Type: Improvement
Resolution: Unresolved
Priority: Major - P3
Affects Version/s: None
Component/s: Security
Server Security
(copied to CRM)
I am trying to create a user for my application which will inherit from the "read" role and will allow write operations, except for being able to create/drop collections and create/drop indexes.
The bug can be reproduced as follows.
Step 1 – Create a database and a collection using admin privileges.
db name: intacct-db1, collection name: col1 (insert some dummy data)
Step 2 – Create a role. (This role inherits from the read role and then adds write operations, excluding add/drop collections and indexes.)
db.createRole({
  role: "Role-Intacct-App-ReadWrite-intacct-db1",
  privileges: [
    {
      // database-level resource: collection "" means every collection in intacct-db1
      resource: { db: "intacct-db1", collection: "" },
      actions: ["collStats", "convertToCapped", "dbHash", "dbStats", "find", "insert",
                "killCursors", "listIndexes", "listCollections", "remove", "update"]
    }
  ],
  roles: ["read"]   // a bare role name refers to that role on the current database
})
Step 3 – Create a user with this role.
db.createUser({
  user: "intacct-app",
  pwd: "somepassword",
  roles: [
    { role: "Role-Intacct-App-ReadWrite-intacct-db1", db: "intacct-db1" },
    { role: "clusterMonitor", db: "admin" }
  ]
})
Step 4 – Disconnect and reconnect using the user above.
Step 5 – Switch to the intacct-db1 database and create a new collection.
use intacct-db1
db.createCollection("col-name")
show collections    // list the collections in intacct-db1
This seems to be a bug. I specifically excluded the Create Collection privilege from the role!
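A practitioner reviewing this report would want to audit the role's effective privileges rather than only its own privilege list, because MongoDB has no single action that gates collection creation: the insert action creates a missing collection on the first write (and the MongoDB documentation for the create command states that a user with insert on a database can create a collection in it), and convertToCapped creates a new capped collection. The following added example, written for this page and not code from the ticket or from MongoDB itself, models the document that db.getRole(name, {showPrivileges: true}) returns in the shell, with its inheritedPrivileges array, and reports which actions let the holder create a given collection. The built-in read role's action list is simplified (it varies by server version), and the second, collection-scoped role and its name are an assumption introduced here to show one way of granting writes without a database-wide insert.

```javascript
// Added example, not part of the ticket: audit a MongoDB role document of the
// shape db.getRole(name, {showPrivileges: true}) returns in the shell, and
// list which of its privileges let the holder create a collection.
//
// Three actions can bring a collection into existence: createCollection
// (explicit), insert (first write into a missing collection; the create
// command also accepts it) and convertToCapped (creates a capped copy).

const COLLECTION_CREATING_ACTIONS = ["createCollection", "insert", "convertToCapped"];

// Privileges of the built-in "read" role on a database (simplified; the exact
// action list differs between server versions).
const READ_ROLE_PRIVILEGES = [
  { resource: { db: "intacct-db1", collection: "" },
    actions: ["collStats", "dbHash", "dbStats", "find", "killCursors",
              "listCollections", "listIndexes"] },
];

// Constructed by hand from the ticket's createRole() call. On a live server
// inheritedPrivileges is filled in by the server; here it is assembled locally.
const ticketRole = {
  role: "Role-Intacct-App-ReadWrite-intacct-db1",
  db: "intacct-db1",
  privileges: [
    { resource: { db: "intacct-db1", collection: "" },
      actions: ["collStats", "convertToCapped", "dbHash", "dbStats", "find", "insert",
                "killCursors", "listIndexes", "listCollections", "remove", "update"] },
  ],
  roles: [{ role: "read", db: "intacct-db1" }],
};
ticketRole.inheritedPrivileges = [...ticketRole.privileges, ...READ_ROLE_PRIVILEGES];

// Hypothetical alternative (role name is an assumption): write actions scoped
// to the existing collection col1 only, so there is no database-wide insert to
// create new collections with, and convertToCapped is not granted at all.
const scopedRole = {
  role: "Role-Intacct-App-ReadWrite-col1",
  db: "intacct-db1",
  privileges: [
    { resource: { db: "intacct-db1", collection: "col1" },
      actions: ["insert", "remove", "update"] },
  ],
  roles: [{ role: "read", db: "intacct-db1" }],
};
scopedRole.inheritedPrivileges = [...scopedRole.privileges, ...READ_ROLE_PRIVILEGES];

// Does a privilege's resource document cover the namespace dbName.collName?
// Mirrors MongoDB's resource-document matching rules.
function resourceCovers(resource, dbName, collName) {
  if (resource.anyResource) return true;
  if (resource.cluster) return false;                                  // not a namespace resource
  if (resource.db === "" && resource.collection === "") {
    return !collName.startsWith("system.");                             // every non-system collection
  }
  if (resource.db === "") return resource.collection === collName;     // one name across all dbs
  if (resource.collection === "") return resource.db === dbName;       // whole database
  return resource.db === dbName && resource.collection === collName;   // exact namespace
}

// Sorted list of the `wanted` actions that `privileges` grant on dbName.collName.
function grantedActions(privileges, dbName, collName, wanted) {
  const granted = new Set();
  for (const p of privileges) {
    if (!resourceCovers(p.resource, dbName, collName)) continue;
    for (const a of p.actions) if (wanted.includes(a)) granted.add(a);
  }
  return [...granted].sort();
}

// Which actions on roleDoc let its holder create dbName.collName?
function collectionCreatingGrants(roleDoc, dbName, collName) {
  return grantedActions(roleDoc.inheritedPrivileges, dbName, collName, COLLECTION_CREATING_ACTIONS);
}

// Walk-through: the ticket's role against a collection that does not exist yet.
// createCollection is indeed absent, but insert and convertToCapped are granted db-wide.
console.log(collectionCreatingGrants(ticketRole, "intacct-db1", "col-name"));
// The scoped role: nothing can bring col-name into existence ...
console.log(collectionCreatingGrants(scopedRole, "intacct-db1", "col-name"));
// ... while reads and writes on the existing col1 still work.
console.log(grantedActions(scopedRole.inheritedPrivileges, "intacct-db1", "col1",
                           ["find", "insert", "update"]));
```

On a live deployment the same check is run by feeding the real output of db.getRole(name, {showPrivileges: true}) into collectionCreatingGrants; anything it returns other than an empty list is an action that must be removed or narrowed to named collections before the role can be said to forbid collection creation.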