
MongoDB Tips and Tricks: Collection-Level Access Control


Here's how to set up collection-level access permissions within MongoDB.


As your database or project grows, you may be tasked with configuring access controls to allow different stakeholders access to the database. Rather than create a new user with full database privileges, it may be more appropriate to create a user that only has access to the data or collections they need. This allows users to query against the collections you define and limits their access to the rest of the database.

Here's a step-by-step example that demonstrates how to set up collection-level access control. This example will create a user named "finance" on the "acme" database. The "finance" user will only have "find" (read) access to the "billing" collection.

Step 1. Connect to the "Acme" Database Using an Existing User

> mongo ds123456.mlab.com:12345/acme -u dba -p password

Note that the "dba" user will need the userAdmin role to create and modify roles and users on the "acme" database. By default, mLab database users created through the UI are granted the dbOwner role, which combines the privileges granted by the readWrite, dbAdmin, and userAdmin roles.

Step 2. Create a New User-Defined Role for the "Billing" Collection

> db.createRole({ role: "readBillingOnly", privileges: [ { resource: { db: "acme", collection: "billing" }, actions: [ "find" ] } ], roles: [] })

You can also add more privilege actions to the "actions" array, such as "insert" or "update."

Step 3. Create a New User Named "Finance" With the Role You Just Created

> db.createUser({ user: "finance", pwd: "password", roles: [ { role: "readBillingOnly", db: "acme" } ] })

Alternatively, if the user already exists, you can use the grantRolesToUser() method:

> db.grantRolesToUser("finance", [ { role: "readBillingOnly", db: "acme" } ])

And that's it! You now have a user named "finance" that has read-only access on the "billing" collection in the "acme" database.
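Before handing the credentials over, it is worth checking that the role grants nothing beyond what Step 2 intended. The following Node.js script is an added example (not part of the original article) that audits a role definition offline, using roughly the document shape that db.getRole("readBillingOnly", { showPrivileges: true }) returns. It models only db/collection resources and resolves inherited roles by name; cluster and anyResource privileges, system collections, and roles of the same name in different databases are outside its scope (an assumption of this simplified model).

```javascript
// Added example: offline least-privilege audit of user-defined MongoDB roles.
// Assumption: a simplified model of MongoDB resource matching that covers only
// { db, collection } resources; cluster/anyResource privileges and system
// collections are not modelled.

// Constructed sample: the role from Step 2 plus a hypothetical role that inherits it.
const ROLES = {
  readBillingOnly: {
    privileges: [{ resource: { db: "acme", collection: "billing" }, actions: ["find"] }],
    roles: [],
  },
  billingEditor: {
    privileges: [{ resource: { db: "acme", collection: "billing" }, actions: ["insert", "update"] }],
    roles: [{ role: "readBillingOnly", db: "acme" }],
  },
};

// A db/collection resource matches when each part is either the wildcard "" or an exact match.
function resourceMatches(resource, dbName, collName) {
  if (resource.db === undefined || resource.collection === undefined) return false; // not modelled
  return (resource.db === "" || resource.db === dbName) &&
         (resource.collection === "" || resource.collection === collName);
}

// Flatten a role and every role it inherits (transitively, cycle-safe) into one privilege list.
function effectivePrivileges(roleName, roles = ROLES, seen = new Set()) {
  if (seen.has(roleName) || !roles[roleName]) return [];
  seen.add(roleName);
  const own = roles[roleName].privileges;
  const inherited = roles[roleName].roles.flatMap(r => effectivePrivileges(r.role, roles, seen));
  return own.concat(inherited);
}

// Would a holder of roleName be allowed to perform action on dbName.collName?
function isAuthorized(roleName, action, dbName, collName, roles = ROLES) {
  return effectivePrivileges(roleName, roles).some(p =>
    resourceMatches(p.resource, dbName, collName) && p.actions.includes(action));
}

// Audit view: every "db.collection:action" the role grants, with "*" for wildcards.
function grantedActions(roleName, roles = ROLES) {
  const out = new Set();
  for (const p of effectivePrivileges(roleName, roles))
    for (const a of p.actions) out.add(`${p.resource.db || "*"}.${p.resource.collection || "*"}:${a}`);
  return [...out].sort();
}

console.log(grantedActions("readBillingOnly")); // expected: [ 'acme.billing:find' ]
console.log(grantedActions("billingEditor"));
```

Paste the real output of db.getRole(..., { showPrivileges: true }) into ROLES to audit a live deployment; any entry in grantedActions beyond acme.billing:find means the role is broader than the article intends.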

