Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-30519

All custom roles to deny specific privileges

    • Type: Icon: Improvement Improvement
    • Resolution: Duplicate
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: Security
    • None
    • Fully Compatible

      It would be nice to allow custom roles to deny some specific privileges.

      For example, I need a custom role which have full readWrite privileges except for dropCollection.

      At present, the admin have to use the following command to archive this:

      db.createRole({
          role: "upsert",
          privileges: [
              { resource: { db: "mydb", collection: "" }, actions: [ "convertToCapped", "createCollection", "createIndex", "dropIndex", "insert", "renameCollectionSameDB", "update", "remove" ] }
          ],
          roles: [ "read" ]
      })
      

      With deny privileges, we can do it in a simple way:

      db.createRole({
          role: "upsert",
          privileges: [
              { resource: { db: "mydb", collection: "" }, actions: [ "-dropCollection" ] }
          ],
          roles: [ "readWrite" ]
      })
      

            Assignee:
            mark.agarunov Mark Agarunov
            Reporter:
            zhch186 Albert Zhong
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: