-
Type:
Improvement
-
Resolution: Duplicate
-
Priority:
Major - P3
-
None
-
Affects Version/s: None
-
Component/s: Security
-
None
-
Fully Compatible
-
None
-
3
-
None
-
None
-
None
-
None
-
None
-
None
It would be nice to allow custom roles to deny some specific privileges.
For example, I need a custom role which have full readWrite privileges except for dropCollection.
At present, the admin have to use the following command to archive this:
db.createRole({
role: "upsert",
privileges: [
{ resource: { db: "mydb", collection: "" }, actions: [ "convertToCapped", "createCollection", "createIndex", "dropIndex", "insert", "renameCollectionSameDB", "update", "remove" ] }
],
roles: [ "read" ]
})
With deny privileges, we can do it in a simple way:
db.createRole({
role: "upsert",
privileges: [
{ resource: { db: "mydb", collection: "" }, actions: [ "-dropCollection" ] }
],
roles: [ "readWrite" ]
})
- duplicates
-
-
- Open
-