Bhanu Makineni

Reputation: 41

mongodb: restrict read/write access on a specific collection

Is there any way that we can restrict the read/write access for a specific collection in a DB even though users have read/write access for the database?

For example: I have a DB called PRODCAST and it contains collA, collB, collC and collD. Assume that we have 10 users who can all access the PRODCAST database and perform read/write operations on all collections that exist in the DB.

Here my question is: is there any way we can prevent all the users from performing read/write operations, especially on collC, as collC has some sensitive data that I would not want to show to everyone even though they have the DB access?

Upvotes: 2

Views: 8736

Answers (1)

Stennie

Reputation: 65323

Is there any way that we can restrict the read/write access for a specific collection in a DB even though users have read/write access for the database?

As at MongoDB 3.6, roles and privileges are additive: you can grant additional permissions to a user but cannot remove or restrict existing privileges that have been granted or inherited.

For example: I have a DB called PRODCAST and it contains collA, collB, collC and collD. Assume that we have 10 users who can all access the PRODCAST database and perform read/write operations on all collections that exist in the DB.

Suggested approaches to restrict access to collC would be to either:

  • explicitly grant permission for each collection (instead of read/write access for the entire PRODCAST database), or
  • create a separate database for collections needing more restrictive permissions

If all of your users need a common set of access privileges you could create a user-defined (custom) role to make administration easier. You could then grant the custom role (e.g. PRODCAST) to your users and update the role as required when you add new collections/databases with shared access.

Here my question is: is there any way we can prevent all the users from performing read/write operations, especially on collC, as collC has some sensitive data that I would not want to show to everyone even though they have the DB access?

For further restrictions on accessing sensitive data, you could use either of the above approaches to limit overall read/write access and then create a read-only view of the collection (MongoDB 3.4+). Similar to collections, access to views requires read access. However, read permission to a view can be granted without read permission to the underlying collection, so sensitive fields can be fully redacted.

Upvotes: 3
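An added example, not code from the answer above or from MongoDB itself: the per-collection custom role and the redacted view the answer suggests, written as the createRole and create (view) command documents, together with a small evaluator that mirrors MongoDB's additive privilege model so you can confirm what the role does and does not grant before applying it. The role name prodcastAppUser, the view name collC_public and the sensitive fields ssn and salary are assumptions; the evaluator is a simplification that ignores cluster resources and system collections.

```javascript
// Hypothetical user-defined role: collection-level grants on collA, collB and
// collD of PRODCAST instead of readWrite on the whole database. Nothing at all
// is granted on collC itself; only the redacted view of it is readable.
const PRODCAST_ROLE = {
  createRole: "prodcastAppUser", // assumed role name
  privileges: [
    ...["collA", "collB", "collD"].map((coll) => ({
      resource: { db: "PRODCAST", collection: coll },
      actions: ["find", "insert", "update", "remove"],
    })),
    // Read-only access to the view (MongoDB 3.4+), not to the underlying collection.
    { resource: { db: "PRODCAST", collection: "collC_public" }, actions: ["find"] },
  ],
  roles: [],
};

// View over collC: $project strips the sensitive fields (assumed names) so a
// reader of the view never sees them, even though collC is the source.
const COLLC_VIEW = {
  create: "collC_public", // assumed view name
  viewOn: "collC",
  pipeline: [{ $project: { ssn: 0, salary: 0 } }],
};

// Simplified model of how MongoDB evaluates privileges: the union of all grants,
// with no deny rules. An empty db or collection string acts as a wildcard.
function roleAllows(role, db, collection, action) {
  return role.privileges.some((p) => {
    const dbMatch = p.resource.db === "" || p.resource.db === db;
    const collMatch = p.resource.collection === "" || p.resource.collection === collection;
    return dbMatch && collMatch && p.actions.includes(action);
  });
}

// The two shell commands an administrator would run, returned as strings so
// this file stays runnable offline without a live mongod.
function adminCommands() {
  return [
    `db.getSiblingDB("admin").runCommand(${JSON.stringify(PRODCAST_ROLE)})`,
    `db.getSiblingDB("PRODCAST").runCommand(${JSON.stringify(COLLC_VIEW)})`,
  ];
}
```

Because privileges are additive, any user who also holds readWrite on PRODCAST (or a role inheriting it) would still reach collC; the check above only proves what this role grants on its own.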
