Collection-Level Access Control
Collection-level access control allows administrators to grant usersprivileges that are scoped to specific collections.
Administrators can implement collection-level access control throughuser-defined roles. By creating a role withprivileges that are scoped to a specific collectionin a particular database, administrators can provision users with rolesthat grant privileges on a collection level.
Privileges and Scope
A privilege consists of actionsand the resources upon which theactions are permissible; i.e. the resources define the scope of theactions for that privilege.
By specifying both the database and the collection in theresource document for aprivilege, administrator can limit the privilege actions just to aspecific collection in a specific database. Each privilege action in arole can be scoped to a different collection.
For example, a user defined role can contain the following privileges:
- privileges: [
- { resource: { db: "products", collection: "inventory" }, actions: [ "find", "update", "insert" ] },
- { resource: { db: "products", collection: "orders" }, actions: [ "find" ] }
- ]
The first privilege scopes its actions to the inventory
collectionof the products
database. The second privilege scopes its actionsto the orders
collection of the products
database.
Additional Information
For more information on user-defined roles and MongoDB authorizationmodel, see Role-Based Access Control. For a tutorial on creatinguser-defined roles, see Manage Users and Roles.