Details
- Improvement
- Resolution: Duplicate
- Major - P3
- Fully Compatible
Description
It would be nice to allow custom roles to deny some specific privileges.
For example, I need a custom role that has full readWrite privileges except for dropCollection.
At present, the admin has to use the following command to achieve this:
    db.createRole({
      role: "upsert",
      privileges: [
        { resource: { db: "mydb", collection: "" }, actions: [ "convertToCapped", "createCollection", "createIndex", "dropIndex", "insert", "renameCollectionSameDB", "update", "remove" ] }
      ],
      roles: [ "read" ]
    })
With deny privileges, we can do it in a simple way:
    db.createRole({
      role: "upsert",
      privileges: [
        { resource: { db: "mydb", collection: "" }, actions: [ "-dropCollection" ] }
      ],
      roles: [ "readWrite" ]
    })
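Until a deny syntax exists, the same result can be generated instead of typed by hand. The following is an added example, not part of the original report or of MongoDB's code: it subtracts actions from an expanded privilege list and builds the createRole document. The names withoutActions and buildRoleDoc are hypothetical, and the privilege list is a constructed, abbreviated sample (the real readWrite action set varies by server version).

```javascript
// Added example: emulate "deny" by subtracting actions from an expanded role.
// Constructed sample in the shape of createRole privilege documents. In a
// shell session the input could instead be read from
// db.getRole("readWrite", { showPrivileges: true }).
const sampleReadWritePrivileges = [
  { resource: { db: "mydb", collection: "" },
    actions: ["find", "insert", "update", "remove", "createCollection",
              "dropCollection", "createIndex", "dropIndex",
              "convertToCapped", "renameCollectionSameDB"] },
  { resource: { db: "mydb", collection: "system.js" },
    actions: ["find", "insert", "update", "remove", "dropCollection"] },
];

// Return a copy of `privileges` with every action in `denied` removed.
function withoutActions(privileges, denied) {
  const deny = new Set(denied);
  const known = new Set(privileges.flatMap((p) => p.actions));
  const unknown = denied.filter((a) => !known.has(a));
  if (unknown.length > 0) {
    // A misspelled action would silently leave the real one granted.
    throw new Error("not present in source role: " + unknown.join(", "));
  }
  return privileges
    .map((p) => ({
      resource: { ...p.resource },
      actions: p.actions.filter((a) => !deny.has(a)),
    }))
    .filter((p) => p.actions.length > 0); // drop entries left with no actions
}

// Build the document to pass to db.createRole().
function buildRoleDoc(name, privileges, denied) {
  // `roles` stays empty on purpose: privileges are additive, so inheriting
  // "readWrite" here would grant the removed action again.
  return { role: name, privileges: withoutActions(privileges, denied), roles: [] };
}

const roleDoc = buildRoleDoc("upsert", sampleReadWritePrivileges, ["dropCollection"]);
console.log(JSON.stringify(roleDoc, null, 2));
```

Because the generated role inherits nothing, it has to be regenerated after a server upgrade if the source role gains new actions.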
Issue Links
- duplicates SERVER-13696 Allow revoke/deny role permissions (Open)