<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 02:54:46 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-648] document level access control</title>
                <link>https://jira.mongodb.org/browse/SERVER-648</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;Access control to the documents in the system would be very helpful. What is done on my current project is to implement an interface that is called during all database operations and returns a boolean to indicate whether or not the document should be included in the result set. We have added some attributes/fields to the document to specify who should be able to access it, and we run through some business rules (i.e. admin vs normal user, group belonged to etc.) to determine access.&lt;/p&gt;

&lt;p&gt;The backend that we use currently provided the hook for us via the java interface for us to implement, and it is simple and effective. I can&apos;t see an application layer where munging of the queries or doing sub queries to be as clean or error free.&lt;/p&gt;</description>
                <environment></environment>
        <key id="11338">SERVER-648</key>
            <summary>document level access control</summary>
                <type id="2" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14711&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="10038" iconUrl="https://jira.mongodb.org/images/icons/subtask.gif" description="">Backlog</status>
                    <statusCategory id="2" key="new" colorName="default"/>
                                    <resolution id="-1">Unresolved</resolution>
                                        <assignee username="backlog-server-security">Backlog - Security Team</assignee>
                                    <reporter username="mwaschkowski">Mark Waschkowski</reporter>
                        <labels>
                    </labels>
                <created>Fri, 19 Feb 2010 10:49:47 +0000</created>
                <updated>Wed, 22 Mar 2023 20:50:58 +0000</updated>
                                            <version>1.3.2</version>
                                                    <component>Security</component>
                                        <votes>27</votes>
                                    <watches>41</watches>
                                                                                                                <comments>
                            <comment id="5293564" author="charlie.little" created="Wed, 22 Mar 2023 20:50:58 +0000"  >&lt;p&gt;Views are not sufficient unless there are only a handful of roles.&#160; Defining filter predicates that can be parameterized (and possibly use session roles in the filters) can provide a more flexible way to do document level ACL.&#160; Look at ElasticSearch doc-level access control as an example.&lt;/p&gt;</comment>
                            <comment id="5282765" author="geert.bosch" created="Sun, 19 Mar 2023 00:59:16 +0000"  >&lt;p&gt;I think that effectively &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-142&quot; title=&quot;Read-only views over collection data.&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-142&quot;&gt;&lt;del&gt;SERVER-142&lt;/del&gt;&lt;/a&gt; (Read-only views) provides this capability. It is possible to create a view exposing documents according to an aggregation pipeline, and give specific authorizations to that view.&lt;/p&gt;</comment>
                            <comment id="2183593" author="russellc92" created="Mon, 18 Mar 2019 11:30:36 +0000"  >&lt;p&gt;I was wondering how this would be implemented and whether it would be similar to how access control is performed at the &lt;a href=&quot;https://docs.mongodb.com/manual/core/collection-level-access-control&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;collection level&lt;/a&gt; (That being: via the use of user-defined roles).&lt;/p&gt;

&lt;p&gt;Here &#8220;By creating a role with privileges that are scoped to a specific collection in a particular database, administrators can provision users with roles that grant privileges on a collection level&#8221;. For example, the following privilege definition for a user role allows the find action on the &#8220;myCollection&#8221; collection:&lt;/p&gt;

&lt;pre&gt;{ resource: { db: &quot;myDatabase&quot;, collection: &quot;myCollection&quot; }, actions: [ &quot;find&quot; ] }&lt;/pre&gt;

&lt;p&gt;I think this method could be difficult for Documents. Collections are named and therefore actions can be mapped to collection names (&#8220;find&#8221; on myCollection). Documents do not have such a naming system by default. (AKA - I can&#8217;t see here how to map specific documents to perhaps a user-defined role)&lt;/p&gt;

&lt;p&gt;Therefore, would the implementation differ and perhaps revolve around a tagging system as shown in &#8220;&lt;a href=&quot;https://docs.mongodb.com/manual/tutorial/implement-field-level-redaction/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Implement Field Level Redaction&lt;/a&gt;&#8221;? Such an approach would be similar to what @Matthew Rummel has described above in the sense that a user has a token and documents would have tags containing matching token(s), giving the user access to that document (correct me if my interpretation is wrong here)&lt;/p&gt;</comment>
                            <comment id="1578512" author="matthew.rummel6@gmail.com" created="Wed, 24 May 2017 04:02:26 +0000"  >&lt;p&gt;A few thoughts on implementing document label security:&lt;/p&gt;

&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;Users should have a security token or belong to a group that has a security token. This token defines what documents a user is allowed to access.&lt;/li&gt;
	&lt;li&gt;A security token is a representation of all the security groups to which the user belongs.&lt;/li&gt;
	&lt;li&gt;A given user&apos;s token should be compared with the at the document and subdocument level (and potentially at the field level) in each document automatically when a CRUD operation is performed. Only those documents/subdocuments/fields that a user has access to will be affected by the operation.&lt;/li&gt;
	&lt;li&gt;The framework must allow for security groups to inherit the permissions of other security groups. For instance, if a document is tagged with the &quot;HR&quot; security group and &quot;HR&quot; is not inherited by any other defined security groups, then only users with the &quot;HR&quot; group will be able to perform CRUD operations on the document/subdocument/field. However, if the &quot;Executive&quot; group inherits the &quot;HR&quot; group, then users with either the &quot;Executive&quot; or &quot;HR&quot; security groups will be able to perform CRUD on the data.&lt;/li&gt;
	&lt;li&gt;The evaluation of a document&apos;s security label rules should allow for &apos;AND&apos; and &apos;OR&apos; operations, such as &quot;User is in security group A and B&quot; or &quot;User is in group A or B or C&quot;.&lt;/li&gt;
	&lt;li&gt;A user&apos;s security token and a data security label should allow for various compartments to be used in the evaluation, such as &quot;Department Context: User is in department security group A or B, Function Context: User is in functional group B or C&quot;.&lt;/li&gt;
	&lt;li&gt;Document level access control should be able to be enabled or disabled at the collection level. Some collections should enforce access control while others do not.&lt;/li&gt;
	&lt;li&gt;Both top level and embedded documents should be able to have their own access control label. If an embedded document has a more restrictive access control than its parent and a user does not have the permissions necessary to perform a CRUD operation at the embedded access level, the embedded document should be omitted from the operation.&lt;/li&gt;
	&lt;li&gt;A user should be able to run a CRUD operation that is more restrictive than their permissions allow. For instance, if a user who has security groups &quot;Accounting&quot; and &quot;Engineering&quot; wants to perform a find operation on documents that have the &quot;Engineering&quot; document label, he or she should be able to do so.&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="443446" author="nevi_me" created="Sat, 19 Oct 2013 14:10:01 +0000"  >&lt;p&gt;Ah, I didn&apos;t notice that part. Thanks&lt;/p&gt;


</comment>
                            <comment id="443445" author="gianfranco" created="Sat, 19 Oct 2013 13:57:29 +0000"  >&lt;p&gt;Neville, the SERVER ticket you mention talks about &lt;b&gt;collection&lt;/b&gt; access level control, not &lt;b&gt;document&lt;/b&gt;.&lt;br/&gt;
That is, each document can possibly have different authorisations (read, write) to different users&lt;/p&gt;</comment>
                            <comment id="442512" author="nevi_me" created="Thu, 17 Oct 2013 20:07:53 +0000"  >&lt;p&gt;I think this is solved by &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-1105&quot; title=&quot;access control per collection&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-1105&quot;&gt;&lt;del&gt;SERVER-1105&lt;/del&gt;&lt;/a&gt;. Maybe we should get the MongoDB team and the community to spend 1-2 days going through open issues that might have been resolved over time. I&apos;m personally tired of those people who blog about how MongoDB is focusing on benchmarks and unsafe writes blah blah, and they go point out very old issues that haven&apos;t been, or won&apos;t be resolved/worked on.&lt;/p&gt;

&lt;p&gt;Would also give MongoDB perspective on how things are going :)&lt;/p&gt;</comment>
                            <comment id="306808" author="mloll" created="Fri, 5 Apr 2013 15:44:09 +0000"  >&lt;p&gt;I have been working on a proof of concept for this on and off for the past month. I take an approach similar to how Accumulo handles column visibility - arbitrary boolean expressions like &apos;manager &amp;amp;&amp;amp; engineer&apos; indicate access restrictions on a document (its label if you are familiar with Oracle&apos;s label security). Clients send a list of their rights (&amp;#91;&amp;#39;manager&amp;#39;, &amp;#39;engineer&amp;#39;, &amp;#39;readable&amp;#39;&amp;#93;) which are then used to prune out documents which may satisfy the query predicate but don&apos;t satisfy the access restriction. If I can get it up on GitHub I&apos;ll post a link, but it is not something that is really ready for prime time.&lt;/p&gt;

&lt;p&gt;Mike&lt;/p&gt;</comment>
                            <comment id="58387" author="nestor.urquiza@gmail.com" created="Tue, 4 Oct 2011 17:04:02 +0000"  >&lt;p&gt;I totally agree. Managing ACL in Service or any other layer ends up pretty soon in a mess. In the JPA world we have a project like jpasecurity which is a wrapper on top of the JPA provider that intercepts all queries and applies rules defined either in XML or with annotations.&lt;/p&gt;

&lt;p&gt;I think something like that should be included as part of MongoDB.&lt;/p&gt;

&lt;p&gt;I vote then for this feature.&lt;/p&gt;

&lt;p&gt;Best regards,&lt;br/&gt;
-Nestor&lt;/p&gt;</comment>
                            <comment id="12403" author="mwaschkowski" created="Fri, 19 Feb 2010 11:12:05 +0000"  >&lt;p&gt;In summary, AC is a global type restriction, and should be treated as such at the database level, which is the gatekeeper of the data.&lt;/p&gt;

&lt;p&gt;Can also see discussion here:&lt;br/&gt;
&lt;a href=&quot;http://groups.google.com/group/mongodb-user/browse_thread/thread/72fc46873b5be14e&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://groups.google.com/group/mongodb-user/browse_thread/thread/72fc46873b5be14e&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="11936">SERVER-1105</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>10.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                <customfield id="customfield_12751" key="com.atlassian.jira.plugin.system.customfieldtypes:multiselect">
                        <customfieldname>Assigned Teams</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="25129"><![CDATA[Server Security]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[5002K00000rzy1uQAA]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 4 Oct 2011 17:04:02 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        46 weeks ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>charlie.little@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            46 weeks ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>backlog-server-security</customfieldvalue>
            <customfieldvalue>charlie.little@mongodb.com</customfieldvalue>
            <customfieldvalue>geert.bosch@mongodb.com</customfieldvalue>
            <customfieldvalue>gianfranco</customfieldvalue>
            <customfieldvalue>mwaschkowski</customfieldvalue>
            <customfieldvalue>matthew.rummel6@gmail.com</customfieldvalue>
            <customfieldvalue>mloll</customfieldvalue>
            <customfieldvalue>nestor.urquiza@gmail.com</customfieldvalue>
            <customfieldvalue>nevi_me</customfieldvalue>
            <customfieldvalue>russellc92</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrprof:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hr9gcf:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>6341</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|ht0pxb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>