Core Server / SERVER-3198

Ability to restrict operations by role

    • Type: New Feature
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 2.3.2
    • Affects Version/s: 1.8.1
    • Component/s: Security
    • Labels: None

      Feature:
      Ability to restrict the operations a user can perform. For example, an admin can create and drop indexes but cannot perform a find on a collection.

      Needed for SOX and other regulatory requirements that access to the data content be restricted.

      Use Case:
      Jim is a DBA for a financial application at Mega Corp. He needs access to the database to ensure that it is working efficiently, to perform backups, etc. He needs to create and drop indexes when needed, add shards, etc. However, because of the nature of the data, his organization's data security policy states that he cannot view any of the financial data stored in the database. Therefore, he is prevented from issuing a db.foo.find() command, running map/reduce jobs, etc.

      Proposed Role Delineations:

      name          description of privilege
      read          ability to query data in any collection in the database other than 'system.users', and also the ability to run any command without an A or W attribute
      readWrite     everything permitted by the 'read' privilege, and also the ability to insert, update, or remove documents or indexes in any collection other than 'system.users', and also the ability to run any command without an A attribute
      userAdmin     ability to read and write the 'system.users' collection
      dbAdmin       ability to run admin commands affecting a single database; see list below
      serverAdmin   ability to run admin commands affecting the entire database server; can only be set on the admin database; see discussion
      clusterAdmin  admin commands for a cluster of shards or a replica set; can only be set on the admin database
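      A small Python model of the delineation proposed above, added here as an illustration and not MongoDB's own authorization code: commands are tagged with the A and W attributes the table refers to, plus an assumed scope (db, server, cluster) so that dbAdmin can be told apart from serverAdmin and clusterAdmin. The command catalogue and Jim's grants are constructed for the example.

```python
# Toy model of the role delineations proposed above (illustrative, not MongoDB code).
# Each command carries the attributes the table refers to: 'A' (admin) and 'W' (writes).
# Admin commands also get an assumed scope ('db', 'server', 'cluster') so that dbAdmin,
# serverAdmin and clusterAdmin can be told apart. The catalogue below is constructed.
COMMANDS = {
    "find":        (frozenset(),    "db"),
    "mapReduce":   (frozenset(),    "db"),
    "insert":      (frozenset("W"), "db"),
    "update":      (frozenset("W"), "db"),
    "remove":      (frozenset("W"), "db"),
    "createIndex": (frozenset("A"), "db"),
    "dropIndex":   (frozenset("A"), "db"),
    "shutdown":    (frozenset("A"), "server"),
    "addShard":    (frozenset("A"), "cluster"),
}
ADMIN_ONLY_ROLES = {"serverAdmin", "clusterAdmin"}


def validate_grants(grants):
    """grants maps a database name to the set of roles held on it.
    serverAdmin and clusterAdmin are only valid on the admin database."""
    for db, roles in grants.items():
        bad = roles & ADMIN_ONLY_ROLES
        if bad and db != "admin":
            raise ValueError(f"{sorted(bad)} can only be granted on 'admin', not '{db}'")


def is_allowed(grants, db, command, collection=""):
    """True if some granted role permits `command` on db.collection."""
    validate_grants(grants)
    attrs, scope = COMMANDS[command]
    on_users = collection == "system.users"
    local = grants.get(db, set())          # roles held on the target database
    if "A" in attrs:                       # admin commands: only the *Admin roles apply
        if scope == "db":
            return "dbAdmin" in local
        if scope == "server":
            return "serverAdmin" in grants.get("admin", set())
        return "clusterAdmin" in grants.get("admin", set())
    if on_users:                           # system.users is reserved for userAdmin
        return "userAdmin" in local
    if "W" in attrs:                       # write commands need readWrite
        return "readWrite" in local
    return bool(local & {"read", "readWrite"})


# Jim from the use case: may tune the finance database and manage shards, but never read data.
JIM = {"finance": {"dbAdmin"}, "admin": {"clusterAdmin"}}
```

With these grants, `is_allowed(JIM, "finance", "createIndex", "foo")` is true while `is_allowed(JIM, "finance", "find", "foo")` and the map/reduce case are false, matching the use case.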

            Assignee: Andy Schwerin (schwerin@mongodb.com)
            Reporter: alvin (Alvin Richards, Inactive)
            Votes: 0
            Watchers: 6
