It would be nice to allow custom roles to deny some specific privileges.
For example, I need a custom role which has full readWrite privileges except for dropCollection.
At present, the admin has to use the following command to achieve this:
db.createRole({
    role: "upsert",
    privileges: [
        { resource: { db: "mydb", collection: "" }, actions: [ "convertToCapped", "createCollection", "createIndex", "dropIndex", "insert", "renameCollectionSameDB", "update", "remove" ] }
    ],
    roles: [ "read" ]
})
With deny privileges, we can do it in a simple way:
db.createRole({
    role: "upsert",
    privileges: [
        { resource: { db: "mydb", collection: "" }, actions: [ "-dropCollection" ] }
    ],
    roles: [ "readWrite" ]
})
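Until a deny syntax exists, the explicit allow-list used in the first command can be generated from a base role's privileges instead of typed by hand. The following is an added example, not part of the original ticket or of MongoDB's code; `buildRoleWithout` and `findGranted` are hypothetical helper names, and the sample privileges are constructed and abbreviated.

```javascript
// Constructed sample, shaped like a privileges array as returned by
// db.getRole("readWrite", { showPrivileges: true }); action lists abbreviated.
const samplePrivileges = [
  { resource: { db: "mydb", collection: "" },
    actions: ["find", "insert", "update", "remove", "createCollection",
              "dropCollection", "createIndex", "dropIndex",
              "convertToCapped", "renameCollectionSameDB"] },
  { resource: { db: "mydb", collection: "system.js" },
    actions: ["find", "insert", "update", "remove", "dropCollection"] },
];

// Hypothetical helper: build a createRole() document granting everything in
// `basePrivileges` except the actions listed in `denied`.
function buildRoleWithout(roleName, basePrivileges, denied) {
  const deny = new Set(denied);
  const seen = new Set();
  const privileges = [];
  for (const p of basePrivileges) {
    p.actions.forEach((a) => seen.add(a));
    const actions = p.actions.filter((a) => !deny.has(a)).sort();
    // A privilege with no remaining actions is dropped rather than emitted empty.
    if (actions.length > 0) {
      privileges.push({ resource: { ...p.resource }, actions });
    }
  }
  // Fail on a misspelt action name: silently ignoring it would leave the
  // operator believing an action was removed when it was never matched.
  const unknown = denied.filter((a) => !seen.has(a));
  if (unknown.length > 0) {
    throw new Error("denied actions not present in base role: " + unknown.join(", "));
  }
  // No inherited roles: inheriting the base role would grant the action again.
  return { role: roleName, privileges, roles: [] };
}

// Audit helper: list every resource/action pair in a role document that
// still grants one of the denied actions. An empty result is the goal.
function findGranted(roleDoc, denied) {
  const deny = new Set(denied);
  return roleDoc.privileges.flatMap((p) =>
    p.actions.filter((a) => deny.has(a))
      .map((a) => `${p.resource.db}.${p.resource.collection}:${a}`));
}

const upsertRole = buildRoleWithout("upsert", samplePrivileges, ["dropCollection"]);
console.log(JSON.stringify(upsertRole, null, 2));
```

The returned document has the shape db.createRole() accepts; running `findGranted` against it before creating the role confirms that dropCollection is absent on every resource.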