Currently users with the find privilege action can also run mapReduce commands. Since the performance characteristics of mapReduce can be quite different to those of regular find, it would be very useful to be able to administratively prohibit the running of mapReduce jobs, while still allowing access to the data.

Using security.javascriptEnabled: false (aka --noscripting) to disable server-side Javascript is not a practical workaround, because it would only be useful if no other user or db requires access to run mapReduce, and no other user or db requires access to db.eval() (deprecated anyway) or $where.