[SERVER-36141] Builtin role which only has INSERT/UPDATE/DELETE/FIND/STATs (Not create/drop collection & index) Created: 16/Jul/18  Updated: 08/Feb/23

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: 3.4.16
Fix Version/s: None

Type: New Feature Priority: Minor - P4
Reporter: 아나 하리 Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Participants:

 Description   

A lot of companies have their own DBA team.

Schema modification tasks, like creating/dropping indexes and collections, are the responsibility of the DBA team. And DBAs want schema changes to be done only by DBAs, not by developers.

 

But in the current implementation of MongoDB, all CRUD (INSERT & UPDATE & DELETE & FIND) and schema change actions are included in the "readWrite" role. So CRUD and schema-change actions cannot be separated when using a built-in role. We can do it with a user-defined role, but user-defined roles have some issues like https://jira.mongodb.org/browse/SERVER-17513 (we should make a user-defined role for each database).

 

I think making another built-in role is easy. So what do you think about making a pureReadWriteRole for this use case?

```
// Read-write role
readWriteRoleActions += readRoleActions;
readWriteRoleActions
    << ActionType::convertToCapped  // db admin gets this also
    << ActionType::createCollection  // db admin gets this also
    << ActionType::dropCollection
    << ActionType::dropIndex
    << ActionType::emptycapped
    << ActionType::createIndex
    << ActionType::insert
    << ActionType::remove
    << ActionType::renameCollectionSameDB  // db admin gets this also
    << ActionType::update;

// Pure read-write role (only contains READ and insert & remove & update)
pureReadWriteRoleActions += readRoleActions;
pureReadWriteRoleActions
    << ActionType::emptycapped
    << ActionType::insert
    << ActionType::remove
    << ActionType::update;
```
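The user-defined-role workaround mentioned in the description, as an added example that is not part of the ticket or of MongoDB's source: it generates one `createRole` command per database and checks a role document for the schema-change actions that `readWrite` carries in the snippet above. The role name, the database names `app` and `reporting`, and the choice of read actions are assumptions.

```javascript
// Added example (not MongoDB source): per-database CRUD-only role definitions.
// Write actions mirror the ticket's proposed pureReadWriteRoleActions.
const WRITE_ACTIONS = ["emptycapped", "insert", "remove", "update"];
// Assumption: a subset of the built-in read role's actions (find, stats, listing).
const READ_ACTIONS = ["find", "collStats", "dbStats",
                      "listCollections", "listIndexes", "killCursors"];
// Actions readWrite grants in the ticket's snippet that the proposal leaves out.
const SCHEMA_ACTIONS = ["convertToCapped", "createCollection", "dropCollection",
                        "dropIndex", "createIndex", "renameCollectionSameDB"];

// Build one createRole command per database. collection "" means every
// non-system collection in that database. Role name is hypothetical.
function buildCrudOnlyRoles(dbNames, roleName = "pureReadWrite") {
  return dbNames.map((name) => ({
    db: name,
    command: {
      createRole: roleName,
      privileges: [{
        resource: { db: name, collection: "" },
        actions: [...READ_ACTIONS, ...WRITE_ACTIONS],
      }],
      roles: [], // no inherited roles: inheriting readWrite would undo the split
    },
  }));
}

// Audit helper: which schema-change actions do a role's direct privileges grant?
// Inherited roles are not resolved here.
function schemaActionsGranted(roleCommand) {
  const granted = new Set(roleCommand.privileges.flatMap((p) => p.actions));
  return SCHEMA_ACTIONS.filter((action) => granted.has(action));
}

// Inside mongosh the global `db` exists, so the commands are applied there.
// Under plain Node.js this branch is skipped and only the builders are defined.
if (typeof db !== "undefined") {
  // Constructed database names, for illustration only.
  for (const { db: name, command } of buildCrudOnlyRoles(["app", "reporting"])) {
    printjson(db.getSiblingDB(name).runCommand(command));
  }
}
```

Because each role is created in the database it targets, adding a new database means generating and applying another role, which is the per-database overhead the description points to.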

