[SERVER-36141] Builtin role which only has INSERT/UPDATE/DELETE/FIND/STATs (Not create/drop collection & index) Created: 16/Jul/18 Updated: 08/Feb/23 |
|
| Status: | Backlog |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 3.4.16 |
| Fix Version/s: | None |
| Type: | New Feature | Priority: | Minor - P4 |
| Reporter: | 아나 하리 | Assignee: | Backlog - Security Team |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Assigned Teams: | Server Security |
| Participants: |
| Description |
|
A lot of companies have their own DBA team, and schema modification tasks like creating/dropping indexes and collections are the responsibility of the DBA team. And the DBA wants schema changes to be done by the DBA only, not by developers.
But in the current implementation of MongoDB, all CRUD (INSERT & UPDATE & DELETE & FIND) and schema change actions are included in the "readWrite" role. So CRUD and schema-change actions cannot be separated when using a built-in role. We can do it with a user-defined role, but user-defined roles have some issues like https://jira.mongodb.org/browse/SERVER-17513 (we have to make a user-defined role for each database).
I think making another built-in role is easy, so what do you think about making pureReadWriteRole for this use case?
```
// Read-write role
// Pure read-write role (only contains READ and insert & remove & update)
```
|
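The user-defined-role workaround mentioned in the description, sketched as an added example (not part of the ticket and not MongoDB source code): it builds one `createRole` command per database, granting only the CRUD and stats actions, and audits a privileges array for schema-change grants. The role name is taken from the request; the database names and helper function names are constructed for illustration.

```javascript
// Added example. Helper names are hypothetical; action names are MongoDB privilege actions.

// Actions the ticket wants developers to keep.
const CRUD_ACTIONS = ["find", "insert", "update", "remove", "collStats"];

// Schema-change actions the ticket wants reserved for the DBA team.
const SCHEMA_ACTIONS = ["createCollection", "dropCollection", "createIndex", "dropIndex"];

// Build the createRole command for one database. collection: "" scopes the
// privilege to every non-system collection in that database.
function buildCrudOnlyRole(dbName, roleName = "pureReadWrite") {
  if (typeof dbName !== "string" || dbName.length === 0) {
    throw new Error("database name required");
  }
  return {
    createRole: roleName,
    privileges: [{ resource: { db: dbName, collection: "" }, actions: [...CRUD_ACTIONS] }],
    roles: [], // inherit nothing, so readWrite's schema actions cannot leak in
  };
}

// Audit helper: given a role's privileges array (for example the privileges or
// inheritedPrivileges field returned by rolesInfo with showPrivileges: true),
// list every schema-change grant it contains.
function findSchemaGrants(privileges) {
  const hits = [];
  for (const p of privileges) {
    for (const action of p.actions) {
      if (SCHEMA_ACTIONS.includes(action)) {
        hits.push({ db: p.resource.db, collection: p.resource.collection, action });
      }
    }
  }
  return hits;
}

// One command per database, each checked before it is sent to the server.
function buildForDatabases(dbNames) {
  return dbNames.map((name) => {
    const cmd = buildCrudOnlyRole(name);
    if (findSchemaGrants(cmd.privileges).length !== 0) {
      throw new Error(`role for ${name} grants schema actions`);
    }
    return cmd;
  });
}
```

In mongosh, each returned document can be passed to `db.getSiblingDB(name).runCommand(cmd)` by a user who is allowed to create roles on that database.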