All custom roles to deny specific privileges

XMLWordPrintableJSON

    • Type: Improvement
    • Resolution: Duplicate
    • Priority: Major - P3
    • None
    • Affects Version/s: None
    • Component/s: Security
    • None
    • Fully Compatible
    • None
    • 3
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      It would be nice to allow custom roles to deny some specific privileges.

      For example, I need a custom role which have full readWrite privileges except for dropCollection.

      At present, the admin have to use the following command to archive this:

      db.createRole({
          role: "upsert",
          privileges: [
              { resource: { db: "mydb", collection: "" }, actions: [ "convertToCapped", "createCollection", "createIndex", "dropIndex", "insert", "renameCollectionSameDB", "update", "remove" ] }
          ],
          roles: [ "read" ]
      })
      

      With deny privileges, we can do it in a simple way:

      db.createRole({
          role: "upsert",
          privileges: [
              { resource: { db: "mydb", collection: "" }, actions: [ "-dropCollection" ] }
          ],
          roles: [ "readWrite" ]
      })
      

              Assignee:
              Mark Agarunov (Inactive)
              Reporter:
              Albert Zhong
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: