Type: Improvement
Resolution: Duplicate
Priority: Major - P3
Affects Version/s: None
Component/s: Security
Fully Compatible
It would be nice to allow custom roles to deny some specific privileges.
For example, I need a custom role which has full readWrite privileges except for dropCollection.
At present, the admin has to use the following command to achieve this:
db.createRole({
  role: "upsert",
  privileges: [
    {
      resource: { db: "mydb", collection: "" },
      actions: [
        "convertToCapped", "createCollection", "createIndex", "dropIndex",
        "insert", "renameCollectionSameDB", "update", "remove"
      ]
    }
  ],
  roles: [ "read" ]
})
With deny privileges, we could do it in a simpler way:
db.createRole({
  role: "upsert",
  privileges: [
    {
      resource: { db: "mydb", collection: "" },
      actions: [ "-dropCollection" ]
    }
  ],
  roles: [ "readWrite" ]
})
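The manual allow-list in the first command is the only way to express "readWrite minus dropCollection" today, because MongoDB role privileges are purely additive and there is no deny primitive. The script below is an added example, not code from this ticket or from MongoDB: it generalizes the reporter's workaround by taking a base role's privilege list and a deny list and producing the explicit createRole() document, refusing a deny list that names actions the base role never grants (a misspelled deny would otherwise silently deny nothing). The privilege sample is constructed to resemble what db.getRole("readWrite", { showPrivileges: true }).privileges returns; the exact action list varies between server versions and is an assumption here.

```javascript
// Added example (not from the ticket or MongoDB itself): emulate a "deny"
// by computing an explicit allow-list. MongoDB roles are purely additive,
// so "readWrite minus dropCollection" must be spelled out action by action,
// which is exactly the manual work the ticket complains about.
//
// In mongosh the base privileges would come from
//   db.getRole("readWrite", { showPrivileges: true }).privileges
// and the returned document would be passed to db.createRole(). Here a
// constructed sample stands in so the code runs under plain Node.js.

// Constructed sample shaped like getRole() output for readWrite on "mydb".
// The real action list varies by server version; treat this as illustrative.
const sampleReadWritePrivileges = [
  {
    resource: { db: "mydb", collection: "" },
    actions: [
      "collStats", "convertToCapped", "createCollection", "createIndex",
      "dbHash", "dbStats", "dropCollection", "dropIndex", "find", "insert",
      "killCursors", "listCollections", "listIndexes", "remove",
      "renameCollectionSameDB", "update",
    ],
  },
  {
    // A second resource entry, to show that every entry is filtered.
    resource: { db: "mydb", collection: "system.js" },
    actions: ["find", "insert", "remove", "update"],
  },
];

// Build a createRole() document granting every action of basePrivileges
// except those in denyActions. Throws if a denied action was never granted,
// because a misspelled deny would otherwise silently deny nothing.
function subtractActions(basePrivileges, denyActions, roleName) {
  const deny = new Set(denyActions);
  const removed = new Set();
  const privileges = [];
  for (const priv of basePrivileges) {
    const kept = priv.actions.filter((action) => {
      if (deny.has(action)) {
        removed.add(action);
        return false;
      }
      return true;
    });
    // Drop entries with nothing left; an empty actions array grants nothing.
    if (kept.length > 0) {
      privileges.push({ resource: { ...priv.resource }, actions: kept });
    }
  }
  const unknown = denyActions.filter((action) => !removed.has(action));
  if (unknown.length > 0) {
    throw new Error(`deny list names actions the base role never grants: ${unknown.join(", ")}`);
  }
  // Inherit no roles: inheriting readWrite itself would re-grant dropCollection.
  return { role: roleName, privileges, roles: [] };
}

// True if the role document grants `action` on the given db/collection resource.
function grantsAction(roleDoc, db, collection, action) {
  return roleDoc.privileges.some(
    (priv) =>
      priv.resource.db === db &&
      priv.resource.collection === collection &&
      priv.actions.includes(action)
  );
}

const upsertRole = subtractActions(sampleReadWritePrivileges, ["dropCollection"], "upsert");
// In mongosh, after `use mydb`: db.createRole(upsertRole)
console.log(JSON.stringify(upsertRole, null, 2));
```

Two caveats a practitioner should keep in mind: the generated role deliberately inherits nothing (roles: []), since inheriting readWrite, or any role that itself grants dropCollection, would re-add the denied action; and an allow-list computed this way is a snapshot, so it must be regenerated whenever a newer server version adds actions to the built-in role, or the custom role quietly falls behind readWrite in ways unrelated to the intended deny.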
duplicates: SERVER-13696 Allow revoke/deny role permissions (status: Open)