly solve support problems. The telemetry feature can be easily toggled on or off.

Data Compliance

MarkLogic Server is in production on mission-critical systems with demanding security requirements, which is why the database has achieved top security certifications from various third parties.

Common Criteria

International standard (ISO/IEC 15408) for a common set of functional and assurance security requirements, evaluated by licensed labs. MarkLogic is the only non-relational database to have this.


Documented guidelines for deploying in U.S. DoD/DISA IT systems that provide guidance on how to set up and configure a product. MarkLogic has been “STIG’d” for multiple US federal projects.


General Data Protection Regulation (GDPR) that went into effect in May 2018 with the goal of strengthening personal data protection in Europe. MarkLogic complies with GDPR, and helps customers comply with GDPR.

Learning & Resources

MarkLogic Prefooter Banner

Ready to Get Started?

Our free Developer Edition is a full-featured version of MarkLogic Server for development use. Get access now and store up to 1TB of data.