CODEWITHSUNDEEP
javascriptmongodbmongoosesails.js
Vishnu Mishra
Vishnu Mishra

Reputation: 4029

how give different privilege for user and admin in mongodb

I'm creating the an application using sails and MongoDB. where I need three level of user.

I want to give the different privileges for each of user

so how to user different schema for the different type of user. and restrict one user to access the other resources.

Upvotes: 2

Views: 1993

Answers (3)

Robins Gupta
Robins Gupta

Reputation: 3153

Suppose you are working on a database name "records"

In mongo shell >>

//SuperADMIN
use admin
db.createUser(
 {
   user: "superuser",
   pwd: "12345678",
   roles: [ "root" ]
 }
 )


 //ADMIN
 use records
 db.createUser
 (
   {
     user: "recordsUserAdmin",
     pwd: "password",
     roles: [ { role: "userAdmin", db: "records" } ]
   }
 )





//Any User
use records
db.createUser(
 {
    user: "recordUser",
    pwd: "12345678",
    roles: [
       { role: "read", db: "records" },
       { role: "read", db: "user" },
       { role: "read", db: "sales" },
       { role: "readWrite", db: "accounts" }
    ]
  }
 )

For more info:

Mongo tutorial create admin

Add user to mongo

Upvotes: 2

nalinc
nalinc

Reputation: 7425

I want to give the different privileges for each of user

  • Super admin can access whole DB.
  • Admin can access the data relate to that field
  • User can access the data related to the user.

What you need is primarily a document-level access control where a user can access a document based on value in a particular field. Unfortunately, as of version 3.0, there is not yet any built in way to provide access-control at the document/field level. Mongo's ACLs go to the Collection-level only.

..So how to use different schema for the different type of user. and restrict one user to access the other resources.

Because of reasons mentioned above, this is impossible at database level alone if by 'resource' you mean a 'document'. However, you can still manage to achieve the similar functionality on application level(sailJS). At database level, the best you can do is- move that users document to a different collection. You mat use the createRole() method to create a role and specify its privilege.

For SuperAdmins:

db.createRole({ role: "SuperAdmin",
  privileges: [
    { resource: { db: "myCustomDB", collection: "" }, actions: [ "find", "update", "insert", "remove" ]}
  ],
  roles: []
})

SuperAdmins have access to all collections in myCustomDB database and perform find, update, insert and remove actions

For Admins:

db.createRole({ role: "Admin",
  privileges: [
    { resource: { db: "myCustomDB", collection: "AdminCollection" }, actions: [ "find", "update", "insert", "remove" ]},
    { resource: { db: "myCustomDB", collection: "" }, actions: [ "find"]}
  ],
  roles: []
})

Admins can access all documents in their own collection and perform CRUD operations. However, they only have read-only access to any other collection in the database.

For Users:

db.createRole({ role: "User",
  privileges: [
    { resource: { db: "myCustomDB", collection: "UserCollection" }, actions: [ "find", "update", "insert", "remove" ]}
  ],
  roles: []
})

Note: If you are using version 2.4(or below), you would need to move that users collection to a different database. MongoDB 2.4(and below) ACLs go to the Database-Level only.

Upvotes: 6

haxim
haxim

Reputation: 196

What you're describing is impossible to achieve in just the database level.

It would be possible to create another user who has different read/write permissions to the database. However, it is not possible to create a user who has permission to only view data related to themselves. What you would need to do is perform authentication within the application to see if the user is authorized to see said data. Obviously this is very specific to the implementation, but it would be similar to perform an application check of "is user ABC the owner of data XYZ? If yes, let them see it, if no, error".

Upvotes: 1

Related Questions